Modlishka — An Open Source Phishing Tool With 2FA Authentication
Modlishka is a flexible and powerful reverse proxy that will take your phishing campaigns to the next level (with minimal effort required from your side).
Some of the most important 'Modlishka' features:
- Support for the majority of 2FA authentication schemes (by design).
- No website templates (just point Modlishka to the target domain — in most cases, it will be handled automatically).
- Full control of "cross" origin TLS traffic flow from your victims' browsers.
- Flexible and easily configurable phishing scenarios through configuration options.
- Stripping websites of all encryption and security headers (back to 90's MITM style).
- User credential harvesting (with context based on URL parameter passed identifiers).
- Can be extended with your ideas through plugins.
- Stateless design. Can be scaled up easily for an arbitrary number of users, e.g. through a DNS load balancer.
- Web panel with a summary of collected credentials and user session impersonation (beta).
- Written in Go.
[Image: Modlishka in action against an example 2FA (SMS) enabled authentication scheme]
Note: google.com was chosen here just as a POC.
$ go get -u github.com/drk1wi/Modlishka
Compile the binary and you are ready to go:
$ cd $GOPATH/src/github.com/drk1wi/Modlishka/
# ./dist/proxy -h
Usage of ./dist/proxy:
base64 encoded TLS certificate
base64 encoded TLS certificate key
base64 encoded Certification Authority certificate
JSON configuration file. Convenient instead of using command line switches.
Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)
Print debug information
Disable security features like anti-SSRF. Disable at your own risk.
Comma separated list of URL patterns and JS base64 encoded payloads that will be injected.
Listening address (default "127.0.0.1")
Listening port (default "443")
Local file to which fetched requests will be written (appended)
Phishing domain to create - Ex.: target.co
Comma seperated list of enabled plugin names (default "all")
Log only HTTP POST requests
Comma separated list of 'string' patterns and their replacements.
Main target to proxy - Ex.: https://target.com
Comma separated list of target subdomains that need to pass through the proxy
Comma separated list of URLs from target's origin which will trigger session termination
URL to redirect the client after session termination triggers
Enable TLS (default false)
Name of the HTTP cookie used to track the victim (default "id")
Name of the HTTP parameter used to track the victim (default "id")
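From the defender's side, the header stripping and the tracking cookie listed above leave marks in the proxied responses. The following added example (not part of Modlishka or of the original page) compares response headers captured from a suspect hostname with a baseline from the genuine origin; the header list, function names and sample data are assumptions constructed for illustration.

```python
# Added example (not Modlishka code): audit response headers from a suspect
# hostname against a baseline taken from the genuine origin.
# The header list is this example's assumption; the page names none.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)

def normalise(headers):
    """Map lower-cased header name -> list of values (Set-Cookie repeats)."""
    out = {}
    for name, value in headers:
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out

def cookie_names(headers):
    """Names of every cookie set by a normalised response."""
    return {v.split("=", 1)[0].strip() for v in headers.get("set-cookie", [])}

def audit(baseline, suspect, tracking_cookie="id"):
    """Return findings as (kind, detail) tuples, sorted for stable output."""
    base, susp = normalise(baseline), normalise(suspect)
    findings = [("stripped-header", h) for h in SECURITY_HEADERS
                if h in base and h not in susp]
    # A cookie the genuine origin never sets; "id" is the default tracking
    # cookie name given in the usage text above.
    extra = cookie_names(susp) - cookie_names(base)
    if tracking_cookie in extra:
        findings.append(("unexpected-cookie", tracking_cookie))
    return sorted(findings)

# Constructed sample data, not captured traffic.
BASELINE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly"),
]
SUSPECT = [
    ("x-frame-options", "DENY"),
    ("Set-Cookie", "session=abc123; HttpOnly"),
    ("Set-Cookie", "id=Zx81; Path=/"),
]

if __name__ == "__main__":
    print(audit(BASELINE, SUSPECT))
```

A header missing from the suspect response is only a signal when the baseline actually sends it, which is why the comparison is made against the genuine origin rather than a fixed checklist.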
- Check out the wiki page for a more detailed overview of the tool usage.
- FAQ (Frequently Asked Questions)
- Blog post
Thanks for helping with the code go to Giuseppe Trotta (@Giutro)