Modlishka — An Open Source Phishing Tool With 2FA Authentication
Modlishka is a flexible and powerful reverse proxy, that will take your phishing campaigns to the next level (with minimal effort required from your side).
Some of the most important ‘Modlishka’ features :
- Support for majority of 2FA authentication schemes (by design).
- No website templates (just point Modlishka to the target domain — in most cases, it will be handled automatically).
- Full control of «cross» origin TLS traffic flow from your victims browsers.
- Flexible and easily configurable phishing scenarios through configuration options.
- Striping website from all encryption and security headers (back to 90’s MITM style).
- User credential harvesting (with context based on URL parameter passed identifiers).
- Can be extended with your ideas through plugins.
- Stateless design. Can be scaled up easily for an arbitrary number of users — ex. through a DNS load balancer.
- Web panel with a summary of collected credentials and user session impersonation (beta).
- Written in Go.
«A picture is worth a thousand words»:
Modlishka in action against an example 2FA (SMS) enabled authentication scheme:
Note: google.com was chosen here just as a POC.
$ go get -u github.com/drk1wi/Modlishka
Compile the binary and you are ready to go:
$ cd $GOPATH/src/github.com/drk1wi/Modlishka/ $ make
# ./dist/proxy -h Usage of ./dist/proxy: -cert string base64 encoded TLS certificate -certKey string base64 encoded TLS certificate key -certPool string base64 encoded Certification Authority certificate -config string JSON configuration file. Convenient instead of using command line switches. -credParams string Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex) -debug Print debug information -disableSecurity Disable security features like anti-SSRF. Disable at your own risk. -jsRules string Comma separated list of URL patterns and JS base64 encoded payloads that will be injected. -listeningAddress string Listening address (default "127.0.0.1") -listeningPort string Listening port (default "443") -log string Local file to which fetched requests will be written (appended) -phishing string Phishing domain to create - Ex.: target.co -plugins string Comma seperated list of enabled plugin names (default "all") -postOnly Log only HTTP POST requests -rules string Comma separated list of 'string' patterns and their replacements. -target string Main target to proxy - Ex.: https://target.com -targetRes string Comma separated list of target subdomains that need to pass through the proxy -terminateTriggers string Comma separated list of URLs from target's origin which will trigger session termination -terminateUrl string URL to redirect the client after session termination triggers -tls Enable TLS (default false) -trackingCookie string Name of the HTTP cookie used to track the victim (default "id") -trackingParam string Name of the HTTP parameter used to track the victim (default "id")
- Check out the wiki page for a more detailed overview of the tool usage.
- FAQ (Frequently Asked Questions)
- Blog post
Thanks for helping with the code go to Giuseppe Trotta (@Giutro)