Modlishka: Powerful Reverse Proxy [Phishing NG, Bypassing 2FA]

Last Release: 05/21/2019     Last Commit: 02/13/2022

Modlishka: Powerful  Reverse Proxy [Phishing NG, Bypassing 2FA]


Modlishka is a very powerful Reverse Proxy tool that allows you to run phishing campaigns. It can be very useful to all pentesters since Modlishka is able to show current 2FA weaknesses (bypass 2FA protection on popular websites: Gmail, Yahoo, etc.) and help you find and implement adequate security solutions.

Disclaimer: This tool is made only for educational purposes and can be only used in legitimate penetration tests. Author does not take any responsibility for any actions taken by its users.

Modlishka: Powerful Reverse Proxy, Phishing NG, Bypassing 2FA

Modlishka is written in Go and it allows you to carry out an effective phishing campaign. In addition, according to the official docu, you can adjust the configuration for your chosen domain. This reverse proxy tool can be easily customized through a set of available command line options or JSON configuration files.

Modlishka tool is able to trick 2FA systems by collectiing 2FA tokens, without using fake templates (you just need to point to the target domain). To start pentesting/ phishing with Modlishka, all you need is TLS certificate and phishing domain.


  • Support for majority of 2FA authentication schemes (by design).
  • No website templates (just point Modlishka to the target domain – in most cases, it will be handled automatically).
  • Full control of “cross” origin TLS traffic flow from your victims browsers (through custom new techniques).
  • Flexible and easily configurable phishing scenarios through configuration options.
  • Pattern based JavaScript payload injection.
  • Striping website from all encryption and security headers (back to 90’s MITM style).
  • User credential harvesting (with context based on URL parameter passed identifiers).
  • Can be extended with your ideas through plugins.
  • Stateless design. Can be scaled up easily for an arbitrary number of users – ex. through a DNS load balancer.
  • Web panel with a summary of collected credentials and user session impersonation (beta).
  • Backdoor free.

Prerequisites (to run an effective phishing campaign):

  • Registered domain name
  • Wildcard SSL certificate
Note: These prerequisites are optional, there is temporary domain “” at your disposal for testing purpose ons your local machine without registering your own domain.

Modlishka Install

First of all, you need to fetch the source code with go get:

$ go get -u

Then configure the autocert plugin:

$ openssl genrsa -out MyRootCA.key 2048`
$ openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem
  1. Replace the const CA_CERT variable with the content of MyRootCA.pem file and const CA_CERT_KEY with the content of MyRootCA.key in the plugin/autocert.go file.
  2. Install and set the right trust level for the ‘MyRootCA’ (MyRootCA.pem file) CA in your browsers certificate store (FirefoxChrome).

Finally, compile and launch:

$ make
$ sudo ./dist/proxy -config templates/google.com_gsuite.json

Basic Usage

To list available options, simply use -h:

./dist/proxy -h

Usage of ./dist/proxy:
-cert string
base64 encoded TLS certificate
-certKey string
base64 encoded TLS certificate key
-certPool string
base64 encoded Certification Authority certificate
-config string
JSON configuration file. Convenient instead of using command line switches.
-credParams string
Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)
Print debug information
Disable security features like anti-SSRF. Disable at your own risk.
-jsRules string
Comma separated list of URL patterns and JS base64 encoded payloads that will be injected.
-listeningAddress string
Listening address (default "")
-listeningPort string
Listening port (default "443")
-log string
Local file to which fetched requests will be written (appended)
-phishing string
Phishing domain to create - Ex.:


$ sudo ./dist/proxy   -target -phishingDomain -listeningPort 80

The following command will launch the proxy without any encryption:

  • Target parameter : the domain that should be proxied,
  • phishingDomain : defines the phishing domain.

DEMO: Phishing with Modlishka (author: @drk1wi)

For more detailed usage guide, click on the “documentation” button below.

Documentation Box
Download Box