Modlishka is a go based phishing proxy that takes your phishing campaigns to the next level. The main feature that makes it different from the other phishing tools, is that it supports 2FA authentication. It is easy to configure with great flexibility that allows the attacker to control all the traffic from a target’s browser.
To install Modlishka, download the repo from github with ‘go get’ as shown below.
go get -u github.com/drk1wi/Modlishka
After that go inside the ‘go’ folder and run the make file depending on your OS.
To run the proxy go to the ‘dist’ folder and run the script.
cd dist/ ./proxy -h
We see many different options. You can create your own SSL certification using ‘openssl‘ to make the phishing campaign more trustworthy. Also, consider registering a domain name. There are also options to bypass some security measures such as anti-SSRF. In our example we will keep it simple and run it against a facebook domain.
Simply run the command below against a site target to see the proxy in action. The phisingDomain option needs to be changed to suit your needs. If you want to use the ‘loopback.modlishka.io‘ as shown below you have to change the ‘index.html‘ file inside your apache folder(/var/www/) to fit the template you need.
./proxy -target https://facebook.com -phishingDomain loopback.modlishka.io -listeningPort 80
After that you need to go in the control panel to see all the credentials you got. Type this in your browser.
What Bunny rating does it get?
Modlishka is very powerful tool. You need to give it some time to get acquainted with the features. Consider using SSL certificates and your own domain name for a red team exercise. Check their wiki page for more information about the tool. I’m giving it 4 out of 5 bunnies.
Want to learn more about ethical hacking?
Do you know of another GitHub related hacking tool?
Get in touch with us via the contact form if you would like us to look at any other GitHub ethical hacking tools.