Modlishka – An Open Source Phishing Tool With 2FA Authentication

Modlishka is a go based phishing proxy that takes your phishing campaigns to the next level. The main feature that makes it different from the other phishing tools, is that it supports 2FA authentication. It is easy to configure with great flexibility that allows the attacker to control all the traffic from a target’s browser.

Installing Modlishka

To install Modlishka, download the repo from github with ‘go get’ as shown below.

go get -u

After that go inside the ‘go’ folder and run the make file depending on your OS.

cd $GOPATH/go/src/

That’s it.

Running Modlishka

To run the proxy go to the ‘dist’ folder and run the script.

cd dist/

./proxy -h

We see many different options. You can create your own SSL certification using ‘openssl‘ to make the phishing campaign more trustworthy. Also, consider registering a domain name. There are also options to bypass some security measures such as anti-SSRF. In our example we will keep it simple and run it against a facebook domain.

Simply run the command below against a site target to see the proxy in action. The phisingDomain option needs to be changed to suit your needs. If you want to use the ‘‘ as shown below you have to change the ‘index.html‘ file inside your apache folder(/var/www/) to fit the template you need.

./proxy -target -phishingDomain -listeningPort 80

After that you need to go in the control panel to see all the credentials you got. Type this in your browser.

What Bunny rating does it get?

Modlishka is very powerful tool. You need to give it some time to get acquainted with the features. Consider using SSL certificates and your own domain name for a red team exercise. Check their wiki page for more information about the tool. I’m giving it 4 out of 5 bunnies.

Want to learn more about ethical hacking?

We have a  networking hacking course that is of a similar level to OSCP, get an exclusive 95% discount HERE

Do you know of another GitHub related hacking tool?

Get in touch with us via the contact form if you would like us to look at any other GitHub ethical hacking tools.

Related posts

Multiple Vulnerabilities Found In ownCloud File Sharing App

Microsoft Defender Lures Researchers With Bug Bounty Program

Konni RAT Malware Campaign Spreads Via Malicious Word Files