Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all articles
Browse latest Browse all 5816

Modlishka - An Open Source Phishing Tool With 2FA Authentication

$
0
0

Modlishka is a flexible and powerful reverse proxy, that will take your phishing campaigns to the next level (with minimal effort required from your side).
Enjoy :-)

Features
Some of the most important 'Modlishka' features :
  • Support for majority of 2FA authentication schemes (by design).
  • No website templates (just point Modlishka to the target domain - in most cases, it will be handled automatically).
  • Full control of "cross" origin TLS traffic flow from your victims browsers.
  • Flexible and easily configurable phishing scenarios through configuration options.
  • Pattern based JavaScript payload injection.
  • Striping website from all encryption and security headers (back to 90's MITM style).
  • User credential harvesting (with context based on URL parameter passed identifiers).
  • Can be extended with your ideas through plugins.
  • Stateless design. Can be scaled up easily for an arbitrary number of users - ex. through a DNS load balancer.
  • Web panel with a summary of collected credentials and user session impersonation (beta).
  • Written in Go.

Action
"A picture is worth a thousand words":
Modlishka in action against an example 2FA (SMS) enabled authentication scheme:


Note: google.com was chosen here just as a POC.

Installation
Latest source code version can be fetched from here (zip) or here (tar).
Fetch the code with 'go get' :
$ go get -u github.com/drk1wi/Modlishka
Compile the binary and you are ready to go:
$ cd $GOPATH/src/github.com/drk1wi/Modlishka/
$ make


# ./dist/proxy -h


Usage of ./dist/proxy:

-cert string
base64 encoded TLS certificate

-certKey string
base64 encoded TLS certificate key

-certPool string
base64 encoded Certification Authority certificate

-config string
JSON configuration file. Convenient instead of using command line switches.

-credParams string
Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)

-debug
Print debug information

-disableSecurity
Disable security features like anti-SSRF. Disable at your own risk.

-jsRules string
Comma separated list of URL patterns and JS base64 encoded payloads that will be injected.

-listeningAddress string
Listening address (default "127.0.0.1")

-listeningPort string
Listening port (default "443")

-log string
Local file to which fetched requests will be written (appended)

-phishing string
Phishing domain to create - Ex.: target.co

-plugins string
Comma seperated list of enabled plugin names (default "all")

-postOnly
Log only HTTP POST requests

-rules string
Comma separated list of 'string' patterns and their replacements.

-target string
Main target to proxy - Ex.: https://target.com

-targetRes string
Comma separated list of target subdomains that need to pass through the proxy

-terminateTriggers string
Comma separated list of URLs from target's origin which will trigger session termination

-terminateUrl string
URL to redirect the client after session termination triggers

-tls
Enable TLS (default false)

-trackingCookie string
Name of the HTTP cookie used to track the victim (default "id")

-trackingParam string
Name of the HTTP parameter used to track the victim (default "id")

Usage
  • Check out the wiki page for a more detailed overview of the tool usage.
  • FAQ (Frequently Asked Questions)
  • Blog post

Credits
Thanks for helping with the code go to Giuseppe Trotta (@Giutro)



Viewing all articles
Browse latest Browse all 5816

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>