We all try to secure our online accounts as much as we can. We turn on Two-factor Authentication on our Facebook account or Gmail account etc. and we think that now we’re fully secure.
But the tool we’re going to discuss here will wipe out this concept.
Modlishka. A reverse proxy automatphishing tool which is recently released on Github. The tool is written in the Goproman language and. the most powerful and dangerous tool ever which can take Phishing to the next level. This tool can easily bypass Two-Factor authentication running on Gmail, Yahoo mail, Proton mail, etc services and grab the username, passwords, and authentication token.`
The best things about this tool are- Wedo not require templates for phishing websites. Normally we need to clone websites in order to do phishing but in the case of Modlishka, it doesn’t require it because it works on the reverse proxy so that the target website opens live. You will not even realize for a moment that the website is fake.
It also has full control over the origin TLS traffic flow. This tool is very flexible and it has lots of options for configuration. Besides these, it has a control panel where the captured tokens, usernames, passwords are stored, and later they can be used for a web session.
The only disadvantage of this tool is, it doesn’t work on Universal Two-Factor Authentication because this authentication uses special USB or NFC devices to authenticate.
How Modlishka Works
Modlishka works on both Social Engineering and Man-In-The-Middle attack techniques. The Modlishka server is set up between the Victim and the target website which works as a proxy for the target website. Every request sent or received between the victim and the target website will go through the Modlishka server.
This setup captures the victim’s username, password, site authentication token, the session created between them, cookies, and requests are and later these things can be used to create a web session.
The victim will not even realize for a moment that his/her account was hacked. That is why Modlishka is reported as very dangerous.
Setup Modlishka in Kali Linux
Fire up your Kali Linux machine and download the tool from Github. You need Go language installed in your machine and if you don’t have it, simply apply the command apt-get install golang. This command will install the Go language. Now we need to set our GOPATH. Apply the command- export GOPATH=$HOME/go To check the path apply the command echo $GOPATH. Now we need to download Modlishka to the go folder. We are applying the command- go get -u github.com/drk1wi/Modlishka This command will download the Modlishka tool to the go folder. Now change the directory to the go folder. cd /root/go/src/github.com/drk1wi/Modlishka/ In the next step, we need to configure the SSL certificate. If you have a registered domain and SSL certificate, you can use them here. First of all, we are generating an RSA private key. openssl genrsa -out MyCA.key 2048
You can name the key as you want. In the next, we need to generate theSSL certificate. openssl req -x509 -new -nodes -key MyCA.key -sha256 -days 1024 -out MyCA.pem
In the information field section, you can fill according to you and similar to the domain you want to do phishing. Now we have to set both the Key and certificate in the Autocertificate file. Open the certificate in the leafpad and copy it. leafpad MyCA.pem/
Now open the Autocertificate file with the command given below. Find for the line CA CERT= ‘PASTE YOUR CA CERT HERE’. Delete the sentence that is between the inverted commas and paste the certificate. nano plugin/autocert.go Save and close the file. Now open the RSA private key with leafpad and copy the Key. leafpad MyCA.key
Now again open the Autocert file and find for the line CA CERT KEY= ‘PASTE YOUR CA CERT KEY HERE’. Delete the sentence from between the inverted commas and paste the key and save and close the file. The next step is compiling the file. We will apply the command ‘make‘ and the file will be compiled.
Congrats! the tool is properly configured and now we can use the tool.
Initiate The Process of The Tool
Let’s check what options we can use here. ./dist/proxy -h This command will show all the available options we can use. You can also set up a new configuration file in order to point your custom phishing domain. Use the following command to open the default configuration file. nano templates/google.com_gsuite.json
Here you can set your custom information to point your custom domain. But before that you need to configure your domain to point Modlishka server.
Before running the tool we need to import the SSL certificate to the browser. If we don’t do that it will show unsecured connection because we’ve generated a custom SSL certificate and we are on the localhost. To import it on Mozilla Firefox go to
If you configure a registered domain with Modlishka then you don’t need to import custom SSL certificate you will get a genuine SSL certificate. Now we are free to start the Modlishka server. Load the default config file if you didn’t set your own. Use the command-
Here you can see we got the URL- https://loopback.modlishka.io and it will open up google.com.
To see the captured details, simply give the command-
Doing setup of this tool is very easy and anybody can do this and it raises the hazard. You need to be a little careful to avoid damages by this tool.
Don’t open any unknown or malicious link shared on Whatsapp or any Social Media or other sources. Check the links who ask you to enter username and password because attackers can use homographs to trick you. If you don’t know what is a homograph, here is a simple example-
Original LinkUsed Homograph
Also, don’t forget to check the SSL certificate of the website. If the certificate is not provided by Google then the site may fake.
What do you do to protect yourself from this kind of threat? comment below and let others know.
The tutorial you found on this website is only for educational purposes. Misuse of this information can lead you to jail or punishment. Anything you damage, we are not responsible for that. Do use it on your own property. If you want to test it on other’s property, take written permission from them.