You basically just put it on a local domain, point people there and it forwards the traffic up and down to the target website – so no templates, no warnings. It will also push through two factor authentication requests and answers.
Modlishka is a flexible and powerful reverse proxy, that will take your phishing campaigns to the next level (with minimal effort required from your side).
Some of the most important ‘Modlishka’ features :
- Support for majority of 2FA authentication schemes (by design).
- No website templates (just point Modlishka to the target domain – in most cases, it will be handled automatically).
- Full control of “cross” origin TLS traffic flow from your victims browsers.
- Flexible and easily configurable phishing scenarios through configuration options.
- Striping website from all encryption and security headers (back to 90’s MITM style).
- User credential harvesting (with context based on URL parameter passed identifiers).
- Can be extended with your ideas through plugins.
- Stateless design. Can be scaled up easily for an arbitrary number of users – ex. through a DNS load balancer.
- Web panel with a summary of collected credentials and user session impersonation (beta).
- Written in Go.
In an email to ZDNet, Duszyński described Modlishka as a point-and-click and easy-to-automate system that requires minimal maintenance, unlike previous phishing toolkits used by other penetration testers.
“At the time when I started this project (which was in early 2018), my main goal was to write an easy to use tool, that would eliminate the need of preparing static webpage templates for every phishing campaign that I was carrying out,” the researcher told us.
“The approach of creating a universal and easy to automate reverse proxy, as a MITM actor, appeared to be the most natural direction. Despite some technical challenges, that emerged on this path, the overall result appeared to be really rewarding,” he added.
“The tool that I wrote is sort of a game changer, since it can be used as a ‘point and click’ proxy, that allows easy phishing campaign automation with full support of the 2FA (an exception to this is a U2F protocol based tokens – which is currently the only resilient second factor).