Modlishka: Advance Phishing to Bypass 2 Factor Authentication

We all try to secure our online accounts as much as we can. We turn on Two-factor Authentication on our Facebook account or Gmail account etc. and we think that now we’re fully secure.

But the tool we’re going to discuss here will wipe out this concept.

Modlishka. A reverse proxy automat phishing tool which is recently released on Github. The tool is written in the Goproman language and. the most powerful and dangerous tool ever which can take Phishing to the next level. This tool can easily bypass Two-Factor authentication running on Gmail, Yahoo mail, Proton mail, etc services and grab the username, passwords, and authentication token.`

The best things about this tool are- We do not require templates for phishing websites. Normally we need to clone websites in order to do phishing but in the case of Modlishka, it doesn’t require it because it works on the reverse proxy so that the target website opens live. You will not even realize for a moment that the website is fake.

It also has full control over the origin TLS traffic flow. This tool is very flexible and it has lots of options for configuration. Besides these, it has a control panel where the captured tokens, usernames, passwords are stored, and later they can be used for a web session.

The only disadvantage of this tool is, it doesn’t work on Universal Two-Factor Authentication because this authentication uses special USB or NFC devices to authenticate.

How Modlishka Works

Modlishka works on both Social Engineering and Man-In-The-Middle attack techniques. The Modlishka server is set up between the Victim and the target website which works as a proxy for the target website. Every request sent or received between the victim and the target website will go through the Modlishka server.

Modlishka: Advance Phishing to Bypass 2 Factor Authentication

This setup captures the victim’s username, password, site authentication token, the session created between them, cookies, and requests are and later these things can be used to create a web session.

The victim will not even realize for a moment that his/her account was hacked. That is why Modlishka is reported as very dangerous.

Setup Modlishka in Kali Linux

Fire up your Kali Linux machine and download the tool from Github. You need Go language installed in your machine and if you don’t have it, simply apply the command apt-get install golang. This command will install the Go language.

Now we need to set our GOPATH. Apply the command-

export GOPATH=$HOME/go

To check the path apply the command echo $GOPATH. Now we need to download Modlishka to the go folder. We are applying the command-

go get -u github.com/drk1wi/Modlishka

This command will download the Modlishka tool to the go folder. Now change the directory to the go folder.

cd /root/go/src/github.com/drk1wi/Modlishka/

In the next step, we need to configure the SSL certificate. If you have a registered domain and SSL certificate, you can use them here. First of all, we are generating an RSA private key.

openssl genrsa -out MyCA.key 2048

You can name the key as you want. In the next, we need to generate the SSL certificate.

openssl req -x509 -new -nodes -key MyCA.key -sha256 -days 1024 -out MyCA.pem

In the information field section, you can fill according to you and similar to the domain you want to do phishing. Now we have to set both the Key and certificate in the Autocertificate file. Open the certificate in the leafpad and copy it.

leafpad MyCA.pem/

Now open the Autocertificate file with the command given below. Find for the line CA CERT= ‘PASTE YOUR CA CERT HERE’. Delete the sentence that is between the inverted commas and paste the certificate.

nano plugin/autocert.go

Save and close the file. Now open the RSA private key with leafpad and copy the Key.

leafpad MyCA.key

Now again open the Autocert file and find for the line CA CERT KEY= ‘PASTE YOUR CA CERT KEY HERE’. Delete the sentence from between the inverted commas and paste the key and save and close the file.

The next step is compiling the file. We will apply the command ‘make‘ and the file will be compiled.

Congrats! the tool is properly configured and now we can use the tool.

Initiate The Process of The Tool

Let’s check what options we can use here.

./dist/proxy -h

This command will show all the available options we can use. You can also set up a new configuration file in order to point your custom phishing domain. Use the following command to open the default configuration file.

nano templates/google.com_gsuite.json

Here you can set your custom information to point your custom domain. But before that you need to configure your domain to point Modlishka server.

Before running the tool we need to import the SSL certificate to the browser. If we don’t do that it will show unsecured connection because we’ve generated a custom SSL certificate and we are on the localhost. To import it on Mozilla Firefox go to

Advanced>Certificates>View Certificates>Import.

If you configure a registered domain with Modlishka then you don’t need to import custom SSL certificate you will get a genuine SSL certificate.

Now we are free to start the Modlishka server. Load the default config file if you didn’t set your own. Use the command-

./dist/proxy -config templates/google.com_gsuite.json

Here you can see we got the URL- https://loopback.modlishka.io and it will open up google.com.

To see the captured details, simply give the command-

leafpad google.log

Conclusion

Doing setup of this tool is very easy and anybody can do this and it raises the hazard. You need to be a little careful to avoid damages by this tool.

Don’t open any unknown or malicious link shared on Whatsapp or any Social Media or other sources. Check the links who ask you to enter username and password because attackers can use homographs to trick you. If you don’t know what is a homograph, here is a simple example-

Original Link Used Homograph

https://google.com https://googlc.com

Also, don’t forget to check the SSL certificate of the website. If the certificate is not provided by Google then the site may fake.

What do you do to protect yourself from this kind of threat? comment below and let others know.

Disclaimer

The tutorial you found on this website is only for educational purposes. Misuse of this information can lead you to jail or punishment. Anything you damage, we are not responsible for that. Do use it on your own property. If you want to test it on other’s property, take written permission from them.

Archives

Categories

Meta

[Dorking] Hacking Google with uDork Tool in 2021 | Kali Linux

[Fixed] Unable to locate package in Kali Linux

[Solved] Could not get var/lib/dpkg/lock | Kali Linux

[Solved] WiFi not showing up on Kali Linux

7 Bitcoin Myths And Lies You’re Wrong About.

8 Best Hacking Apps For Android To do Social Engineering [No root]

Analyze Images and Search For Face matching with PAnalizer

Analyze your Mobile Network Security with Snoopsnitch Android App

Auto-Download & Auto-Execute Payload on Windows/Linux PC

Automate Metasploit with Easysploit | Easy to Use and Faster

Beelogger- How To Create a Keylogger For Windows 10| Kali Linux

Biggest Cybersecurity Disasters in History That You Can Share With Your Friends

Bitcoin Forks? | Free Coins Of Forks | Key System Of Cryptocurrencies

BlackEye | The Most Complete Phishing Tool with IP Details capturing Feature| Kali Linux

Brave browser | The Most Secure, Fast and Private browser for android

Bruteforce Instagram login with BruteSploit | Kali Linux

Bypass Antivirus and Create Persistent payload with CHAOS | Kali Linux

Canarytokens | The Best Honeypot Ever | Complete Setup Tutorial

Carbon Copy | A Tool to create Spoofed Certificate of Websites | Kali Linux

Complete Guide- How To Install Kali Linux on Vmware Workstation Pro

Canarytokens | The Best Honeypot Ever | Complete Setup Tutorial

Carbon Copy | A Tool to create Spoofed Certificate of Websites | Kali Linux

BlackEye | The Most Complete Phishing Tool with IP Details capturing Feature| Kali Linux

How To Hack Any Android Smartphone With just an Tricky SMS | Kali Linux