Modlishka
A powerful and flexible HTTP reverse proxy.
It implements an entirely new and interesting approach of handling browser-based HTTP traffic flow, which allows it to transparently proxy multi-domain destination traffic, both TLS and non-TLS, over a single domain, without a requirement of installing any additional certificate on the client. What exactly does this mean? In short, it simply has a lot of potential, that can be used in many use case scenarios...
From the security perspective, Modlishka can be currently used to:
- Support ethical phishing penetration tests with a transparent and automated reverse proxy component that has a universal 2FA “bypass” support.
- Wrap legacy websites with TLS layer, confuse crawler bots and automated scanners, etc.
Modlishka was written as an attempt to overcome standard reverse proxy limitations and as a personal challenge to see what is possible with sufficient motivation and a bit of extra research time. The achieved results appeared to be very interesting and the tool was initially released and later updated with an aim to:
- Highlight currently used two factor authentication (2FA) scheme weaknesses, so adequate security solutions can be created and implemented by the industry.
- Support other projects that could benefit from a universal and transparent reverse proxy.
- Raise community awareness about modern phishing techniques and strategies and support penetration testers in their daily work.
Modlishka was primarily written for security related tasks. Nevertheless, it can be helpful in other, non-security related, usage scenarios.
Features:
- Point-and-click HTTP and HTTPS reverse proxying of an arbitrary domain/s.
- Full control of "cross" origin TLS traffic flow from your users browsers (without a requirement of installing any additional certificate on the client).
- Easy and fast configuration through command line options and JSON configuration files.
- Pattern based JavaScript payload injection.
- Wrapping websites with an extra "security": TLS wrapping, authentication, relevant security headers, etc.
- Stripping websites of all encryption and security headers.
- Stateless design. Can be scaled up easily to handle an arbitrary amount of traffic.
- Can be extended easily with your ideas through modular plugins.
- Automatic test TLS certificate generation plugin for the proxy domain.
- Written in Go, so it works basically on all platforms and architectures: Windows, OSX, Linux, BSD supported...
- Support for majority of 2FA authentication schemes.
- Practical implementation of the "Client Domain Hooking" attack. Supported with a diagnostic plugin.
- User credential harvesting.
- Web panel plugin with a summary of automatically collected credentials and one-click user session impersonation module.
- No website templates.