Branch: master
Find file Copy path
237cf20 Feb 17, 2019
2 contributors

Users who have contributed to this file

@drk1wi @0xflotus
163 lines (102 sloc) 5.39 KB


Modlishka is a flexible and powerful reverse proxy, that will take your ethical phishing campaigns to the next level.

It was realeased with an aim to:

  • help penetration testers to carry out an effective phishing campaign and reinforce the fact that serious threat can arise from phishing.
  • higlight current 2FA weaknesses, so adequate security solutions can be created and implemented soon.
  • raise community awareness about modern phishing techniques and strategies.
  • support other open source projects that require a universal reverse proxy.

Enjoy :-)


Some of the most important 'Modlishka' features :

  • Support for majority of 2FA authentication schemes (by design).
  • No website templates (just point Modlishka to the target domain - in most cases, it will be handled automatically).
  • Full control of "cross" origin TLS traffic flow from your victims browsers (through custom new techniques).
  • Flexible and easily configurable phishing scenarios through configuration options.
  • Pattern based JavaScript payload injection.
  • Striping website from all encryption and security headers (back to 90's MITM style).
  • User credential harvesting (with context based on URL parameter passed identifiers).
  • Can be extended with your ideas through plugins.
  • Stateless design. Can be scaled up easily for an arbitrary number of users - ex. through a DNS load balancer.
  • Web panel with a summary of collected credentials and user session impersonation (beta POC).
  • Backdoor free ;-) ...
  • Written in Go.


"A picture is worth a thousand words":

Modlishka in action against an example standard 2FA (SMS) enabled authentication scheme:

Watch the video

Note: was chosen here just as a proof of concept.


Latest source code version can be fetched from here (zip) or here (tar).

Fetch the code with 'go get' :

$ go get -u

Compile the binary and you are ready to go:

$ cd $GOPATH/src/
$ make

alt text

# ./dist/proxy -h

Usage of ./dist/proxy:
  -cert string
    	base64 encoded TLS certificate
  -certKey string
    	base64 encoded TLS certificate key
  -certPool string
    	base64 encoded Certification Authority certificate
  -config string
    	JSON configuration file. Convenient instead of using command line switches.
  -credParams string
      	Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)

    	Print debug information
    	Disable security features like anti-SSRF. Disable at your own risk.
  -jsRules string
    	Comma separated list of URL patterns and JS base64 encoded payloads that will be injected. 
  -listeningAddress string
    	Listening address (default "")
  -listeningPort string
    	Listening port (default "443")
  -log string
    	Local file to which fetched requests will be written (appended)
  -phishing string
    	Phishing domain to create - Ex.:
  -plugins string
    	Comma seperated list of enabled plugin names (default "all")
    	Log only HTTP POST requests
  -target string
    	Main target to proxy - Ex.:
  -targetRules string
    	Comma separated list of 'string' patterns and their replacements. 
  -targetRes string
    	Comma separated list of target subdomains that need to pass through the  proxy 
  -terminateTriggers string
    	Comma separated list of URLs from target's origin which will trigger session termination
  -terminateUrl string
    	URL to redirect the client after session termination triggers
    	Enable TLS (default false)
  -trackingCookie string
    	Name of the HTTP cookie used to track the victim (default "id")
  -trackingParam string
    	Name of the HTTP parameter used to track the victim (default "id")


  • Check out the wiki page for a more detailed overview of the tool usage.
  • FAQ (Frequently Asked Questions)
  • Blog post

Commercial support

For ethical phishing campaigns :


Modlishka was made by Piotr Duszyński (@drk1wi). You can find the license here.


Thanks for helping with the code go to Giuseppe Trotta (@Giutro)


This tool is made only for educational purposes and can be only used in legitimate penetration tests. Author does not take any responsibility for any actions taken by its users.