..Modlishka..

Modlishka is a powerful and flexible HTTP reverse proxy. It implements an entirely new and interesting approach to handling browser-based HTTP traffic flow, which allows it to transparently proxy multi-domain destination traffic, both TLS and non-TLS, over a single domain, without requiring any additional certificate to be installed on the client. What exactly does this mean? In short, it has a lot of potential that can be applied in many use case scenarios...

From the security perspective, Modlishka can be currently used to:

Modlishka was written as an attempt to overcome standard reverse proxy limitations and as a personal challenge to see what is possible with sufficient motivation and a bit of extra research time. The achieved results appeared to be very interesting and the tool was initially released and later updated with an aim to:

Modlishka was primarily written for security related tasks. Nevertheless, it can be helpful in other, non-security related, usage scenarios.

Features

Key features of Modlishka include:

General:

Security related:

Proxying In Action (2FA bypass)

"A picture is worth a thousand words":

Modlishka in action against an example two-factor authentication scheme (SMS-based bypass proof-of-concept):

https://vimeo.com/308709275
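
Why an origin-bound second factor behaves differently from the SMS code in the demo above, shown as an added defender-side example (not part of Modlishka or its README): a relying party verifies a WebAuthn-style assertion signature, then the challenge and the exact origin. The key, challenge and assertions are constructed, `target.tld` and `proxy.tld` are the placeholder names from the usage text below, and the simulation skips the browser's own RP ID scoping.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)
var ErrOrigin, ErrSig = errors.New("origin mismatch"), errors.New("bad signature")
// digest hashes what a WebAuthn authenticator signs: authData || SHA-256(clientDataJSON).
func digest(authData, cdj []byte) []byte {
	h := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}
// Verify is the relying-party check: signature first, then challenge and exact origin.
func Verify(pub *ecdsa.PublicKey, authData, cdj, sig []byte, challenge, origin string) error {
	if !ecdsa.VerifyASN1(pub, digest(authData, cdj), sig) {
		return ErrSig
	}
	var cd struct{ Type, Challenge, Origin string }
	if err := json.Unmarshal(cdj, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("bad client data")
	}
	if cd.Origin != origin { // exact match, never a suffix or substring comparison
		return ErrOrigin
	}
	return nil
}

// Demo runs three constructed logins and returns the relying party's verdict for each.
func Demo() (direct, proxied, rewritten error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed credential key
	rp := sha256.Sum256([]byte("target.tld"))
	authData := append(rp[:], 0x01, 0, 0, 0, 1) // rpIdHash | flags | signCount (constructed)
	login := func(browserOrigin string, rewrite bool) error {
		cdj := []byte(`{"type":"webauthn.get","challenge":"Y29uc3RydWN0ZWQ","origin":"` + browserOrigin + `"}`)
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest(authData, cdj))
		if rewrite { // an intermediary edits the origin after the authenticator signed
			cdj = bytes.Replace(cdj, []byte(browserOrigin), []byte("https://target.tld"), 1)
		}
		return Verify(&priv.PublicKey, authData, cdj, sig, "Y29uc3RydWN0ZWQ", "https://target.tld")
	}
	return login("https://target.tld", false), login("https://proxy.tld", false), login("https://proxy.tld", true)
}
func main() { fmt.Println(Demo()) }
```

The direct login verifies, the login whose browser saw `https://proxy.tld` is rejected on origin, and the one whose client data was edited in transit is rejected on signature.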

Installation

The latest source code version can be fetched from here (zip) or here (tar).

Fetch the code with 'go install':

$ go install github.com/drk1wi/Modlishka@latest

Compile manually:

$ git clone https://github.com/drk1wi/Modlishka.git
$ cd Modlishka
$ make

# ./dist/proxy -h


Usage of ./dist/proxy:
      
  -cert string
    	base64 encoded TLS certificate
  
  -certKey string
    	base64 encoded TLS certificate key
  
  -certPool string
    	base64 encoded Certification Authority certificate
  
  -config string
    	JSON configuration file. Convenient instead of using command line switches.
      
  -controlCreds string
      Username and password to protect the credentials page.  user:pass format
      
  -controlURL string
      URL to view captured credentials and settings. (default "SayHello2Modlishka")
      
  -credParams string
      	Credential regexp with matching groups. e.g. : base64(username_regex),base64(password_regex)

  -debug
    	Print debug information
  
  -disableSecurity
    	Disable proxy security features like anti-SSRF. 'Here be dragons' - disable at your own risk.
  
  -dynamicMode
      	Enable dynamic mode for 'Client Domain Hooking'
  
  -forceHTTP
     	Strip all TLS from the traffic and proxy through HTTP only

  -forceHTTPS
     	Strip all clear-text from the traffic and proxy through HTTPS only
 
  -jsRules string
    	Comma separated list of URL patterns and JS base64 encoded payloads that will be injected - e.g.: target.tld:base64(alert(1)),..,etc
  
  -listeningAddress string
    	Listening address - e.g.: 0.0.0.0  (default "127.0.0.1")
  
  -log string
    	Local file to which fetched requests will be written (appended)
  
  -plugins string
    	Comma seperated list of enabled plugin names (default "all")
  
  -proxyAddress string
	    Proxy that should be used (socks/https/http) - e.g.: http://127.0.0.1:8080 
     
  -proxyDomain string
    	Proxy domain name that will be used - e.g.: proxy.tld
  
  -postOnly
    	Log only HTTP POST requests
  
  -rules string
      	Comma separated list of 'string' patterns and their replacements - e.g.: base64(new):base64(old),base64(newer):base64(older)

  -target string
    	Target domain name  - e.g.: target.tld
     
  -targetRes string
    	Comma separated list of domains that were not translated automatically. Use this to force domain translation - e.g.: static.target.tld 
  
  -terminateTriggers string
    	Session termination: Comma separated list of URLs from target's origin which will trigger session termination
    		
  -terminateUrl string
    	URL to which a client will be redirected after Session Termination rules trigger
  
  -trackingCookie string
    	Name of the HTTP cookie used to track the client (default "id")
  
  -trackingParam string
    	Name of the HTTP parameter used to track the client (default "id")

Commercial Usage

Modlishka is licensed under this License.

For commercial, legitimate applications, please contact the author for the appropriate licensing arrangements.

Credits

Author: Modlishka was designed and implemented by Piotr Duszyński (@drk1wi). All rights reserved.

See the list of contributors who participated in this project.

Disclaimer

This tool is made only for educational purposes and can be used in legitimate penetration tests or research only. The author does not take any responsibility for any actions taken by its users.