Modlishka – An Open Source Phishing Tool With 2FA Authentication

Modlishka is a flexible and powerful reverse proxy that will take your phishing campaigns to the next level (with minimal effort required from your side).
Enjoy 🙂

Some of the most important ‘Modlishka’ features:

  • Support for majority of 2FA authentication schemes (by design).
  • No website templates (just point Modlishka to the target domain – in most cases, it will be handled automatically).
  • Full control of “cross” origin TLS traffic flow from your victims' browsers.
  • Flexible and easily configurable phishing scenarios through configuration options.
  • Pattern based JavaScript payload injection.
  • Stripping website from all encryption and security headers (back to 90’s MITM style).
  • User credential harvesting (with context based on URL parameter passed identifiers).
  • Can be extended with your ideas through plugins.
  • Stateless design. Can be scaled up easily for an arbitrary number of users – ex. through a DNS load balancer.
  • Web panel with a summary of collected credentials and user session impersonation (beta).
  • Written in Go.

here (zip) or here (tar).
Fetch the code with ‘go get’:

$ go get -u

Compile the binary and you are ready to go:

$ cd $GOPATH/src/
$ make

# ./dist/proxy -h

Usage of ./dist/proxy:

-cert string
base64 encoded TLS certificate

-certKey string
base64 encoded TLS certificate key

-certPool string
base64 encoded Certification Authority certificate

-config string
JSON configuration file. Convenient instead of using command line switches.

-credParams string
Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)

Print debug information

Disable security features like anti-SSRF. Disable at your own risk.

-jsRules string
Comma separated list of URL patterns and JS base64 encoded payloads that will be injected.

-listeningAddress string
Listening address (default "")

-listeningPort string
Listening port (default "443")

-log string
Local file to which fetched requests will be written (appended)

-phishing string
Phishing domain to create - Ex.:

-plugins string
Comma seperated list of enabled plugin names (default "all")

Log only HTTP POST requests

-rules string
Comma separated list of 'string' patterns and their replacements.

-target string
Main target to proxy - Ex.:

-targetRes string
Comma separated list of target subdomains that need to pass through the proxy

-terminateTriggers string
Comma separated list of URLs from target's origin which will trigger session termination

-terminateUrl string
URL to redirect the client after session termination triggers

Enable TLS (default false)

-trackingCookie string
Name of the HTTP cookie used to track the victim (default "identity")

-trackingParam string
Name of the HTTP parameter used to track the victim (default "identity")


  • Check out the wiki page for a more detailed overview of the tool usage.
  • FAQ (Frequently Asked Questions)
  • Blog post

Thanks for helping with the code go to Giuseppe Trotta (@Giutro)


Published by Marshmallow
