Modlishka - Reverse Proxy - Bypass 2FA

[Mutt]

In this article, I propose to consider a method for stealing user credentials using reverse-proxy technology, which will allow us to bypass two-factor authentication.

To do this, we will use and customize a tool quite well known in certain circles called Modlishka.

Modlishka is a powerful and flexible reverse HTTP proxy. It implements a completely new and interesting browser-based approach to handling HTTP traffic flow that allows multi-domain targeted traffic, both TLS and non-TLS, to be transparently proxied across a single domain without the need to install any additional certificate on the client.

What exactly does this mean? In short, it just has a lot of potential that can be used in many use cases.

From a security point of view, Modlishka can currently be used to:

• Conduct ethical phishing penetration tests using a transparent and automated reverse proxy component with universal support for two-factor authentication.
• Automatic cache poisoning of HTTP 301 browsers and permanent capture of URLs, without TLS.
• Diagnostics and interception of HTTP traffic of browser applications from the point of view of the Client Domain Hooking attack.
• Wrapping legacy websites in TLS, obfuscating bots, automatic crawlers, etc.

Modlishka was written as an attempt to overcome the standard limitations of a reverse proxy and as a personal challenge to see what is possible with enough motivation and little extra research time.

The results achieved were very interesting and the tool was initially released and then updated to:

• Highlight the weaknesses of the current two-factor authentication (2FA) scheme so that adequate security solutions can be created and implemented in the industry.
• Support other projects that might benefit from a generic and transparent reverse proxy.
• Raise community awareness of modern phishing techniques and strategies and support penetration testers in their daily work.

Modlishka was primarily written for security related tasks. However, it can be useful in other non-security use cases. Effective proxying!

Features
General:

• Point-and-click HTTP and HTTPS reverse proxying of an arbitrary domain.
• Full control over cross-origin TLS traffic flow from your users' browsers (without having to install any additional certificates on the client).
• Easy and fast configuration using command line parameters and JSON configuration files.
• Template-based JavaScript payload injection.
• Wrapping websites with additional "security": TLS wrapping, authentication, matching security headers, etc.
• Removing websites from all encryption and security headers (back to 90s MITM style).
• Stateless design. Can be easily scaled to handle any amount of traffic — for example, through a DNS load balancer.
• Can be easily extended with your ideas with modular plugins.
• TLS certificate autotest plugin for proxy domain (self-signed CA certificate required)
• Written in Go, so it works on almost all platforms and architectures: Windows, OSX, Linux, BSD supported.

Safety related:

• Support for most 2FA authentication schemes (out of the box).
• Practical implementation of the Client Domain Hooking attack. Supported by a diagnostic plugin.
• Collecting user credentials (with context based on the IDs passed in the URL parameter).
• A web panel plugin with a summary of automatically collected credentials and a one-click user session impersonation module (proof-of-concept / beta).
• No website templates (just point Modlishka to the target domain - in most cases it will be processed automatically without additional manual configuration).

Installation
The latest source code can be downloaded here (zip) or here (tar).

Get the code with go get:

go get -u github.com/drk1wi/Modlishka

We carry out a test run:

Modlishka

The output is more informative than practical, but it indicates that there were no errors during the installation.

We check the work of the reverse proxy server directly, run the following command:

Modlishka -config /usr/local/Projects/pkg/mod/github.com/drk1wi/\[email protected]/templates/google.com_gsuite.json

As an argument, specify the default google.com config

When we go to the local address of the server where Modlishka is running, we should receive a redirect to the Google start page.

This is achieved as follows:

The page we are requesting contains:

<a href="http://google.com"> Found </a>

Accordingly, the response from the server will look like this:

Moving on, we create an SSL certificate:

openssl genrsa -out MyRootCA.key 2048

openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem

As a result, we have two files:

Copy the contents of these files to autocert.go

Putting it back together.

make

Then you need to import the certificate into the user's browser (we do this in a test environment), below we will analyze the setup with a dedicated server, and "clean" phishing.

We imagine that everything went perfectly, and you can send a phishing link to the user.

Before we start, we need to take a look at the templates in the Modlishka directory. We have only two templates available:

• Google
• Microsoft

I can tell right away that the default templates available to us from Google and Microsoft will not work, so we just have to learn how to make our own templates.

The beauty of Modlishka is that we don't have to tediously write our own clone of the site, or do something like phislets with Evilginx. The template is a json file, just copy it and change it to fit your needs.

Five key parameters need to be changed:

• "target"
• "trackingCookie"
• "log"
• "credParams"
• "plugins"

"target"
- Target site.

"trackingCookie"

- Name of the parameter that stores the session token:
"log" - The name of the file where logs will be sent.
"credParams" - Here it is necessary to place, in Base64-encoded form, parameter names + reusular expressions that will characterize the entered characters.

We intercept the authorization request on the site:

We are interested in two parameters here:

• login
• password

We write regular expressions like:

• login = ((?: \ w + [\. \ - \ _]) {0,} \ w +) &
• password = ((?: \ w + [\. \ - \ _]) {0,} \ w +) &

And we encode it all in Base64:

• bG9naW49KCg / Olx3K1tcLlwtXF9dKXswLH1cdyspJg ==, cGFzc3dvcmQ9KCg / Olx3K1tcLlwtXF9dKXswLH1cdyspJg == "

We drop it all into our new json template.
"plugins"

- Turn on all available plugins - "all" Run Modlishka with the following command:

./proxy -config /usr/local/Projects/pkg/mod/github.com/drk1wi/\[email protected]/templates/protey.json

Now, when following the link:

https://loopback.modlishka.io

We go to the target site, where we enter credentials, which are successfully transmitted to the attacker:

In addition, in the Modlishka control panel at:

http://loopback.modlishka.io/SayHello2Modlishka

We get control over the victim's session, this is the principle of bypassing 2FA, we have complete control over the session by receiving data about the user's session.

Looks good, but what if the attacker has no way to add the certificate to the victim's browser?
Let's try to figure it out.
First, let's go back to editing the configuration file. Let's add some realism to what is happening.

The victim should be redirected to somewhere after logging in, which could be a real forum account, for example. For demonstration purposes, we will consider this option.

"terminateRedirectUrl": "https://protey.net"

Then we need a server with a "white" IP address, which will host Modlishka, you can use a router + forward ports if the IP "white" is static.
We will assume that you already have all this and are configured. We buy a consonant domain, try to mimic the target site as much as possible.
In my case, it is non-flesh-free - phishing.protey.net

Next, we will get a certificate for it, you can buy it, but LetsEncrypt will also work for tests.

certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok -d '* .phishing.protey.net' -d phishing.protey.net

Following the instructions, add a TXT record and get the entire set of certificates.

We are interested in two files:

• fullchain.pem
• privkey.pem

Copy them to the Modlishka folder.

Let's go back to the config file, parameters:

"cert"
"certKey"

Accept values in one line, for this you need to slightly change the certificate files:

sed -i ': a; N; $! ba; s / \ n / \\ n / g' privkey.pem
sed -i ': a; N; $! ba; s / \ n / \\ n / g' fullchain.pem

Then we just copy their contents, and substitute them in the parameters, so that it looks like this:

A few more changes to the configuration file:

"proxyDomain": "phishing.protey.net",

"trackingParam": "ident" - In order to save the victim's cookie.
"terminateTriggers": "/ whats-new /", - There is no need to keep the victim constantly through a proxy, we create a trigger that, when going to the "What's new" page, will terminate the session and redirect the user to a legitimate site.

Make sure that everything is ready for phishing:

• Server with Modlishka, router with white static IP, port forwarding, etc.
• Domain purchased.
• Certificates received.
• There are no errors in the config file.

Launch Modlishka and share the link with the user whose credentials we would like to receive.

./proxy -config /usr/local/Projects/pkg/mod/github.com/drk1wi/\[email protected]/templates/protey.json

The result will be intercepted user credentials and then redirecting the user to the real site.

In the Modlishka control console, we get all the necessary information about the user's session:

Conclusion: A very simple, versatile and flexible tool, definitely useful.

 

[nomorelies]

In this article, I propose to consider a method for stealing user credentials using reverse - proxy technology, which will allow us to bypass two-factor authentication.

To do this, we will use and customize a tool that is quite famous in certain circles called Modlishka.

Modlishka is a powerful and flexible HTTP reverse proxy. It implements a completely new and interesting browser-based HTTP traffic stream processing approach that allows you to transparently proxy multi-domain targeted traffic, both TLS and non-TLS, through a single domain without the need to install any additional certificate on the client.

What exactly does this mean? In short, it just has a lot of potential that can be used in many use cases.

From a security point of view, Modlishka can currently be used to:

• Conducting ethical phishing penetration tests using a transparent and automatic reverse proxy component with universal support for two-factor authentication.
• Automatic HTTP 301 browser cache poisoning and permanent URL capture, no TLS.
• Diagnostics and interception of HTTP traffic of browser applications in terms of the "Client Domain Hooking" attack.
• Wrapping legacy websites in TLS to obfuscate bots, automated crawlers, etc.

Modlishka was written as an attempt to overcome the standard reverse proxy limitations and as a personal challenge to see what's possible with enough motivation and a little extra research time.

The results achieved were very interesting and the tool was initially released and then updated to:

• Highlight the weaknesses of the currently used two-factor authentication (2FA) scheme so that adequate security solutions can be created and implemented in the industry.
• Support other projects that could benefit from a universal and transparent reverse proxy.
• Raise community awareness of modern phishing techniques and strategies and support penetration testers in their daily work.

Modlishka was primarily written for security related tasks. However, it may be useful in other non-security use cases.

Effective proxying!

Features

General:

• Point-and-click HTTP and HTTPS reverse proxying of an arbitrary domain.
• Full control over the flow of cross-origin TLS traffic from your users' browsers (without the need to install any additional certificates on the client).
• Easy and fast configuration with command line options and JSON configuration files.
• Template-based JavaScript payload injection.
• Wrapping websites with additional "security": TLS wrapping, authentication, appropriate security headers, etc.
• Removing websites from all encryption and security headers (back to 90s MITM style).
• Stateless design. Can be easily scaled to handle an arbitrary amount of traffic - for example, through a DNS load balancer.
• Can be easily extended to your ideas with modular plugins.
• TLS certificate auto test plugin for proxy domain (requires self-signed CA certificate)
• Written in Go, so it works on almost all platforms and architectures: Windows, OSX, Linux, BSD is supported.

Security related:

• Support for most 2FA authentication schemes (out of the box).
• Practical implementation of the "Client Domain Hooking" attack. Supported by the diagnostic plugin.
• Collection of user credentials (with context based on IDs passed in URL parameter).
• A web panel plugin with a summary of auto-collected credentials and a one-click user session impersonation module (proof-of-concept / beta).
• No website templates (just point Modlishka to the target domain - in most cases it will be processed automatically without additional manual configuration).

Installation & Usage


The latest version of the source code can be downloaded here (zip) or here (tar).

Get the code with go get:

CODE:Copy to clipboard
go get -u github.com/drk1wi/Modlishka
Let's do a test run:
CODE:Copy to clipboard
Modlishka
The output is more informative than practical, but it does indicate that there were no installation errors.

We check the operation of the reverse proxy server directly, execute the following command:
CODE:Copy to clipboard
Modlishka -config /usr/local/Projects/pkg/mod/github.com/drk1wi/\![email protected]/templates/google.com_gsuite.json

• As an argument, specify the default config google.com

When going to the local address of the server where Modlishka is running, we should get a redirect to the Google start page.

This is achieved in the following way.

The page we are requesting contains:
CODE:Copy to clipboard
<a href="http://google.com">Found</a>
Moving on, we create an SSL certificate:
CODE:Copy to clipboard
openssl genrsa -out MyRootCA.key 2048
CODE:Copy to clipboard
openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem
As a result, we have two files.

Copy the contents of these files to autocert.go.

We collect again.
CODE:Copy to clipboard
make
Then you need to import the certificate into the user's browser (we are doing this in a test environment), below we will analyze the setup with a dedicated server, and "pure" phishing.

We imagine that everything went perfectly, and you can send a phishing link to the user.

Before we get started, we need to take a look at templates in the Modlishka directory. We have only two templates available:

• Google
• Microsoft

I can say right away that the default Google and Microsoft templates available to us will not work, so we just have to learn how to make our own templates.

The beauty of Modlishka is that we don't have to tediously write our own clone of the site, or do something like phislets with Evilginx.

The template is a json file, just copy it and change it to fit your needs.

Five key parameters need to be changed:

• "target"
• "trackingCookie"
• "log"
• "credParams"
• "plugins"

"target" - Target site.

"trackingCookie" - The name of the parameter that stores the session token:
"log" - The name of the file where the logs will fall.
"credParams" - Here it is necessary to place in Base64 encoded form the parameter names + regular expressions that will characterize the input characters.

We intercept the authorization request on the site.

Here we are interested in two parameters:

• login
• password

We write regular expressions like this:

• login=((?:\w+[\.\-\_]){0,}\w+)&
• password=((?:\w+[\.\-\_]){0,}\w+)&

And encode it all in Base64:

• bG9naW49KCg/Olx3K1tcLlwtXF9dKXswLH1cdyspJg==,cGFzc3dvcmQ9KCg/Olx3K1tcLlwtXF9dKXswLH1cdyspJg=="

Throw it all into our new json template.

"plugins" - Enable all available plugins - "all"

Launch Modlishka with the following command:
CODE:Copy to clipboard
./proxy -config /usr/local/Projects/pkg/mod/github.com/drk1wi/\![email protected]/templates/protey.json
Now when you click on the link:
CODE:Copy to clipboard

https://loopback.modlishka.io

We get to the target site, where we enter the credentials, which are successfully transmitted to the attacker.

In addition, in the Modlishka control panel at:
CODE:Copy to clipboard

http://loopback.modlishka.io/SayHello2Modlishka

We gain control over the victim's session, this is the principle of bypassing 2FA, we completely control the session by obtaining data about the user's session.

Looks good, but what if the attacker doesn't have the ability to add the certificate to the victim's browser?

Let's try to figure it out.

First, let's go back to editing the configuration file. Let's add some realism to what is happening.

The victim should be redirected to somewhere after logging in, which could be a real forum account, for example. For demonstration purposes, we will consider this option.
CODE:Copy to clipboard
"terminateRedirectUrl": "https://google.com"
Then we need a server with a "white" IP address where Modlishka will be located, you can use a router + forward ports if the IP is "white" static.

We will assume that you already have all this and are configured. We buy a consonant domain, we try to mimic the target site as much as possible.

In my case, this is a non-flag - phishing.protey.net

Next, we will get a certificate for it, you can buy it, but LetsEncrypt will also work for tests.
CODE:Copy to clipboard
certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok -d '*.phishing.protey.net' -d phishing.protey.net
Following the instructions, add a TXT record and get the entire set of certificates.

We are interested in two files:

• fullchain.pem
• privkey.pem

Copy them to the folder with Modlishka.

Let's go back to the configuration file, parameters:
CODE:Copy to clipboard
"cert"
"certKey"
They take values in one line, for this you need to slightly change the certificate files:
CODE:Copy to clipboard
sed -i ':a;N;$!ba;s/\n/\\n/g' privkey.pem
sed -i ':a;N;$!ba;s/\n/\\n/g' fullchain.pem
Then we just copy their contents and substitute them in the parameters so that it looks like this:

A few more edits to the configuration file:
"proxyDomain": "phishing.protey.net",
"trackingParam": "ident" - To save the victim's cookies.
"terminateTriggers": "/whats-new/", - There is no need to keep the victim constantly through a proxy, we create a trigger that, when going to the "What's new" page, will terminate the session and redirect the user to a legitimate site.

We make sure that we are ready for phishing:

• Server with Modlishka, router with white static IP, port forwarding, etc.
• Bought a domain.
• Certificates received.
• There are no errors in the config file.

We launch Modlishka and share the link with the user whose credentials we would like to receive.
CODE:Copy to clipboard
./proxy -config /usr/local/Projects/pkg/mod/github.com/drk1wi/\![email protected]/templates/protey.json
The result will be intercepted user credentials and then redirecting the user to the real site.

In the Modlishka management console, we get all the necessary information about the user's session.

Conclusion: A very simple, versatile and flexible tool, definitely useful.