First release

LICENSE

@@ -0,0 +1,80 @@
+Modlishka Public Source License
+
+The Modlishka software (henceforth referred to simply as "Modlishka") is dual-licensed - Copyright 2018 Modlishka Team.
+
+Cases that include commercialization of Modlishka require a commercial, non-free license. Otherwise, Modlishka can be used without charge under the terms set out below.
+
+1. Definitions
+
+1.1 “License” means this document.
+1.2 “Contributor” means each individual or legal entity that creates, contributes to the creation of, or owns Modlishka.
+1.3 “Modlishka Team” means Modlishka’s core developer (Piotr Duszyński) and an updated list of whom can be found within the CREDITS file.
+
+2. Commercialization
+
+A commercial use is one intended for commercial advantage or monetary compensation.
+
+Example cases of commercialization are:
+
+ - Using Modlishka to provide commercial managed/Software-as-a-Service services.
+ - Distributing Modlishka as a commercial product or as part of one.
+ - Using Modlishka as a value added service/product.
+
+Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
+
+ - Penetration testers (or penetration testing organizations) using Modlishka as part of their assessment toolkit.
+ - Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
+ - Using Modlishka to test your own systems.
+ - Any non-commercial use of Modlishka.
+
+If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us -> piotr[\at]duszynski.eu.
+
+We may grant commercial licenses at no monetary cost at our own discretion if the commercial usage is deemed by the Modlishka Team to significantly benefit Modlishka.
+
+Free-use Terms and Conditions;
+
+3. Redistribution
+
+Redistribution is permitted under the following conditions:
+
+ - Unmodified License is provided with Modlishka.
+ - Unmodified Copyright notices are provided with Modlishka.
+ - Does not conflict with the commercialization clause.
+
+4. Copying
+
+Copying is permitted so long as it does not conflict with the Redistribution clause.
+
+5. Modification
+
+Modification is permitted so long as it does not conflict with the Redistribution clause.
+
+6. Contributions
+
+Any Contributions assume the Contributor grants the Modlishka Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.
+
+7. Support
+
+Modlishka is provided under an AS-IS basis and without any support, updates or maintenance. Support, updates and maintenance may be given according to the sole discretion of the Modlishka Team.
+
+8. Disclaimer of Warranty
+
+Modlishka is provided under this License on an “as is” basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Modlishka is free of defects, merchantable, fit for a particular purpose or non-infringing.
+
+9. Limitation of Liability
+
+To the extent permitted under Law, Modlishka is provided under an AS-IS basis. The Modlishka Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of Modlishka's actions, failure, bugs and/or any other interaction between Modlishka and end-equipment, computers, other software or any 3rd party, end-equipment, computer, people or services.
+
+10. Disclaimer
+
+Running Modlishka against websites without prior mutual consent may be illegal in your country. The Modlishka Team accept no liability and are not responsible for any misuse or damage caused by Modlishka.
+
+11. Trademark
+
+This License does not grant the use of the "Modlishka" trademark or the use of the Modlishka logo.
+
+
+Note:
+
+This License is based on the "WPScan" License, with the consent of the WPScan Team.
+This project is using MIT, BSD licensed libraries and libraries copyrighted by "The Go Authors" : "Copyright (c) 2009 The Go Authors. All rights reserved."

Makefile

@@ -0,0 +1,46 @@
+MAIN_FILE=main.go
+TEST_FILE=main_test.go
+BINARY_NAME=proxy
+BINARY_LINUX=$(BINARY_NAME)_linux
+BINARY_WINDOWS=$(BINARY_NAME)_windows
+BINARY_BSD=$(BINARY_NAME)_freebsd
+
+GO=go
+GOBUILD=$(GO) build
+GOCLEAN=$(GO) clean
+GOTEST=$(GO) test
+GOGET=$(GO) get
+
+.DEFAULT_GOAL := all
+.PHONY: test
+
+DIST_DIR=dist
+TEST_DIR=
+all: test build
+build:
+	$(GOBUILD) -ldflags "-s -w" -o $(DIST_DIR)/$(BINARY_NAME)   $(MAIN_FILE)
+test:
+	$(GOTEST) -v $(MAIN_FILE) $(TEST_FILE)
+clean:
+	$(GOCLEAN)
+	rm -f $(DIST_DIR)/$(BINARY_NAME)
+	rm -f $(DIST_DIR)/$(BINARY_LINUX)
+	rm -f $(DIST_DIR)/$(BINARY_WINDOWS)
+	rm -f $(DIST_DIR)/$(BINARY_BSD)
+
+deps:
+	$(GOGET) ./..
+
+
+build_linux: test linux
+build_freebsd: test freebsd
+build_windows: test windows
+
+linux:
+	GOOS=linux GOARCH=amd64 $(GOBUILD) -ldflags "-s -w" -o $(DIST_DIR)/$(BINARY_LINUX)  $(MAIN_FILE)
+
+windows:
+	GOOS=windows GOARCH=amd64 $(GOBUILD) -ldflags "-s -w" -o $(DIST_DIR)/$(BINARY_WINDOWS)  $(MAIN_FILE)
+
+freebsd:
+	GOOS=freebsd GOARCH=amd64 $(GOBUILD) -ldflags "-s -w" -o $(DIST_DIR)/$(BINARY_BSD)  $(MAIN_FILE)

config/config.go

@@ -0,0 +1,182 @@
+/**
+
+    "Modlishka" Reverse Proxy.
+
+    Copyright 2018 (C) Piotr Duszyński piotr[at]duszynski.eu. All rights reserved.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+    You should have received a copy of the Modlishka License along with this program.
+
+**/
+
+package config
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"flag"
+	"github.com/drk1wi/Modlishka/log"
+	"io/ioutil"
+	"os"
+)
+
+type Options struct {
+	PhishingDomain       *string `json:"phishingDomain"`
+	ListeningPort        *string `json:"listeningPort"`
+	ListeningAddress     *string `json:"listeningAddress"`
+	Target               *string `json:"target"`
+	TargetRes            *string `json:"targetResources"`
+	TargetRules          *string `json:"targetRules"`
+	JsRules              *string `json:"jsRules"`
+	TerminateTriggers    *string `json:"terminateTriggers"`
+	TerminateRedirectUrl *string `json:"terminateRedirectUrl"`
+	TrackingCookie       *string `json:"trackingCookie"`
+	TrackingParam        *string `json:"trackingParam"`
+	UseTls               *bool   `json:"useTls"`
+	Debug                *bool   `json:"debug"`
+	LogPostOnly          *bool   `json:"logPostOnly"`
+	DisableSecurity      *bool   `json:"disableSecurity"`
+	LogFile              *string `json:"log"`
+	Plugins              *string `json:"plugins"`
+	*TLSConfig
+}
+
+type TLSConfig struct {
+	TLSCertificate *string `json:"cert"`
+	TLSKey         *string `json:"certKey"`
+	TLSPool        *string `json:"certPool"`
+}
+
+var (
+	C = Options{
+		PhishingDomain:   flag.String("phishingDomain", "", "Phishing domain to create - Ex.: target.co"),
+		ListeningPort:    flag.String("listeningPort", "443", "Listening port"),
+		ListeningAddress: flag.String("listeningAddress", "127.0.0.1", "Listening address"),
+		Target:           flag.String("target", "", "Main target to proxy - Ex.: https://target.com"),
+		TargetRes: flag.String("targetRes", "",
+			"Comma separated list of target subdomains that need to pass through the reverse proxy - example: static.target.com"),
+		TerminateTriggers: flag.String("terminateTriggers", "",
+			"Comma separated list of URLs from target's origin which will trigger session termination"),
+		TerminateRedirectUrl: flag.String("terminateUrl", "",
+			"URL to redirect the client after session termination triggers"),
+		TargetRules: flag.String("rules", "",
+			"Comma separated list of 'string' patterns and their replacements. Example base64(new):base64(old),"+
+				"base64(newer):base64(older)"),
+		JsRules: flag.String("jsRules", "", "Comma separated list of URL patterns and JS base64 encoded payloads that will be injected. Example google.com:base64(alert(1)),..,etc"),
+
+		TrackingCookie: flag.String("trackingCookie", "id", "Name of the HTTP cookie used to track the victim"),
+		TrackingParam:  flag.String("trackingParam", "id", "Name of the HTTP parameter used to track the victim"),
+
+		UseTls:          flag.Bool("tls", false, "Enable TLS"),
+		Debug:           flag.Bool("debug", false, "Print debug information"),
+		DisableSecurity: flag.Bool("disableSecurity", false, "Disable security features like anti-SSRF. Disable at your own risk."),
+
+		LogPostOnly: flag.Bool("postOnly", false, "Log only HTTP POST requests"),
+		LogFile:     flag.String("log", "", "Local file to which fetched requests will be written (appended)"),
+
+		Plugins: flag.String("plugins", "all", "Comma separated list of enabled plugin names"),
+	}
+
+	s = TLSConfig{
+		TLSCertificate: flag.String("cert", "", "base64 encoded TLS certificate"),
+		TLSKey:         flag.String("certKey", "", "base64 encoded TLS certificate key"),
+		TLSPool:        flag.String("certPool", "", "base64 encoded Certification Authority certificate"),
+	}
+
+	JSONConfig = flag.String("config", "", "JSON configuration file. Convenient instead of using command line switches.")
+)
+
+func ParseConfiguration() Options {
+
+	flag.Parse()
+
+	// Parse JSON for config
+	if len(*JSONConfig) > 0 {
+		C.parseJSON(*JSONConfig)
+	}
+
+	// Process TLS configuration
+	C.TLSConfig = &s
+
+	// we can assume that if someone specified one of the following cmd line parameters then he should define all of them.
+	if len(*s.TLSCertificate) > 0 || len(*s.TLSKey) > 0 || len(*s.TLSPool) > 0 {
+
+		// Handle TLS Certificates
+		if *C.UseTls {
+			if len(*C.TLSCertificate) > 0 {
+				decodedCertificate, err := base64.StdEncoding.DecodeString(*C.TLSCertificate)
+				if err == nil {
+					*C.TLSCertificate = string(decodedCertificate)
+
+				}
+
+			}
+
+			if len(*C.TLSKey) > 0 {
+				decodedCertificateKey, err := base64.StdEncoding.DecodeString(*C.TLSKey)
+				if err == nil {
+					*C.TLSKey = string(decodedCertificateKey)
+				}
+			}
+
+			if len(*C.TLSPool) > 0 {
+				decodedCertificatePool, err := base64.StdEncoding.DecodeString(*C.TLSPool)
+				if err == nil {
+					*C.TLSPool = string(decodedCertificatePool)
+				}
+			}
+		}
+
+	}
+
+	return C
+}
+
+func (c *Options) parseJSON(file string) {
+
+	ct, err := os.Open(file)
+	defer ct.Close()
+	if err != nil {
+		log.Fatalf("Error opening JSON configuration (%s): %s . Terminating.", file, err)
+	}
+
+	ctb, _ := ioutil.ReadAll(ct)
+	err = json.Unmarshal(ctb, &c)
+	if err != nil {
+		log.Fatalf("Error unmarshalling JSON configuration (%s): %s . Terminating.", file, err)
+	}
+
+	err = json.Unmarshal(ctb, &s)
+	if err != nil {
+		log.Fatalf("Error unmarshalling JSON configuration (%s): %s . Terminating.", file, err)
+	}
+
+	C.TLSConfig = &s
+
+}
+
+func (c *Options) VerifyConfiguration() {
+
+	if *c.UseTls == false {
+
+		if len(*c.PhishingDomain) == 0 || len(*c.PhishingDomain) == 0 {
+			log.Warningf("Missing required configuration to start the proxy . Terminating.")
+			log.Warningf("TIP: You will need to specify at least the following parameters to serve the page over HTTP: phishing and target.")
+			flag.PrintDefaults()
+			os.Exit(1)
+		}
+	}
+
+	if *c.UseTls == true {
+		if len(*c.PhishingDomain) == 0 || len(*c.PhishingDomain) == 0 || c.TLSCertificate == nil || c.TLSKey == nil {
+			log.Warningf("Missing required configuration to start the proxy . Terminating.")
+			log.Warningf("Tip: You will need to specify at least the following parameters to serve the page over HTTPS : phishing, target, cert and certKey.")
+			flag.PrintDefaults()
+			os.Exit(1)
+		}
+	}
+
+}