How to HACK GMAIL 2019 WITH 2FA BYPASS

After the hassle of phishing a target's Gmail account details, the next thing a hacker worries about is how to avoid triggering the 2FA protection that Google puts in place to prevent hacks. With a tool like "Modlishka", you can phish your target's Gmail credentials as well as the 2FA verification code. Wondering how?


Modlishka is a flexible and powerful reverse proxy that will take your phishing campaigns to the next level (with minimal effort required from your side).
Enjoy :-)

Features

Some of the most important 'Modlishka' features:

  • Support for the majority of 2FA authentication schemes (by design).
  • No website templates (just point Modlishka to the target domain - in most cases, it will be handled automatically).
  • Full control of "cross" origin TLS traffic flow from your victim's browsers.
  • Flexible and easily configurable phishing scenarios through configuration options.
  • Pattern-based JavaScript payload injection.
  • Stripping all encryption and security headers from the website (back to 90's MITM style).
  • User credential harvesting (with context based on identifiers passed as URL parameters).
  • Can be extended with your ideas through plugins.
  • Stateless design. Can be scaled up easily for an arbitrary number of users, e.g. through a DNS load balancer.
  • Web panel with a summary of collected credentials and user session impersonation (beta).
  • Written in Go.


Action
"A picture is worth a thousand words":
Modlishka in action against an example 2FA (SMS) enabled authentication scheme:


Note: google.com was chosen here just as a POC.

Installation
The latest source code version can be fetched from here (zip) or here (tar).
Fetch the code with 'go get':

$ go get -u github.com/drk1wi/Modlishka

Compile the binary and you are ready to go:

$ cd $GOPATH/src/github.com/drk1wi/Modlishka/
$ make

# ./dist/proxy -h


Usage of ./dist/proxy:
  -cert string
     base64 encoded TLS certificate
  -certKey string
     base64 encoded TLS certificate key
  -certPool string
     base64 encoded Certification Authority certificate
  -config string
     JSON configuration file. Convenient instead of using command line switches.
  -credParams string
     Credential regexp collector with matching groups. Example: base64(username_regex),base64(password_regex)
  -debug
     Print debug information
  -disableSecurity
     Disable security features like anti-SSRF. Disable at your own risk.
  -jsRules string
     Comma separated list of URL patterns and JS base64 encoded payloads that will be injected.
  -listeningAddress string
     Listening address (default "127.0.0.1")
  -listeningPort string
     Listening port (default "443")
  -log string
     Local file to which fetched requests will be written (appended)
  -phishing string
     Phishing domain to create - Ex.: target.co
  -plugins string
     Comma seperated list of enabled plugin names (default "all")
  -postOnly
     Log only HTTP POST requests
  -rules string
     Comma separated list of 'string' patterns and their replacements.
  -target string
     Main target to proxy - Ex.: https://target.com
  -targetRes string
     Comma separated list of target subdomains that need to pass through the proxy
  -terminateTriggers string
     Comma separated list of URLs from target's origin which will trigger session termination
  -terminateUrl string
     URL to redirect the client after session termination triggers
  -tls
     Enable TLS (default false)
  -trackingCookie string
     Name of the HTTP cookie used to track the victim (default "id")
  -trackingParam string
     Name of the HTTP parameter used to track the victim (default "id")
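
From the defender's side, the header stripping listed under Features and the default "id" tracking cookie and parameter shown in the help output are observable in a relayed response. The following added example (not part of the original post or of Modlishka) triages one observed login-page response; the baseline header set, the allowlisted host and the sample observations are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed baseline: security headers the genuine login page is known to send.
BASELINE_HEADERS = {"strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options"}
TRACKING_DEFAULT = "id"  # default value of -trackingCookie and -trackingParam


def proxy_indicators(url, headers, cookie_names, legit_hosts):
    """List the relay indicators present in one observed login-page response."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    found = []
    if host not in legit_hosts:
        found.append("unexpected-host")
    # Header names are case-insensitive, so compare in lower case.
    if BASELINE_HEADERS - {name.lower() for name in headers}:
        found.append("security-headers-missing")
    # A cookie or parameter called "id" is common; it only adds weight
    # to the other indicators and means little by itself.
    if TRACKING_DEFAULT in cookie_names:
        found.append("default-tracking-cookie")
    if TRACKING_DEFAULT in parse_qs(parts.query, keep_blank_values=True):
        found.append("default-tracking-param")
    return found


def verdict(indicators):
    """Collapse indicators into a triage label."""
    if "unexpected-host" in indicators and len(indicators) > 1:
        return "relay-suspected"
    if "unexpected-host" in indicators:
        return "unknown-host"
    return "header-regression" if "security-headers-missing" in indicators else "ok"


# Constructed observations (hosts under example.com / .test are placeholders).
LEGIT_HOSTS = {"login.example.com"}
GENUINE = ("https://login.example.com/signin",
           {"Strict-Transport-Security": "max-age=31536000",
            "Content-Security-Policy": "default-src 'self'",
            "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"},
           {"session"})
RELAYED = ("https://login.example-sso.test/signin?id=abc123",
           {"Content-Type": "text/html"}, {"id", "session"})

if __name__ == "__main__":
    for url, headers, cookies in (GENUINE, RELAYED):
        print(url, verdict(proxy_indicators(url, headers, cookies, LEGIT_HOSTS)))
```

Both defaults are configurable, so their absence proves nothing; the host allowlist is the indicator that carries the verdict.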

Usage

  • Check out the wiki page for a more detailed overview of the tool usage.
  • FAQ (Frequently Asked Questions)
  • Blog post

Credits
Thanks for helping with the code go to Giuseppe Trotta.
