
Modlishka
The Lens
Mitmproxy intercepts, inspects, and modifies HTTP/HTTPS traffic between your applications and the internet in real time. It's a tool that demonstrates why SMS and TOTP-based 2FA aren't as secure as people think.
Fully free. No paid tier. This is a security research tool, not a commercial product. Set it up, point it at a target domain, and it automatically mirrors the real site while capturing everything the user types, including one-time 2FA codes.
The catch: this is a double-edged sword. It's designed for authorized penetration testing only. Using it against targets without permission is illegal. The project hasn't been actively maintained, and modern phishing-resistant methods like WebAuthn/passkeys defeat it entirely. If you're a defender, this tool shows you exactly why you should be pushing your org toward hardware security keys instead of SMS codes.
Free vs Self-Hosted vs Paid
Fully free. Fully open source. No paid tier, no hosted version, no commercial offering.
**Zero cost.** You need a VPS ($5/mo), a domain, and a TLS certificate (free via Let's Encrypt). Total operational cost: ~$5-10/mo during an active engagement.
**Context:** Commercial phishing simulation platforms (KnowBe4, Proofpoint) charge $10-25/user/year and include training content, reporting, and compliance features. Modlishka is a raw technical tool. No reporting dashboard, no user training, no compliance templates. It tests the mechanism, not the organization.
Free. Security research tool with no commercial offering.
About
- Owner: drk1wi (Organization)
- Stars: 5,304
- Forks: 946

