DATA – Credential Phish Analysis and Automation

BUCKLEGRIPPER (py)

  • Given a suspected phishing url or file of line separated urls, visit, screenshot, and scrape for interesting files.
  • Requirements can be installed by running or reviewing install_bucklegripper_deps.sh
usage: bucklegripper.py [-h] [-u URL] [-s SOURCE] [-r READFILE] [-a USERAGENT]

Visit a suspected phishing page, screenshot it and pillage it for phishing
archives

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Url to visit
-s SOURCE, --source SOURCE
Apply a source to where this url came from
-r READFILE, --readfile READFILE
Read in a file of URLs one per line
-a USERAGENT, --useragent USERAGENT
Custom User-Agent

Example of reading in a single url

$ python bucklegripper.py -s openphish -u http://ift.tt/2sDG0GR 

.: BUCKLEGRIPPER v0.1 http://ift.tt/2s4tO4V :.

[+] Processing http://ift.tt/2sDG0GR
[+] Screencapped http://ift.tt/2sDG0GR as 20170503-032950-openphish-http://ift.tt/2sDWjUi
[+] Found Zip file at http://ift.tt/2s4zSL3
[+] Saved http://ift.tt/2s4zSL3 as 20170503-032950-openphish-http://ift.tt/2sDZgEq
[+] Found Opendir at http://ift.tt/2s4HA7Z
[+] Found php file: http://ift.tt/2sE1ZNW
[+] Found Opendir at http://ift.tt/2s4oTRQ
[+] Saved http://ift.tt/2s4zSL3 as 20170503-032951-openphish-http://ift.tt/2sDZgEq
[+] Found Opendir at http://ift.tt/2sDNiut
[+] Found Opendir at http://ift.tt/2s49IYF
[+] Found Opendir at http://ift.tt/2sEfQUw

Example of reading in a file of line separated urls

$ python bucklegripper.py -s openphish -r ../../test_urls.txt

.: BUCKLEGRIPPER v0.1 http://ift.tt/2s4tO4V :.

[+] Beginning processing of ../../test_urls.txt

[+] Processing http://ift.tt/2s4Hz3V
[+] Screencapped http://ift.tt/2s4Hz3V as 20170503-010034-openphish-onjasela.net.png

[+] Processing http://ift.tt/2sDPDWl
[+] Screencapped http://ift.tt/2sDPDWl as 20170503-010053-openphish-suesschool.com.png
[+] Found Opendir at http://ift.tt/2s4HTQ4
[+] Found php file: http://ift.tt/2sDPDWl
[+] Found php file: http://ift.tt/2sE218w
[+] Found php file: http://ift.tt/2s4v34n
[+] Found Opendir at http://ift.tt/2sE25Fd
[+] Found php file: http://ift.tt/2s4nFpp
[+] Found php file: http://ift.tt/2sEkwtM
[+] Found php file: http://ift.tt/2s4ztrS
[+] Found Zip file at http://ift.tt/2sDW1g1
[+] Saved http://ift.tt/2sDW1g1 as 20170503-010125-openphish-suesschool.com-yahoologin.zip
[+] Found Opendir at http://ift.tt/2s4zWKG

[+] Processing http://ift.tt/2sDBSXt
[+] Screencapped http://ift.tt/2sDBSXt as 20170503-010138-openphish-communitypartnersjc.org.png

[+] Processing http://ift.tt/2s4yOXm
[+] Screencapped http://ift.tt/2s4yOXm as 20170503-010148-openphish-ytrdesh.com.png

...continues...
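As an added illustration (not bucklegripper's own code), here is the open-directory check and file classification that the runs above report, applied offline to a constructed Apache-style listing page; the sample HTML, the base URL and the archive extensions are assumptions:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample of an Apache-style autoindex page (not real data).
SAMPLE_OPENDIR_HTML = """<html><head><title>Index of /kit</title></head>
<body><h1>Index of /kit</h1><pre>
<a href="../">Parent Directory</a>
<a href="login.php">login.php</a>
<a href="yahoologin.zip">yahoologin.zip</a>
<a href="images/">images/</a>
<a href="style.css">style.css</a>
</pre></body></html>"""

class _LinkCollector(HTMLParser):
    """Collects every href and the page title."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.title, self._in_title = [], "", False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)
        elif tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def pillage(base_url, html):
    """Classify one fetched page: open listing?, archives to save, PHP files, subdirs."""
    p = _LinkCollector()
    p.feed(html)
    # Apache and nginx autoindex pages title themselves "Index of /...".
    opendir = re.match(r"\s*Index of /", p.title) is not None
    result = {"opendir": opendir, "zips": [], "php": [], "dirs": []}
    for href in p.hrefs:
        if href.startswith(("..", "?", "#")):
            continue  # parent link, autoindex sort links, fragments
        absolute = urljoin(base_url, href)
        lower = href.lower()
        if lower.endswith((".zip", ".rar", ".tar.gz", ".7z")):
            result["zips"].append(absolute)
        elif lower.endswith(".php"):
            result["php"].append(absolute)
        elif href.endswith("/"):
            result["dirs"].append(absolute)
    return result
```

Saving the archive (the "Saved ... as ...zip" step) and recursing into `dirs` is left to the caller; the classifier itself never touches the network.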

BULLYBLINDER (py)

  • While capturing a pcap, visit a suspected phishing page. Handle redirectors and obfuscation to find a web form. Scrape the form and make educated guesses at what should be entered into the fields. Submit the form and repeat.
  • Requirements can be installed by running or reviewing install_bullyblinder_deps.sh
usage: bullyblinder.py [-h] -u URL [-a USERAGENT] -i INTERFACE

Visit a suspected phishing page and attempt form filling while getting a pcap

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Url to visit
-a USERAGENT, --useragent USERAGENT
Custom User-Agent to use
-i INTERFACE, --interface INTERFACE
Interface to tell tshark to listen on

Example Usage

$ python bullyblinder.py -i eth0 -u http://ift.tt/2sDSO08

.: BULLYBLINDER v0.1 http://ift.tt/2s4tO4V :.

[+] Preparing pcap: 20170503-033243-http://ift.tt/2s4zT1z

[+] Processing http://ift.tt/2sDSO08

[+] Submitting POST
[+] Control: <HiddenControl(hidCflag=1)>, Control.Type: hidden, Control.Name: hidCflag, Control.ID: hidCflag
[+] Control: <SelectControl(<None>=[])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*0])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*1])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*2])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*3])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*4])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <TextControl(Email=shannonjudith@gmail.com)>, Control.Type: email, Control.Name: Email, Control.ID: Email
[+] Control: <PasswordControl(Passwd=696969)>, Control.Type: password, Control.Name: Passwd, Control.ID: Passwd
[+] Control: <SubmitControl(signIn=Sign in to view attachment) (readonly)>, Control.Type: submit, Control.Name: signIn, Control.ID: signIn
[+] Control: <CheckboxControl(PersistentCookie=[yes])>, Control.Type: checkbox, Control.Name: PersistentCookie, Control.ID: PersistentCookie
[+] Control: <HiddenControl(rmShown=1) (readonly)>, Control.Type: hidden, Control.Name: rmShown, Control.ID: None

[-] No form found, checking for redirectors and obfuscation.

[+] Found js window.location or document.location, processing the redir

[+] http://ift.tt/JpZz7W appears to be a legitimate website.

[+] Complete! Submitted 1 form(s)

[+] Url Request Chain:
http://ift.tt/2sEktOC
--http://ift.tt/2sEktOC
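An added example, not bullyblinder's code, of the scrape-and-guess step behind the control dump above, run offline on a constructed form; the canary values and the field-name heuristics are assumptions, and nothing here submits anything:

```python
from html.parser import HTMLParser

# Constructed sample of a credential-harvesting form like the one enumerated above.
SAMPLE_FORM_HTML = """<form action="post.php" method="post">
<input type="hidden" name="hidCflag" value="1">
<input type="email" name="Email" id="Email">
<input type="password" name="Passwd" id="Passwd">
<input type="checkbox" name="PersistentCookie" value="yes">
<input type="submit" name="signIn" value="Sign in to view attachment">
</form>"""

# Canary values: obviously fake, but unique enough to search for later in the pcap
# or in any drop file the kit writes. Assumed here, not bullyblinder's own list.
CANARY = {"email": "canary-user@example.invalid", "password": "Canary-Pa55!"}

class _FormParser(HTMLParser):
    """Records each form's action and method together with its input controls."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": a.get("method", "get").lower(),
                               "controls": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["controls"].append(
                {"type": a.get("type", "text").lower(), "name": a.get("name"),
                 "id": a.get("id"), "value": a.get("value")})

def guess_value(control):
    """Educated guess keyed on control type first, then on the field name."""
    t, name = control["type"], (control["name"] or "").lower()
    if t in ("hidden", "submit", "checkbox"):
        return control["value"]  # keep page-supplied values; tick the checkbox
    if t == "password" or "pass" in name or "pwd" in name:
        return CANARY["password"]
    if t == "email" or any(w in name for w in ("mail", "user", "login")):
        return CANARY["email"]
    return "canary"

def plan_submission(html):
    """(action, method, payload) for the first form asking for a password, else None."""
    p = _FormParser()
    p.feed(html)
    for form in p.forms:
        if any(c["type"] == "password" for c in form["controls"]):
            payload = {c["name"]: guess_value(c) for c in form["controls"] if c["name"]}
            return form["action"], form["method"], payload
    return None
```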

SLICKSHOES (sh)

  • A basic bash script that pulls URLs out of PDFs, whether hidden in streams or in clear view.
  • The only argument to the script is the path to a folder containing the PDFs you want to process.
  • REQUIRES pdf-parser.py from http://ift.tt/2gwAXkC; set its location in the first line of the script.

Example Usage

$ ./slickshoes.sh ~/PDFs/
http://ift.tt/2sDQ4Qe
http://ift.tt/2s4IMYC
http://ift.tt/2sDSP4c
http://ift.tt/2s4jlXk
http://ift.tt/2sDFZ5L
http://ift.tt/2s4yQ1q
http://ift.tt/2sDSPBe
http://ift.tt/2s4yQys
http://ift.tt/2sDSQ8g
...continues...
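An added example, not slickshoes or pdf-parser.py, of the same idea in Python: URLs are pulled both from clear view and from inside a FlateDecode stream of a constructed minimal PDF; the sample PDF and the URLs in it are constructed, not real samples:

```python
import re
import zlib

# URL characters per RFC 3986; trailing delimiters are stripped afterwards.
URL_RE = re.compile(rb"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
# A PDF stream body sits between "stream\n" and "\nendstream" (the lookbehind
# avoids matching the "stream" inside "endstream").
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)

def build_sample_pdf():
    """Constructed minimal PDF (not a real sample): one URL in a clear-view
    /URI link annotation and one hidden inside a FlateDecode-compressed
    JavaScript stream, which a plain grep for http:// would miss."""
    js = b"app.launchURL('http://hidden.example.invalid/kit/login.php');"
    packed = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (http://clear.example.invalid/doc.php) >> >> endobj\n"
            b"2 0 obj << /Length " + str(len(packed)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + packed +
            b"\nendstream\nendobj\n%%EOF\n")

def inflate(data):
    """Decompress a FlateDecode stream, keeping whatever a truncated or
    corrupt stream yields instead of failing the whole file."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""

def extract_urls(pdf_bytes):
    """Return sorted unique URLs seen in clear view or inside deflated streams."""
    found = {m.group(0) for m in URL_RE.finditer(pdf_bytes)}
    for m in STREAM_RE.finditer(pdf_bytes):
        found.update(u.group(0) for u in URL_RE.finditer(inflate(m.group(1))))
    # Drop delimiters the regex legitimately matched but which only close the
    # surrounding PDF string or JavaScript call.
    return sorted(u.decode("ascii", "replace").rstrip(").,;'\"") for u in found)

if __name__ == "__main__":
    for url in extract_urls(build_sample_pdf()):
        print(url)
```

Streams using other filters (LZW, ASCIIHex, object streams) are not decoded here, which is the gap pdf-parser.py fills for the real script.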

*PINCHERSOFPERIL and BULLYBUSTER are WIP
DATA scripts are a constant work in progress. Feedback, issues, and additions are welcomed.
Proper python packages will be created once sufficient testing and features have been added and more bugs have been squashed.

Troubleshooting
If you have pcap writing issues (observed on some VPS hosts), use this to fix up dumpcap permissions:

sudo chgrp YOUR_USER /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap

Be sure to disable NIC offload features when capturing traffic; run this as root. Checksum errors will cause all sorts of nightmares.

# for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done

from KitPloit – PenTest Tools! http://ift.tt/2sEab0D
