Showing posts with label Phishing Attacks. Show all posts

Sunday, March 4, 2018

A Unicode Domain Phishing Generator for IDN Homograph Attack - EvilURL v2.0


Generate unicode evil domains for IDN Homograph Attack and detect them.

PREREQUISITES
  • python 3.x for evilurl3.py
TESTED ON: Kali Linux - ROLLING EDITION

CLONE
git clone https://github.com/UndeadSec/EvilURL.git

RUNNING
cd EvilURL
python3 evilurl.py

CHANGELOG
  • Full script updated to Python 3.x
    { Python 2.x support closed }
  • CheckURL Module.
    { Now you can check if a URL is evil.
    Now you can check connection from an evil URL. }
  • Better interactivity.
    { Better interface and design. }
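
A defender-side check for the homograph technique this tool targets, as an added example (it is not EvilURL's code and does not describe how its CheckURL module works): it flags hostname labels that contain non-ASCII characters or mix Unicode scripts and reports their punycode form. The function names and the coarse script classification taken from Unicode character names are assumptions of this example.

```python
import unicodedata

def script_of(ch):
    """Coarse script tag from the Unicode character name (assumption: the
    first word of the name, e.g. LATIN or CYRILLIC, identifies the script)."""
    if ch in "0123456789-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def inspect_host(host):
    """Return one finding per label that contains non-ASCII characters."""
    findings = []
    for raw in host.lower().rstrip(".").split("."):
        label = raw
        if raw.startswith("xn--"):
            # Punycode label as seen in logs or certificates: decode it first.
            try:
                label = raw.encode("ascii").decode("idna")
            except UnicodeError:
                findings.append({"label": raw, "reason": "undecodable punycode"})
                continue
        non_ascii = [c for c in label if ord(c) > 127]
        if not non_ascii:
            continue
        scripts = sorted({script_of(c) for c in label} - {"COMMON"})
        try:
            ascii_form = label.encode("idna").decode("ascii")
        except UnicodeError:
            ascii_form = None
        findings.append({
            "label": label,
            "ascii": ascii_form,
            "scripts": scripts,
            "reason": "mixed-script" if len(scripts) > 1 else "non-ASCII single-script",
            "code_points": [f"U+{ord(c):04X}" for c in non_ascii],
        })
    return findings

# Constructed samples: Cyrillic U+0430 in place of Latin "a", the same name
# in punycode form, and a plain ASCII name.
SAMPLES = ["\u0430pple.com", "xn--pple-43d.com", "example.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(ascii(host), inspect_host(host))
```

A single-script result can still be a lookalike (an all-Cyrillic label, for instance), so treat it as a prompt to compare the label against the names you protect.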


Sunday, January 7, 2018

People tracker on the Internet (The evolution of phishing attacks) OSINT - Trape


Trape is a recognition tool that allows you to track people; the information you can get is very detailed. Through it, we want to teach the world how large Internet companies could monitor you, obtaining information beyond your IP.

Some benefits
  • One of its most enticing functions is the remote recognition of sessions. You can know where a person has logged in, remotely. This occurs through a bypass of the Same Origin Policy (SOP).
  • Currently you can try everything from a web interface. (The console becomes a preview of the logs and actions.)
  • Registration of victims, requests among other data are obtained in real time.
  • If you get more information from a person behind a computer, you can generate a more direct and sophisticated attack. Trape was used at some point to track down criminals and know their behavior.
  • You can do real time phishing attacks
  • Simple hooking attacks
  • Mapping
  • Important details of the objective
  • Capturing credentials
  • Open Source Intelligence (OSINT)

Recognizes the sessions of the following services
  • Facebook
  • Twitter
  • VK
  • Reddit
  • Gmail
  • tumblr
  • Instagram
  • Github
  • Bitbucket
  • Dropbox
  • Spotify
  • PayPal
  • Amazon

How to use it
First download the tool.
git clone https://github.com/boxug/trape.git
cd trape
python trape.py -h
If it does not work, try to install all the libraries that are located in the file requirements.txt
pip install -r requirements.txt
Example of execution
Example: python trape.py --url http://example.com --port 8080
  • In the --url option you must put the lure; it can be a news page, an article, or anything that serves as a presentation page.
  • In the --port option you just put the port where you want it to run.
  • Do you like to monitor your people? Everything is possible with Trape
  • Do you want to perform phishing attacks? Everything is possible with Trape
  • In the files directory, located at the path /static/files, you add the files with .exe extension or the download files sent to the victim.

Here are some simple videos to use:
Spanish: https://www.youtube.com/watch?v=ptyuCQmMKiQ
English: https://www.youtube.com/watch?v=FdwyIZhUx3Y
At an international security event in Colombia, called DragonJAR Security Conference 2017, a demonstration was made before the launch. You can watch the video here: https://www.youtube.com/watch?v=vStSEsznxgE

Disclaimer
This tool has been published for educational purposes, in order to teach people how bad guys could track them, monitor them or obtain information from their credentials. We are not responsible for the use or the scope that people may give to this project.
We are totally convinced that if we teach how vulnerable things are, we can make the Internet a safer place.

Developers or participants
The following people are part of the core of development and research in Boxug.
For this development and others, the participants will be mentioned with name, Twitter and role.



Thursday, December 1, 2016

Phishing Campaign Toolkit - King Phisher 1.5.2



King Phisher is a tool for testing and promoting user awareness by simulating real world phishing attacks. It features an easy to use, yet very flexible architecture allowing full control over both emails and server content. King Phisher can be used to run campaigns ranging from simple awareness training to more complicated scenarios in which user aware content is served for harvesting credentials.
King Phisher is only to be used for legal applications when the explicit permission of the targeted organization has been obtained.
Get the latest stable version from the GitHub Releases Page or use git to check out the project from source.
For instructions on how to install, please see the INSTALL.md file. After installing, for instructions on how to get started please see the wiki.

Feature Overview
  • Run multiple phishing campaigns simultaneously
  • Send email with embedded images for a more legitimate appearance
  • Optional Two-Factor authentication
  • Credential harvesting from landing pages
  • SMS alerts regarding campaign status
  • Web page cloning capabilities
  • Integrated Sender Policy Framework (SPF) checks
  • Geo location of phishing visitors
  • Send email with calendar invitations

Plugins
Both the client and server can be extended with functionality provided by plugins. A small number of plugins are packaged with King Phisher and additional ones are available in the Plugins repository.

Template Files
Template files for both messages and server pages can be found in the separate King Phisher Templates repository. Any contributions regarding templates should also be submitted via a pull request to the templates repository.

Message Template Variables
The client message templates are formatted using the Jinja2 templating engine and support a number of variables. These are included here as a reference, check the templates wiki page for comprehensive documentation.
Variable Name             Variable Value
client.company_name       The target's company name
client.email_address      The target's email address
client.first_name         The target's first name
client.last_name          The target's last name
client.message_id         The unique tracking identifier (this is the same as uid)
sender.email              The email address in the "Source Email (MIME)" field
sender.friendly_alias     The value of the "Friendly Alias" field
sender.reply_to           The value of the "Reply To" field
url.tracking_dot          URL of an image used for message tracking
url.webserver             Phishing server URL with the uid parameter
url.webserver_raw         Phishing server URL without any parameters
tracking_dot_image_tag    The tracking image in a preformatted <img /> tag
uid                       The unique tracking identifier (this is the same as client.message_id)
The uid is the most important, and must be present in links that the messages contain.

Documentation
Documentation for users of the application is provided on the project's wiki page. This includes steps to help new users get started with their first campaigns. Additional technical documentation intended for developers is kept separate, as outlined in the section below.

Code Documentation
King Phisher uses Sphinx for internal technical documentation. This documentation can be generated from source with the command sphinx-build -b html docs/source docs/html. The latest documentation is kindly hosted on ReadTheDocs at king-phisher.readthedocs.io.

License
King Phisher is released under the BSD 3-clause license, for more details see the LICENSE file.

Credits
Special Thanks (QA / Beta Testing):
  • Jake Garlie - jagar
  • Jeremy Schoeneman - Shad0wman
  • Ken Smith - p4tchw0rk
  • Brianna Whittaker
King Phisher Development Team:



Tuesday, May 10, 2016

HTTP Server for Phishing - Weeman v1.7



HTTP server for phishing in Python (and framework). Usually you will want to run Weeman with a DNS spoof attack (see dsniff, ettercap).

Press
  • 1.7 - is out 25-03-2016
  • Added profiles
  • Weeman framework 0.1 is out !!!
  • Added command line options.
  • Beautifulsoup dependency removed.

Weeman will do the following steps:
  1. Create fake html page.
  2. Wait for clients
  3. Grab the data (POST).
  4. Try to login the client to the original page

The framework

You can use weeman with modules; see the examples in modules/. Just run the command framework to access the framework.

Write a module for the framework

If you want to write a module please read the modules/. Soon I will write docs for the API.


Profiles

You can load profiles in weeman, for example profile for mobile site and profile for desktop site.
./weeman.py -p mobile.localhost.profile

Requirements
  • Python <= 2.7.

Platforms
  • Linux (any)
  • Mac (Tested)
  • Windows (Not supported)

Contributing

Contributions are very welcome!
  1. fork the repository
  2. clone the repo (git clone git@github.com:USERNAME/weeman.git)
  3. make your changes
  4. Add yourself in contributors.txt
  5. push the repository
  6. make a pull request
Thank you - and happy contributing!



Saturday, February 20, 2016

Open-Source Phishing Toolkit - Gophish



Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily set up and execute phishing engagements and security awareness training.

One-Click Installation

Download and Extract the ZIP - Gophish binaries are provided for most platforms.
Run the Binary - Gophish is a standalone, portable binary with static assets.
That's It - Gophish is now available on http://localhost:3333. Login with admin:gophish

Point-and-Click Phishing

Beautiful Web UI - A full web UI makes creating simulated phishing campaigns easy.
Pixel-Perfect Phishing - Create pixel-perfect emails and landing pages from scratch or by importing them directly into gophish.

Automate Phishing Campaigns

RESTful API - Gophish is built from the ground-up with a fully-featured JSON API.
Automated Training - Use your favorite language or API utility to manage every aspect of your phishing training automatically.

