
t4d / Stalkphish

Licence: agpl-3.0
StalkPhish - The Phishing kits stalker, harvesting phishing kits for investigations.

Programming Languages

python

Projects that are alternatives of or similar to Stalkphish

Dnstwist
Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation
Stars: ✭ 3,124 (+1120.31%)
Mutual labels:  osint, phishing, threat-hunting, threat-intelligence
Threatingestor
Extract and aggregate threat intelligence.
Stars: ✭ 439 (+71.48%)
Mutual labels:  osint, threat-hunting, threat-intelligence, threatintel
Malware Feed
Bringing you the best of the worst files on the Internet.
Stars: ✭ 69 (-73.05%)
Mutual labels:  infosec, threat-hunting, threat-intelligence, threatintel
OSINT-Brazuca
Repository created to gather information, sources (websites/portals) and OSINT tricks in the Brazilian context.
Stars: ✭ 508 (+98.44%)
Mutual labels:  osint, threat-hunting, threatintel, threat-intelligence
Chatter
internet monitoring osint telegram bot for windows
Stars: ✭ 123 (-51.95%)
Mutual labels:  osint, infosec, threat-intelligence, threatintel
Spiderfoot
SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
Stars: ✭ 6,882 (+2588.28%)
Mutual labels:  osint, infosec, threatintel, threat-intelligence
MurMurHash
This little tool is to calculate a MurmurHash value of a favicon to hunt phishing websites on the Shodan platform.
Stars: ✭ 79 (-69.14%)
Mutual labels:  phishing, infosec, threatintel, threat-intelligence
Opensquat
Detection of phishing domains and domain squatting. Supports permutations such as homograph attack, typosquatting and bitsquatting.
Stars: ✭ 149 (-41.8%)
Mutual labels:  osint, phishing, threat-hunting, threat-intelligence
Analyst Arsenal
A toolkit for Security Researchers
Stars: ✭ 112 (-56.25%)
Mutual labels:  osint, infosec, threat-hunting, threat-intelligence
Phishing catcher
Phishing catcher using Certstream
Stars: ✭ 1,232 (+381.25%)
Mutual labels:  osint, phishing, threat-intelligence, threatintel
Intelowl
Intel Owl: analyze files, domains, IPs in multiple ways from a single API at scale
Stars: ✭ 2,114 (+725.78%)
Mutual labels:  osint, threat-hunting, threat-intelligence, threatintel
censys-recon-ng
recon-ng modules for Censys
Stars: ✭ 29 (-88.67%)
Mutual labels:  osint, threat-hunting, threatintel, threat-intelligence
Osweep
Don't Just Search OSINT. Sweep It.
Stars: ✭ 225 (-12.11%)
Mutual labels:  osint, threat-hunting, threat-intelligence
Mihari
A helper to run OSINT queries & manage results continuously
Stars: ✭ 239 (-6.64%)
Mutual labels:  osint, threat-hunting, threat-intelligence
ThreatIntelligence
Tracking APT IOCs
Stars: ✭ 23 (-91.02%)
Mutual labels:  threat-hunting, threatintel, threat-intelligence
Misp Training
MISP trainings, threat intel and information sharing training materials with source code
Stars: ✭ 185 (-27.73%)
Mutual labels:  osint, threat-intelligence, threatintel
mail to misp
Connect your mail client/infrastructure to MISP in order to create events based on the information contained within mails.
Stars: ✭ 61 (-76.17%)
Mutual labels:  threat-hunting, threatintel, threat-intelligence
IronNetTR
Threat research and reporting from IronNet's Threat Research Teams
Stars: ✭ 36 (-85.94%)
Mutual labels:  threat-hunting, threatintel, threat-intelligence
YAFRA
YAFRA is a semi-automated framework for analyzing and representing reports about IT Security incidents.
Stars: ✭ 22 (-91.41%)
Mutual labels:  threat-hunting, threatintel, threat-intelligence
Urlcrazy
Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.
Stars: ✭ 150 (-41.41%)
Mutual labels:  osint, infosec, phishing

StalkPhish

StalkPhish - The Phishing kits stalker

StalkPhish is a tool created for searching free OSINT databases for specific phishing kit URLs. Beyond that, StalkPhish is designed to try to find the phishing kit sources. Some scammers can't or don't remove their phishing kit sources when they deploy a kit. You can try to find these sources to extract useful information such as the e-mail addresses the stolen data is sent to, and more details about the scammer or the phishing kit developer. From there you can extend your knowledge about the threat and the organizations behind it, and gather much useful information for your investigations.

Features

  • find the URL where a phishing kit is deployed (from OSINT databases)
  • find out whether the phishing kit is still up and running
  • generate a hash of the page
  • try to download the phishing kit sources (looking for a .zip file)
  • use a hash of the phishing kit archive to identify the kit and the threat
  • extract e-mail addresses found in the phishing kit
  • use timestamps for history
  • can use an HTTP or SOCKS5 proxy (for downloads)
  • add just one URL at a time into the database
  • store the AS number in the database
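The two features "use a hash of the phishing kit archive" and "extract e-mails found in phishing kit" correspond to the ZipFileHash and extracted_emails columns of the investigation table. The following is an added illustration, not StalkPhish's own code: it hashes a downloaded archive with SHA-256 and pulls e-mail addresses out of its text-like members while reading them from memory only, so a hostile archive (path-traversal member names, oversized members) is never written to disk. The sample archive is constructed inline and contains only example.com/example.org addresses.

```python
import hashlib
import io
import re
import zipfile

# Constructed stand-in for a downloaded kit archive (not a real kit):
# two PHP files carrying drop addresses and one binary member.
def build_sample_kit() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("kit/login.php",
                    '<?php $to = "drop.one@example.com"; mail($to, "rez", $msg); ?>')
        zf.writestr("kit/inc/send.php",
                    "<?php\n$recipients = array('drop.one@example.com', "
                    "'backup.box@example.org');\n")
        zf.writestr("kit/img/logo.png", b"\x89PNG\r\n\x1a\n" + bytes(range(256)))
    return buf.getvalue()

# Loose RFC 5322-ish matcher, applied to raw bytes so no decoding step is needed.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Only members with these suffixes are scanned; images and binaries are skipped.
TEXT_SUFFIXES = (".php", ".html", ".htm", ".js", ".txt", ".ini", ".json")
# Members larger than this are skipped to stay safe against decompression bombs.
MAX_MEMBER_BYTES = 5 * 1024 * 1024


def archive_hash(data: bytes) -> str:
    """SHA-256 of the archive bytes (64 hex chars, like the ZipFileHash column)."""
    return hashlib.sha256(data).hexdigest()


def extract_emails(data: bytes) -> list:
    """Return sorted, unique, lower-cased e-mail addresses found in text members.

    Members are read through zipfile.open() into memory; nothing is extracted to
    the filesystem, so member names such as '../../etc/cron.d/x' are harmless.
    """
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                continue
            with zf.open(info) as member:
                for match in EMAIL_RE.finditer(member.read()):
                    found.add(match.group(0).decode("ascii", "replace").lower())
    return sorted(found)


def analyse(data: bytes) -> dict:
    """The two investigation-table fields derived from one archive."""
    return {"ZipFileHash": archive_hash(data),
            "extracted_emails": extract_emails(data)}


if __name__ == "__main__":
    kit = build_sample_kit()
    print(analyse(kit))
```

The archive hash is taken over the raw bytes exactly as downloaded, so re-downloading the same kit from a second host yields the same identifier, which is what makes the hash usable for tying deployments to one kit family.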

OSINT modules

Requirements

  • Python 3
  • BeautifulSoup4
  • cfscrape
  • requests
  • PySocks
  • lxml

Join us

You can join us on Keybase: https://keybase.io/team/stalkphish channel 'stalkphish'!

Upgrade StalkPhish from <0.9.6

The database schema changed (one more time :)) to add the AS number, a page hash, and a new column holding the e-mails extracted from the phishing kit's zip. You can modify your existing database like this (take care to adapt the table names to your configuration):

$ sqlite3 db/StalkPhish.sqlite3
sqlite> ALTER TABLE StalkPhish ADD COLUMN page_hash TEXT;
sqlite> ALTER TABLE StalkPhish ADD COLUMN ASN TEXT;
sqlite> ALTER TABLE StalkPhishInvestig ADD COLUMN extracted_emails TEXT;

Upgrade StalkPhish v0.9 to v0.9.2 (or later)

To update a StalkPhish v0.9 database, change your DB schema to add a new column, like this:

$ sqlite3 db/StalkPhish.sqlite3
sqlite> ALTER TABLE Investigation_Table_Name ADD COLUMN PageTitle TEXT;
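Both upgrade procedures above are plain ALTER TABLE statements, and SQLite refuses to add a column that already exists, so re-running them against a partly upgraded database fails halfway. The following added example (not part of StalkPhish) applies the same column additions idempotently: it reads the existing columns with PRAGMA table_info and adds only the missing ones. It assumes the README's default table names StalkPhish and StalkPhishInvestig; adapt the dictionary if your configuration uses other names. The demo builds a pre-0.9 schema in memory so it can run offline.

```python
import sqlite3
import sys

# Columns introduced by the upgrades described in the README, keyed by table.
# Assumed default table names; adapt to sqliteDB_tablename /
# sqliteDB_Investig_tablename from your configuration file.
UPGRADE_COLUMNS = {
    "StalkPhish": [("page_hash", "TEXT"),           # from < 0.9.6
                   ("ASN", "TEXT")],                 # from < 0.9.6
    "StalkPhishInvestig": [("PageTitle", "TEXT"),   # v0.9 -> v0.9.2
                           ("extracted_emails", "TEXT")],  # from < 0.9.6
}

# Constructed pre-0.9 schema used only by the demo (the real DB already has it).
OLD_SCHEMA = """
CREATE TABLE StalkPhish (siteURL TEXT NOT NULL PRIMARY KEY, siteDomain TEXT,
  IPaddress TEXT, SRClink TEXT, time TEXT, lastHTTPcode TEXT,
  StillInvestig TEXT, StillTryDownload TEXT);
CREATE TABLE StalkPhishInvestig (siteURL TEXT NOT NULL PRIMARY KEY,
  siteDomain TEXT, IPaddress TEXT, ZipFileName TEXT, ZipFileHash TEXT,
  FirstSeentime TEXT, FirstSeenCode TEXT, LastSeentime TEXT, LastSeenCode TEXT);
"""


def existing_columns(conn, table):
    """Column names of `table`; empty set when the table does not exist."""
    return {row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')}


def upgrade_schema(conn, columns=UPGRADE_COLUMNS):
    """Add every missing column; return the (table, column) pairs added.

    Table and column names come from the trusted dictionary above, never from
    user input, and are still double-quoted as identifiers.
    """
    added = []
    for table, cols in columns.items():
        present = existing_columns(conn, table)
        if not present:
            raise ValueError(f"table {table!r} not found: adapt the table names")
        for name, ctype in cols:
            if name in present:
                continue  # already upgraded, skip instead of failing
            conn.execute(f'ALTER TABLE "{table}" ADD COLUMN "{name}" {ctype}')
            added.append((table, name))
    conn.commit()
    return added


def demo():
    """Upgrade a fresh pre-0.9 in-memory database twice; second run is a no-op."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(OLD_SCHEMA)
    first = upgrade_schema(conn)
    second = upgrade_schema(conn)
    return first, second


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python upgrade.py db/StalkPhish.sqlite3
        with sqlite3.connect(sys.argv[1]) as db:
            print("added:", upgrade_schema(db))
    else:
        print(demo())
```

Back up the .sqlite3 file before running this against a real database; ALTER TABLE ADD COLUMN is cheap in SQLite but there is no automatic undo.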

Install

Install the requirements

pip3 install -r requirements.txt

Help

$ ./StalkPhish.py -h

  _____ _        _ _    _____  _     _     _
 / ____| |      | | |  |  __ \| |   (_)   | |    
| (___ | |_ __ _| | | _| |__) | |__  _ ___| |__  
 \___ \| __/ _` | | |/ /  ___/| '_ \| / __| '_ \ 
 ____) | || (_| | |   <| |    | | | | \__ \ | | |
|_____/ \__\__,_|_|_|\__\|    |_| |_|_|___/_| |_|

-= StalkPhish - The Phishing Kit stalker - v0.9.8-2 =-


    -h --help       Prints this help
    -c --config     Configuration file to use (mandatory)
    -G --get        Try to download zip file containing phishing kit sources (long and noisy)
    -N --nosint     Don't use OSINT databases
    -u --url        Add only one URL
    -s --search     Search for a specific string on OSINT modules

Basic usage

$ ./StalkPhish.py -c conf/example.conf 

  _____ _        _ _    _____  _     _     _
 / ____| |      | | |  |  __ \| |   (_)   | |    
| (___ | |_ __ _| | | _| |__) | |__  _ ___| |__  
 \___ \| __/ _` | | |/ /  ___/| '_ \| / __| '_ \ 
 ____) | || (_| | |   <| |    | | | | \__ \ | | |
|_____/ \__\__,_|_|_|\__\|    |_| |_|_|___/_| |_|

-= StalkPhish - The Phishing Kit stalker - v0.9.8-2 =-

2019-06-18 21:01:16,234 - StalkPhish.py - INFO - Configuration file to use: conf/example.conf
2019-06-18 21:01:16,234 - StalkPhish.py - INFO - Database: ./test/db/StalkPhish.sqlite3
2019-06-18 21:01:16,234 - StalkPhish.py - INFO - Main table: StalkPhish
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Files directory: ./test/files/
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Download directory: ./test/dl/
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Declared Proxy: socks5://127.0.0.1:9050

2019-06-18 21:01:16,236 - StalkPhish.py - INFO - Proceeding to OSINT modules launch
2019-06-18 21:01:19,102 - urlscan.py - INFO - Searching for 'paypal'...
2019-06-18 21:01:27,460 - urlscan.py - INFO - https://icovil.com/ icovil.com 51.255.74.219 https://urlscan.io/result/25f6bd07-6fac-49af-a6b3-17cbd5fa937c Tue Jun 18 21:01:19 2019 200
2019-06-18 21:01:30,747 - urlscan.py - INFO - http://www.mcseaonline.org/?page_id=4911 www.mcseaonline.org 108.166.135.154 https://urlscan.io/result/a37700f1-86fd-41b2-8c16-5e9b693b7ac8 Tue Jun 18 21:01:27 2019 200
t/38327c8b-a1b9-4919-8037-ddf88238c16c Tue Jun 18 21:03:13 2019 timeout
2019-06-18 21:03:25,836 - urlquery.py - INFO - http://www.killerknuts.com/ www.killerknuts.com 107.180.58.58 https://urlquery.net/report/d9d48c99-dfe5-4002-8a8a-08d44d71ffc2 Tue Jun 18 21:03:20 2019 timeout
2019-06-18 21:03:33,757 - urlquery.py - INFO - https://www.crowdholding.com/ www.crowdholding.com 34.214.183.67 https://urlquery.net/report/b9a09c39-50df-4709-a709-bbcb897c7b96 Tue Jun 18 21:03:25 2019 timeout
2019-06-18 21:03:46,524 - urlquery.py - INFO - http://downlinebooster.ontraport.com/c/s/JZH/jc8b/6/ji/xlj/6hq0Nr/zWarhzzuCJ/P/P/P downlinebooster.ontraport.com 209.170.211.179 https://urlquery.net/report/dc3aa6b1-be7b-409b-8890-7dad962d6063 Tue Jun 18 21:03:33 2019 200
[...]

Advanced usage (try to 'G'et phishing kit zipfile, 'N'o OSINT search)

$ ./StalkPhish.py -c conf/example.conf -G -N

  _____ _        _ _    _____  _     _     _
 / ____| |      | | |  |  __ \| |   (_)   | |    
| (___ | |_ __ _| | | _| |__) | |__  _ ___| |__  
 \___ \| __/ _` | | |/ /  ___/| '_ \| / __| '_ \ 
 ____) | || (_| | |   <| |    | | | | \__ \ | | |
|_____/ \__\__,_|_|_|\__\|    |_| |_|_|___/_| |_|

-= StalkPhish - The Phishing Kit stalker - v0.9.8-2 =-

2019-06-18 20:56:52,818 - StalkPhish.py - INFO - Configuration file to use: conf/example.conf
2019-06-18 20:56:52,818 - StalkPhish.py - INFO - Database: ./test/db/StalkPhish.sqlite3
2019-06-18 20:56:52,818 - StalkPhish.py - INFO - Main table: StalkPhish
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Files directory: ./test/files/
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Download directory: ./test/dl/
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Declared Proxy: socks5://127.0.0.1:9050

2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Starting trying to download phishing kits sources...
2019-06-18 20:56:55,086 - download.py - INFO - [200] http://donnarogersimagery.com/wp-includes/pomo/login.alibaba.com/
2019-06-18 20:56:56,925 - download.py - INFO - Alibaba Manufacturer Directory - Suppliers, Manufacturers, Exporters &amp; Importers
2019-06-18 20:56:56,934 - download.py - INFO - trying http://donnarogersimagery.com/wp-includes.zip
2019-06-18 20:57:00,663 - download.py - INFO - trying http://donnarogersimagery.com/wp-includes/pomo.zip
2019-06-18 20:57:04,709 - download.py - INFO - trying http://donnarogersimagery.com/wp-includes/pomo/login.alibaba.com.zip
2019-06-18 20:57:12,643 - download.py - INFO - [DL ] Found archive, downloaded it as: ./test/dl/http__donnarogersimagery.com_wp-includes_pomo_login.alibaba.com.zip
2019-06-18 20:57:12,677 - download.py - INFO - [Email] Found: [email protected]
[...]

Search usage (search for a keyword without touching the search setting in your configuration file)

$ ./StalkPhish.py -c conf/example.conf -s office365

  _____ _        _ _    _____  _     _     _
 / ____| |      | | |  |  __ \| |   (_)   | |    
| (___ | |_ __ _| | | _| |__) | |__  _ ___| |__  
 \___ \| __/ _` | | |/ /  ___/| '_ \| / __| '_ \ 
 ____) | || (_| | |   <| |    | | | | \__ \ | | |
|_____/ \__\__,_|_|_|\__\|    |_| |_|_|___/_| |_|

-= StalkPhish - The Phishing Kit stalker - v0.9.8-2 =-

2019-09-10 17:58:03,141 - StalkPhish.py - INFO - Configuration file to use: conf/example.conf
2019-09-10 17:58:03,142 - StalkPhish.py - INFO - Database: ./db/StalkPhish.sqlite3
2019-09-10 17:58:03,142 - StalkPhish.py - INFO - Main table: StalkPhish
2019-09-10 17:58:03,210 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2019-09-10 17:58:03,279 - StalkPhish.py - INFO - Files directory: ./files/
2019-09-10 17:58:03,279 - StalkPhish.py - INFO - Download directory: ./dl/
2019-09-10 17:58:03,280 - StalkPhish.py - INFO - Declared Proxy: socks5://127.0.0.1:9050

2019-09-10 17:58:03,280 - StalkPhish.py - INFO - Proceeding to OSINT modules launch
2019-09-10 17:58:04,640 - urlscan.py - INFO - Searching for 'office365'...
2019-09-10 17:58:06,862 - urlscan.py - INFO - https://audio209-secondary.z11.web.core.windows.net/xoaksAOKmadjMAoakdamOjasmOADFjoam.xml/VM-memo-ref-29899uo.wav.html%3F audio209-secondary.z11.web.core.windows.net 52.239.146.65 https://urlscan.io/result/f3d6d738-83e5-486b-92d0-f7acd3fc992f Tue Sep 10 17:58:04 2019 404
2019-09-10 17:58:09,427 - urlscan.py - INFO - https://gzbnmd.com/aut1/accounts/active/MTU2ODEyODk2NDJiYmRiNGExNWJjMWUxNDI5YjliYWIzZmJlMjFhMjQ0M2M0OGQ0N2I6a3NjaHViZXJ0QG10Lmdvdg%3D%3D gzbnmd.com 199.188.200.253 https://urlscan.io/result/f95e6302-5d13-4c45-b69e-12de6c5bc06e Tue Sep 10 17:58:06 2019 200
[...]

SQLite3 database schema

$ sqlite3 ./db/StalkPhish.sqlite3 .schema
CREATE TABLE StalkPhish (siteURL TEXT NOT NULL PRIMARY KEY, siteDomain TEXT, IPaddress TEXT, SRClink TEXT, time TEXT, lastHTTPcode TEXT, StillInvestig TEXT, StillTryDownload TEXT, page_hash TEXT, ASN TEST);
CREATE TABLE StalkPhishInvestig (siteURL TEXT NOT NULL PRIMARY KEY, siteDomain TEXT, IPaddress TEXT, ZipFileName TEXT, ZipFileHash TEXT, FirstSeentime TEXT, FirstSeenCode TEXT, LastSeentime TEXT, LastSeenCode TEXT, PageTitle TEXT, extracted_emails TEXT);

SQLite3 'main' table sample example

$ sqlite3 ./db/StalkPhish.sqlite3 'select * from StalkPhish'
https://detoerreoejne.dk/|detoerreoejne.dk|145.239.118.80|https://urlscan.io/result/5b34a3c8-5737-43a4-aad1-87730aff71a8|Tue Jun 18 19:46:25 2019|200||Y|a65b00058ccc76657864fa74accaac5c0b46fa04|16276
https://www.facebook.com/PayPal/?_rdc=1&_rdr|www.facebook.com|157.240.21.35|https://urlscan.io/result/6a0cb6d9-193a-4581-899b-1a24f77ad941|Tue Jun 18 19:46:29 2019|200||Y|14014fdef8dc11407fc4985dc2f35ab73d9cf4b0|32934
https://medium.com/@jhonrabig/watch-ambitions-season-1-episode-1-online-free-720px-9e3eebeab5e4|medium.com|104.16.120.127|https://urlquery.net/report/eb23e4fc-8684-400b-b0e4-df044c5914da|Tue Jun 18 19:46:40 2019|200||Y|27049fba4d5aea74e94b237213e93f33c8e90ee2|13335
https://www.casualfilms.com/|www.casualfilms.com|104.17.128.180|https://urlquery.net/report/c39f40fb-c72f-493d-9b3b-867cbf855659|Tue Jun 18 19:46:43 2019|200||Y|8dfbac8bddd37bb719bf34e7aa60b22714af6b88|13335
https://filecloud.filecloudonline.com/url/[email protected]|filecloud.filecloudonline.com|34.197.99.39|https://urlquery.net/report/b6ea7ed4-1e77-4688-bd5f-fcb093d5ef62|Tue Jun 18 19:46:45 2019|200||Y|ebddf102f6ac72be2632a5778daf3848509a8901|14618

SQLite3 'investigation' table sample example

$ sqlite3 ./db/StalkPhish.sqlite3 'select * from StalkPhishInvestig'
http://crm.simumak.com/custom/MDP1/aHR0cHM6Ly9jZnNwYXJ0LmltcG90cy5nb3/aWEyLXp1LW1hcGkvamF2YXguZmFjZXMucmVzb3VyY2UvY29tcG9uZW50cy5jc3MueGh0bWw/bG49cHJpbWVmYWNlcyZ2PTYuMQ/Formulaire/72ce7|crm.simumak.com|199.89.53.193|||Sun Jun 16 01:03:24 2019|200|||Particuliers | authentification|
http://muviarts.in/ourtime/ourtimepge|muviarts.in|104.18.54.33|http__muviarts.in_ourtime_ourtimepge.zip|afd48d3db735e861f6a048132b62a4deecfc32a89269b192edbc709563855417|Sun Jun 16 01:03:33 2019|200|Sun Jun 16 01:03:33 2019|200|OurTime.com - The 50+ Single Network|[email protected], [email protected]
http://twitter-signin.com/|twitter-signin.com|96.47.237.56|||Sun Jun 16 01:03:42 2019|200|||เข้าสู่ระบบทวิตเตอร์ / ทวิตเตอร์|
https://servymain.cl/wp/wp-content/uploads/DP|servymain.cl|200.63.103.27|||Sun Jun 16 01:03:56 2019|200|||Dropbox | Access your documents from any device|

Configuration file

I invite you to read the conf/example.conf file for precise tuning of the configuration. Some configurable parameters are:

  • search: keywords to search for in the external sources
  • log_file: the log file (the path and file will be created if they don't exist)
  • Kits_download_Dir: directory where downloaded phishing kit archives are stored
  • sqliteDB_tablename: main database table
  • sqliteDB_Investig_tablename: investigation table holding useful information for investigations
  • http_proxy: HTTP/SOCKS5 proxy to use for downloads
  • UAfile: file of HTTP user-agents to use for the HTTP GET requests made against phishing kits

Docker

Build and start the container with docker-compose:

$ cd docker/
$ docker-compose up --build -d

The container is configured to keep interesting files in the host's /tmp directory.

You can now open a shell in the container and launch StalkPhish:

$ docker exec -ti stalkphish sh
/ # cd /opt/StalkPhish/stalkphish/
/opt/StalkPhish/stalkphish # ./StalkPhish.py -c conf/example.conf

Demo video

StalkPhish v0.9.6 running video
