StalkPhish
StalkPhish is a tool for searching free OSINT databases for specific phishing kit URLs. In addition, StalkPhish is designed to try to find the phishing kit sources themselves. Some scammers can't or don't remove their phishing kit sources when they deploy a kit. You can try to find these sources and extract useful information from them, such as the e-mail addresses the stolen data is sent to, or more information about the scammer or the phishing kit developer. From there you can extend your knowledge about the threat and the organizations behind it, and gather much useful information for your investigations.
Features
find URLs where a phishing kit is deployed (from OSINT databases)
check whether the phishing kit is still up and running
generate a hash of the page
try to download the phishing kit sources (looking for a .zip file left beside the kit)
use a hash of the phishing kit archive to identify the kit and the threat
extract e-mail addresses found in the phishing kit
use timestamps for history
use an HTTP or SOCKS5 proxy (for downloads)
add a single URL at a time to the database
store the AS number in the database
Changelog v0.9.8-3
urlscan.io API key management
OSINT modules
Install
git clone https://github.com/t4d/StalkPhish.git
cd StalkPhish
pip3 install -r requirements.txt
Configuration file
Some configurable parameters are:
search: keywords to search for in the external (OSINT) sources
log_file: the logging file (the path and file are created if they don't exist)
Kits_download_Dir: directory where downloaded phishing kit archives are stored
sqliteDB_tablename: main database table
sqliteDB_Investig_tablename: investigation table holding information useful for investigations
http_proxy: HTTP or SOCKS5 proxy to use for downloads
UAfile: file of HTTP User-Agent strings to use for the HTTP GET requests made against phishing kits
Basic usage
$ ./StalkPhish.py -c conf/example.conf
[StalkPhish ASCII-art banner]
-= StalkPhish - The Phishing Kit stalker - v0.9 =-
2018-01-28 14:43:31,892 - StalkPhish.py - INFO - Configuration file to use: conf/example.conf
2018-01-28 14:43:31,893 - StalkPhish.py - INFO - Database: ./db/StalkPhish.sqlite3
2018-01-28 14:43:31,894 - StalkPhish.py - INFO - Main table: StalkPhish
2018-01-28 14:43:31,903 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2018-01-28 14:43:31,912 - StalkPhish.py - INFO - Files directory: ./files/
2018-01-28 14:43:31,912 - StalkPhish.py - INFO - Download directory: ./dl/
2018-01-28 14:43:31,913 - StalkPhish.py - INFO - Declared Proxy: socks5://127.0.0.1:9050
2018-01-28 14:43:31,913 - StalkPhish.py - INFO - Proceeding to OSINT modules launch
2018-01-28 14:43:34,406 - urlscan.py - INFO - Searching for 'webmail'...
2018-01-28 14:43:36,394 - urlscan.py - INFO - http://finvic.org.au/wp-admin/network/webmail2/webmail/webmail.php finvic.org.au 27.121.64.82 https://urlscan.io/result/065e1ee4-9872-4c77-a12c-67b4f1c394fe Sun Jan 28 14:43:34 2018 200
2018-01-28 14:43:39,732 - urlscan.py - INFO - https://www.futures.com.tw/components/webmail/po/optus/page2.htm www.futures.com.tw 103.1.220.17 https://urlscan.io/result/fbd0e09a-635d-4a48-b023-dca4576a8031 Sun Jan 28 14:43:37 2018 500
2018-01-28 14:43:40,766 - urlscan.py - INFO - http://digidom.com/Mailbox/webmail.php digidom.com 69.89.31.123 https://urlscan.io/result/3e0624d6-279d-4d3e-81ff-ea5720608ced Sun Jan 28 14:43:39 2018 200
2018-01-28 14:43:42,212 - urlscan.py - INFO - http://finvic.org.au/wp-content/themes/webmail2/webmail/webmail.php finvic.org.au 27.121.64.82 https://urlscan.io/result/9ed37b75-2dd2-4458-832a-0d72a6bccde4 Sun Jan 28 14:43:40 2018 200
Advanced usage (find phishing kit sources)
$ ./StalkPhish.py -c conf/example.conf -G -N
[StalkPhish ASCII-art banner]
-= StalkPhish - The Phishing Kit stalker - v0.9 =-
2018-01-28 14:45:23,072 - StalkPhish.py - INFO - Configuration file to use: conf/example.conf
2018-01-28 14:45:23,073 - StalkPhish.py - INFO - Database: ./db/StalkPhish.sqlite3
2018-01-28 14:45:23,073 - StalkPhish.py - INFO - Main table: StalkPhish
2018-01-28 14:45:23,074 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2018-01-28 14:45:23,074 - StalkPhish.py - INFO - Files directory: ./files/
2018-01-28 14:45:23,074 - StalkPhish.py - INFO - Download directory: ./dl/
2018-01-28 14:45:23,074 - StalkPhish.py - INFO - Declared Proxy: socks5://127.0.0.1:9050
2018-01-28 14:45:24,593 - download.py - INFO - [200] http://finvic.org.au/wp-admin/network/webmail2/webmail/webmail.php
2018-01-28 14:45:24,607 - download.py - INFO - trying http://finvic.org.au/wp-admin.zip
2018-01-28 14:45:30,318 - download.py - INFO - trying http://finvic.org.au/wp-admin/network.zip
2018-01-28 14:45:36,063 - download.py - INFO - trying http://finvic.org.au/wp-admin/network/webmail2.zip
2018-01-28 14:45:37,333 - download.py - INFO - [DL ] Found archive, downloaded it as: ./dl/http__finvic.org.au_wp-admin_network_webmail2.zip
2018-01-28 14:45:37,341 - download.py - INFO - trying http://finvic.org.au/wp-admin/network/webmail2/webmail.zip
2018-01-28 14:45:42,647 - download.py - INFO - trying http://finvic.org.au/wp-admin/network/webmail2/webmail/webmail.php.zip
2018-01-28 14:45:51,024 - download.py - INFO - [500] https://www.futures.com.tw/components/webmail/po/optus/page2.htm
2018-01-28 14:45:51,819 - download.py - INFO - [200] http://digidom.com/Mailbox/webmail.php
2018-01-28 14:45:51,832 - download.py - INFO - trying http://digidom.com/Mailbox.zip
2018-01-28 14:45:52,744 - download.py - INFO - trying http://digidom.com/Mailbox/webmail.php.zip
2018-01-28 14:45:55,071 - download.py - INFO - [200] http://finvic.org.au/wp-content/themes/webmail2/webmail/webmail.php
2018-01-28 14:45:55,079 - download.py - INFO - trying http://finvic.org.au/wp-content.zip
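The log above shows how the archive hunt works: starting from the deployed page URL, a .zip is tried beside every path prefix, shortest first, until one answers. The following is an added example, not StalkPhish's own code, that reproduces that candidate ordering and the local file naming visible in the log, and then carries out two more steps from the feature list, hashing the archive (or page) and extracting e-mail addresses from the kit sources, against a constructed in-memory kit archive so it runs offline. SHA-256 as the digest, the per-member size cap, and the contents of the sample kit are this example's assumptions, not something the page states.

```python
"""Added example (not StalkPhish's own code): archive guessing, hashing and
e-mail extraction for a phishing kit, run offline on a constructed archive."""
import hashlib
import io
import re
import zipfile
from urllib.parse import urlsplit, urlunsplit

# Loose pattern: good enough to pull drop addresses out of kit sources.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def candidate_archive_urls(page_url):
    """Guess where the kit's zip was left behind: one '.zip' per path prefix,
    shortest first, in the order the log shows (/wp-admin.zip,
    /wp-admin/network.zip, ..., /webmail.php.zip). Query string and fragment
    are dropped so a tracking parameter cannot poison the guesses."""
    parts = urlsplit(page_url)
    segments = [s for s in parts.path.split("/") if s]
    urls = []
    for depth in range(1, len(segments) + 1):
        path = "/" + "/".join(segments[:depth]) + ".zip"
        urls.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return urls


def archive_filename(archive_url):
    """Local file name in the style the log shows ('http__host_a_b.zip').
    Assumption: this mirrors the naming visible in the log, not the tool's
    code. Every '/' becomes '_', so a hostile path cannot traverse out of
    the download directory."""
    return archive_url.replace("://", "__").replace("/", "_")


def kit_hash(blob):
    """SHA-256 of raw bytes (a fetched page or a kit archive). The page does
    not name the digest StalkPhish uses; SHA-256 is this example's choice."""
    return hashlib.sha256(blob).hexdigest()


def extract_emails(zip_bytes, max_member_bytes=1_000_000):
    """Collect e-mail addresses from every member of a kit archive without
    writing anything to disk. Kits are attacker-controlled, so each member is
    read one byte past the cap and skipped if it is larger (the declared size
    in the zip header is not trusted), directories are skipped, and bytes
    that do not decode as UTF-8 are ignored."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                data = member.read(max_member_bytes + 1)
            if len(data) > max_member_bytes:
                continue
            found.update(EMAIL_RE.findall(data.decode("utf-8", errors="ignore")))
    return sorted(found)


def build_sample_kit():
    """Constructed stand-in for a downloaded kit archive (not a real kit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("webmail2/webmail/webmail.php",
                    '<?php $send = "drop@example.com";\n'
                    'mail($send, "Webmail login", $_POST["password"]); ?>\n')
        zf.writestr("webmail2/webmail/next.php",
                    "<?php // kit author: second@example.org\n"
                    "header('Location: https://mail.example.com/'); ?>\n")
        # Binary member: exercises the decode-error handling.
        zf.writestr("webmail2/webmail/logo.png",
                    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
    return buf.getvalue()


if __name__ == "__main__":
    page = "http://finvic.org.au/wp-admin/network/webmail2/webmail/webmail.php"
    for url in candidate_archive_urls(page):
        print("trying", url, "->", archive_filename(url))
    kit = build_sample_kit()
    print("archive sha256:", kit_hash(kit))
    print("e-mails found:", extract_emails(kit))
```

The network fetch is deliberately left out. When wiring this into a real run, issue the requests through the proxy the configuration declares, keep the archive as an opaque blob (never unzip it onto a web-served path or execute anything from it), and record the archive hash together with the timestamp so the same kit seen on a second host can be matched later.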
Copyright (C) t4d
Source: https://github.com/t4d/