CredSniper是一个使用Python微框架Flask和Jinja2模板编写的网络钓鱼框架

CredSniper是一个使用python微框架Flask和Jinja2模板编写的网络钓鱼框架

CredSniper

OverviewBenefits Basic UsageInstallationScreenshotsGmail Module MaintainerContributing

Overview

Easily launch a new phishing site fully presented with SSL and capture credentials along with 2FA tokens using CredSniper. The API provides secure access to the currently captured credentials which can be consumed by other applications using a randomly generated API token.

Brought to you by:

Benefits

Fully supported SSL via Let's EncryptExact login form clones for realistic phishingAny number of intermediate pages (i.e. Gmail login, password and two-factor pages then a redirect) Supports phishing 2FA tokensAPI for integrating credentials into other applicationsEasy to personalize using a templating framework

Basic Usage

usage: credsniper.py [-h] --module MODULE [--twofactor] [--port PORT] [--ssl] [--verbose] --final FINAL --hostname HOSTNAME

optional arguments: -h, --help show this help message and exit --module MODULE phishing module name - for example, "gmail" --twofactor enable two-factor phishing --port PORT listening port (default: 80/443) --ssl use SSL via Let's Encrypt --verbose enable verbose output --final FINAL final url the user is redirected to after phishing is done --hostname HOSTNAME hostname for SSL

Credentials

.cache : Temporarily store username/password when phishing 2FA

.sniped : Flat-file storage for captured credentials and other information

API End-point

View Credentials (GET) https:///creds/view?api_token= Mark Credential as Seen (GET) https:///creds/seen/?api_token= Update Configuration (POST) https:///config

{ 'enable_2fa': true, 'module': 'gmail', 'api_token': 'some-random-string' }

Modules

All modules can be loaded by passing the --module command to CredSniper. These are loaded from a directory inside /modules. CredSniper is built using Python Flask and all the module HTML templates are rendered using Jinja2.

Gmail: The latest Gmail login cloned and customized to trigger/phish all forms of 2FA modules/gmail/gmail.py: Main module loaded w/ --module gmailmodules/gmail/templates/error.html: Error page for 404'smodules/gmail/templates/login.html: Gmail Login Pagemodules/gmail/templates/password.html: Gmail Password Pagemodules/gmail/templates/authenticator.html: Google Authenticator 2FA pagemodules/gmail/templates/sms.html: SMS 2FA pagemodules/gmail/templates/touchscreen.html: Phone Prompt 2FA page

GMAIL UPDATE: Google requires a backup form of 2FA when using U2F. Bypassing U2F is possible by forcing one of the fall-back options instead of prompting the user to use their U2F device. CredSniper attempts to force SMS if it's available otherwise it forces TOTP. For security savvy victims, they may be weary if they are prompted for the SMS or TOTP token instead of their U2F device.

Example: An example module that demonstrates standard phishing w/ 2FA tokens modules/example/example.py: Main module loaded w/ --module examplemodules/example/templates/login.html: Standard login formmodules/example/templates/twofactor.html: Standard 2FA token form

Installation

Ubuntu 16.04

You can install and run automatically with the following command:

$ git clone https://github.com/ustayready/CredSniper$ cd CredSniper~/CredSniper$ ./install.sh

Then, to run manually use the following commands:

~/$ cd CredSniper~/CredSniper$ source bin/activate(CredSniper) ~/CredSniper$ python credsniper.py --help

Note that Python 3 is required.

Screenshots

Gmail Module

Maintainer

CredSniper was originally created by Mike Felch (@ustayready)

Contributing

Create an issue to discuss your ideaFork CredSniper (https://github.com/ustayready/CredSniper/fork)Create your feature branch (git checkout -b my-new-feature)Commit your changes (git commit -am 'Add some feature')Push to the branch (git push origin my-new-feature)Create a new Pull Request

Bug reports, feature requests and patches are welcome.

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。