StalkPhish is a tool created for searching into free OSINT databases for specific phishing kits URL.

More, StalkPhish is designed to try finding phishing kits sources. Some scammers can’t or don’t remove their phishing kit sources when they deploy it. You can try to find these sources to extract some useful information as: e-mail addresses where is send stolen data, some more information about scammer or phishing kit developer.

From there you can extend your knowledge about the threat and organizations, and get much useful information for your investigations.

Features

• find URL where a phishing kit is deployed (from OSINT databases)
• find if the phishing kit is still up and running
• generate hash of page
• try to download phishing kit sources (trying to find .zip file)
• use a hash of the phishing kit archive to identify the kit and threat
• extract e-mails found in phishing kit
• use timestamps for history
• can use HTTP or SOCKS5 proxy (for downloads)
• add just one url at a time into database
• store AS number in database

Also read: PhishX – Spear Phishing Tool

OSINT modules

• urlscan.io search API
• urlquery.net search web crawler
• Phishtank free OSINT feed (with or without API key)
• Openphish free OSINT feed

Requirements

• Python 3
• BeautifulSoup4
• requests
• PySocks
• lxml

Upgrade StalkPhish to 0.9.6

Database schema changed (one more time 🙂 for adding the ASnumber, a page hash, and a new column which contains e-mails extracted from Phishing kit’s zip, you can modify your existing database like this:

$ sqlite3 db/StalkPhish.sqlite3 (take care to adapt your tables names)
sqlite> ALTER TABLE StalkPhish ADD COLUMN page_hash TEXT;
sqlite> ALTER TABLE StalkPhish ADD COLUMN ASN TEXT;
sqlite> ALTER TABLE StalkPhishInvestig ADD COLUMN extracted_emails TEXT;

Upgrade StalkPhish v0.9 to v0.9.2 (or later)

To update StalPhish v0.9 database, please change your DB schema, to add a new column, like this:

$ sqlite3 db/StalkPhish.sqlite3
sqlite> ALTER TABLE Investigation_Table_Name ADD COLUMN PageTitle TEXT;

Install

Install the requirements

pip3 install -r requirements.txt

Help

$ ./StalkPhish.py -h

  _____ _        _ _    _____  _     _     _
 / ____| |      | | |  |  __ \| |   (_)   | |    
| (___ | |_ __ _| | | _| |__) | |__  _ ___| |__  
 \___ \| __/ _` | | |/ /  ___/| '_ \| / __| '_ \ 
 ____) | || (_| | |   <| |    | | | | \__ \ | | |
|_____/ \__\__,_|_|_|\__\|    |_| |_|_|___/_| |_|

-= StalkPhish - The Phishing Kit stalker - v0.9.6 =-


    -h --help       Prints this help
    -c --config     Configuration file to use (mandatory)
    -G --get        Try to download zip file containing phishing kit sources (long and noisy)
    -N --nosint         Don't use OSINT databases
    -u --url        Add only one URL

Basic usage

$ ./StalkPhish.py -c conf/example.conf 

  _____ _        _ _    _____  _     _     _
 / ____| |      | | |  |  __ \| |   (_)   | |    
| (___ | |_ __ _| | | _| |__) | |__  _ ___| |__  
 \___ \| __/ _` | | |/ /  ___/| '_ \| / __| '_ \ 
 ____) | || (_| | |   <| |    | | | | \__ \ | | |
|_____/ \__\__,_|_|_|\__\|    |_| |_|_|___/_| |_|

-= StalkPhish - The Phishing Kit stalker - v0.9.6 =-

2019-06-18 21:01:16,234 - StalkPhish.py - INFO - Configuration file to use: conf/example.conf
2019-06-18 21:01:16,234 - StalkPhish.py - INFO - Database: ./test/db/StalkPhish.sqlite3
2019-06-18 21:01:16,234 - StalkPhish.py - INFO - Main table: StalkPhish
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Files directory: ./test/files/
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Download directory: ./test/dl/
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Declared Proxy: socks5://127.0.0.1:9050

2019-06-18 21:01:16,236 - StalkPhish.py - INFO - Proceeding to OSINT modules launch
2019-06-18 21:01:19,102 - urlscan.py - INFO - Searching for 'paypal'...
2019-06-18 21:01:27,460 - urlscan.py - INFO - https://icovil.com/ icovil.com 51.255.74.219 https://urlscan.io/result/25f6bd07-6fac-49af-a6b3-17cbd5fa937c Tue Jun 18 21:01:19 2019 200
2019-06-18 21:01:30,747 - urlscan.py - INFO - http://www.mcseaonline.org/?page_id=4911 www.mcseaonline.org 108.166.135.154 https://urlscan.io/result/a37700f1-86fd-41b2-8c16-5e9b693b7ac8 Tue Jun 18 21:01:27 2019 200
t/38327c8b-a1b9-4919-8037-ddf88238c16c Tue Jun 18 21:03:13 2019 timeout
2019-06-18 21:03:25,836 - urlquery.py - INFO - http://www.killerknuts.com/ www.killerknuts.com 107.180.58.58 https://urlquery.net/report/d9d48c99-dfe5-4002-8a8a-08d44d71ffc2 Tue Jun 18 21:03:20 2019 timeout
2019-06-18 21:03:33,757 - urlquery.py - INFO - https://www.crowdholding.com/ www.crowdholding.com 34.214.183.67 https://urlquery.net/report/b9a09c39-50df-4709-a709-bbcb897c7b96 Tue Jun 18 21:03:25 2019 timeout
2019-06-18 21:03:46,524 - urlquery.py - INFO - http://downlinebooster.ontraport.com/c/s/JZH/jc8b/6/ji/xlj/6hq0Nr/zWarhzzuCJ/P/P/P downlinebooster.ontraport.com 209.170.211.179 https://urlquery.net/report/dc3aa6b1-be7b-409b-8890-7dad962d6063 Tue Jun 18 21:03:33 2019 200
[...]

Advanced usage (find phishing kits sources)

$ ./StalkPhish.py -c conf/example.conf -G -N

  _____ _        _ _    _____  _     _     _
 / ____| |      | | |  |  __ \| |   (_)   | |    
| (___ | |_ __ _| | | _| |__) | |__  _ ___| |__  
 \___ \| __/ _` | | |/ /  ___/| '_ \| / __| '_ \ 
 ____) | || (_| | |   <| |    | | | | \__ \ | | |
|_____/ \__\__,_|_|_|\__\|    |_| |_|_|___/_| |_|

-= StalkPhish - The Phishing Kit stalker - v0.9.6 =-

2019-06-18 20:56:52,818 - StalkPhish.py - INFO - Configuration file to use: conf/example.conf
2019-06-18 20:56:52,818 - StalkPhish.py - INFO - Database: ./test/db/StalkPhish.sqlite3
2019-06-18 20:56:52,818 - StalkPhish.py - INFO - Main table: StalkPhish
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Files directory: ./test/files/
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Download directory: ./test/dl/
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Declared Proxy: socks5://127.0.0.1:9050

2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Starting trying to download phishing kits sources...
2019-06-18 20:56:55,086 - download.py - INFO - [200] http://donnarogersimagery.com/wp-includes/pomo/login.alibaba.com/
2019-06-18 20:56:56,925 - download.py - INFO - Alibaba Manufacturer Directory - Suppliers, Manufacturers, Exporters &amp; Importers
2019-06-18 20:56:56,934 - download.py - INFO - trying http://donnarogersimagery.com/wp-includes.zip
2019-06-18 20:57:00,663 - download.py - INFO - trying http://donnarogersimagery.com/wp-includes/pomo.zip
2019-06-18 20:57:04,709 - download.py - INFO - trying http://donnarogersimagery.com/wp-includes/pomo/login.alibaba.com.zip
2019-06-18 20:57:12,643 - download.py - INFO - [DL ] Found archive, downloaded it as: ./test/dl/http__donnarogersimagery.com_wp-includes_pomo_login.alibaba.com.zip
2019-06-18 20:57:12,677 - download.py - INFO - [Email] Found: shaddyokoh@hotmail.com
[...]

SQLite3 database schema

$ sqlite3 ./db/StalkPhish.sqlite3 .schema
CREATE TABLE StalkPhish (siteURL TEXT NOT NULL PRIMARY KEY, siteDomain TEXT, IPaddress TEXT, SRClink TEXT, time TEXT, lastHTTPcode TEXT, StillInvestig TEXT, StillTryDownload TEXT, page_hash TEXT, ASN TEST);
CREATE TABLE StalkPhishInvestig (siteURL TEXT NOT NULL PRIMARY KEY, siteDomain TEXT, IPaddress TEXT, ZipFileName TEXT, ZipFileHash TEXT, FirstSeentime TEXT, FirstSeenCode TEXT, LastSeentime TEXT, LastSeenCode TEXT, PageTitle TEXT, extracted_emails TEXT);

SQLite3 ‘main’ table sample example

$ sqlite3 ./db/StalkPhish.sqlite3 'select * from StalkPhish'
https://detoerreoejne.dk/|detoerreoejne.dk|145.239.118.80|https://urlscan.io/result/5b34a3c8-5737-43a4-aad1-87730aff71a8|Tue Jun 18 19:46:25 2019|200||Y|a65b00058ccc76657864fa74accaac5c0b46fa04|16276
https://www.facebook.com/PayPal/?_rdc=1&_rdr|www.facebook.com|157.240.21.35|https://urlscan.io/result/6a0cb6d9-193a-4581-899b-1a24f77ad941|Tue Jun 18 19:46:29 2019|200||Y|14014fdef8dc11407fc4985dc2f35ab73d9cf4b0|32934
https://medium.com/@jhonrabig/watch-ambitions-season-1-episode-1-online-free-720px-9e3eebeab5e4|medium.com|104.16.120.127|https://urlquery.net/report/eb23e4fc-8684-400b-b0e4-df044c5914da|Tue Jun 18 19:46:40 2019|200||Y|27049fba4d5aea74e94b237213e93f33c8e90ee2|13335
https://www.casualfilms.com/|www.casualfilms.com|104.17.128.180|https://urlquery.net/report/c39f40fb-c72f-493d-9b3b-867cbf855659|Tue Jun 18 19:46:43 2019|200||Y|8dfbac8bddd37bb719bf34e7aa60b22714af6b88|13335
https://filecloud.filecloudonline.com/url/j4dja8pupuydjwiz?shareto=secure_message@icradvisor.com|filecloud.filecloudonline.com|34.197.99.39|https://urlquery.net/report/b6ea7ed4-1e77-4688-bd5f-fcb093d5ef62|Tue Jun 18 19:46:45 2019|200||Y|ebddf102f6ac72be2632a5778daf3848509a8901|14618

SQLite3 ‘investigation’ table sample example

$ sqlite3 ./db/StalkPhish.sqlite3 'select * from StalkPhishInvestig'
http://crm.simumak.com/custom/MDP1/aHR0cHM6Ly9jZnNwYXJ0LmltcG90cy5nb3/aWEyLXp1LW1hcGkvamF2YXguZmFjZXMucmVzb3VyY2UvY29tcG9uZW50cy5jc3MueGh0bWw/bG49cHJpbWVmYWNlcyZ2PTYuMQ/Formulaire/72ce7|crm.simumak.com|199.89.53.193|||Sun Jun 16 01:03:24 2019|200|||Particuliers | authentification|
http://muviarts.in/ourtime/ourtimepge|muviarts.in|104.18.54.33|http__muviarts.in_ourtime_ourtimepge.zip|afd48d3db735e861f6a048132b62a4deecfc32a89269b192edbc709563855417|Sun Jun 16 01:03:33 2019|200|Sun Jun 16 01:03:33 2019|200|OurTime.com - The 50+ Single Network|youremailname@domain.com, rzult@otbox.ag
http://twitter-signin.com/|twitter-signin.com|96.47.237.56|||Sun Jun 16 01:03:42 2019|200|||เข้าสู่ระบบทวิตเตอร์ / ทวิตเตอร์|
https://servymain.cl/wp/wp-content/uploads/DP|servymain.cl|200.63.103.27|||Sun Jun 16 01:03:56 2019|200|||Dropbox | Access your documents from any device|

Configuration file

I invite you to read the conf/example.conf file for precise tuning configuration. Some configurable parameters are:

• search: External source keywords to search for
• log_file: The logging file (the path and file will be created if don’t exist)
• Kits_download_Dir: Directory to store downloaded phishing kits archives
• sqliteDB_tablename: Main database table
• sqliteDB_Investig_tablename: Investigation table with useful information for investigations
• http_proxy: HTTP/Socks5 proxy to use for downloads
• UAfile: HTTP user-agents file to use for phishing kits HTTP Get information

Docker

Build an start the container with docker-composer:

$ cd docker/
$ docker-compose up --build -d

The container is configured to keep interesting files into the host’s /tmp directory.

You can now execute shell and launch StalkPhish:

$ docker exec -ti stalkphish sh
/ # cd /opt/StalkPhish/stalkphish/
/opt/StalkPhish/stalkphish # ./StalkPhish.py -c conf/example.conf

Demo video

ReelPhish – A Real-Time Two-Factor Phishing Tool