• Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Menu
  • Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Search
Close
  • Home
  • 2019
  • July
  • 2
  • StalkPhish – Harvesting Phishing Kits for Investigations.

StalkPhish – Harvesting Phishing Kits for Investigations.

July 2, 2019 Comments Off on StalkPhish – Harvesting Phishing Kits for Investigations.
how to use stalkphish reverse lookup a scammer stalkphish tutorial trace a phisher trace a scammer

StalkPhish is a tool created for searching into free OSINT databases for specific phishing kits URL.

More, StalkPhish is designed to try finding phishing kits sources. Some scammers can’t or don’t remove their phishing kit sources when they deploy it. You can try to find these sources to extract some useful information as: e-mail addresses where is send stolen data, some more information about scammer or phishing kit developer.

From there you can extend your knowledge about the threat and organizations, and get much useful information for your investigations.

Features

  • find URL where a phishing kit is deployed (from OSINT databases)
  • find if the phishing kit is still up and running
  • generate hash of page
  • try to download phishing kit sources (trying to find .zip file)
  • use a hash of the phishing kit archive to identify the kit and threat
  • extract e-mails found in phishing kit
  • use timestamps for history
  • can use HTTP or SOCKS5 proxy (for downloads)
  • add just one url at a time into database
  • store AS number in database
Also read: PhishX – Spear Phishing Tool

OSINT modules

  • urlscan.io search API
  • urlquery.net search web crawler
  • Phishtank free OSINT feed (with or without API key)
  • Openphish free OSINT feed

Requirements

  • Python 3
  • BeautifulSoup4
  • requests
  • PySocks
  • lxml

Upgrade StalkPhish to 0.9.6

Database schema changed (one more time 🙂 for adding the ASnumber, a page hash, and a new column which contains e-mails extracted from Phishing kit’s zip, you can modify your existing database like this:

$ sqlite3 db/StalkPhish.sqlite3 (take care to adapt your tables names)
sqlite> ALTER TABLE StalkPhish ADD COLUMN page_hash TEXT;
sqlite> ALTER TABLE StalkPhish ADD COLUMN ASN TEXT;
sqlite> ALTER TABLE StalkPhishInvestig ADD COLUMN extracted_emails TEXT;

Upgrade StalkPhish v0.9 to v0.9.2 (or later)

To update StalPhish v0.9 database, please change your DB schema, to add a new column, like this:

$ sqlite3 db/StalkPhish.sqlite3
sqlite> ALTER TABLE Investigation_Table_Name ADD COLUMN PageTitle TEXT;

Install

Install the requirements

pip3 install -r requirements.txt

Help

$ ./StalkPhish.py -h

  _____ _        _ _    _____  _     _     _
 / ____| |      | | |  |  __ \| |   (_)   | |    
| (___ | |_ __ _| | | _| |__) | |__  _ ___| |__  
 \___ \| __/ _` | | |/ /  ___/| '_ \| / __| '_ \ 
 ____) | || (_| | |   <| |    | | | | \__ \ | | |
|_____/ \__\__,_|_|_|\__\|    |_| |_|_|___/_| |_|

-= StalkPhish - The Phishing Kit stalker - v0.9.6 =-


    -h --help       Prints this help
    -c --config     Configuration file to use (mandatory)
    -G --get        Try to download zip file containing phishing kit sources (long and noisy)
    -N --nosint         Don't use OSINT databases
    -u --url        Add only one URL

Basic usage

$ ./StalkPhish.py -c conf/example.conf 

  _____ _        _ _    _____  _     _     _
 / ____| |      | | |  |  __ \| |   (_)   | |    
| (___ | |_ __ _| | | _| |__) | |__  _ ___| |__  
 \___ \| __/ _` | | |/ /  ___/| '_ \| / __| '_ \ 
 ____) | || (_| | |   <| |    | | | | \__ \ | | |
|_____/ \__\__,_|_|_|\__\|    |_| |_|_|___/_| |_|

-= StalkPhish - The Phishing Kit stalker - v0.9.6 =-

2019-06-18 21:01:16,234 - StalkPhish.py - INFO - Configuration file to use: conf/example.conf
2019-06-18 21:01:16,234 - StalkPhish.py - INFO - Database: ./test/db/StalkPhish.sqlite3
2019-06-18 21:01:16,234 - StalkPhish.py - INFO - Main table: StalkPhish
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Files directory: ./test/files/
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Download directory: ./test/dl/
2019-06-18 21:01:16,235 - StalkPhish.py - INFO - Declared Proxy: socks5://127.0.0.1:9050

2019-06-18 21:01:16,236 - StalkPhish.py - INFO - Proceeding to OSINT modules launch
2019-06-18 21:01:19,102 - urlscan.py - INFO - Searching for 'paypal'...
2019-06-18 21:01:27,460 - urlscan.py - INFO - https://icovil.com/ icovil.com 51.255.74.219 https://urlscan.io/result/25f6bd07-6fac-49af-a6b3-17cbd5fa937c Tue Jun 18 21:01:19 2019 200
2019-06-18 21:01:30,747 - urlscan.py - INFO - http://www.mcseaonline.org/?page_id=4911 www.mcseaonline.org 108.166.135.154 https://urlscan.io/result/a37700f1-86fd-41b2-8c16-5e9b693b7ac8 Tue Jun 18 21:01:27 2019 200
t/38327c8b-a1b9-4919-8037-ddf88238c16c Tue Jun 18 21:03:13 2019 timeout
2019-06-18 21:03:25,836 - urlquery.py - INFO - http://www.killerknuts.com/ www.killerknuts.com 107.180.58.58 https://urlquery.net/report/d9d48c99-dfe5-4002-8a8a-08d44d71ffc2 Tue Jun 18 21:03:20 2019 timeout
2019-06-18 21:03:33,757 - urlquery.py - INFO - https://www.crowdholding.com/ www.crowdholding.com 34.214.183.67 https://urlquery.net/report/b9a09c39-50df-4709-a709-bbcb897c7b96 Tue Jun 18 21:03:25 2019 timeout
2019-06-18 21:03:46,524 - urlquery.py - INFO - http://downlinebooster.ontraport.com/c/s/JZH/jc8b/6/ji/xlj/6hq0Nr/zWarhzzuCJ/P/P/P downlinebooster.ontraport.com 209.170.211.179 https://urlquery.net/report/dc3aa6b1-be7b-409b-8890-7dad962d6063 Tue Jun 18 21:03:33 2019 200
[...]

Advanced usage (find phishing kits sources)

$ ./StalkPhish.py -c conf/example.conf -G -N

  _____ _        _ _    _____  _     _     _
 / ____| |      | | |  |  __ \| |   (_)   | |    
| (___ | |_ __ _| | | _| |__) | |__  _ ___| |__  
 \___ \| __/ _` | | |/ /  ___/| '_ \| / __| '_ \ 
 ____) | || (_| | |   <| |    | | | | \__ \ | | |
|_____/ \__\__,_|_|_|\__\|    |_| |_|_|___/_| |_|

-= StalkPhish - The Phishing Kit stalker - v0.9.6 =-

2019-06-18 20:56:52,818 - StalkPhish.py - INFO - Configuration file to use: conf/example.conf
2019-06-18 20:56:52,818 - StalkPhish.py - INFO - Database: ./test/db/StalkPhish.sqlite3
2019-06-18 20:56:52,818 - StalkPhish.py - INFO - Main table: StalkPhish
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Files directory: ./test/files/
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Download directory: ./test/dl/
2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Declared Proxy: socks5://127.0.0.1:9050

2019-06-18 20:56:52,819 - StalkPhish.py - INFO - Starting trying to download phishing kits sources...
2019-06-18 20:56:55,086 - download.py - INFO - [200] http://donnarogersimagery.com/wp-includes/pomo/login.alibaba.com/
2019-06-18 20:56:56,925 - download.py - INFO - Alibaba Manufacturer Directory - Suppliers, Manufacturers, Exporters &amp; Importers
2019-06-18 20:56:56,934 - download.py - INFO - trying http://donnarogersimagery.com/wp-includes.zip
2019-06-18 20:57:00,663 - download.py - INFO - trying http://donnarogersimagery.com/wp-includes/pomo.zip
2019-06-18 20:57:04,709 - download.py - INFO - trying http://donnarogersimagery.com/wp-includes/pomo/login.alibaba.com.zip
2019-06-18 20:57:12,643 - download.py - INFO - [DL ] Found archive, downloaded it as: ./test/dl/http__donnarogersimagery.com_wp-includes_pomo_login.alibaba.com.zip
2019-06-18 20:57:12,677 - download.py - INFO - [Email] Found: [email protected]
[...]

SQLite3 database schema

$ sqlite3 ./db/StalkPhish.sqlite3 .schema
CREATE TABLE StalkPhish (siteURL TEXT NOT NULL PRIMARY KEY, siteDomain TEXT, IPaddress TEXT, SRClink TEXT, time TEXT, lastHTTPcode TEXT, StillInvestig TEXT, StillTryDownload TEXT, page_hash TEXT, ASN TEST);
CREATE TABLE StalkPhishInvestig (siteURL TEXT NOT NULL PRIMARY KEY, siteDomain TEXT, IPaddress TEXT, ZipFileName TEXT, ZipFileHash TEXT, FirstSeentime TEXT, FirstSeenCode TEXT, LastSeentime TEXT, LastSeenCode TEXT, PageTitle TEXT, extracted_emails TEXT);

SQLite3 ‘main’ table sample example

$ sqlite3 ./db/StalkPhish.sqlite3 'select * from StalkPhish'
https://detoerreoejne.dk/|detoerreoejne.dk|145.239.118.80|https://urlscan.io/result/5b34a3c8-5737-43a4-aad1-87730aff71a8|Tue Jun 18 19:46:25 2019|200||Y|a65b00058ccc76657864fa74accaac5c0b46fa04|16276
https://www.facebook.com/PayPal/?_rdc=1&_rdr|www.facebook.com|157.240.21.35|https://urlscan.io/result/6a0cb6d9-193a-4581-899b-1a24f77ad941|Tue Jun 18 19:46:29 2019|200||Y|14014fdef8dc11407fc4985dc2f35ab73d9cf4b0|32934
https://medium.com/@jhonrabig/watch-ambitions-season-1-episode-1-online-free-720px-9e3eebeab5e4|medium.com|104.16.120.127|https://urlquery.net/report/eb23e4fc-8684-400b-b0e4-df044c5914da|Tue Jun 18 19:46:40 2019|200||Y|27049fba4d5aea74e94b237213e93f33c8e90ee2|13335
https://www.casualfilms.com/|www.casualfilms.com|104.17.128.180|https://urlquery.net/report/c39f40fb-c72f-493d-9b3b-867cbf855659|Tue Jun 18 19:46:43 2019|200||Y|8dfbac8bddd37bb719bf34e7aa60b22714af6b88|13335
https://filecloud.filecloudonline.com/url/[email protected]|filecloud.filecloudonline.com|34.197.99.39|https://urlquery.net/report/b6ea7ed4-1e77-4688-bd5f-fcb093d5ef62|Tue Jun 18 19:46:45 2019|200||Y|ebddf102f6ac72be2632a5778daf3848509a8901|14618

SQLite3 ‘investigation’ table sample example

$ sqlite3 ./db/StalkPhish.sqlite3 'select * from StalkPhishInvestig'
http://crm.simumak.com/custom/MDP1/aHR0cHM6Ly9jZnNwYXJ0LmltcG90cy5nb3/aWEyLXp1LW1hcGkvamF2YXguZmFjZXMucmVzb3VyY2UvY29tcG9uZW50cy5jc3MueGh0bWw/bG49cHJpbWVmYWNlcyZ2PTYuMQ/Formulaire/72ce7|crm.simumak.com|199.89.53.193|||Sun Jun 16 01:03:24 2019|200|||Particuliers | authentification|
http://muviarts.in/ourtime/ourtimepge|muviarts.in|104.18.54.33|http__muviarts.in_ourtime_ourtimepge.zip|afd48d3db735e861f6a048132b62a4deecfc32a89269b192edbc709563855417|Sun Jun 16 01:03:33 2019|200|Sun Jun 16 01:03:33 2019|200|OurTime.com - The 50+ Single Network|[email protected], [email protected]
http://twitter-signin.com/|twitter-signin.com|96.47.237.56|||Sun Jun 16 01:03:42 2019|200|||เข้าสู่ระบบทวิตเตอร์ / ทวิตเตอร์|
https://servymain.cl/wp/wp-content/uploads/DP|servymain.cl|200.63.103.27|||Sun Jun 16 01:03:56 2019|200|||Dropbox | Access your documents from any device|

Configuration file

I invite you to read the conf/example.conf file for precise tuning configuration. Some configurable parameters are:

  • search: External source keywords to search for
  • log_file: The logging file (the path and file will be created if don’t exist)
  • Kits_download_Dir: Directory to store downloaded phishing kits archives
  • sqliteDB_tablename: Main database table
  • sqliteDB_Investig_tablename: Investigation table with useful information for investigations
  • http_proxy: HTTP/Socks5 proxy to use for downloads
  • UAfile: HTTP user-agents file to use for phishing kits HTTP Get information

Docker

Build an start the container with docker-composer:

$ cd docker/
$ docker-compose up --build -d

The container is configured to keep interesting files into the host’s /tmp directory.

You can now execute shell and launch StalkPhish:

$ docker exec -ti stalkphish sh
/ # cd /opt/StalkPhish/stalkphish/
/opt/StalkPhish/stalkphish # ./StalkPhish.py -c conf/example.conf

Demo video

StalkPhish v0.9.6 running video

ReelPhish – A Real-Time Two-Factor Phishing Tool

Post navigation

Dockernymous – Create a Whonix-like gateway environment with Docker Containers
Most Important Mobile Application Penetration Testing Cheat sheet with Tools & Resources for Security Professionals

Related Articles

PyBeacon - A Collection Of Scripts For Dealing With Cobalt Strike Beacons In Python

PyBeacon – A Collection Of Scripts For Dealing With Cobalt Strike Beacons In Python

- Hack Tools
March 4, 2021
SharpSphere - .NET Project For Attacking vCenter

SharpSphere – .NET Project For Attacking vCenter

- Hack Tools
March 4, 2021
dockle: Container Image Linter for Security

dockle: Container Image Linter for Security

- Hack Tools
March 4, 2021
hacker gadgets
hacker phone covers

Recent Posts

PyBeacon - A Collection Of Scripts For Dealing With Cobalt Strike Beacons In Python

PyBeacon – A Collection Of Scripts For Dealing With Cobalt Strike Beacons In Python

March 4, 2021
CVE-2021-21978: VMware View Planner Remote Code Execution Vulnerability Alert

CVE-2021-21978: VMware View Planner Remote Code Execution Vulnerability Alert

March 4, 2021
SharpSphere - .NET Project For Attacking vCenter

SharpSphere – .NET Project For Attacking vCenter

March 4, 2021
remote denial of server

CVE-2021-26708: Linux kernel vulnerabilities enabled local privilege escalation alert

March 4, 2021
dockle: Container Image Linter for Security

dockle: Container Image Linter for Security

March 4, 2021
vulnerable active directory

DynamicLabs: Windows & Active Directory Exploitation

March 4, 2021

Social Media Hacking

SocialPath – Track users across Social Media Platforms

SocialPath – Track users across Social Media Platforms

- Social Media Hacking
October 16, 2019October 16, 2019

SocialPath is a django application for gathering social media intelligence on specific username. It checks for Twitter, Instagram, Facebook, Reddit...

SocialScan – Check Email Address and Username Availability on Online Platforms

SocialScan – Check Email Address and Username Availability on Online Platforms

June 17, 2019
Shellphish – Phishing Tool For 18 Social Media Apps

Shellphish – Phishing Tool For 18 Social Media Apps

June 10, 2019July 27, 2019
WhatsApp Hacking using QRLJacking

WhatsApp Hacking using QRLJacking

May 2, 2019May 19, 2019
How to Hack any Facebook Account with Z-Shadow

How to Hack any Facebook Account with Z-Shadow

April 26, 2019June 29, 2020
hacker buffs
ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Menu
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Live Chat
RESOURCES
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Menu
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Get Started
TOOLBOX
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Menu
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook
Twitter
Google-plus
Wordpress
Please wait...

Join Our Community

Subscribe now and get your free HACKERS HANDBOOK

Don't Worry ! You will not be spammed
SIGN UP FOR NEWSLETTER NOW