使用httphish.py能快速克隆网站并启动HTTP服务器发布该网站
使用httphish.py能快速克隆网站并启动HTTP服务器发布该网站
Python Web爬虫
共73Star
详细介绍
httphish
Quick phishing website HTTP server demo in Python 3 - httphish.py
Disclaimer
This script only serves to be an example of how technically unsophisticated phishing attacks really are. Thus, it is for educational purposes only. It would be better used as an educational demo than as a pentester's tool, as it lacks many features and more complex websites don't work (see bottom).
Features
- Only one Python 3 script with no dependencies!
- Log all GET/POST data sent by visitors (such as login credentials).
- Quickly implement other known phishing techniques :
- Redirect users to the original website when a form is filled.
- Inject an autofill phisher into each user-fillable forms on the page. Please see anttiviljami's demo for more details.
- Prefill
<input>
fields from URL parameters. - Inject a page-wide Javascript keylogger.
The wget
command is currently required to download websites, so this feature only works on Linux. I will probably eventually add OS detection and use Invoke-WebRequest from PowerShell on Windows, but for now, please download websites manually. (Pull requests are welcome!)
How to use
Install
Clone this git repository to download the necessary files and run the script:
git clone https://github.com/thom-s/httphish
cd httphish
sudo python3 httphish.py
Update
Update this frequently as it is under active development and new modules are frequently added.
cd httphish
git pull
Demo
Video is out-of-date as some modules are missing.
Prompts
Setup
- Whether you want to download the webpage with
wget
or if you have manually saved it to the/web
folder.- If you use
wget
it will also ask you :- The full URL to download (ex:
http://www.github.com/login
) - Whether to use the default user agent for wget or enter a custom one. (You can see the default one in the code)
- The full URL to download (ex:
- If you want to manually download it, simply create a folder named
web
next to the script and save index.html in it.
- If you use
- The IP/domain to redirect all GET/POST requests to. If any files cannot be served statically, it will redirect (HTTP 308) the request there. (ex:
www.github.com
) - Whether to edit
index.html
with a customaction=""
path, which will return HTTP 303 instead of the default 308.- This will force the browser to do a GET request intead of forwarding the POST request.
- If this is done, the POST request will be saved to
logs/forms.txt
Optional modules
You will then be asked if you want to use any of the following modules :
- Whether to inject autofill phishing into
index.html
- Please see anttiviljami's demo for more details.
- You can edit the phished fields in config/autofill.html
- Whether to prefill fields with GET parameters.
- Use the following URL syntax :
127.0.0.1/index.html#id=value&id2=value2
- You can see the script injected in config/form_prefill.js
- Use the following URL syntax :
- Whether to inject a page-wide Javascript keylogger.
- Saves all keys page-wide to
/logs/keys.txt
- Injects the config/page_keylogger.js script
- Saves all keys page-wide to
HTTP Server
You will then be prompted to press Enter to launch the HTTP server.
Browse to your own IP address (or localhost) and you will see a cloned version of the website.
When you are done, press CTRL+C to close the HTTP server and end the script.
Before running it again, simply run cleanup.py to delete the /web
and logs
folders :
sudo python3 cleanup.py
Logs
All logs are saved in the logs
folder, which will be created when the script launches. The following files will be saved :
logs/forms.txt
: If a custom HTTP 303 redirect is chosen, all the POST data received will be written there.logs/post.txt
: All POST data received.logs/get.txt
: All GET data received.logs/logs.txt
: Every info output by this script.logs/keys.txt
: Every keys stored by the optional JavaScript keylogger module.
Takeaways
What system administrators can take away from this, is how technically simple convincing phishing attacks can be. Thankfully, a combination of security measures should be able to stop these attacks :
- Email spam filters
- Two factor authentication
- User security training
These methods combined with other common network security measures will be able to mitigate any security incidents related to phishing.
Troubleshooting
Currently, this script only works on simple pages with <form>
logins. It might also work on some dynamically loaded pages if they aren't too complex.
- Some websites that do not work when you automatically download them might work if you manually save them.
- Some websites won't respond to requests directed to their IP, so try entering the domain instead (or vice-versa).
- Some lazy-loaded content simply doesn't work.
- If a website doesn't work, use inspect element and look under the network tab. The issue is probably some dynamic requests being broken because the site is too complex.
- In some cases, this can be fixed by changing the IP/domain to redirect GET/POST requests to.
- In most cases, you would have to manually modify the files and choose to not automatically download the file.
Website examples
Working websites
Working websites will generally have very simple login forms and not much dynamically loaded content. Here are some I tested.
- http://www.github.com/login
- http://www.linkedin.com/
- http://www.facebook.com
- http://old.reddit.com/login
Partially working websites
These sites will work, but some content might not get loaded.
Broken websites
For most broken websites, dynamically loaded content will be the issue. Here's some websites I found did not work.
-
0 Star
-
0 Star
-
2001 Star
-
0 Star
-
340 Star
-
387 Star
-
1393 Star