hadojae / data Goto Github PK

empty form action shouldn't always be skipped

<form id="credentials" method="post" action="">
        <div id="cred_userid_container" class="login_textfield textfield">
            <span class="input_field textfield">
                <label for="cred_userid_inputtext" class="no_display" aria-hidden="true">User account</label>
                <div class="input_border">

If visiting a suspected phishing page and it turns out to be an opendir, try to navigate through the opendir

Seems like this may not get reset properly, also there are some other popups i need to account for and deal with:

--

[+] Popup alert observed: http://aboutthegirl.co.uk is requesting your username and password. The site says: “Secure directory”

[-] This looks like it might be a tech support scam user/password popup, leaving it alone.

[+] Screencapped http://bigstore-sale.com/alert/error.html as 20170523-072514-virustotal-bigstore-sale.com.png

--

[+] Popup alert observed: A script on this page may be busy, or it may have stopped responding. You can stop the script now, open the script in the debugger, or let the script continue.

Script: chrome://browser/content/tabbrowser.xml:761

[+] Popup Alert observed, bypassing...

--

[+] Popup alert observed: http://bunt.truncomp.com is requesting your username and password. WARNING: Your password will not be sent to the website you are currently visiting!

Need to make modifications to the processing of the obfuscation_multimail function

-l (logs)
-p (pcaps)
-s (screencaps)

Add option to cycle through proxies in both bullyblinder and bucklegripper.

Alternatively, explore if there is a way to utilize some vpn services (PIA) without lots of networking changes.

No plan to add a tor option, as I don't believe that's what tor should be used for. If someone wants to wrap in tor, that would be easy enough to wrap in the command line anyways.

Could be interesting to seed actual accounts into bullyblinder for monitoring / tracking purposes

It could be interesting to be able to specify a percentage of real to fake information

It could be useful to read in a csv of u/p to allow for multiple real accounts to be utilized.

It would be useful to log which sites each u/p combo has been submitted to

eg.

python bullyblinder.py -i eth0 --user [email protected] --password mycorppass --ratio 30 --uplog submitted_sites.log -r phish_sites.txt

Traceback (most recent call last):
File "bullyblinder.py", line 1224, in
response = br.submit()
File "/usr/local/lib/python2.7/dist-packages/mechanize/_mechanize.py", line 683, in submit
return self.open(self.click(*args, **kwds))
File "/usr/local/lib/python2.7/dist-packages/mechanize/_mechanize.py", line 674, in click
return self._add_referer_header(request)
File "/usr/local/lib/python2.7/dist-packages/mechanize/_mechanize.py", line 206, in _add_referer_header
scheme = request.get_type()
File "/usr/local/lib/python2.7/dist-packages/mechanize/_urllib2_fork.py", line 187, in get_type
raise ValueError("unknown url type: %s" % self.__original)
ValueError: unknown url type: ../loginsetup.php

or snort i guess. :)

eg.
python bullyblinder.py -i eth0 -u http://phish.com/phish.htm --suri

Add support for

• office docs (doc/docx/xls/xlsx/etc)
• txt
• web
• ?

If our first url doesnt give us a form, go up one dir or try folder default and try again

eg.

First
http://www.blah.com/bdfh/dfh/index3.htm

No form, try folder default

Second
http://www.blah.com/bdfh/dfh/index3.htm

If given path is a folder, go up a dir

First
http://www.blah.com/bdfh/dfh/

Second
http://www.blah.com/bdfh/

kinda old, just need to test

Currently commented out, reimplement, needs logging first

Line 18, in the "sudo pip" command, there is a typo; the last package to be installed via pip is listed as lmxl, but should be "lxml".

Capturing on 'eth0'
Traceback (most recent call last):
File "/home/$user/bullyblinder.py", line 1110, in
if br.geturl().startswith("http"):
File "build/bdist.linux-x86_64/egg/mechanize/_mechanize.py", line 334, in geturl
mechanize._mechanize.BrowserStateError: not viewing any document

Capturing on 'eth0'
Traceback (most recent call last):
File "/home/$user/bullyblinder.py", line 1136, in
response = redirs_and_obfuscations(page, current_url)
File "/home/$user/bullyblinder.py", line 429, in redirs_and_obfuscations
elif br.title() and 'ameli.fr' in br.title():
File "/usr/local/lib/python2.7/dist-packages/mechanize/_mechanize.py", line 459, in title
raise BrowserStateError("not viewing HTML")
mechanize._mechanize.BrowserStateError: not viewing HTML

Hi,

OS: Ubuntu

So when i try and use bucklegripper on a URL (URL is in links.txt) i get this error message in response:
sudo python bucklegripper.py -r links.txt
[sudo] password for user:

.: BUCKLEGRIPPER v0.1 https://github.com/hadojae/DATA :.

[+] Beginning processing of links.txt

[+] Processing http://gateway-taxid-38573.gucaoa.com/returnGB77GS183R
Traceback (most recent call last):
File "bucklegripper.py", line 320, in
main()
File "bucklegripper.py", line 315, in main
mainloop(full, headers, user_agent, source)
File "bucklegripper.py", line 228, in mainloop
selenium_result = do_selenium(full, user_agent, domain, source)
File "bucklegripper.py", line 65, in do_selenium
browser.set_page_load_timeout(15)
File "/usr/local/lib/python2.7/dist-packages/selenium/webdriver/remote/webdriver.py", line 818, in set_page_load_timeout
'type': 'page load'})
File "/usr/local/lib/python2.7/dist-packages/selenium/webdriver/remote/webdriver.py", line 308, in execute
self.error_handler.check_response(response)
File "/usr/local/lib/python2.7/dist-packages/selenium/webdriver/remote/errorhandler.py", line 194, in check_response
raise exception_class(message, screen, stacktrace)
selenium.common.exceptions.WebDriverException: Message: timeouts

I have used bucklegripper several times in the past to scan other URLs but this one always pops up with this error.

Anyone know of a fix?
Edit: DONT visit the webpage that I have tried scanning. This is a known phishing site.

Explore the usefulness of Implementing additional types of hashing first that would precede the need to hash via screencap unless a match is not found. This would be for the purpose of attempting to identify known phish templates

1. ssdeep hash on the raw html content
2. ssdeep hash on the dom contents
3. ssdeep hash of first 250 and last 250 lines of html content

When running slickshoes.sh, the script fails to create (and thus clean up) pdf_links.tmp

This can be fixed by adding the following code to line 16 of slickshoes.sh: touch pdf_links.tmp

Add a processing flag to accept a static file from disk as the input for the form filling for the purposes of dealing with email attachments. This should also utilize rewritten python logic for slickshoes.

This processing method should also support an optional password flag.

Initial commit should have support for PDF, HTML, and Email - (eml/msg)

Commonly see many unescapes in a single page, need to be able to account for decoding more than one

Traceback (most recent call last):
File "/home/$USER/bullyblinder.py", line 1107, in
page = response.read()
File "/usr/local/lib/python2.7/dist-packages/mechanize/_response.py", line 190, in read
self.__cache.write(self.wrapped.read())
File "/usr/lib/python2.7/socket.py", line 355, in read
data = self._sock.recv(rbufsize)
File "/usr/lib/python2.7/httplib.py", line 588, in read
return self._read_chunked(amt)
File "/usr/lib/python2.7/httplib.py", line 648, in _read_chunked
value.append(self._safe_read(amt))
File "/usr/lib/python2.7/httplib.py", line 703, in _safe_read
chunk = self.fp.read(min(amt, MAXAMOUNT))
File "/usr/lib/python2.7/socket.py", line 384, in read
data = self._sock.recv(left)
socket.timeout: timed out

same functionality as in bucklegripper -r