Using python to get revenge on an evil phishing website!
- Added 26. 06. 2024
- Join this channel to get access to perks:
/ @cybrzone
This video shows how to use Burp Suite to intercept POST requests and then use Python to flood POST requests to the malicious domain!
Code
github.com/CybrZone/phishkiller
czcams.com/video/FDiLptM1pQs/video.html UPDATE
2 easy upgrades to make their life much harder is generating unique emails and passwords, the other one is using asynchronous requests so you can send hundreds per second instead of one by one. If they're also checking what ip the data is coming from you'd also have to diversify that, otherwise it's extremely easy to filter out all the bogus requests.
Will use asynchronous requests next time.
a large proxy pool on automatic rotation above my pay grade
@adambamf9365 lovely idea 😂
Also, would want to make it over random periods of time, so it wouldn't be easy to just remove the recent submissions
Not all heroes wear capes!
yes he is a legend
I really appreciate everyone that has/is contributing to the project. There is a lot of good in the world. Old family members of mine have been defrauded in the past with similar things so I take these quite personally lol.
It would be perfect if you create random emails every time.
Yeah, that'd be amazing. Could easily do that too. lol
and spread it into multiple days so they can't just delete it conveniently. maybe add some variations too to make it harder
but you know the req comes from the same ip address?
@antagonist4823 just use a rotating proxy
@antagonist4823 this and same data... takes 1 query to clean the database...
Nice Video! One thing I notice is that everyone just floods forms with the same info over and over. The only problem is if they export the data into something like Microsoft Excel or Google Sheets they can very easily delete all of the data that you put in. What I would have done is created a list and have it randomly pick from a list of fake emails and passwords then submit it.
or iterate through a number of positions (10) to put a random letter from the alphabet + @ + again random + . + random domain.
same for the password. have fun filtering them :D
This is BEAUTIFUL. You could also pipe your traffic through proxychains with tor configured (super ez setup) and they wouldn't be able to filter you from their traffic even if they wanted
Do you have any pages with an easy tutorial?
Less likely, you'd be flooding the nodes and the traffic would be slower. He can use a spoofer tho
@alphacat9663 true, this could possibly cause issues given tor is a bit slower than surface web. Crude solution would just be to put some time delays in. Or use non tor proxies. There are big lists regularly updated on github, although free proxies are quite slow too
Tor exit nodes are very easy to filter since their addresses are public information.
this was a super fun video ! love your sense of humor and how hacking can be used for good!
I don't know much python but these will really help:
1 - multi threading
2 - generate fake email:pass into a .txt, and split each line with ":", then you can iterate over each line and get yourself an email and password and submit the request
3 - I doubt this goofy website will ever ban your ip, but it's a possibility, in that case we can use proxies
Bro you can do this with python with a library called faker, it's generating fake data like names, emails and passwords.
Hey man, love the video. I'm a python lover and have seen people work on scripts like this so wanted to sit down and make a crazy one. Going to make a branch on your github with full credit of course. Love the vid, keep it up :)
just checked the github, i love where this is going hahaha nice job
Just made a PR that adds dynamic user agents, async, and proxy support. Happy phishkilling
What would have been better is if you randomized the email and password for each request being sent. That way the people hosting it would have had to dig through thousands of fake details to even get access to someone's account. Probably would do this using TOR as well.
nice work but you should have used some randomly generated emails/password as getting rid of same responses would be super easy
I improved some parts of the script but can't publish my branch. Is it a problem on my end or on the repo?
You may also do it with multithreading (if it has some cdn anti ddos protection, make some new proxy connections each time), and as some people wrote here in the comments, generate a new password and email.
Things like Gophish attach credentials to an ip address, wouldn't you need to be changing ip address every time for this to actually be effective?
You can optimize it using Multi Threading with the Threading library cuz that's builtin in python 3, that can cause much trouble to the Phisher Website. You can even take down that website using a DoS Script in python 3
Your channel may be dead, but you've won a subscriber now.❤
awesome video mate
This would be a fun project to learn python in and get some random fake user data api's in
Improvements you could do:
* Use a library like faker to generate a fake email name@domain
* Better show progress, e.g. show a count
* Multi threading ( thx @VoltVentures )
Apart from that cool video
threading!!
@VoltVentures yeah, I forgot. Great suggestion
I know it's rate limited but could you not just send this request to intruder and load a password and username list as if you were going to brute force the login and send it? You can even tunnel Burp through tor via proxychains. Am I wrong here? I am still learning.
You would probably also need to randomize the IPs sending requests, otherwise they could also filter out responses from your network. And as you said, obviously the data submitted would have to be more realistic as well. Oh and the user-agent..
Cool demo anyways though man 💜
true, this is just a basic demo anyway. Mainly showing burp suite. Hopefully this becomes a bigger project as other people are already contributing.
What about the user agent? Could you please tell something about that?
@apoorvmitthu they could use .htaccess file to block specific user agents.
@CybrZone Or just filter out all the user-agents that spammed the server with fake data too - either way it's a nice demo to just teach the basic concept :)
@CybrZone yes, but it's not a very good idea to "show" here on youtube very complex attacking code - some people would be able to do some bad things :) Every even slightly experienced hacker will be able to make this script more sophisticated, and add more functions! :) But yes, your videos are very useful and good! Keep doing it, and good luck :)
I had a similar one and what I did in the Python script was make the email and password random with random intervals between posting the data and also IP changes using auto IP changer. The reason was making it harder for them to delete the data from their database, assuming they used SQL-like databases. So eventually I posted so much data that they took down the whole link possibly to make a new one 😁😉
The module faker can create fake but realistic looking emails and passwords
You should make it add random entries, now they could filter out the duplicates
I've been doing something similar with the phishing links I get, but with the faker library, and usually with more fields: name, email, password, credit card, address, etc
Great video! Glad to see someone using their skills for good. Just wondering if I can have your permission to make a video about this? and obviously give you credit, just added a function to generate random emails and a couple extra parameters for the different data keys. I also offered some guidance on where to find phishing links to experiment with. Let me know.
Of course, I’m doing an update video including some of this as well. Code has changed massively now thanks to everyone
Can they remove the entries after a particular time, so that they can still have the access to the already phished data?
yes they can, that's why it's a good idea to not use multi threading or just keep doing some post requests from time to time, just because they won't notice it
nice work!
I will contribute
Next time add a little bit of randomness so they can't get rid of it, like use a dictionary for email domains, use a dictionary for local part and so on. Nice video BTW, punish em real hard.😁😁
How do you find the phishing links?
I like the idea of you wanting to stop scammers, but using the same email address (especially an unrealistic one, as you took) and password is easily detectable. Not only that, as soon as the scammer sees there's like 1000s of entries with that certain email, they will simply match and replace that data. Instead, you could be trying to work on a bot that randomizes the email and password every time. Even better would be emails that seem like they could be real, to make their life even harder. For example, you could take a list of first names and last names, and shuffle email addresses with that.
You should: Thread the requests & try to use php injection on form parts(email || password) :)
maybe add 'While True' for automation and then try temp mail for fake emails and a wordlist for passwords
You could improve this by using the faker library to create realistic and varied submissions, which would be better than having all submissions the same, as the bad actor can easily bulk delete similar submissions
use threads to send multiple request per second
My friend, I asked you for help and you never replied
There's a lot of malware in minecraft mods on youtube. Because I'm pretty decent at reading bytecode (and most aren't even hiding it) I also nuked quite a few urls. I remember one time the guy had django with debug so I saw the backend code with my ip throwing an error because it was blacklisted lol. I guess I wasn't the first person.
Love the video! Would love to help if there is any ideas or room to help in. Come from backend engineering background and recently decided to switch over onto the cybersecurity side hoping to one day be a top pen tester. Would be great to be of any help to anyone honestly and also welcome any help. So if you need help or anyone else wants to connect with like minded people lmk!
Liked it ❤
Bro there is an extra comma at line number 8
just use the intruder with numbers increasing till 1000 and this will send him 1000 requests to that endpoint.
it needs to be randomized or else they will just drop all the entries with the email or pass
Everybody gangsta until a guy with kali linux starts recording and launching tools
And I have to say that I use arch btw
Lmao
can't u use threading for multiple sends
yep the updated code uses threading
legend! next time make them install a rootkit
I checked the repo, you didn’t include the url link in the repo…
Use threading to send more requests
thank you 👍
You should have used multithreading, but good video 😂
you should have randomized both the email and password, they can easily filter out everything but the credentials you were requesting to the server
good video though
imagine sending request with thousands of threads using the concurrent module
usually that's not a good idea.
depending on the website it's usually better to have a small amount of threads (10 20)
@emptycode1782 it's just a scammer website. usually they don't have bot protection like cloudflare or smt. I had a similar situation before and I had no problem despite sending thousands of requests.
You should add random gmail generator and fake pass generator with random python libs, to insert the script into a while loop until you press a sigint or something like that hahahha
SELECT * FROM table WHERE ip = yours
class mate ,haha
you should have used random emails and passwords, otherwise it is easy to remove this spam from database
parsing a word list and adding random emails / passwords that way would be clutch
i love the idea, but you will need tens if not hundreds of those spamming instances in order to crash a website
You can just do while True and u can make credentials random
Yep code has seen a few improvements.
Will do an update video, now has threads, randomness of emails and names without relying on hardcoded list etc.
Also will have random user agents.
people have helped massively.
@CybrZone Cool!
could have been more devastating if you generated random email strings, that way they cannot just identify which email is real or not, gg nonetheless
If you watched the entire video, that’s exactly what he said…. But he admitted his python skills weren’t that great and left it for anyone with more skill to modify and use as well…
@anthonyschwartz6114 yeah chatgpt can code this script in 5 minutes