Categories: Kali Linux

CredSniper – Phishing Framework Written Python and Jinja2

Easily launch a new phishing site fully presented with SSL and capture credentials along with 2FA tokens using CredSniper. The API provides secure access to the currently captured credentials which can be consumed by other applications using a randomly generated API token.

CredSniper Benefits

  • Fully supported SSL via Let’s Encrypt
  • Exact login form clones for realistic phishing
  • Any number of intermediate pages
    • (i.e. Gmail login, password and two-factor pages then a redirect)
  • Supports phishing 2FA tokens
  • API for integrating credentials into other applications
  • Easy to personalize using a templating framework

Also Read Androl4b – Android Security Virtual Machine

Basic Usage

usage: credsniper.py [-h] –module MODULE [–twofactor] [–port PORT] [–ssl] [–verbose] –final FINAL –hostname HOSTNAME

optional arguments:
  -h, --help           show this help message and exit
  --module MODULE      phishing module name - for example, "gmail"
  --twofactor          enable two-factor phishing
  --port PORT          listening port (default: 80/443)
  --ssl                use SSL via Let's Encrypt
  --verbose            enable verbose output
  --final FINAL        final url the user is redirected to after phishing is done
  --hostname HOSTNAME  hostname for SSL

Credentials

.cache : Temporarily store username/password when phishing 2FA

.sniped : Flat-file storage for captured credentials and other information

API End-point

  • View Credentials (GET) https://<phish site>/creds/view?api_token=<api token>
  • Mark Credential as Seen (GET) https://<phish site>/creds/seen/<cred_id>?api_token=<api token>
  • Update Configuration (POST) https://<phish site>/config
 {
    'enable_2fa': true,
    'module': 'gmail',
    'api_token': 'some-random-string'
 }

Modules

All modules can be loaded by passing the --module <name> command to CredSniper. These are loaded from a directory inside /modules. CredSniper is built using Python Flask and all the module HTML templates are rendered using Jinja2.

  • Gmail: The latest Gmail login cloned and customized to trigger/phish all forms of 2FA
    1. modules/gmail/gmail.py: Main module loaded w/ –module gmail
    2. modules/gmail/templates/error.html: Error page for 404’s
    3. modules/gmail/templates/login.html: Gmail Login Page
    4. modules/gmail/templates/password.html: Gmail Password Page
    5. modules/gmail/templates/authenticator.html: Google Authenticator 2FA page
    6. modules/gmail/templates/sms.html: SMS 2FA page
    7. modules/gmail/templates/touchscreen.html: Phone Prompt 2FA page

GMAIL UPDATE: Google requires a backup form of 2FA when using U2F. Bypassing U2F is possible by forcing one of the fall-back options instead of prompting the user to use their U2F device. CredSniper attempts to force SMS if it’s available otherwise it forces TOTP. For security savvy victims, they may be weary if they are prompted for the SMS or TOTP token instead of their U2F device.

  • Example: An example module that demonstrates standard phishing w/ 2FA tokens
    1. modules/example/example.py: Main module loaded w/ –module example
    2. modules/example/templates/login.html: Standard login form
    3. modules/example/templates/twofactor.html: Standard 2FA token form

 

R K

Recent Posts

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

2 hours ago

MODeflattener – Miasm’s OLLVM Deflattener

MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…

2 hours ago

My Awesome List : Tools And Their Functions

"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…

2 hours ago

Chrome Browser Exploitation, Part 3 : Analyzing And Exploiting CVE-2018-17463

CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…

2 hours ago

Chrome Browser Exploitation, Part 1 : Introduction To V8 And JavaScript Internals

The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…

2 hours ago

Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…

5 hours ago