Last active
February 18, 2024 20:00
-
-
Save lawndoc/f5afb2a9920d9e19700392834e36f2a1 to your computer and use it in GitHub Desktop.
Punish Phisher
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import argparse | |
| import grequests | |
| import random | |
| import requests | |
| import string | |
| import sys | |
| from urllib.request import urlopen | |
| def spam_creds( | |
| user_agents:list, | |
| usernames:list, | |
| domains:list, | |
| passwords:list, | |
| url:list, | |
| schema:str = "email:{},password:{}", | |
| count:int = 1000000, | |
| fizzbuzz:bool = True, # sprinkle in numbers for more realistic usernames | |
| testing:bool = False # test single request for validity | |
| ): | |
| ua_sz = len(user_agents) | |
| un_sz = len(usernames) | |
| dm_sz = len(domains) | |
| pw_sz = len(passwords) | |
| for i in list(range(count)): | |
| header = { | |
| 'User-Agent': "'" + user_agents[random.randrange(0,ua_sz)] + "'", | |
| } | |
| email = usernames[random.randrange(0,un_sz)] | |
| if fizzbuzz: | |
| if i % 3 == 0: | |
| email += str(random.randrange(0,9)) | |
| if i % 5 == 0: | |
| email += str(random.randrange(0,9)) | |
| if i % 7 == 0: | |
| email += str(random.randrange(0,9)) | |
| if i % 11 == 0: | |
| email += str(random.randrange(0,9)) | |
| email = email + "@" + domains[random.randrange(0,dm_sz)] | |
| password = passwords[random.randrange(0,pw_sz)] | |
| data = "{" + schema.format(email, password) + "}" | |
| if not testing: | |
| try: | |
| r = grequests.post(url, data = data, allow_redirects=False, headers=header) | |
| except requests.exceptions.RequestException as e: | |
| print(f"Exception: {e}\nContinuing...") | |
| continue | |
| print(f"{str(i)}/{count} - {email}:{password}") | |
| else: | |
| print(f"URL - {url}") | |
| print(f"HEADER - {header}") | |
| print(f"BODY - {data}") | |
| r = requests.post(url, data = {schema[0]:email,schema[1]:password}, allow_redirects=False, headers=header) | |
| print(f"[{r.status_code}] - {email}:{password}") | |
| if __name__ == "__main__": | |
| parser = argparse.ArgumentParser() | |
| parser.add_argument("-a", "--user-agents", help="file containing list of user agents") | |
| parser.add_argument("-c", "--count", help="how many fake credentials to post", type=int, default=1000000) | |
| parser.add_argument("-d", "--domain", help="create fake email addresses from a specific domain") | |
| parser.add_argument("-e", "--email-schema", help="name of the email parameter passed to the URL", default="email") | |
| parser.add_argument("-f", "--extra-fields", help="extra fields required in the POST request") | |
| parser.add_argument("-p", "--password-schema", help="name of the password parameter passed to the URL", default="password") | |
| parser.add_argument("-t", "--testing", help="test a single request for validity", action="store_true") | |
| parser.add_argument("url", help="URL where the phishing page POSTs credentials") | |
| args = parser.parse_args() | |
| if not args.user_agents: | |
| print("error: the following arguments are required: --user-agents") | |
| exit(1) | |
| if args.user_agents == "-": | |
| # Get user agent list from stdin (ex: ua -t computer -l 100 | ...) | |
| user_agents = [user_agent.strip() for user_agent in sys.stdin] | |
| else: | |
| with open(args.user_agents, "r") as f: | |
| user_agents = [user_agent.strip() for user_agent in f.readlines.split("\n")] | |
| usernames = [name.decode().strip() for name in urlopen("https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/Names/names.txt")] | |
| passwords = [password.decode().strip() for password in urlopen("https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/hak5.txt")] | |
| if args.domain: | |
| domains = [args.domain] | |
| fizzbuzz = False | |
| else: | |
| # frequency analysis from https://corp.inntopia.com/email-domain-update-2017/ | |
| domains = \ | |
| (["gmail.com"] * 29) + \ | |
| (["yahoo.com"] * 17) + \ | |
| (["hotmail.com"] * 10) + \ | |
| (["aol.com"] * 7) + \ | |
| (["comcast.com"] * 4) + \ | |
| ["live.com"] + \ | |
| ["outlook.com"] + \ | |
| ["msn.com"] + \ | |
| ['protonmail.com'] | |
| fizzbuzz = True | |
| schema = args.email_schema + ":{}, " + args.password_schema + ":{}" | |
| if args.extra_fields: | |
| schema += ", " + args.extra_fields | |
| if args.testing: | |
| count = 1 | |
| else: | |
| count = args.count | |
| try: | |
| spam_creds(user_agents, usernames, domains, passwords, args.url, schema, count, fizzbuzz, args.testing) | |
| except KeyboardInterrupt: | |
| sys.exit(130) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
spam_creds.py
Spam a phishing page form with a million fake credentials in seconds.
user agents
Currently needs to be a fed a list of user agents.
from file:
python3 spam_creds.py 'https://www.example.com/submit.php' -u user_agents.txtfrom stdin via projectdiscovery/useragent:
pip requirements
additional options
Use
-hto see all command line options.