Feed random data to phishers to make their forms useless. For academic purposes only.
"""Feed random data to some host in an attempt to throw off phishers.""" | |
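# This attack is best carried out via a distributed network or several
# concurrent IP addresses. Use a VPN if available.
import urllib2
import urllib
import json
import time
import random

# Modify payload and target.
# `host` must be the exact URL the phishing form POSTs to. Phishing kits are
# frequently hosted on compromised third-party sites, so confirm what the URL
# actually serves before pointing the script at it.
cookie = "PHPSESSID=example"
host = "https://example.com"
userHeaders = {
    'User-Agent': ('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) '
                   'Gecko/20100101 Firefox/12.0'),
    'Referrer': 'https://google.com',
}

# The 'name' attribute as shown in the HTML, sent as key in HTTP POST request.
unameType = "username"
pwnameType = "password"

# Number of submissions to make, and how long to wait on a single request
# before giving up (seconds). Without a timeout one stalled connection would
# block the whole run.
REQUEST_COUNT = 100
REQUEST_TIMEOUT = 30

# Specify filenames for random username/password lists.
# For usernames:https://github.com/maryrosecook/commonusernames
# For passwords: https://wiki.skullsecurity.org/Passwords
userfile = "filename/here"
passfile = "filename/here"


def _read_wordlist(path):
    """Return the non-blank lines of `path`, trailing whitespace removed.

    Blank lines are dropped so a stray empty line in a wordlist never turns
    into an empty username or password in a submission.
    """
    with open(path) as handle:
        return [line.rstrip() for line in handle if line.strip()]


# Then read them in as lists.
userlist = _read_wordlist(userfile)
passlist = _read_wordlist(passfile)

# random.choice() raises IndexError on an empty sequence; fail up front with a
# message that names the actual problem instead.
if not userlist or not passlist:
    raise SystemExit("Username or password list is empty; nothing to send.")

# Perform attack.
print(" -- Attack initialised, starting... --")
for _ in range(REQUEST_COUNT):
    # Fake "stealth" inputs by randomly staggering attacks.
    time.sleep(random.randint(1, 20))

    # Create the payload and send it.
    fakeUser = random.choice(userlist)
    fakePass = random.choice(passlist)
    data = urllib.urlencode({unameType: fakeUser, pwnameType: fakePass})
    req = urllib2.Request(host, data, headers=userHeaders)
    req.add_header("Cookie", cookie)

    try:
        resp = urllib2.urlopen(req, timeout=REQUEST_TIMEOUT)
    except Exception as e:
        # Best-effort loop: report the failure and move on to the next
        # submission. urllib2 raises HTTPError for 4xx/5xx responses, so those
        # land here as well. str(e) is used because not every exception
        # carries a `.message` attribute.
        print("Failed, reason: " + str(e))
    else:
        # Only claim success when the request actually completed, and release
        # the connection instead of leaving it to the garbage collector.
        resp.close()
        print(" > Sent fake request with data '" +
              str(fakeUser) + "': '" + str(fakePass) + "'.")

print(" -- Attack completed. --")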