Publishing a website with Python: httphish.py quickly clones a website and starts an HTTP server to publish it

httphish

Quick phishing website HTTP server demo in Python 3 - httphish.py


Disclaimer

This script serves only as an example of how technically unsophisticated phishing attacks really are. Thus, it is for educational purposes only. It is better used as an educational demo than as a pentester's tool, as it lacks many features and more complex websites don't work (see bottom).

Features

Only one Python 3 script with no dependencies!

Log all GET/POST data sent by visitors (such as login credentials).

Quickly implement other known phishing techniques:

Redirect users to the original website when a form is filled.

Inject an autofill phisher into each user-fillable form on the page. Please see anttiviljami's demo for more details.

Prefill fields from URL parameters.

Inject a page-wide Javascript keylogger.

The wget command is currently required to download websites, so this feature only works on Linux. I will probably eventually add OS detection and use Invoke-WebRequest from PowerShell on Windows, but for now, please download websites manually. (Pull requests are welcome!)

How to use

Install

Clone this git repository to download the necessary files and run the script:

git clone https://github.com/thom-s/httphish

cd httphish

sudo python3 httphish.py

Update

Update this frequently as it is under active development and new modules are frequently added.

cd httphish

git pull

Demo

Video is out-of-date as some modules are missing.

Prompts

Setup

Whether you want to download the web page with wget or have manually saved it to the /web folder.

If you use wget it will also ask you:

The full URL to download (ex: http://www.github.com/login)

Whether to use the default user agent for wget or enter a custom one. (You can see the default one in the code)

If you want to manually download it, simply create a folder named web next to the script and save index.html in it.

The IP/domain to redirect all GET/POST requests to. If any files cannot be served statically, it will redirect (HTTP 308) the request there. (ex: www.github.com)

Whether to edit index.html with a custom action="" path, which will return HTTP 303 instead of the default 308.

This forces the browser to make a GET request instead of forwarding the POST request.

If this is done, the POST request will be saved to logs/forms.txt

Optional modules

You will then be asked if you want to use any of the following modules:

Whether to inject autofill phishing into index.html

Please see anttiviljami's demo for more details.

You can edit the phished fields in config/autofill.html

Whether to prefill fields with GET parameters.

Use the following URL syntax: 127.0.0.1/index.html#id=value&id2=value2

You can see the script injected in config/form_prefill.js

Whether to inject a page-wide Javascript keylogger.

Saves all keys page-wide to /logs/keys.txt

HTTP Server

You will then be prompted to press Enter to launch the HTTP server.

Browse to your own IP address (or localhost) and you will see a cloned version of the website.

When you are done, press CTRL+C to close the HTTP server and end the script.

Before running it again, simply run cleanup.py to delete the /web and logs folders:

sudo python3 cleanup.py

Logs

All logs are saved in the logs folder, which will be created when the script launches. The following files will be saved:

logs/forms.txt : If a custom HTTP 303 redirect is chosen, all the POST data received will be written there.

logs/post.txt : All POST data received.

logs/get.txt : All GET data received.

logs/logs.txt : Every info output by this script.

logs/keys.txt : Every key stored by the optional JavaScript keylogger module.

Takeaways

What system administrators can take away from this is how technically simple convincing phishing attacks can be. Thankfully, a combination of security measures should be able to stop these attacks:

Email spam filters

Two factor authentication

User security training

These methods combined with other common network security measures will be able to mitigate any security incidents related to phishing.
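One server-side signal an administrator can add to the measures above follows directly from the redirect behaviour described in the Setup section: when a cloned page forwards a submitted form to the real site with an HTTP 308, the POST method and body are preserved, so the real site's access log contains a POST to its own login endpoint that did not originate from its own page. The monitor below, an added example that is not part of httphish, classifies login POSTs by the host named in their Origin or Referer header. It assumes the Fetch-specification behaviour that a browser following a cross-origin redirect sends `Origin: null` on the forwarded request while the Referer, subject to the page's referrer policy, still names the page that held the form. The log field layout, the hostnames and every sample entry are constructed for this example.

```python
"""Flag login POSTs whose Origin/Referer name a host other than our own.

Added example, not code from httphish. A cloned page that forwards a
filled-in form with HTTP 308 leaves a POST in the real site's log whose
Referer (and an Origin of "null" after the cross-origin redirect) does not
name the real site. Field names, hostnames and sample entries are constructed.
"""
from collections import Counter
from urllib.parse import urlsplit

# Hostnames that may legitimately submit the login form (assumed for this example).
LEGIT_HOSTS = {"www.example-login.test", "example-login.test"}
# Paths that receive login form submissions (assumed for this example).
LOGIN_PATHS = {"/login", "/session"}

# Constructed access-log entries in this example's own field layout.
SAMPLE_LOG = [
    {"ip": "198.51.100.7", "method": "GET", "path": "/login",
     "origin": "", "referer": ""},
    {"ip": "198.51.100.7", "method": "POST", "path": "/login",
     "origin": "https://www.example-login.test",
     "referer": "https://www.example-login.test/login"},
    # Browser following a 308 from a cloned page: POST preserved, Origin becomes
    # "null" after the cross-origin redirect, Referer still names the clone.
    {"ip": "203.0.113.42", "method": "POST", "path": "/login",
     "origin": "null",
     "referer": "http://login.clone-placeholder.test/index.html"},
    # Same, but a strict referrer policy removed the Referer too: ambiguous.
    {"ip": "203.0.113.9", "method": "POST", "path": "/login",
     "origin": "null", "referer": ""},
    # Unrelated POST elsewhere on the site: not a login submission.
    {"ip": "198.51.100.8", "method": "POST", "path": "/search",
     "origin": "https://www.example-login.test", "referer": ""},
]


def source_host(entry):
    """Host named by Origin, else by Referer; None when neither gives one."""
    for header in ("origin", "referer"):
        value = (entry.get(header) or "").strip()
        if value and value.lower() != "null":
            return urlsplit(value).hostname
    return None


def classify(entry, legit_hosts=LEGIT_HOSTS, login_paths=LOGIN_PATHS):
    """Return 'ignore', 'ok', 'cross-origin' or 'no-origin' for one entry."""
    if entry["method"] != "POST" or entry["path"] not in login_paths:
        return "ignore"
    host = source_host(entry)
    if host is None:
        return "no-origin"
    return "ok" if host.lower() in legit_hosts else "cross-origin"


def find_suspicious(entries, legit_hosts=LEGIT_HOSTS, login_paths=LOGIN_PATHS):
    """Group suspicious login POSTs by category and count the foreign hosts."""
    report = {"cross-origin": [], "no-origin": [], "hosts": Counter()}
    for entry in entries:
        verdict = classify(entry, legit_hosts, login_paths)
        if verdict in ("cross-origin", "no-origin"):
            report[verdict].append(entry)
        if verdict == "cross-origin":
            report["hosts"][source_host(entry)] += 1
    return report


if __name__ == "__main__":
    result = find_suspicious(SAMPLE_LOG)
    for host, count in result["hosts"].most_common():
        print(f"{count} login POST(s) referred from foreign host {host}")
    print(f"{len(result['no-origin'])} login POST(s) with no usable Origin/Referer")
```

Entries with neither a usable Origin nor a Referer are reported separately rather than as matches: privacy extensions and strict referrer policies produce the same headers, so they are a weaker signal that is worth counting but not worth alerting on by itself. A host that shows up repeatedly in the cross-origin bucket is the one to take to the takedown or blocklisting process.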

Troubleshooting

Currently, this script only works on simple pages with logins. It might also work on some dynamically loaded pages if they aren't too complex.

Some websites that do not work when you automatically download them might work if you manually save them.

Some websites won't respond to requests directed to their IP, so try entering the domain instead (or vice-versa).

Some lazy-loaded content simply doesn't work.

If a website doesn't work, use inspect element and look under the network tab. The issue is probably some dynamic requests being broken because the site is too complex.

In some cases, this can be fixed by changing the IP/domain to redirect GET/POST requests to.

In most cases, you would have to manually modify the files and choose to not automatically download the file.

Website examples

Working websites

Working websites will generally have very simple login forms and not much dynamically loaded content. Here are some I tested.

Partially working websites

These sites will work, but some content might not get loaded.

Broken websites

For most broken websites, dynamically loaded content will be the issue. Here's some websites I found did not work.
