Social Attacker是第一个开源的多站点自动化社交媒体钓鱼框架。它允许你通过处理目标的连接和消息,在大规模范围内自动化钓鱼社交媒体用户。
你只需向Social Attacker提供钓鱼邮件和目标配置文件列表(通过手动或Social Mapper)。然后,在你设置的时间范围内,它会尝试连接到该目标,如果目标接受,则会向它们发送钓鱼邮件。另外,它还可以收刮(scrape)目标的公共配置文件历史,并使用基本的消息生成来创建一个特定于该人的个人消息,作为向所有目标发送相同网络钓鱼的替代方案。
Social Attacker支持以下社交媒体平台:
VKontakte
其他特性包括:
组织的名称,通过LinkedIn搜索
一个命名图像文件夹
一个CSV文件,其中包含在线图像的名称和URL
Social Attackers的使用类似于Social Mapper,因此如果你熟悉该工具,应该很容易就能上手。
Social Attacker主要针对的是渗透测试人员和红队队员,他们可以使用它来对目标社交媒体配置文件进行网络钓鱼。以下是为大家提供的一些简单思路:
创建详细的HTML报告,显示你的组织员工如何对添加它们的随机帐户做出反应,并向他们发送链接以点击各种社交媒体平台。
“Friend”并连接到你的目标,这样你就可以直接向他们发送植入或宏文档的链接。最近的统计显示,社交媒体用户点击链接和打开文档的几率是通过电子邮件发送的用户的两倍多。
为各个社交媒体网站创建自定义的网络钓鱼活动。将它们重定向到看上去更加正式和逼真的登录表单凭据获取界面,或是由你控制的托管exploitkit或Metasploits浏览器自动执行的站点。
通过一些虚假的优惠活动或优惠券,骗取用户的电子邮件和电话号码,以用于后续进一步的钓鱼攻击活动。
由于这是一个基于Python的工具,理论上它应该在Linux,ChromeOS(开发者模式)和macOS上运行。主要的依赖项有Firefox,Selenium和Geckodriver。请按照以下四个步骤安装并设置该工具:
1. 安装最新版本的Mac OS Mozilla Firefox:
https://www.mozilla.org/en-GB/firefox/new/
或对于Debian/Kali(Ubuntu除外)获取Firefox的非ESR版本:
sudo add-apt-repository ppa:mozillateam/firefox-next && sudo apt update && sudo apt upgrade
确保新版本的Firefox在path中。如果不在请手动添加它。
2. 为你的操作系统安装Geckodriver,并确保它在path中。在Mac上你可以将它安装在/usr/local/bin下,在ChromeOS上你可以将它安装在/usr/local/bin下,在Linux上你可以将它安装在/usr/bin下。
在这里下载最新版的Geckodriver:
https://github.com/mozilla/geckodriver/releases
3. 安装所需的库:
在Linux和macOS上:
git clone https://github.com/Greenwolf/social_attacker
cd social_attacker/setup
python -m pip install --no-cache-dir -r requirements.txt
在Mac上查看setup/setup-mac.txt文件,以获取其他一些附加的xquartz安装说明。
4. 为Social Attacker提供登录社交媒体服务的凭据:
打开social_attacker.py并将社交媒体凭据输入到文件顶部的全局变量中。
5. 对于Facebook,请确保你提供凭据帐户的语言在运行期间设置为“English (US)”。此外,请确保你的所有帐户都正常工作,并且无需双因素身份验证即可登录。
Social Attacker使用必需和可选参数的组合从命令行运行。你可以指定选项,例如启用自定义网络钓鱼邮件生成(-mm),设置添加后网络钓鱼前的等待时间以及指定目标网站。
要启动工具,必须提供4个参数,即输入格式,输入文件或文件夹以及基本运行模式:
-f, --format : Specify the function to perform 'prepare'(gather LinkedIn connection degrees for a company), 'add'(everyone on list),'check'(who has accepted the request),'generate'(unique phish messages),'phish'(all that have accepted),'addphish'(Add & Phish everyone on list) or 'checkclicks'(to see who has clicked the links)
-i, --input : The name of the csv file containing links to profiles, must include columns with header titled "Full Name","LinkedIn","Facebook","Twitter","Vkontakte" or the social attacker csv with tracking IDs if using the checklicks option
此外,至少包括以下一个或多个要检查的社交媒体站点:
-a, --all : Selects all of the options below and phishes on every site that Social Attacker has credentials for
-fb, --facebook : Perform defined function on Facebook
-tw, --twitter : Perform defined function on Twitter
-li, --linkedin : Perform defined function on LinkedIn
-vk, --vkontakte : Perform defined function on VKontakte
除了以上的必选参数外,你还可以设置其他可选参数,为Social Mapper的运行方式添加其他自定义:
-m, --message : Sets the default message to send to each user as a phish.
-mm, --markovmessage: The phishing link to be appended to the end of a custom message generation attempt
-ml, --markovlength : The max length of custom message generation, best to keep short and snappy (default 140 chars)
-w, --wait : Set the time in hours between adding targets and sending them a phishing message when using the 'addphish' function. For example you may want to wait 24 or 48 hours to give targets time to accept connection requests.
-wl, --weblogs : The web logs generated by sa_server.py (social_attacker_server.log), which can be parsed to extract clicks and user agents. This is needed to generate a final HTML report.
以下是针对不同用例的几个运行示例:
Prepare your linkedin account for connecting to a company to help alleviate 3rd degree requirements
python3 social_attacker.py -f prepare -i "https://www.linkedin.com/company/example-company/" -li
Adding/Connecting to Facebook & LinkedIn users
python3 social_attacker.py -f add -i social_mapper_results.csv -fb -li
Checking which Facebook & LinkedIn user have accepted the connection and can be phished
python3 social_attacker.py -f check -i social_mapper_results.csv -fb -li
Phish users with set message. The string [TRACKING_ID] is overwritten for each phish with a unique 5 character HEX string to tracking purposes.
python3 social_attacker.py -f phish -i social_mapper_results.csv -fb -li -m "Hey come download this file https://greenwolf.com/macro.doc?t=[TRACKING_ID]"
Perform adding and phishing in one go, with delay between in hours(48h in this case for 2 days).
python3 social_attacker.py -f addphish -i social_mapper_results.csv -fb -li -w 48 -m "Hey come download this file https://greenwolf.com/macro.doc?t=[TRACKING_ID]"
Generate unique custom markov messages for each user based on timeline/post history (only for users who have accepted add requests). This is output to a csv file for review/editing, Where Markov cant be generated it is displayed with "-", these will be replaced with the set standard message (-m) when phishing later.
python3 social_attacker.py -f generate -i social_mapper_results.csv -fb -li
Same as above but set the max custom message length to 100 characters instead the default 140.
python3 social_attacker.py -f generate -i social_mapper_results.csv -fb -li -ml 100
Phish users by feeding in the csv output from the 'generate' command. Needs a -mm field with the link to be appended to the end of the message, or overwrite another link mid message. Also needs a default message to fall back to.
python3 social_attacker.py -f phish -i social_attacker_markov_results.csv -fb -li -mm "https://greenwolf.com/macro.doc?t=[TRACKING_ID]" -m "Hey come download this file https://greenwolf.com/macro.doc?t=[TRACKING_ID]"
Perform adding and phish in one go with custom markov messages enabled, no review process here though, enjoyed the twitterese & chaos!
python3 social_attacker.py -f addphish -i social_mapper_results.csv -fb -li -w 48 -mm "https://greenwolf.com/macro.doc?t=[TRACKING_ID]" -m "Hey come download this file https://greenwolf.com/macro.doc?t=[TRACKING_ID]"
Generate a final phishing html report. This displays has clicked on your links if you instructed social_attacker.py to include a [TRACKING_ID] in your phishing messages. It requires a specfic log output from sa_server.py, so make sure you are writing logs in the same format if you use IIS or Apache etc. Feed in your phishing results and this log file to generate your report. This function has features to discount automated crawlers which will poison your logs.
python3 social_attacker.py -f checkclicks -i social_attacker_phish_results.csv -wl apache-logs.txt
Social Attacker提供了一个轻量级的python HTTPS Web服务器,可以使用SSL证书进行设置(请参阅get-a-ssl-certificate.txt)。该服务器非常易于使用,例如,你可以将ssl证书放在与sa_server.py相同的目录中,它将覆盖web文件夹中的项目。
你还可以使用–file参数强制提供文件。例如,’–file macro.doc’将强制从这两个地址点击到macro.doc链接。
Server all items in the web folder on port 443
python3 sa_server.py -p 443
Force all visitors to download macro.doc
python3 sa_server.py -p 443 --file macro.doc
如果你希望使用其他服务器类型,同时生成HTML报告,则日志需要采用以下格式:
IP - datetime timezone - User Agent - Command Path
head -n 5 social_attacker_server.log
10.10.10.10 - 2019-06-18 01:46:29 GMT - User-Agent: curl/7.54.0 - GET /macro.doc
11.11.11.11 - 2019-06-18 02:09:32 GMT - User-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3 - GET /macro.doc
12.12.12.12 - 2019-06-18 02:09:32 GMT - User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G920V Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36 - GET /
12.12.12.12 - 2019-06-18 02:09:32 GMT - User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G920V Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36 - GET /robots.txt
10.10.10.10 - 2019-06-18 02:09:32 GMT - User-Agent: curl/7.54.0 - GET /macro.doc
社交媒体网站经常会更改其页面格式和类名称,如果Social Attacker在特定网站上无法工作,请查看文档部分,以获取有关如何修复它的解答及建议。另外,你也可以随时向我们提交pull request,感谢支持!
*参考来源:GitHub,FB小编secist编译,转载请注明来自FreeBuf.COM