Thursday, January 11, 2018

Python script to search open directories for phishing kits and malware

original version from 1/11/2018
https://pastebin.com/raw/Ed2fmmNj

new version from 11/1/2018
https://pastebin.com/raw/Xj5VK0Mb

old version 11/29/2018
https://pastebin.com/raw/dhJusnX4

new version 11/30/2018
https://pastebin.com/raw/T4aA5UhU

import os
import re
import socket
import sys
from urllib.request import urlopen
from urllib.request import urlretrieve
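# Walk every URL listed in urls.txt from its deepest path level up to the
# host root. At each level the script guesses a "<folder>.zip" archive,
# fetches the page, and, when the page is a directory index ("Index of"),
# downloads the .zip and .exe files it links to and reports panel links.
# Results are printed one per line as "kind,url(detail)".
filepath = 'urls.txt'

# urlretrieve() has no timeout argument, so a server that stalls mid-transfer
# would block the whole run. A process-wide socket default bounds every
# blocking socket operation instead. The value is a tunable introduced here,
# not one the original script defined; urlopen() below still passes its own.
DOWNLOAD_TIMEOUT = 10
socket.setdefaulttimeout(DOWNLOAD_TIMEOUT)


def _local_name(name):
    """Reduce a name taken from a remote URL or href to one safe file name.

    The listing page is untrusted input. Only the last path component is
    kept and every character outside ``[A-Za-z0-9._%-]`` becomes ``_``, so
    "../", an absolute path, or a colon (host:port, drive letter) cannot
    steer the write outside the current working directory.
    """
    leaf = name.replace("\\", "/").split("/")[-1]
    leaf = re.sub(r'[^A-Za-z0-9._%-]', '_', leaf).lstrip(".")
    return leaf or "unnamed"


def _href_values(pattern, page):
    """Return the href targets in *page* that match *pattern*, unquoted."""
    return [
        hit.replace('"', '').replace('href=', '').replace('>', '').replace("&amp;", "&")
        for hit in re.findall(pattern, page)
    ]


def _child_url(base, name):
    """Append *name* to *base* with exactly one separating slash."""
    return base + name if base.endswith('/') else base + "/" + name


def _grab(label, url, local):
    """Download *url* to *local* and print a ``label,url`` result line.

    Failures are reported as ``failed<label>,url(error)`` and never abort
    the scan: a missing archive is the expected case.
    """
    try:
        urlretrieve(url, local)
        print(label + "," + url)
    except Exception as e:
        print("failed" + label + "," + url + "(" + str(e) + ")")


def _scan_level(theurl):
    """Probe a single URL level; raises whatever urlopen() raises."""
    domain = theurl.split("//")[-1].split("/")[0]
    currentfolder = theurl.split("/")[-1]

    # Guess an archive named after the current folder, but only when the URL
    # has a path component (the bare host has no folder name to try).
    if not theurl.endswith(".zip") and len(theurl.split("//")[-1].split("/")) > 1:
        _grab("phishkit", theurl + ".zip",
              _local_name(domain) + "___" + _local_name(currentfolder) + ".zip")

    # Close the response explicitly; the scan opens many connections.
    with urlopen(theurl, timeout=3) as html:
        val = html.read()
    # str() of bytes is the b'...' repr, kept as in the original so the
    # regexes below see the same text.
    page = str(val)

    titles = re.findall(r'(?i)<title>(.*?)</title>', page)
    if not titles:
        return
    if not titles[0].startswith('Index of'):
        print("webpage," + theurl + "(" + titles[0] + ")")
        return

    print("opendir," + theurl + "(" + titles[0] + ")")
    for href in _href_values(r'(?i)href\=\"[^\"]+\.zip\"\>', page):
        _grab("phishkit", _child_url(theurl, href),
              _local_name(domain) + "___" + _local_name(href))
    # NOTE(review): executables are stored without the host prefix, so two
    # hosts serving the same file name overwrite each other's sample, and the
    # file keeps its .exe extension on disk; confirm that is intended for
    # the analysis environment this runs in.
    for href in _href_values(r'(?i)href\=\"[^\"]+\.exe\"\>', page):
        _grab("malware", _child_url(theurl, href), _local_name(href))
    # The pattern has a capture group, so only the matched name is returned;
    # these are the link names the author reports as panels.
    for panel in _href_values(r'(?i)href\=\"(panel|webpanel|fre\.php)\"\>', page):
        print("panel," + _child_url(theurl, panel))


with open(filepath) as fp:
    for line in fp:
        theurl = line.strip()
        if not theurl:
            continue  # a blank line would otherwise be probed as "http://"
        if not theurl.startswith('http'):
            theurl = ('https://' if ":443" in theurl else 'http://') + theurl
        if theurl.endswith("/") or theurl.endswith("\\"):
            theurl = theurl[:-1]

        while True:
            try:
                _scan_level(theurl)
            except Exception as e:
                if "no host given" in str(e):
                    break
                print("failedurl," + theurl + "(" + str(e) + ")")
            # Step up one path level. Stop at the scheme, and also when
            # nothing was trimmed (an entry with no "/" would loop forever).
            parent = re.sub(r'\/[^\/]*$', '', theurl)
            if parent == theurl or parent.endswith('http:/') or parent.endswith('https:/'):
                break
            theurl = parent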
