Phishruffus - Intelligent threat hunter and phishing servers

Phishruffus - Intelligent threat hunter and phishing servers

Phishruffus is a tool for identifying DNS servers that are being used for phishing (DNS hijacking / pharming): it asks each listed resolver for the A record of a set of monitored bank domains and flags any answer whose address falls outside the banks' known address ranges as a THREAT.

https://lab.insightsecurity.com.br/phishruffus-intelligent-threat-hunter-and-phishing-servers/

 

Usage:

./phishruffus.py --listdns dns_servers.txt --timeout 5

(--listdns is a text file with one resolver, hostname or IP, per line; --timeout is the total lifetime of each lookup in seconds. Both switches are required.)

Example:

https://asciinema.org/a/144460

 

 

Download: Phishruffus-master.zip

or:

git clone https://github.com/jh00nbr/Phishruffus.git

 

Mirror:

phishruffus.py


#!/usr/bin/env python
# -*- coding: utf-8 -*-

# -------------------------------------------------
# Author: Jhonathan Davi A.K.A jh00nbr
# Insightl4b: lab.insightsecurity.com.br
# jh00nbr: http://jhonathandavi.com.br
# Github: github.com/jh00nbr
# Twitter @jh00nbr
# -------------------------------------------------

import argparse
import json
import os.path
import socket
import subprocess
import sys
from datetime import datetime

import dns.resolver
import requests

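# ANSI escape sequences used to colour the verdict lines written by main().
# 'MAGENTA' used to carry the stray text "Magenta" after the escape code, which
# would have been printed literally; it is now a bare escape like the others.
__colors__ = {'MAGENTA': '\033[35m', 'BLUE': '\033[34m', 'OK': '\033[92m', 'ERRO': '\033[91m', 'WARNING': '\033[93m', 'UNDERLINE': '\033[4m', 'ENDC': '\033[0m'}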

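# Command line.  Both switches are required (the `default` on --listdns is
# therefore inert and kept only for documentation value).
parser = argparse.ArgumentParser(prog='Phishruffus v1.0')
parser.add_argument("-l", "--listdns", help="Set list file DNS Servers", default="dns_servers.conf", required=True)
# type=float rejects a non-numeric timeout at parse time.  Previously the value
# was kept as a string and converted with float() inside check_theat(), where a
# ValueError was swallowed by its broad except and every resolver silently
# came back as "failed" with no indication of why.
parser.add_argument("-t", "--timeout", help="Set timeout", type=float, required=True)
args = parser.parse_args()
if args.timeout <= 0:
    parser.error("--timeout must be a positive number of seconds")
file_servers = args.listdns
timeout = args.timeout  # seconds; total lifetime of each lookup made by check_theat()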

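# Load the resolvers to probe, one per line (hostname or IPv4 literal).  Blank
# lines and '#' comment lines are skipped so that a hand-edited list does not
# hand an empty server name to check_theat().  The file is closed via `with`
# instead of being left to the garbage collector.
if os.path.exists(file_servers):
    with open(file_servers, "r") as server_list:
        dns_servers = [
            line.strip() for line in server_list
            if line.strip() and not line.lstrip().startswith('#')
        ]
else:
    # Say why we are exiting; a bare exit status 1 gave the operator nothing.
    sys.stderr.write("[!] DNS server list not found: {0}\n".format(file_servers))
    sys.exit(1)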

# Banco do Brasil address space that bb.com.br is expected to resolve into,
# expressed as "first three octets" strings (i.e. a /24 match):
# 170.66.0 .. 170.66.254 and 201.33.0 .. 201.33.254 (the .255 third octet is
# intentionally absent in both ranges, as in the original hand-written list).
# NOTE(review): a hard-coded allow-list goes stale; verify these ranges against
# the bank's currently announced netblocks before acting on a THREAT verdict.
white_list_bb = (
    ['170.66.{0}'.format(third_octet) for third_octet in range(255)]
    + ['201.33.{0}'.format(third_octet) for third_octet in range(255)]
)
# Caixa address space that caixa.com.br is expected to resolve into, as
# "first three octets" strings: 200.201.160 .. 200.201.174 (a /24 match each).
# NOTE(review): like white_list_bb, this must be kept in sync with the bank's
# current netblocks or legitimate answers will be reported as THREAT.
white_list_caixa = ['200.201.{0}'.format(third_octet) for third_octet in range(160, 175)]

# The monitored bank domains, queried (A record) against every resolver.
domains = ['{0}.com.br'.format(label) for label in ('bb', 'caixa')]

def banner():
    """Return the multi-line start-up banner that main() prints first."""
    lines = [
        "",
        "\t\t[ Phishruffus v1.0 - Intelligent threat hunter and phishing servers ]",
        "\t\tAuthor: Jhonathan Davi @jh00nbr\tInsightl4b - lab.insightsecurity.com.br",
        "",
        "Phishruffus is a tool designed for the identification of DNS servers and Internet threats used for the illegal practice of phishing.",
        "",
    ]
    return "\n".join(lines)

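def _is_ipv4_literal(host):
    """Return True when *host* is a dotted-quad IPv4 address rather than a hostname."""
    try:
        socket.inet_aton(host)
    except (socket.error, OSError, TypeError, ValueError):
        return False
    # inet_aton also accepts short forms such as '10.1'; insist on four numeric
    # octets so nothing hostname-like is ever mistaken for an address.
    return host.count('.') == 3 and all(part.isdigit() for part in host.split('.'))


def check_theat(dns_server, domains):
    """Ask one resolver for the A record of every monitored domain.

    ``dns_server`` may be a hostname (resolved through the system resolver
    first) or an IPv4 literal (used directly -- the original code looked the
    literal up as a name, which fails, so IP entries in the list never worked).
    Every lookup is bounded by the module-level ``timeout`` (seconds), which is
    now applied before the first query rather than after it.

    Returns a dict with ``dns_server``, ``status`` (True only when every domain
    answered) and, per domain, ``{'ip_response': ..., 'prefixie_response': ...}``
    where ``prefixie_response`` is the first three octets of the answer.  On any
    failure ``status`` is False and ``error`` holds a short description; the
    exception is deliberately not propagated so one dead resolver does not abort
    the whole scan.
    """
    response_threats = {'dns_server': dns_server}
    try:
        resolver = dns.resolver.Resolver()
        resolver.lifetime = float(timeout)
        if _is_ipv4_literal(dns_server):
            resolver.nameservers = [dns_server]
        else:
            # Resolve the resolver's own hostname via the system resolver, then
            # direct all further queries at the addresses that came back.
            resolver.nameservers = [str(rdata.address) for rdata in resolver.query(dns_server)]

        for domain in domains:
            answer = resolver.query(str(domain), 'A')
            # Iterating the Answer yields the rdatas of the final A rrset even
            # when the name is reached through a CNAME chain; the previous
            # ``response.answer[0].items[0].address`` would hit the CNAME rrset
            # in that case and raise.  str() replaces .encode('utf-8'), which
            # produced bytes on Python 3 and broke the split() below.
            ip_response = str(next(iter(answer)).address)
            prefix = '.'.join(ip_response.split('.')[0:3])
            response_threats[domain] = {'ip_response': ip_response, 'prefixie_response': prefix}

        response_threats['status'] = True
    except Exception as exc:  # best effort per resolver; the caller reports it
        response_threats['status'] = False
        response_threats['error'] = '{0}: {1}'.format(type(exc).__name__, exc)
    return response_threats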

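def time():
    """Return the current local wall-clock time as zero-padded strings.

    Returns ``{'hour': 'HH:MM:SS', 'date': 'DD/MM/YYYY'}``.  Zero padding keeps
    the log lines written by main() fixed-width; the previous string
    concatenation emitted values such as ``9:5:3`` and ``3/4/2017``.

    NOTE(review): this is naive local time.  For records that will be
    correlated with other sources a UTC timestamp would be less ambiguous.
    """
    now = datetime.now()
    return {'hour': now.strftime('%H:%M:%S'), 'date': now.strftime('%d/%m/%Y')}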
	
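def get_informations(ip_address, timeout=10):
    """Look up geolocation/ASN data for *ip_address* via the ip-api.com JSON API.

    Returns the decoded JSON object with every value rendered through str().
    Raises ValueError for a value that could alter the request path, and
    ``requests.RequestException`` (including HTTPError) on a failed request.
    ``timeout`` (seconds) bounds the HTTP request; the original had none and
    could hang the scan indefinitely.  Currently not called by main().

    NOTE(review): the request goes over plain HTTP to a third party, so the
    address under investigation -- and the fact that you are investigating it --
    is disclosed in the clear.  Consider that before using it on sensitive cases.
    """
    ip_address = str(ip_address).strip()
    # The value is interpolated into the URL path; refuse anything that could
    # escape the /json/<ip> segment or smuggle a query string or fragment.
    if not ip_address or any(ch in ip_address for ch in '/?#'):
        raise ValueError('invalid address for lookup: {0!r}'.format(ip_address))
    response = requests.get("http://ip-api.com/json/{0}".format(ip_address), timeout=timeout)
    response.raise_for_status()  # a 4xx/5xx body is not a usable record
    data = response.json()  # parse once; the original decoded the body twice
    return {key: str(value) for key, value in data.items()}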

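def main():
    """Scan every resolver in ``dns_servers`` and print a verdict per domain.

    For each resolver, the A answer for every monitored domain is compared with
    the allow-list of the bank that owns that domain: an answer whose first
    three octets are listed prints OK, anything else prints THREAT.  Resolvers
    that could not be queried are reported on stderr instead of being silently
    skipped.  Writes to stdout/stderr; returns nothing.

    NOTE(review): THREAT only means "not in the hard-coded list".  A CDN, a new
    netblock or an out-of-date list produces the same verdict, so confirm a hit
    manually before treating the resolver as malicious.
    """
    print(banner())
    # Each domain is checked only against its own bank's ranges.  The previous
    # version accepted either list for either domain, so bb.com.br pointing
    # into Caixa's block (or the reverse) was reported as OK.
    expected_prefixes = {'bb.com.br': white_list_bb, 'caixa.com.br': white_list_caixa}
    ok_tag = __colors__['OK'] + "OK" + __colors__['ENDC']
    threat_tag = __colors__['ERRO'] + "THREAT" + __colors__['ENDC']

    # Iterate instead of `while dns_servers: ... del dns_servers[0]`, which was
    # O(n^2) and emptied the module-level list as a side effect.
    for dns_server in dns_servers:
        result_check = check_theat(dns_server, domains)
        stamp = time()
        if not result_check['status']:
            reason = result_check.get('error')
            sys.stderr.write("\n[-] [ {0} ] [ {1} ] - DNS Server: [ {2} ] could not be queried{3}\n".format(
                stamp['date'], stamp['hour'], dns_server, ': ' + reason if reason else ''))
            sys.stderr.flush()
            continue

        sys.stdout.write("\n\n[!] [ {0} ] [ {1} ] - DNS Server: [ {2} ]  \n".format(
            stamp['date'], stamp['hour'], result_check['dns_server']))
        for domain in domains:
            prefix = result_check[domain]['prefixie_response']
            ip_address = result_check[domain]['ip_response']
            # A domain with no allow-list is never OK: adding one must be an
            # explicit decision, not a silent pass.
            if prefix in expected_prefixes.get(domain, ()):
                label = __colors__['WARNING'] + domain + __colors__['ENDC']
                verdict = ok_tag
            else:
                label = __colors__['ERRO'] + domain + __colors__['ENDC']
                verdict = threat_tag
            sys.stdout.write("\t[ {0} ] response to --> [ {1} ] \t\t\t\t [ {2} ]\n".format(label, ip_address, verdict))
        sys.stdout.flush()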

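# Script entry point.  The call must be indented under the guard; as pasted it
# sat at column 0, which is an IndentationError before a single line runs.
if __name__ == '__main__':
    main()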

 

 

 

requirements.txt (the script targets the dnspython 1.x `Resolver.query()` API and Python 2 print syntax; dnspython 2.x renamed the call to `resolve()`, so keep the pins below or adapt the script before upgrading)

dnspython==1.15.0
requests==2.18.4

 

Sources:
