When zip is extracted it's often possible to see a txt file where the activity is logged. For companies automating recuperation of such informations could be great.

Yes

Originally posted by @KCHARGING in #26 (comment)

Hi,

Just an idea

As an enhancement, could be an configuration option to add an output into the config to allow this to write out to a JSON file or even a CSV.

Looking at how i can ingest this information into an Elastic instance the sqlite db using a plugin there is the following requirement: "Any tables being watched must have an id column that is monotonically increasing"

Having the option to output to a file such as just would allow a beat agent (filebeat) to simple read and send the file with no further modification required.

As I use another script for that (no published for now) I think we can extract, automaticaly, e-mails of actors when a phishing kit is downloaded.

We can create a smaller container using alpine:latest image instead of Phusion.

I am trying gathering Phishing kits using StalkPhish. It is working very well.
But I have an trouble and think that I report the trouble.
Timeout parameter of requests.get is not working sometimes.
One requests.get in StalkPhish is not ended more than hours oftenly.

Reference : https://stackoverflow.com/questions/53242211/python-requests-timeout-not-working-properly

Hi,

Not sure if i am missing something here,

Running on Ubuntu Server 16.04,

When try run i get the following

Traceback (most recent call last):
File "./StalkPhish.py", line 26, in
from tools.utils import VerifyPath
File "/home/[username]/StalkPhish/stalkphish/tools/utils.py", line 13, in
from ipwhois.net import Net
ImportError: No module named 'ipwhois'

When i look in the modules i dont see anything for ipwhois. I can comment this out in the utils.py to work but then clearly i wont get the ipwhois data

Cheers

StillTryDownload is set to 'Y' even when the network, or proxy, connection is down.

https://mail.google.com/mail/mu/mp/501/#cv/Spam/186f4da1239b74e7

For the moment StalkPhish only download the first zip file which appear in 'Ziplst' list. Should download all those zip files.

When download.py script try to catch a zipfiles protected by a captcha system, the zip file is created and declared in database, but this file is not a zipfile (HTML file most of the time)... this is not what I'm (probably you are) looking for.
It needs a file verification before writing to disk and declare into DB.

hello .. i'm getting this error:

[!!!] ConfParser Error: (<class 'configparser.DuplicateOptionError'>, While reading from 'conf/example.conf' [line 35]: option 'http_proxy' in section 'CONNECT' already exists, <traceback object at 0x7f9dab3fab90>)
Traceback (most recent call last):
File "StalkPhish.py", line 321, in ConfAnalysis
DBfile = CONF.DBfile
AttributeError: 'ConfParser' object has no attribute 'DBfile'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "StalkPhish.py", line 358, in main
ConfAnalysis(ConfFile)
File "StalkPhish.py", line 351, in ConfAnalysis
LOG.error("ConfAnalysis error " + str(err))
NameError: name 'LOG' is not defined

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "StalkPhish.py", line 418, in
main()
File "StalkPhish.py", line 411, in main
LOG.error("Main error " + str(err))
NameError: name 'LOG' is not defined

When you use -u option of StalkPhish (add unique url) the ASN number is quoted in database, it should not.

When building docker container with docker-compose up --build -d Tor is not started.

Hi,
Can you add OSINT module Criminal IP?

Criminal IP to provide Probability of Phishing URL

An exception error occured when PageTitle can't be retrieved because the connection to URL timeouts.
2019-06-10 11:41:59,384 - download.py - ERROR - Get PageTitle Error: http://webmail.microsoftwindows10techsupport.com:2095/(<class 'requests.exceptions.ConnectTimeout'>, ConnectTimeout(MaxRetryError("SOCKSHTTPConnectionPool(host='webmail.microsoftwindows10techsupport.com', port=2095): Max retries exceeded with url: / (Caused by ConnectTimeoutError(<urllib3.contrib.socks.SOCKSConnection object at 0x7fb9e1323eb8>, 'Connection to webmail.microsoftwindows10techsupport.com timed out. (connect timeout=5)'))")), <traceback object at 0x7fb9e0eb21c8>)

What could be the cause of this and how to solve it?

[root@instance-20190708-2326 stalkphish]# python3 StalkPhish.py -c conf/example.conf

/ | | | | | | __ | | () | |
| ( | |_ __ | | | | |) | | _ | |
__ | / _` | | |/ / /| ' | / | '
__) | || (| | | <| | | | | | _ \ | | |
|/ __,|||_| || |||/| ||

-= StalkPhish - The Phishing Kit stalker - v0.9.8 =-

[!!!] ConfParser Error: (<class 'configparser.MissingSectionHeaderError'>, File contains no section headers.
file: 'conf/example.conf', line: 1
'\ufeff###################################\n', <traceback object at 0x7f2a8926ed48>)
Traceback (most recent call last):
File "StalkPhish.py", line 355, in ConfAnalysis
DBfile = CONF.DBfile
AttributeError: 'ConfParser' object has no attribute 'DBfile'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "StalkPhish.py", line 396, in main
ConfAnalysis(ConfFile)
File "StalkPhish.py", line 388, in ConfAnalysis
LOG.error("ConfAnalysis error " + str(err))
NameError: name 'LOG' is not defined

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "StalkPhish.py", line 460, in
main()
File "StalkPhish.py", line 453, in main
LOG.error("Main error " + str(err))
NameError: name 'LOG' is not defined

For a better view of a threat, or bunch of threats, we could add ASN (Asynchonous System Number) into database.

Not sure what I am missing. I am running this on Ubuntu 4.4.0-131-generic and Python3 (Python 3.5.2 (default, Nov 12 2018, 13:43:14)

StalkPhish - The Phishing Kit stalker - v0.9.5.3 =-

2019-04-15 15:15:26,329 - StalkPhish.py - INFO - Configuration file to use: conf/example.conf
2019-04-15 15:15:26,329 - StalkPhish.py - INFO - Database: ./db/StalkPhish.sqlite3
2019-04-15 15:15:26,330 - StalkPhish.py - INFO - Main table: StalkPhish
2019-04-15 15:15:26,331 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2019-04-15 15:15:26,332 - StalkPhish.py - INFO - Files directory: ./files/
2019-04-15 15:15:26,332 - StalkPhish.py - INFO - Download directory: ./dl/
2019-04-15 15:15:26,333 - StalkPhish.py - INFO - Declared Proxy: None

2019-04-15 15:15:26,333 - StalkPhish.py - ERROR - Main error (<class 'AttributeError'>, AttributeError("'NoneType' object has no attribute 'split'",), <traceback object at 0x7f2cc9d32648>)

pan0pt1c0n/PhishBait#1 (comment)

ue-1631388753

It miss a special warning message when the configuration file specified does not exist.

Receiving the below error when executing StalkPhish on a fresh O/S (Raspbian) install and fresh Git Pull on July 18/2019.

2019-07-18 20:00:39,477 - StalkPhish.py - INFO - Proceeding to OSINT modules launch
2019-07-18 20:00:40,651 - urlscan.py - INFO - Searching for 'webmail'...
2019-07-18 20:00:44,297 - urlscan.py - INFO - hxxps[:]//bad-domain.com bad-domain.com x.x.x.x https://urlscan.io/result/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Thu Jul 18 20:00:40 2019 aborted
2019-07-18 20:00:44,298 - urlscan.py - ERROR - HTML parser Error: table StalkPhish has 8 columns but 10 values were supplied

When scraping PhishTank if you use Tor network Cloudflare will stop the crawler and you will not be able to retrieve informations.

2023-06-03 15:24:23,027 - StalkPhish.py - INFO - Proceeding to OSINT modules launch
2023-06-03 15:24:23,099 - urlscan.py - ERROR - Urlscan connection error: SOCKSHTTPSConnectionPool(host='urlscan.io', port=443): Max retries exceeded with url: /api/v1/search/?q=page.url:webmail%20OR%20page.domain:webmail (Caused by NewConnectionError('<urllib3.contrib.socks.SOCKSHTTPSConnection object at 0x0000022A22AC98B0>: Failed to establish a new connection: [WinError 10054] Une connexion existante a dû être fermée par l’hôte distant'))
2023-06-03 15:24:23,099 - urlscan.py - ERROR - HTML parser Error: name 'HTMLText' is not defined
2023-06-03 15:24:23,140 - urlscan.py - ERROR - Urlscan connection error: SOCKSHTTPSConnectionPool(host='urlscan.io', port=443): Max retries exceeded with url: /api/v1/search/?q=page.url:secure%20OR%20page.domain:secure (Caused by NewConnectionError('<urllib3.contrib.socks.SOCKSHTTPSConnection object at 0x0000022A22AEA2B0>: Failed to establish a new connection: [WinError 10054] Une connexion existante a dû être fermée par l’hôte distant'))
2023-06-03 15:24:23,140 - urlscan.py - ERROR - HTML parser Error: name 'HTMLText' is not defined
2023-06-03 15:24:23,181 - urlscan.py - ERROR - Urlscan connection error: SOCKSHTTPSConnectionPool(host='urlscan.io', port=443): Max retries exceeded with url: /api/v1/search/?q=page.url:email%20OR%20page.domain:email (Caused by NewConnectionError('<urllib3.contrib.socks.SOCKSHTTPSConnection object at 0x0000022A22AEA040>: Failed to establish a new connection: [WinError 10054] Une connexion existante a dû être fermée par l’hôte distant'))
2023-06-03 15:24:23,181 - urlscan.py - ERROR - HTML parser Error: name 'HTMLText' is not defined

Thanks you

When a zip file name to download is > 255 chars, the file can't be write on disk, and no particular message append.

Hi,

Is it possible to perform a phishing kit scan against a single URL, or a given list from a file, instead of passing through the database?

A kind of:
./StalkPhish.py -c conf/example.conf -G http://myurl.example/folder

please help me about error ?

# pip3 install -r requirements.txt
# pip install ipwhois
root@kali:~/Tools/StalkPhish/stalkphish# python3 StalkPhish.py 
Traceback (most recent call last):
  File "StalkPhish.py", line 26, in <module>
    from tools.utils import VerifyPath
  File "/root/Tools/StalkPhish/stalkphish/tools/utils.py", line 13, in <module>
    from ipwhois.net import Net
ModuleNotFoundError: No module named 'ipwhois.net'

It seems that, even if you asked for (in configuration, with keep_files = no), the files get from phishtank or openphish, are never deleted.

When PageTitle can't be retrieved in tools/download.py script, an error occured with this message:
ERROR - Error Downloading zip: argument of type 'NoneType' is not iterable

-= StalkPhish - The Phishing Kit stalker - v0.9.8-3 =-

2022-10-16 06:10:22,488 - StalkPhish.py - INFO - Configuration file to use: conf/example.conf
2022-10-16 06:10:22,489 - StalkPhish.py - INFO - Database: ./db/StalkPhish.sqlite3
2022-10-16 06:10:22,489 - StalkPhish.py - INFO - Main table: StalkPhish
2022-10-16 06:10:22,490 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2022-10-16 06:10:22,491 - StalkPhish.py - INFO - Files directory: ./files/
2022-10-16 06:10:22,491 - StalkPhish.py - INFO - Download directory: ./dl/
2022-10-16 06:10:22,491 - StalkPhish.py - INFO - Declared Proxy: socks5://127.0.0.1:9050

2022-10-16 06:10:22,492 - StalkPhish.py - ERROR - Proxy connection error, exiting!

The Phishing.Database module does not start due to a indentation error in StalkPhish.py

It seem's that we now need an API key to retrieve Phishtank's JSON file (see https://www.phishtank.com/developer_info.php).
I will publish a patch soon, with a new API_key variable.

Hello t4d,

Tried to install StalkPhish on Mac OS X docker.

Have the following error

Step 6/13 : RUN pip3 install --upgrade pip
 ---> Running in f3329252cd17
/bin/sh: pip3: not found
ERROR: Service 'stalkphish' failed to build : The command '/bin/sh -c pip3 install --upgrade pip' returned a non-zero code: 127

Nice end of week-end and stay safe you and your family

Eric

It seems that when you try to declare a unique URL (with -u option), if this URL does not start with "http|s://" an Invalid or Missing Requests schema occured.

Hello,
i have this error, can you help me.

2023-05-30 16:24:07,135 - StalkPhish.py - INFO - Configuration file to use: .\stalkphish\conf\example.conf
2023-05-30 16:24:07,135 - StalkPhish.py - INFO - Database: ./db/StalkPhish.sqlite3
2023-05-30 16:24:07,136 - StalkPhish.py - INFO - Main table: StalkPhish
2023-05-30 16:24:07,158 - StalkPhish.py - INFO - Investigation table: StalkPhishInvestig
2023-05-30 16:24:07,166 - StalkPhish.py - INFO - Files directory: ./files/
2023-05-30 16:24:07,167 - StalkPhish.py - INFO - Download directory: ./dl/
2023-05-30 16:24:07,167 - StalkPhish.py - INFO - Declared Proxy: None

2023-05-30 16:24:07,167 - StalkPhish.py - INFO - Proceeding to OSINT modules launch
2023-05-30 16:24:07,547 - urlscan.py - INFO - Searching for 'cliquesante'...
2023-05-30 16:24:08,351 - urlquery.py - INFO - Searching for 'cliquesante'...
2023-05-30 16:24:08,358 - StalkPhish.py - ERROR - Main error (<class 'ImportError'>, ImportError("cannot import name 'DEFAULT_CIPHERS' from 'urllib3.util.ssl_' (C:\Users\merci\PycharmProjects\StalkPhish\venv\lib\site-packages\urllib3\util\ssl_.py)"), <traceback object at 0x000001E7AB431180>)

If the URL retrieved contain only a domain name, StalkPhish will try to download a non existent $DOMAIN/.zip file.