Introducing Kit Hunter, a phishing kit detection script | Salted Hash, Ep. 40

It's one thing to tell administrators they need to detect kits fast; it's better to offer something that helps.

Today's post is a bit different, personal really. Over the last few months, I've attempted to learn something new, and I selected Python to be that thing. It's a slow process.

So, what's my point? Well, lately I've released a number of videos where I show phishing kits from the victim's perspective as well as the administrator's.

They're a useful awareness guide, and for some administrators, an interesting look into the kit's operation. I've gotten some really solid feedback on them, and I plan to keep doing them.

However, something was missing. In each video, I've stated how important it is for administrators to detect these kits as quickly as possible.

So, since I was already learning Python, I thought it would be neat to code something that would help administrators search their web servers for phishing kits, because the quicker they can be detected, the less of a problem they are in the long term.

It wasn't an easy process, and I had a lot of help, but Kit Hunter works as expected. Better than expected really. It caught the kits I tested it with, and then other kits that were not part of the sample set. I'm pleased by the results and excited to share the code.

What is Kit Hunter?

Kit Hunter is a basic Python script that will run on Linux and Windows (works fine on Mac too). It was tested on Python 2.7, but there are some kinks to work out before it will run on the 3.x branch. That's my next project to tackle.

What does Kit Hunter do?

When you run Kit Hunter it searches web directories for phishing kits based on common kit elements listed in the tags file. These elements are phishing kit mechanics (e.g. geolocation scripts); branding (e.g. script author names, crew names, or kit names); and security (e.g. block lists, bounce commands, and obfuscation techniques).

The tags file is already populated with several common markers.

Kit Hunter will search all the folders and sub-folders for .txt, .php, .htm, .html, .dat, and .htaccess files, and compare the contents of those files with the tags list. If there is a match, it logs the results. These filetypes were chosen because they are commonly used in most of the phishing kits we've seen over the last year or so. However, Kit Hunter will be an ongoing project, so as things change, the code will be adjusted to deal with it.

The log itself is the most interesting aspect of the script. It has context.

The log is split into blocks, and each tag generates a block if there is a match. Within a block, the results are grouped by directory location and then by file. So, if a tag is found in multiple folders and files, they're all going to appear in that tag's block.

Finally, the block will show the exact line of code where the tag was discovered, so you can see at a glance if something is suspicious.
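To make the search-and-log flow above concrete, here is a small scanner of my own that follows the same idea. This is an added example, not Kit Hunter's code, and it is written for Python 3 rather than the 2.7 branch the script was tested on. It walks a directory tree, reads only the file types the post lists (.txt, .php, .htm, .html, .dat and .htaccess), checks every line against a tag list, and renders a log grouped by tag, then directory, then file, with the matching line and its number. The tags (`SAMPLE_TAGS`), the file names and the file contents are constructed sample data for the demo, not markers from the real tags file; the `ExampleCrew` name and the 192.0.2.0/24 addresses are placeholders.

```python
"""Added example: a minimal tag-based phishing-kit scanner in the spirit of
Kit Hunter. Not the project's own code; tags and sample files are constructed."""
import os
import tempfile

# File types the post says Kit Hunter inspects. .htaccess has no extension,
# so it is matched by name rather than by suffix.
EXTENSIONS = {".txt", ".php", ".htm", ".html", ".dat"}
SPECIAL_NAMES = {".htaccess"}

# Constructed sample tags, grouped by the categories the post describes.
# Matching is a case-insensitive substring test.
SAMPLE_TAGS = [
    ("mechanics", "geoip"),          # geolocation lookups
    ("security", "blacklist"),       # visitor block lists
    ("security", "deny from"),       # .htaccess blocking rules
    ("security", "base64_decode"),   # obfuscated content
    ("branding", "examplecrew"),     # placeholder crew name (constructed)
]

# Constructed sample web root. The .js file contains a tag but must be skipped
# because .js is not one of the scanned file types.
SAMPLE_FILES = {
    "public/index.html": "<html><body>Welcome</body></html>\n",
    "public/login/index.php": (
        "<?php\n"
        "include 'blacklist.php';\n"
        "$country = geoip_country_code_by_name($_SERVER['REMOTE_ADDR']);\n"
        "$page = base64_decode($blob);\n"
        "header('Location: https://example.com/');\n"
    ),
    "public/login/blacklist.php": "<?php\n$blacklist = array('192.0.2.1');\n",
    "public/login/.htaccess": "Order allow,deny\nDeny from 192.0.2.0/24\n",
    "public/login/config.dat": "author=ExampleCrew\n",
    "public/assets/geo.js": "// geoip helper: ignored, .js is not scanned\n",
}


def wanted(filename):
    """True if this file name is one of the types the scanner reads."""
    base = os.path.basename(filename)
    if base in SPECIAL_NAMES:
        return True
    return os.path.splitext(base)[1].lower() in EXTENSIONS


def scan(root, tags):
    """Walk root and return {tag: {relative_dir: {file: [(lineno, line), ...]}}}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in files:
            if not wanted(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    lines = fh.readlines()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            for lineno, line in enumerate(lines, 1):
                low = line.lower()
                for tag in tags:
                    if tag.lower() in low:
                        (hits.setdefault(tag, {})
                             .setdefault(rel_dir, {})
                             .setdefault(name, [])
                             .append((lineno, line.rstrip("\r\n"))))
    return hits


def render_log(hits, tags):
    """One block per matched tag; inside it, directory, then file, then lines."""
    out = []
    for category, tag in tags:
        if tag not in hits:
            continue
        out.append("=== [%s] %s ===" % (category, tag))
        for directory in sorted(hits[tag]):
            out.append("  %s/" % directory)
            for filename in sorted(hits[tag][directory]):
                out.append("    %s" % filename)
                for lineno, line in hits[tag][directory][filename]:
                    out.append("      %d: %s" % (lineno, line))
        out.append("")
    return "\n".join(out)


def demo():
    """Write the constructed tree into a temp directory, scan it, return hits."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan(root, [tag for _category, tag in SAMPLE_TAGS])


if __name__ == "__main__":
    print(render_log(demo(), SAMPLE_TAGS))
```

Run it as-is and it prints the grouped log for the sample tree; point `scan()` at a real web root and your own tag list to use it for anything more. Two design choices mirror the post: the file-type filter keeps the scan fast but means anything saved under another extension (the .js file here) is never read, and a hit is only a line worth looking at, not a verdict, which is why the log carries the exact line rather than just a count.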

Thing is, if you get a hit, it is certainly worth spending a few seconds investigating.

So that's it for show and tell. If you want to play with Kit Hunter, it's available now on my GitHub.

https://github.com/SteveD3

If you find Kit Hunter useful, feel free to reach out and let me know.
