⛧ Church of Malware / PHISH\_HUNTER\_PRO

PHISH_HUNTER_PRO

Advanced phishing investigation and disruption toolkit written in Python

ek0ms_savi0r

IMG_4518

PHISH_HUNTER_PRO is a modular Python toolkit for investigating and disrupting phishing websites.

It includes tools for scanning, form flooding, XSS and SQLi fuzzing, denial-of-service (DoS) disruption, open port scanning, SSL certificate inspection, and metadata analysis.
The framework supports Tor routing, proxy rotation, and integrates with services like Shodan and VirusTotal.

Built for security researchers, OSINT analysts, and defenders tracking malicious infrastructure.

INSTALLATION

Clone the repository

git clone https://github.com/ekomsSavior/PHISH_HUNTER_PRO.git
cd PHISH_HUNTER_PRO

Install required tools and libraries

sudo apt update && sudo apt install tor parallel dirb nmap sublist3r curl python3-requests python3-scapy -y
sudo apt install python3-socks -y

Install Faker

pip3 install Faker --break-system-packages

RUNNING THE TOOL

Start Tor before using the spammer

sudo systemctl start tor@default

Then launch the tool

python3 cli.py

You’ll see

[1] Scan Domain (single)
[2] Spam Login Page (single)
[3] Deep Recon (single)
[4] Fuzzing + Attack Surface Discovery
[5] Bulk Scan, Spam or Deep Recon
[6] Mini Scanner (Param Injection + Reflections)
[7] Flexible Contact Spammer (toggle fields)
[8] DoS Attack Module (multi-protocol)
[9] Hardcore DoS Mode (fast + raw)
[10] Mass Param Bombing / SQLi Fuzz Loop 
[11] Full Disruption Script (Spam + DoS + Fuzz) 
[12] XSS Payload Injector (Reflected & Dom)
[0] Exit

SCANNER MODULE

  • Pulls WHOIS and DNS records
  • Uses WhatWeb to fingerprint technologies
  • Identifies red flags like shady registrars or reused infrastructure
  • Provides direct reporting links

SPAMMER MODULE

Disrupt phishing login forms by flooding them with randomized fake logins.

Features

  • Tor SOCKS5 support
  • Circuit rotation using pkill -HUP tor (no extra config)
  • User-agent randomization
  • Optional proxy rotation

USING A PROXY LIST

If Tor is blocked, rotate proxies:

  1. Create a file called proxy_list.txt in the project directory.
  2. Add one proxy per line, like:
http://123.45.67.89:8080  
socks5://98.76.54.32:1080

The tool will automatically use these if Tor is unavailable.

CONTACT FORM SPAMMER MODULE

Flood phishing contact forms with realistic spam using dynamic field toggles and Faker-generated data.

Features

  • Select which fields to include (first name, last name, email, phone, address, etc)
  • Add custom field names and value
  • Handle dropdown/select boxes (e.g., “Best time to contact you”)
  • Randomized insults or abuse report messages
  • User-agent rotation
  • Tor and proxy support
  • Logs each attempt with full payload

DEEP RECON MODULE

  • Follows and logs HTTP redirects (curl -L -I)
  • Tracks meta-refresh redirects inside HTML (chasing hidden redirect chains)
  • Decodes Base64-encoded URLs in redirects or page source (target=BASE64...)
  • Analyzes SSL certificates (openssl s_client)
  • Extracts metadata: input fields, iframes, external scripts, emails, meta tags
  • Saves raw HTML snapshots to the reports/ folder
  • Performs form discovery (curl | grep)
  • Runs Nmap with version detection (nmap -sV --top-ports 1000)
  • Queries Shodan for IP intelligence (optional, if API key provided)
  • Queries VirusTotal for domain and IP reputation
  • Runs DIRB directory brute-force (dirb), tuned for responsiveness
  • Runs Sublist3r for subdomain enumeration

FUZZING MODULE

Uncover hidden routes, vulnerable parameters, WAF misconfigurations, and insecure header handling with this adaptive fuzzing engine.

Features

  • Path fuzzinghttps://target/FUZZ
  • Header fuzzing → Rotates attacker-like headers (sqlmap, Googlebot, X-Forwarded-For) to provoke error responses
  • Parameter fuzzinghttps://target/page?id=FUZZ
  • Subdomain path fuzzing → Probes enumerated subdomains (http://subdomain.tld/FUZZ)
  • Speed Profiles → Fast, Normal, and Stealth modes (adds delay + TOR)
  • 429 Detection → Handles rate-limiting with automatic backoff
  • Tor + Proxy Support → Fully integrated SOCKS5 routing and fallbacks
  • Clean Report Output → All findings saved to reports/ with timestamps

This module is ideal for discovering logic bugs, broken access control, shadow files, and misconfigured phishing infrastructure.

MINI SCANNER MODULE

Fast and lightweight param scanner designed to quickly flag injectable fields.

Features

  • Injects payloads like:
    <script>alert(1)</script>, '1--, 1 OR 1=1
  • Scans common parameters:
    id, q, search, page, query, redirect, url, file
  • Rotates headers (sqlmap, Googlebot, X-Forwarded-For) to observe backend behavior

Flags and Detections

  • Reflected Input → potential XSS
  • Backend Errors → SQLi, LFI, command injection hints
  • Behavioral Shifts → redirects, blank pages, altered content
  • Interesting Status Codes → 403, 500, 301/302

Output

Saves a detailed report to the reports/ folder
Logs all discovered injection points to loot/param_targets.txt (for use in Module 12: XSS Payload Injector)

Perfect for quick triage of phishing panels and low-hanging bugs in scam infrastructure.

BULK SCAN MODE

Run any module across a list of domains:

  1. Prepare a CSV file (e.g., domains.csv)
phishingsite1.com  
phishingsite2.net  
phishingsite3.org
  1. Select Option 4 in the menu and point it to your file.
    Reports and logs will be saved in the reports/ folder automatically.

API KEY SETUP

The Deep Recon module supports Shodan and VirusTotal.

Edit the top of deep_recon.py to insert your keys:

SHODAN_API_KEY = "your_key_here"
VT_API_KEY = "your_key_here"

DoS MODULE (STANDARD)

Launch multi-threaded denial-of-service attacks against phishing sites.

Features

  • Configurable thread count (e.g. 50, 100, 250)
  • Supports both HTTP and HTTPS targets
  • Sends randomized header floods using valid syntax
  • Targets GET endpoints only for stealth and compatibility
  • Basic request delay randomization to avoid instant detection

Usage
Select option [8] DoS Attack Module (multi-protocol) in the CLI and provide:

  • The phishing URL (http or https)
  • Number of threads to use

Note: Use responsibly. Some phishing sites are behind WAF/CDNs and may not respond immediately.

HARDCORE DoS MODE

An advanced, stealth-capable version of the DoS engine.

Features

  • Tor routing for obfuscation
  • Raw socket option (HTTP only)
  • Header randomization + bot-like behavior
  • Supports higher thread volume (e.g. 200–1000)
  • Includes failsafe to bypass if Tor is unreachable

Usage
Choose [9] Hardcore DoS Mode (fast + raw) and enter:

  • Target URL
  • Thread count
  • Whether to use Tor (y/n)

Use this with discretion, especially during red team demos or controlled takedowns.

NEW: MASS PARAM BOMBING / SQLi Fuzz Loop

Launches mass injections across common parameters like id, q, query, page, url, and more.

Features

  • Rotates payloads such as '1 OR 1=1, <script>, --, etc.
  • Rotates User-Agent and Referer headers
  • Flags backend error signatures (SQL, syntax, stack trace)
  • Logs duplicate 200 responses to detect fake pages or honeypots
  • Optionally runs with Tor stealth routing

Useful for:

  • SQL injection fuzzing
  • Testing WAF behavior
  • Identifying parameter reflection vectors

NEW: FULL DISRUPTION SCRIPT

Combines Spammer, DoS, and Fuzzer into a single attack chain.

Features

  • Launches randomized fake login floods (from Module 2)
  • Sends multi-threaded DoS (from Module 8)
  • Runs fuzzer across common endpoints

Great for red team demos or takedown simulations.

NEW: XSS PAYLOAD INJECTOR (Reflected + DOM)

Automated XSS payload injector with fallback to DOM-based triggers.

Features

  • Injects into any URL with a parameter (e.g. ?q=1)
  • Rotates <script> payloads, onerror handlers, fetch+cookie grabbers
  • Detects reflected payloads in HTML response
  • Adds fallback DOM-based payload if no reflection is found
  • Detects duplicate 200 responses for fake or honeypot behavior
  • Logs successful hits to loot/xss_hits.txt

Integration with Mini Scanner
If you've run Module 6 (Mini Scanner), it saves a target list to:

loot/param_targets.txt

This list can be auto-loaded into Module 12 for rapid XSS injection across all discovered param endpoints 💉

ADDITIONAL TIPS

  • Inspect raw HTML snapshots to uncover hidden form fields, JavaScript traps, and backdoors.
  • DIRB results depend on the site. Dead buckets or static pages may yield no hits.
  • For advanced brute-forcing, use ffuf, dirb, or gobuster with custom wordlists.
  • Explore redirects and forms with curl -v.
  • Query phishing IPs on https://shodan.io for deeper reconnaissance.
  • Check out Phish Breaker — an advanced companion toolkit.
    Repo: https://github.com/ekomsSavior/phish_breaker

STAY TUNED

This project is under active development.

DISCLAIMER

PHISH_HUNTER_PRO is for ethical, legal use only.

You must have explicit permission to test targets.
Use responsibly. You assume full liability for how you deploy this software.

AUTHOR

Crafted with purpose by
ek0ms savi0r

GitHub → https://github.com/ekomsSavior
Instagram → https://instagram.com/ekoms.is.my.savior
Medium → https://medium.com/@ekoms1/phish-hunter-pro-b3cc30041f91