Big-Papa Integrates Javascript and python for remote cookie stealing which then can be used for session hijacking

Related tags

Security related resourcesjavascriptcookiespython3bypassingsession-storesession-cookieauthentication-backendmitm-attackscookie-authenticationhijack-jsmaninthemiddleattack2factorsession-stealercookie-stealerinject
Overview

[SxNade Python Version Maintenance Stage [Update Ask Me Anything ! Discord

Big-Papa

Capture

Big-Papa Integrates Javascript and python for remote cookie stealing which then can be used for session hijacking

IN ACTION

Capture

The Higlighted data is the cookie of ongoing admin session on a router(gateway)

Now we can use something Like Burpsuite to Load the cookies and Hijack the admin session

๐—œ๐—ก๐—ฆ๐—ง๐—”๐—Ÿ๐—Ÿ๐—”๐—ง๐—œ๐—ข๐—ก ๐—œ๐—ก๐—ฆ๐—ง๐—ฅ๐—จ๐—–๐—ง๐—œ๐—ข๐—ก๐—ฆ

1 chmod +x install.sh

2 ./install.sh

PLease Note that you need to edit the Javascript File to your own Local IP address

Capture

How Does it work?

Big-Papa utilizes malicious javascript code injection...and then makes a GET Request(with cookies) to the Python Web server running on the attacker machine

Note That you need to be man in the middle in order to inject the malicious javascript Code and then steal cookies of the website that the victim is currently visting

For testing purposes copy the Javascript code from the bgp.js file without the script tags and execute in the console of the browser

You can use Bettercap in-order to become man-in-the-middle using bettercap or use arp spoof and then run Big-Papa to inject Javascript

For HTTPS?

Big-Papa will work Perfectly against HTTP websites but For HTTPS you can use sslstrip to Downgrade it to HTTP and then utilize Big-Papa

*SSLstrip --> https://github.com/moxie0/sslstrip.git

Still some websites use HTTP and thus their data including Passwords can be read in Clear text but we need to steal cookies in some cases in order to Bypass 2-Factor-Authentication

๐•Œโ„™๐”ป๐”ธ๐•‹๐”ผ

There were problems with writing code for javscript injector due to ongoing problems with netfilterqueue installation

BUT YOU CAN STILL USE BETTERCAP TO BECOME MAN IN THE MIDDLE AND ALSO INJECT JAVASCRIPT CODE USING BETTERCAP

*INSTALL BETTERCAP AS FOLLOWS

sudo apt install bettercap

Then you can run Big-Papa to capture cookies

You can manually perform the mitm attack and then inject the Javascript code with Big-Papa.py script runnning along

A new feature to mail the captured cookies to user specified e-mail will be added soon...

๐‘ด๐‘จ๐‘ฒ๐‘ฌ_๐‘ฐ๐‘ป_๐‘ฉ๐‘ฌ๐‘ป๐‘ป๐‘ฌ๐‘น

To make Big-Papa Even Better Contribute to it Or use and Report Any Bugs or fixes Required..

git clone https://github.com/SxNade/Big-Papa

Owner
๐ŸŒŒ โ€œCreate Don't Hateโ€๐Ÿš€๐Ÿš€
GitHub Repository
orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner

Introduction orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner. Other popular ORF searching tools

Urminder Singh 34 Nov 21, 2022
SonicWall SMA-100 Unauth RCE Exploit (CVE-2021-20038)

Bad Blood Bad Blood is an exploit for CVE-2021-20038, a stack-based buffer overflow in the httpd binary of SMA-100 series systems using firmware versi

Jake Baines 80 Dec 29, 2022
Uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.

GoodHound ______ ____ __ __ / ____/___ ____ ____/ / / / /___ __ ______ ____/ / / / __/ __ \/ __ \/ __

idna 352 Jan 02, 2023
KeyLogger

By-Emirhan KeyLogger Hangi Sistemlerde ร‡alฤฑลŸฤฑr? | On Which Systems Does It Work? KALฤฐ LฤฐNUX UBUNTU PARDUS MฤฐNT TERMUX ARCH YรœKLEME & ร‡ALIลžTIRMA KOMUTL

2 Feb 24, 2022
This is a js front-end encryption blasting account and password tools

Author:0xAXSDD By Gammaๅฎ‰ๅ…จๅฎž้ชŒๅฎค version:1.0 explain:่ฟ™ๆ˜ฏไธ€ๆฌพ็”จๆˆท็ป•่ฟ‡ๅ‰็ซฏjsๅŠ ๅฏ†่ฟ›่กŒๅฏ†็ ็ˆ†็ ด็š„ๅทฅๅ…ท๏ผŒไฝ ๆ— ้œ€ๅœจๆ„jsๅŠ ๅฏ†็š„็ป†่Š‚๏ผŒๅช้œ€่ฆ่พ“ๅ…ฅไฝ ๆƒณ่ฆ็ˆ†็ ดurl๏ผŒไปฅๅŠusername่พ“ๅ…ฅๆก†็š„classname๏ผŒpassword่พ“ๅ…ฅๆก†็š„clas

75 Nov 25, 2022
NexScanner is a tool which allows you to scan a website and find the admin login panel and sub-domains

NexScanner NexScanner is a tool which helps you scan a website for sub-domains and also to find login pages in the website like the admin login panel

8 Sep 03, 2022
Python Password Generator

This is a console-based version of a password generator written with Python. The program generates a password based on numbers of letters, numbers, and symbols specified by the user. This is a simple

p.katekomol 1 Jan 24, 2022
A script to extract SNESticle from Fight Night Round 2

fn22snesticle.py A script for producing a SNESticle ISO from a Fight Night Round 2 ISO and any SNES ROM. Background Fight Night Round 2 is a boxing ga

Johannes Holmberg 57 Nov 22, 2022
A Superfast SMS & Call bomber for Linux And Termux !

A Superfast SMS & Call bomber for Linux And Termux !

Anubhav Kashyap 15 Feb 21, 2022
SEBUAH TOOLS TERMUX CRACK AKUN FF HOMKI AKUN EPEP DAH SATU FOLLOW AE YA BROO AWOKWOK

print " INSTALL TOOLS " $ pkg update && upgrade $ pkg install python2 $ pkg install git $ pip2 install lolcat $ pip2 install bs4 $ pip2 install reques

Jeeck 2 Nov 29, 2021
A simple tool to audit Unix/*BSD/Linux system libraries to find public security vulnerabilities

master_librarian A simple tool to audit Unix/*BSD/Linux system libraries to find public security vulnerabilities. To install requirements: $ sudo pyth

CoolerVoid 167 Dec 19, 2022
GRR Rapid Response: remote live forensics for incident response

GRR Rapid Response is an incident response framework focused on remote live forensics. Build Type Status Tests End-to-end Tests Windows Templates Linu

Google 4.3k Jan 05, 2023
Fast and customizable vulnerability scanner For JIRA written in Python

Fast and customizable vulnerability scanner For JIRA. ๐Ÿค” What is this? Jira-Lens ๐Ÿ” is a Python Based vulnerability Scanner for JIRA. Jira is a propri

Mayank Pandey 185 Dec 25, 2022
Red Team Toolkit is an Open-Source Django Offensive Web-App which is keeping the useful offensive tools used in the red-teaming together.

RedTeam Toolkit Note: Only legal activities should be conducted with this project. Red Team Toolkit is an Open-Source Django Offensive Web-App contain

Mohammadreza Sarayloo 382 Jan 01, 2023
Update of uncaptcha2 from 2019

YouTube Video Proof of Concept I created a new YouTube Video with technical Explanation for breaking Google's Audio reCAPTCHAs: Click on the image bel

Nikolai Tschacher 153 Dec 20, 2022
Simple tool to create passwords.

PasswordGenerator Simple password generator: -Simplisitc Window Application -Allows Numbers, Symbols & letters upper and lowercase -Restricts rows of

DM 1 Jan 10, 2022
Ducky Script is the payload language of Hak5 gear.

Ducky Script is the payload language of Hak5 gear. Since its introduction with the USB Rubber Ducky in 2010, Ducky Script has grown in capability while maintaining simplicity. Aided by Bash for logic

Abir Abedin Khan 6 Oct 07, 2022
่šๅˆGithubไธŠๅทฒๆœ‰็š„Pocๆˆ–่€…Exp๏ผŒCVEไฟกๆฏๆฅ่‡ชCVEๅฎ˜็ฝ‘ใ€‚Auto Collect Poc Or CVE from Github by CVE ID.

PocOrExp in Github ่šๅˆGithubไธŠๅทฒๆœ‰็š„Pocๆˆ–่€…Exp๏ผŒCVEไฟกๆฏๆฅ่‡ชCVEๅฎ˜็ฝ‘ ๆณจๆ„๏ผšๅช้€š่ฟ‡้€š็”จ็š„CVEๅท่šๅˆ๏ผŒๅ› ๆญคๅฏนไบŽMS17-010็ญ‰Windows็ผ–ๅทๆผๆดžไปฅๅŠ่‘—ๅ็š„ๆœ‰็ปฐๅท็š„ๆผๆดž๏ผŒ่ฟ˜ๆ˜ฏ่‡ชๅทฑๆฃ€็ดขไธ€ไธ‹ๆฏ”่พƒๅฅฝ Usage python3 exp.py -h usage: ex

567 Dec 30, 2022
An easy-to-use wrapper for NTFS-3G on macOS

ezNTFS ezNTFS is an easy-to-use wrapper for NTFS-3G on macOS. ezNTFS can be used as a menu bar app, or via the CLI in the terminal. Installation To us

Matthew Go 34 Dec 01, 2022
Hashpic - Hashpic creates an image from a MD5 or SHA512 hash

Hashpic Hashpic creates an image from the MD5 hash of your input. Since v0.2.0 i

0xflotus 15 Nov 23, 2022