NotePhish is a Privnote-style phishing project created for educational purposes and ethical hacking demonstrations. It simulates a phishing attack using social engineering techniques. The project displays a professional-looking note (similar to Privnote) that self-destructs once accessed by the user. When the note is accessed, the client-side geolocation, public IP address, and browser information are captured and sent to the server for logging. Additionally, a camera capture feature can be triggered to collect an image from the user's device.
Note: This project is for ethical purposes only and should be used with proper authorization.
- Client-Side Simulation: Displays a Privnote-like self-destructing note with minimal interaction required from the user.
- Data Collection: Automatically logs geolocation, IP address, and browser information when the note is accessed.
- Background Logging: Continuously sends logs (e.g., geolocation, IP, browser info) every minute once triggered.
- Camera Capture: Captures an image from the user's device using the camera and sends it to the server.
- In-Memory Logging: Stores the collected data in-memory (no persistent storage).
- Extensibility: Designed for future additions like more advanced phishing techniques, improved UI/UX, and better analytics.
The project is split into two servers running on different ports (3000 and 3001) for different purposes. This separation helps avoid overwhelming the user with multiple permission requests all at once, which could raise suspicion.
- Server 1 (Port 3000): Handles geolocation, IP, and browser information logging.
- Server 2 (Port 3001): Handles camera capture.
Using two servers allows you to present different notes depending on your goal:
- Note 1 (Geolocation Only): Displays a note that gathers geolocation data when accessed (e.g., "Hello ca va?").
- Note 2 (Camera Only): Displays a note that triggers the camera capture when accessed (e.g., "Dis moi, tu saurais p?").
- Both Notes: You can send both notes to the user if you need both geolocation and camera data. By using separate servers, the system reduces the likelihood of raising security alarms on the client side.
- Need GPS/Geolocation Only: Send the link to the note served by Server 1 (http://localhost:3000).
- Need Camera Image Only: Send the link to the note served by Server 2 (http://localhost:3001).
- Need Both: Send links to both notes.
Each note displayed to the user contains a customizable message. To change the message, modify the following files:
- Server 1 (Geolocation):
  - Open the server1.js file.
  - Modify the noteContent value in the / route:
    const noteContent = "Your new message for geolocation data here."; // Example note content
- Server 2 (Camera Capture):
  - Open the server2.js file.
  - Modify the noteContent value in the / route:
    const noteContent = "Your new message for camera capture here."; // Example note content

The default messages are:
- Server 1 (Geolocation):
  const noteContent = "Hello ca va?"; // Message for Note 1
- Server 2 (Camera Capture):
  const noteContent = "Dis moi, tu saurais p?"; // Message for Note 2
You can adapt these messages based on your scenario and what kind of interaction you're simulating.
{
  "timestamp": "xxxx-xx-xxTxx:xx:xx.xxxZ",
  "publicIP": "xxx.xx.xxx.xx",
  "latitude": "xx.xxxxxxxxxxxxxxx",
  "longitude": "x.xxxxxxxxxxxxxxx",
  "browserInfo": {
    "userAgent": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "platform": "xxxxxxxxxxxx",
    "language": "xx-XX"
  }
}
This template illustrates the structure of the data that will be logged when the user interacts with the phishing note. The timestamp field logs the exact time, while publicIP, latitude, and longitude capture geolocation data, and browserInfo holds user-agent details like platform and language.
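To make that logging contract concrete, here is an added example (not code from the NotePhish project) that validates a record of this shape and redacts it before it is kept or shared in a lab report; the sample record, the field checks and the redaction rules are assumptions of this example, not something the project implements.

```javascript
const REQUIRED = ["timestamp", "publicIP", "latitude", "longitude", "browserInfo"];

// Dotted-quad IPv4 check (the template shows only an IPv4-shaped publicIP).
function isIPv4(s) {
  const parts = String(s).split(".");
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Returns { ok, errors } describing whether `rec` matches the template above.
function validateLogRecord(rec) {
  const errors = [];
  for (const k of REQUIRED) if (!(k in rec)) errors.push(`missing field: ${k}`);
  if (errors.length) return { ok: false, errors };
  if (Number.isNaN(Date.parse(rec.timestamp))) errors.push("timestamp is not an ISO-8601 date");
  if (!isIPv4(rec.publicIP)) errors.push("publicIP is not a dotted-quad IPv4 address");
  const lat = Number(rec.latitude), lon = Number(rec.longitude);
  if (!(lat >= -90 && lat <= 90)) errors.push("latitude out of range");
  if (!(lon >= -180 && lon <= 180)) errors.push("longitude out of range");
  for (const k of ["userAgent", "platform", "language"]) {
    if (typeof rec.browserInfo?.[k] !== "string") errors.push(`browserInfo.${k} missing`);
  }
  return { ok: errors.length === 0, errors };
}

// Data minimisation before a record is kept or shared: coarsen coordinates to one
// decimal (roughly 11 km), mask the last IPv4 octet and drop the raw user agent.
function redactLogRecord(rec) {
  const octets = String(rec.publicIP).split(".");
  octets[3] = "x";
  return {
    timestamp: rec.timestamp,
    publicIP: octets.join("."),
    latitude: Number(rec.latitude).toFixed(1),
    longitude: Number(rec.longitude).toFixed(1),
    browserInfo: { platform: rec.browserInfo.platform, language: rec.browserInfo.language },
  };
}

// Constructed sample record using the template's field names; all values are made up.
const SAMPLE = {
  timestamp: "2024-05-01T12:34:56.789Z",
  publicIP: "203.0.113.42",
  latitude: "48.858370000000000",
  longitude: "2.294481000000000",
  browserInfo: { userAgent: "Mozilla/5.0 (X11; Linux x86_64)", platform: "Linux x86_64", language: "fr-FR" },
};

console.log(validateLogRecord(SAMPLE), redactLogRecord(SAMPLE));
```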
NotePhish/
├── node_modules/
├── public/
│ └── (static assets such as JS/CSS for the front-end)
├── views/
│ └── (EJS templates for rendering web pages)
├── public/uploads/
│ └── (logs and images stored in the uploads folder)
├── server1.js (Handles geolocation, IP tracking)
├── server2.js (Handles camera capture)
├── package.json (Project metadata and dependencies)
└── README.md (Project description and setup)
- Node.js: Ensure you have Node.js installed on your machine. You can check your installation by running:
  node -v
  If Node.js isn't installed, download and install it from the official website.
- npm: npm comes with Node.js, but verify it's installed:
  npm -v
- Manual Installation of Dependencies: If dependencies aren't installed automatically:
  npm install express ejs body-parser
- Clone the repository:
  git clone https://github.com/4lp1ne/NotePhish.git
  cd NotePhish
- Install dependencies:
  npm install
You can use the provided run.bat script to start the servers and access the phishing note pages. The script will ask you which server(s) you want to run.
./run.bat
- Option A: Runs only Server 1 (for geolocation, IP, and browser info logging).
- Option B: Runs only Server 2 (for camera capture).
- Option C: Runs both Server 1 and Server 2 (for geolocation, IP logging, and camera capture).
- Double-click the run.bat script to start the project.
- Choose an option:
  - Enter A to run only the geolocation logging.
  - Enter B to run only the camera capture.
  - Enter C to run both servers.
- Access the app: The script will automatically open the browser for the selected servers:
  - For Server 1 (Geolocation and logging): http://localhost:3000
  - For Server 2 (Camera capture): http://localhost:3001
- Logs and Images: The collected data (logs and camera captures) are saved in the public/uploads directory:
  - Geolocation logs are saved in log.txt.
  - Captured images are saved in .png format.
To expose your local NotePhish instance to the public, you can use localtonet:
- Install Localtonet on your machine:
  curl -O https://localtonet.com/download.sh && sh download.sh
- Run Localtonet with your local Node.js port:
  ./localtonet tcp --port 3000
  ./localtonet tcp --port 3001
- Localtonet will provide a public URL that others can access to see the phishing note interface:
  Public URL: https://your-localtonet-url
- Persistent Logging: Introduce database storage (MongoDB or MySQL) to persist logs over multiple sessions.
- Admin Dashboard: Reintroduce a dashboard to display collected logs, provide analytics, and allow for log management.
- Enhanced Phishing Techniques: Add more sophisticated features like fake login forms, password collection simulations, or fake email attachments.
- Security Measures: Include tools for demonstrating countermeasures, such as anti-phishing and safe browsing practices.
MIT License
Copyright (c) 2024 4lp1ne
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.