https://github.com/sammwyy/spearcopy
A universal and local phishing toolkit for audit purposes
https://github.com/sammwyy/spearcopy
audit pentest pentest-tool pentesting phishing phishing-kit phishing-page phishing-script phishing-tool python web-clone web-crawler webscraping website-clone website-crawler
Last synced: 3 months ago
JSON representation
A universal and local phishing toolkit for audit purposes
- Host: GitHub
- URL: https://github.com/sammwyy/spearcopy
- Owner: sammwyy
- License: mit
- Created: 2024-11-21T14:52:51.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2024-11-21T15:01:40.000Z (11 months ago)
- Last Synced: 2025-05-12T15:16:52.211Z (5 months ago)
- Topics: audit, pentest, pentest-tool, pentesting, phishing, phishing-kit, phishing-page, phishing-script, phishing-tool, python, web-clone, web-crawler, webscraping, website-clone, website-crawler
- Language: Python
- Homepage:
- Size: 6.84 KB
- Stars: 18
- Watchers: 1
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# π΅οΈββοΈ SpearCopy
**SpearCopy** is an educational and auditing tool designed to clone websites locally and capture credentials entered into forms. Itβs ideal for controlled environments such as internal network testing and does not require Internet access.
> **β οΈ Disclaimer:** This project is intended **only for educational purposes** and testing in controlled environments. **Misuse of this tool is strictly prohibited.** I am not responsible for any damage caused by improper use of this software.
---
## β¨ **Features**
- **π Website cloning:** Downloads the full content of a webpage, including HTML, CSS, JavaScript, images, and other resources, preserving the original structure.
- **π¦ Credential capture:** Modifies forms to capture and log entered data in JSON format.
- **π» Local HTTP server:** Hosts the cloned site locally for testing.
- **π Customizable payload:** Includes an editable JavaScript payload to tailor phishing behavior.
- **π Download management:** Avoids duplicate downloads and organizes resources in folders based on the target URL.
---
## π οΈ **Requirements**
- Python 3.9 or higher.
- Dependencies listed in `requirements.txt` (install them with `pip install -r requirements.txt`).
---
## π **Usage**
### **Main Commands**
1. **Clone a website and start the server:**
```bash
python main.py start
```
- Downloads the specified website into `tmp//public`.
- Starts a local HTTP server at `http://localhost:8080` to serve the cloned site.
2. **Clean the temporary directory:**
```bash
python main.py clean
```
- Deletes all files and folders under the `tmp` directory.
---
## π **File Structure**
### **Generated Files**
When running the `start` command, the cloned site is saved in the following structure:
```python
tmp/
βββ /
βββ public/ # Contains the cloned website.
β βββ index.html # Main cloned page.
β βββ css/ # Local or remote CSS files.
β βββ js/ # Local or remote JavaScript files.
β βββ ... # Other resources (images, videos, etc.).
βββ logs/ # Folder for captured data logs.
βββ .json
```
### **Captured Data Logs**
Each submitted form is logged as a JSON file in the `logs` folder. An example log looks like this:
```json
{
"local_url": "http://evil.com/index.html",
"remote_url": "http://realwebsite.com/index.html",
"address": "192.168.0.10",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.94 Safari/537.36",
"data": {
"username": "test_user",
"password": "1234"
}
}
```
---
## π **Payload JavaScript**
The credential-capturing behavior is defined in the `capture.js` file. By default, it intercepts form submissions, prevents them from being sent, and logs the captured data via the `/capture` endpoint.
You can edit the `capture.js` file to customize the phishing behavior.
---
## π’ **Example Usage**
1. Run the command to clone a website:
```bash
python main.py start https://example.com
```
This will download the site and serve it at `http://localhost:8080`. All files will be stored in `tmp//public`.
2. Open the cloned site in a browser.
3. Submit data into a form and check the console or the logs stored in `tmp//logs`.
4. To clean up temporary files:
```bash
python main.py clean
```
---
## π€ Contributing
Contributions, issues and feature requests are welcome! Feel free to check [issues page](https://github.com/sammwyy/spearcopy/issues).
---
## β€οΈ Show your support
Give a βοΈ if this project helped you! Or buy me a coffeelatte π on [Ko-fi](https://ko-fi.com/sammwy)
---
## π License
Copyright Β© 2024 [Sammwy](https://github.com/sammwyy). This project is [MIT](LICENSE) licensed.