It was created with the aim of teaching the world how large Internet companies could obtain confidential information such as the status of sessions of their websites or services and control over their users through the browser, without them knowing, but It evolves with the aim of helping government organizations, companies and researchers to track the cybercriminals.
At the beginning of the year 2018 was presented at BlackHat Arsenal in Singapore : and in multiple security events worldwide.
PROCESS HOOKS: Manages social engineering attacks or processes in the target’s browser.
— SEVERAL: You can issue a phishing attack of any domain or service in real time as well as send malicious files to compromise the device of a target.
— SPEECH: A process of audio creation is maintained which is played in the browser of the objective, by means of this you can execute personalized messages in different voices with languages in Spanish and English.
PUBLIC NETWORK TUNNEL: Trape has its own API that is linked to ngrok.com to allow the automatic management of public network tunnels; By this you can publish your content of trape server executed locally to the Internet, to manage hooks or public attacks.
NETWORK: You can get information about the user’s network.
— SPEED: Viewing the target’s network speed. (Ping, download, upload, type connection)
— HOSTS OR DEVICES: Here you can get a scan of all the devices that are connected in the target network automatically.
PROFILE: Brief summary of the target’s behavior and important additional information about your device.
— GPU — ENERGY
Session recognition is one of trape most interesting attractions, since you as a researcher can know remotely what service the target is connected to.
* USABILITY: You can delete logs and view alerts for each process or action you run against each target.
First unload the tool.
git clone https://github.com/jofpin/trape.git
python trape.py -h
If it does not work, try to install all the libraries that are located in the file requirements.txt
pip install -r requirements.txt
Example of execution
Example: python trape.py --url http://example.com --port 8080
HELP AND OPTIONS
user:~$ python trape.py --help
usage: python trape.py -u <> -p <> [-h] [-v] [-u URL] [-p PORT]
[-ak ACCESSKEY] [-l LOCAL]
[--update] [-n] [-ic INJC]
-h, --help show this help message and exit
-v, --version show program's version number and exit
-u URL, --url URL Put the web page url to clone
-p PORT, --port PORT Insert your port
-ak ACCESSKEY, --accesskey ACCESSKEY
Insert your custom key access
-l LOCAL, --local LOCAL
Insert your home file
-n, --ngrok Insert your ngrok Authtoken
-ic INJC, --injectcode INJC
Insert your custom REST API path
-ud UPDATE, --update UPDATE
Update trape to the latest version
–url In this option you add the URL you use to clone Live, which works as a decoy.
–port Here you insert the port, where you are going to run the trape server.
–accesskey You enter a custom key for the trape panel, if you do not insert it will generate an automatic key.
–injectcode trape contains a REST API to play anywhere, using this option you can customize the name of the file to include, if it does not, generates a random name allusive to a token.
–local Using this option you can call a local HTML file, this is the replacement of the –url option made to run a local lure in trape.
–ngrok In this option you can enter a token, to run at the time of a process. This would replace the token saved in configurations.
–version You can see the version number of trape.
–update Option especially to upgrade to the latest version of trape.
–help It is used to see all the above options, from the executable.
This tool has been published educational purposes in order to teach people how bad guys could track them or monitor them or obtain information from their credentials, we are not responsible for the use or the scope that may have the People through this project.
We are totally convinced that if we teach how vulnerable things are, we can make the Internet a safer place.
This development and others, the participants will be mentioned with name, Twitter and charge.
— Jose Pino - @jofpin - (Security Researcher)
I invite you, if you use this tool helps to share, collaborate. Let’s make the Internet a safer place, let’s report.
The content of this project itself is licensed under the Creative Commons Attribution 3.0 license, and the underlying source code used to format and display that content is licensed under the MIT license.
Copyright, 2018 by Jose Pino