07 Sep 2021

Kit Hunter 2.0 - Getting Started

Filed Under: khdocs

Installation and getting started:

  1. Requirements
  2. Installation
  3. Usage
  4. Directory Scanning
  5. Shell Scanning


Kit Hunter is, at its most basic function, a search tool for administrators. With the release of version 2.0, this post will serve as a basic overview of the installation instructions and usage examples. Other posts will follow this one, and offer more granular levels of explanation on usage, but this brief overview will serve as a general getting started post.

What is Kit Hunter?

As mentioned on GitHub:

Kit Hunter is a basic scanning tool that will search directories and locate phishing kits based on established markers. As detection happens, a report is generated for administrators.

The key element in Kit Hunter is context. It’s made for administrators, but researchers can use it too. I’ve been using it for my phishing research for nearly a year now, and it has helped me enormously. For basic usage, Kit Hunter gives administrators the ability to scan web directories for phishing kits. Often, phishing kits appear on websites out of the blue, and the administrator isn’t aware of a problem until after the fact. This is a problem. Kit Hunter works to address gaps in visibility, by enabling quick and easy searches of the webserver, which can be automated or ran on demand.


Kit Hunter will require the use of Python 3. Testing was conducted on version 3.7.3

In addition to Python 3, the following will need to be available to the script:


Previous versions of Kit Hunter were tested on other versions of Python for various platforms. However, the primary driver for this version has been Debian 10 and Python 3.

-[ TOC ⬏ ]-


Installing Kit Hunter is easy.

You can clone it on GitHub via the command line: gh repo clone SteveD3/kit_hunter

You can also download a ZIP file directly

Once downloaded, you will need to place the tag folders somewhere on the system, and then edit kit_hunter_2.py and make sure the paths are set.

You’ll find these paths at the top of the script, just below the acknowledgements. The sections you’ll need to edit are below. I’ve included what is in my configuration as an example.

kh_shell_scan = ‘/lab/steved3/PHISHING/Kit-Hunter-2/tag_files/shell_scan/’

kh_quick_scan = ‘/lab/steved3/PHISHING/Kit-Hunter-2/tag_files/quick_scan/’

kh_full_scan = ‘/lab/steved3/PHISHING/Kit-Hunter-2/tag_files/’

Once configuration is complete, you’re ready to run the script.

-[ TOC ⬏ ]-


To launch a full scan using the default settings: python3 kit_hunter_2.py

To launch a quick scan, using minimal detection rules: python3 kit_hunter_2.py -q

To launch a custom scan: python3 kit_hunter_2.py -c

Note: When using the -c switch, you must place a tag file in the same location as Kit Hunter. You can name this file whatever you want, but the extension must be .tag. Please remember that the formatting is important. There should only be one item per line, and no whitespaces. You can look at the other tag files if you need examples.

Using Kit Hunter is straightforward for most scans. By default the script will generate a report that shows the files that were detected as potentially problematic, list the markers that indicated them as problematic (a.k.a. tags), and then show the exact line of code where the detection happened.

Here is an example from Kit Hunter v.2.5.9:

| ==============================================================================
| Archive Scanned:
| /lab/steved3/PHISHING/Kit-Hunter-2/Scanner/crew4mellc.top_OurTime (3).zip
| ==============================================================================
| The following files contain known phishing keywords:
| ==============================================================================
| File: 'ourtime/index.html'
| File: 'ourtime/index2.html'
| File: 'ourtime/login2.php'
| ==============================================================================
| The following tag file reported matches: chalbhai_Phishing_Detection.tag
| ==============================================================================
|           Tag: 'id="formimage1"'
| ==============================================================================
| The following tag file reported matches: Phishing_Kit_URL_Indicators.tag
| ==============================================================================
|           Tag: 'ourtime.com'
| ==============================================================================
| The following lines contained the previously flagged phishing tags:
| ==============================================================================
| Line:  '<div id="formimage1" style="position:absolute; left:184px; top:571px;
| Line:  '<div id="formimage1" style="position:absolute; left:221px; top:288px;
| Line:  'header("Location: hxxp://ourtime.com");'
| ==============================================================================

In the example above, we can see that this archive matched a known phishing templating system, and is targeting a social network. If you’re not running Ourtime.com, then seeing this archive, or its extracted contents on your webserver is a serious problem.

If you would like to turn off the listing of matching lines, which you see at the end of the report, use the -l switch. Likewise, if you do not want to see a listing of folders and archives where there were no detections made (zero matches) then use the -m switch.

Directory Scanning

You can run kit_hunter_2.py from any location using the -d switch to select a directory to scan:

python3 kit_hunter_2.py -d /path/to/directory

However, it is easier if you place kit_hunter_2.py in the directory above your web root (e.g. /www/ or /public_html/) and call the script from there.

The final report will be generated in the directory being scanned.

In my usage, I call Kit Hunter from my /kit/download/ directory where new phishing kits are saved. My reports are then generated and saved to that folder. However, if I call Kit Hunter and scan my /PHISHING/Archive/ folder using the -d switch, then the report will save to /PHISHING/Archive/.

Once scanning is complete, output from the script will point you to the location of the saved scan report.

-[ TOC ⬏ ]-

Shell Scanning

This latest release of Kit Hunter comes with shell detection. Shell scripts are often packaged with phishing kits, or used to deploy phishing kits on webservers.

Kit Hunter will scan for some common shell script elements. The process works exactly the same way as regular scanning, only the shell detections are called with the -s switch. This is a standalone scan, so you can’t run it with other types. You can however leverage the -m and -l flags with shell scanning. See the script’s help section for more details.

Once scanning is complete, output from the script will point you to the location of the saved scan report.

-[ TOC ⬏ ]-

That's all for now.

-[30]- a.k.a. The End

-[ Return ⬏ ]-