A discord token stealer client with a flask server
First off a big shoutout to my friend and great hacker+dev Lean. He is the one who introduced me to this client-server malware architecture, so thanks for the inspiration man. Also I'm taking his disclaimer hahahaha.
This tool is purely educational and is inteded to make the internet more secure
I will not be responsible for any direct or indirect damage caused due to the usage of this tool, it is for educational purposes only.
Simply put, this app has 2 parts to it, a client go binary, and a flask python server. The go binary is a discord token stealer, it checks for files to try and find discord tokens stored locally on a users system. After finding them and decrypting them, it sends them as a request to the server. The server has an api to accept valid discord tokens, and a frontend for the user to login, and see all the tokens and user information he has received.
Generally I've wanted to do a project like this for some time now. This isn't the most original or technical malware, but I think it's a great project to get accustomed to such an architecture. I wrote it in Go simply because it crossed my mind and i said why not. It's an interesting language with some cool stuff, but I'll need to see more of it to be convinced. As for the serverside I went with Flask, because I finally wanted to approach it from a programming perspective. I wanted to know how to use it as I think it's a strong and easy way to implement web apps for someone who likes python.
Lastly, honourable mention goes to this article for how to handle the discord tokens.
For the client, install go
For the server, just install the necessary packages from requirements.txt
pip install -r requirements.txt
Run the below commands. This is for my setup, change accordignly:
cd client
go build stealer.go
move stealer.go ..\server\application\static
cd ..\server
py run.py
- Run
run.pyto start the server and get the secret token
- Enter the secret token
- This is the index page
- Go view the logs. At the start they are empty
- Run the malware
stealer.exeand refresh the page
This is for local use. For remote, the malware will be at http://<attacker-ip:port>/static/stealer.exe
I don't think I'll touch this again. But here are some ideas:
- Diss flask
sessionfor session handling and find another way, mostly to support sessions between different blueprints - Add more functionalities like deleting users, or viewing users by id
- Have the malware check the browser cache for tokens stored there (for if user uses discord through browser)
- Write the css for the error message in login properly (never will kek)
- Use template inheritance just cause
- Fix status response code
You can find me on Twitter.
See LICENSE for more info.