cons0le7/Grabber


Grabber

Node.js Python License: MIT


Warning

Educational / Demonstration Purposes Only

  • Grabber is a social engineering proof-of-concept (POC) designed to demonstrate how browser permissions (camera, location) can be exploited when users trust unverified sites.
  • This tool is NOT intended for malicious use. The author takes no responsibility for any misuse.

📖 Overview

Grabber simulates a website with a seemingly legitimate use of GPS and camera permissions. Its goal is to raise awareness of how easily sensitive data can be harvested when permissions are granted to untrusted websites.


Screenshots (images not included): Terminal Menu, User-Facing Page Themes, Admin Panel.


✅ What happens when a user visits the page?

  • The site appears to be a legitimate website requiring camera and location permissions.
  • Collects:
    • Server-facing IP
    • Public IP (via IPify API)
    • WebRTC leak IPs
  • If location permission is granted:
    • Displays their location on an interactive OpenStreetMap.
  • If camera permission is granted:
    • Silently captures 3 front-facing photos in the background.
    • Displays a fake error popup:
      "Failed to initialize camera."
  • Logs stored in data.json.
  • Captured photos saved in /images.

An admin dashboard allows:
✔ Viewing IP details (with WHOIS info)
✔ Viewing captured geolocation on an interactive map
✔ Viewing captured images (single or carousel with autoplay)
✔ Secure access – The admin panel is only accessible from localhost or 127.0.0.1, preventing external access.


✨ Features

  • ✅ Disguised UI – Multiple user-facing HTML themes that appear to be websites legitimately requiring permissions
  • ✅ IP Collection – Server IP, Public IP, WebRTC IP leaks
  • ✅ Location Tracking – OpenStreetMap embed if allowed
  • ✅ Silent Camera Capture – Three selfies in background, fake error shown
  • ✅ Secure Admin Panel – Login protected with scrypt-hashed credentials and restricted to localhost only
  • ✅ Image Carousel – Navigate or autoplay captured images
  • ✅ Serveo Integration – Expose local server securely
  • ✅ Optional URL Shortening – Three shortening services supported

⚑ Installation

Requirements

  • Node.js v14+
  • Python 3.8+
  • npm
  • pip
  • OpenSSH

Debian / Ubuntu

sudo apt update && sudo apt install -y git nodejs npm python3 python3-pip openssh-client
git clone https://github.com/cons0le7/Grabber

Arch Linux

sudo pacman -S --needed git nodejs npm python python-pip openssh
git clone https://github.com/cons0le7/Grabber

Android (Termux)

pkg install git nodejs python python-pip openssh
git clone https://github.com/cons0le7/Grabber

iOS / iSH (Alpine)

apk add git nodejs npm python3 py3-pip openssh
git clone https://github.com/cons0le7/Grabber

⌨️ Install Node Packages

cd Grabber
npm install whois whois-json underscore

πŸ” Set Admin Credentials

python3 pass.py

✔ Prompts for username & password
✔ Hashes credentials using scrypt
✔ Saves securely in config.json

Tip: Delete pass.py after setup for extra security.
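
One way to store and verify scrypt-hashed admin credentials, as an added example (this is not Grabber's pass.py or server.js code). The record layout, cost parameters and function names are assumptions; the page only states that credentials are hashed with scrypt and saved in config.json.

```python
import base64
import hashlib
import hmac
import json
import os

# Assumed cost parameters (not taken from pass.py): about 16 MiB of memory per hash.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def _derive(password: str, salt: bytes, params: dict) -> bytes:
    """Run scrypt over the password with the given salt and cost parameters."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=params["n"],
                          r=params["r"], p=params["p"], dklen=params["dklen"])


def make_record(username: str, password: str) -> dict:
    """Build a JSON-serialisable record; the plaintext password is never stored."""
    salt = os.urandom(16)  # fresh random salt per record
    digest = _derive(password, salt, SCRYPT_PARAMS)
    return {
        "username": username,
        "salt": base64.b64encode(salt).decode("ascii"),
        "params": dict(SCRYPT_PARAMS),  # stored so the cost can be raised later
        "hash": base64.b64encode(digest).decode("ascii"),
    }


def verify(record: dict, username: str, password: str) -> bool:
    """Return True only if both username and password match the stored record."""
    try:
        salt = base64.b64decode(record["salt"])
        expected = base64.b64decode(record["hash"])
        candidate = _derive(password, salt, record["params"])
        stored_user = str(record["username"]).encode("utf-8")
    except (KeyError, ValueError, TypeError):
        return False  # malformed or tampered record: fail closed
    # Constant-time comparisons; evaluate both before combining the result.
    user_ok = hmac.compare_digest(username.encode("utf-8"), stored_user)
    pass_ok = hmac.compare_digest(candidate, expected)
    return user_ok and pass_ok


def save_record(record: dict, path: str) -> None:
    """Write the record so that only the owning user can read it (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
```

The 0600 mode only applies when the file is newly created; an existing config.json keeps its current permissions.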


🛠 Usage Flow

Start the server:

python3 grab.py

This will:

  • Check if port 3000 is in use and prompt to terminate any processes occupying it.
  • List all available user-facing HTML pages in /public and prompt for selection.
  • Ask if you want Local mode (localhost only) or Public mode (via Serveo or localhost.run).
  • If Public mode is chosen, optionally ask whether to shorten the public URL (3 options available).
  • Start the Node.js server on http://localhost:3000.
  • If Public mode is chosen, create a Serveo or localhost.run tunnel and display a public link.

After starting the server, send the generated link to the test device.


On Test Device:

  • Open the link.
  • Accept location permissions → Displays map.
  • Tap “Scan Item” → Accept camera permissions.
  • Fake error appears: "Failed to initialize camera." (images are still captured).

Server-Side:

  • Access the admin panel:
    http://localhost:3000/admin or http://127.0.0.1:3000/admin
    (The panel is not accessible externally, only from localhost for security.)

  • Log in using your credentials.

  • View:

    ✔ Collected IP info with WHOIS
    ✔ Click coordinates → Opens interactive map
    ✔ Captured images → Carousel with navigation & autoplay


📂 Data Storage

  • Captured images: /images
  • All session data: data.json

πŸ“ Project Structure

Grabber/
β”‚
β”œβ”€β”€ public/          # Front-end files (HTML, CSS, JS)
β”œβ”€β”€ images/          # Captured images
β”œβ”€β”€ config.json      # Stores hashed credentials
β”œβ”€β”€ data.json        # Logs IP, location, session details
β”œβ”€β”€ grab.py          # Main launcher script
β”œβ”€β”€ pass.py          # Credential setup script
└── server.js        # Node.js server

βš–οΈ Legal / Educational Use Only

  • This software is strictly for educational, research, or demonstration purposes.
  • Do not use this tool to target real individuals or systems without explicit consent.
  • By using Grabber, you agree not to engage in illegal or unethical activities.
  • The author does not endorse or facilitate malicious use and assumes no liability for misuse.

⚠️ Disclaimer

This tool is provided “as-is”.
The authors are not responsible for any damages, legal issues, or misuse arising from the use of this software.


📜 License

MIT License. See LICENSE for details.
