Phishing 101

Warning & Disclaimer: Making a phishing page is not illegal, but using a phishing page is illegal. This tutorial is just to show you, “How to create phishing page?”. If you use this to hack anyone account, then I AM not responsible for it. Do anything on your own risk.

Phishing? What is it really?You may or may not have heard the term but most definitely have experienced this once. Remember when your friend sent you a link, or some random email sent you a link or yourself click some random link that takes you to a page that asks your credentials and when you enter them , alas, you've been hacked. That's phishing. And you will learn everything there is know about phishing for beginners. How to create a phishing site, different ways to overcome some obstacles in making a phishing site,and of course how to safeguard from it.

Creating a Phishing site

Step 01:

First thing to do is.....................select a site, I mean honestly could there be any other step, you might specifically want to create a certain site in which case good luck you are good to go to the next step and if you want to just have some fun then pick a site with a login in it. I picked our ever loving facebook for this task.

Step 02:

Ok now go to the site you chose and go to the page where there is a login. And save the page as shown below.














click "Save page As" and you should end up with some thing like this in where ever you saved them.








This basically the html file of the web page you "saved" and of course it's corresponding CSS , Javascript and other files (in the folder). Remember that because it will be important later down the line.

Step 03:

Next step is, modifying the code. For this we need a text editor or a web code editor, I chose "Brackets" but you can choose whatever you want. Someone without proper coding background (specifically html, and later PHP) might have trouble grasping everything but bear with me. First we find the "form" in which the login is located and change it's "action" to something else. Basically what action is the web page the login access once you hit the submit button, in facebook it's where they take your email and password and do whatever they do, and what we want to do is save them in a text file. To do that we need to create the aforementioned PHP file and of course the text file.

Having said that locating this may be hard, so basically open your text editor click "ctrl + f" and search "<form" and try to locate it.









now replace it with whatever the name you give to the PHP where the password and email are saved.

Step 04:

Normally your code modifications should be done by now but with face there is a issue, Before I explain why let me tell ways in which your phish site could go wrong,
  1. Your web hosting site could take it down.
  2. Your web browser could could detect and block it ( I'll get into more details later).
  3. Facebook could detect it and take it down.
And how that 3rd one occurs is that a certain code in your page is calling facebook, this is most likely an ajax, so what you need to do remove all the ajax and all the suspicious javascript. The filtered code is available and link is sited all the way down in the link section.

Step 05:

Now we host it, you can choose whatever the site you want but I chose 000webhost. First go to it and sign up.

















Fill the form and give the site name and of course verify your email, basically set up your account.

Step 06:

Now it's time to upload them.






















First upload the modified html and make a separate folder and upload all the content in the downloaded files into it.





















now your site should be up, go to your domain you should have your phishing site.

Step 07:

It's done .............. but is it? the answer is NO, remember when you changed "action" in the form of the html file, we haven't coded that yet. What we want to do is to compose a PHP that take parameters from our phish site and store it in text file. Now the whole code is in my github which you could find below, but I'll put it here anyway.


















Make your site look more legit

Step 08:

Now your site is done and you can start phishing , except it probably won't succeed



















Remember when I mentioned how your site would , this happens because your site actually figured your site contains and chances are whoever who clicks this link won't give out there credentials , it's only right to make your site legit, and how we do that is getting a domain ( first, then we make it more legit). Where we do is "freenoms", now what you want to do is setup your account there and get a domain, it's pretty simple once you to the site you'll realize how to do it.
I chose .tk but there are other free domain extensions.

Now go to 000webhost Click on Own domain.In the pop up box type your freenom registered .tk domain.Then click on Park domain.













Note the nameservers : ns01.000webhost.com, ns02.000webhost.com














Now go to freenoms and click tab services on the top right and select my domains. There you can see your registered domain , click the manage domain.









Click on Management tools tab and select Nameservers.

















Tick Use custom nameservers .Then clear all fields. And enter the "Nameservers" that you obtained in here.



















Now go to 000webhost and park your domain and wait for sometime and now you got a phishing website with your custom domain.

Step 09:

Now you got a really authentic looking phishing website, lets make it more authentic, How? let's just buy SSL certificate and make your website HTTPS , then it will really looks like an authentic site chances of your Phish getting successful is really high.
How you do go to cloudfare and set up your account as usual. In Add a website section enter your domain that was obtained at freenoms and hit the Scan the DNS button. Wait for sometime , then hit continue button couple of times and select free plan. Now next page will tell you to change the nameserver of your domain.














Now go to freenoms and change the nameservers like previously done.Now the Dashboard will come up , click on Recheck nameservers button.Click on the Crypto button on the top.Under the SSL section make it Flexible.It may take 24 hrs to authorize SSL on your domain, after few hours try to open your domain with HTTPS protocol. Congratulations now you have completely immune to any obstacle that would take down your site that looks very legitimate.

Safeguard from phishing

Phishing here is on facebook, while it maybe an innocent prank or it maybe done with some malicious it might not seem that threatening , but the matter of the fact is the bad guys aren't really that interested in your facebook, what would happen if you gave your credentials in a fake paypal site, And phishing in itself is not that threatening it usually accompanies with Social Engineering techniques( which I will do later)  which makes it a lot more formidable. It's much easier for an attacker to trick you and get your credentials than to lets say launch a brute force attack on the site and get them. So I'll briefly list down means of  avoiding Phishing , although what I say may not exactly completely help you, because phishing comes in various shapes and form and with the knowledge obtained in this tutorial try not them to get the best of you, User awareness is well and truly the only mean of actually facing Phishing.
Without a further ado , here are few suggestions to identify Phishing phishing.
  1. Usually banks or most of the institutes dealing with finances don't send emails, if they don't even click them, just contact the institute.
  2. If it looks legitimate , just check the link actually belongs to the domains and subdomains that this company owns.
  3. Don't trust websites just because your browser indicates it's safe, I mean we just got a SSL certificate to our phishing site fairly easily.
  4. Update your web browser every now and then, web browsers DOES have the ability to identify malicious website to a some extent why completely NOT use it.
  5. Install Anti-virus software that has the ability to identify malicious web sites, it's really hard to identify a well prepared phishing site ( like the one we made ) but still anti-virus software are capable of identifying blatantly malicious sites.
  6. Most importantly, be aware of security threats and how they are implemented , because attackers do get very creative and in future you might fall victim to one of their schemes if you don't keep in touch.

Links 


Phishing site - https://www.fakefasebook.tk/
Github repository/phishing- https://github.com/HashKushayne/Phishing


 And that's it about and if your interested about security , check out for my other stuff as well.





Comments

Post a Comment

Popular Posts