SET is great when you are short on time; however, sometimes you want to know what's actually going on under the hood, or you have found a site you can't clone with SET.
Step 1: Select Your Target!
The first thing you're going to want to do is select the site login you wish to clone! For this tutorial I will be using Facebook, however this can be whatever you like. Some sites use some JavaScript obfuscation magic to hide the <input> elements (like the login.live.com page), but most major sites use the traditional <input> element method.
Step 2: Use Wget to Download the Login Page
Now that you have your site in mind, you will need to download the login page. This can be done with Wget.
wget -U "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0" https://www.facebook.com/ -O facebook.html
wget is the command used to download files.
-U sets a custom user agent; if we leave this out, many sites will serve a different page or redirect us elsewhere, because Wget isn't a browser!
-O saves the file under a custom name.
Step 3: Modify the Existing Page Source.
This is where you will get your hands dirty. It can be a little confusing at times, but it is probably one of the most important steps. You will need to locate the form on the page. My main editor is vim/atom, but I will be using atom for this tutorial. Open the facebook.html (or whichever file you downloaded) in your editor and locate the form tag with a search.
With a simple search I was able to locate the form. You will need to modify this so that it posts to a custom PHP script. Our PHP script is called post.php and is located in the same directory as our login HTML. So change the <form> tag to read <form method="post" action="post.php"> and delete all the other attributes that were inside the <form ...> tag's angle brackets.
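The form rewrite above is exactly what a defender looks for when triaging a suspected clone: the page still links to the brand's own hosts, but the password form now posts back to the host serving the copy. The following Python script is an added example, not part of the original tutorial; the sample HTML and the host login-clone.invalid are constructed placeholders.

```python
# Added example (not the tutorial's code): a defender-side check for the form
# rewrite in Step 3. A cloned login page keeps the brand's links and assets
# (facebook.com, fbcdn.net) but its password form posts back to the serving host.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _LoginFormScanner(HTMLParser):
    """Collect form actions, password inputs and the hosts the page references."""
    def __init__(self):
        super().__init__()
        self.forms = []            # (method, action) for every <form>
        self.has_password = False  # any <input type="password">?
        self.ref_hosts = set()     # hosts of links, stylesheets, scripts, images

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append((a.get("method", "get").lower(), a.get("action", "")))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password = True
        elif tag in ("a", "link", "script", "img"):
            host = urlparse(a.get("href") or a.get("src") or "").netloc.lower()
            if host:
                self.ref_hosts.add(host)

def find_suspicious_forms(html, page_url):
    """Flag password forms that post to the host serving the page while every
    link and asset on the page points at some other (brand) host."""
    s = _LoginFormScanner()
    s.feed(html)
    served = urlparse(page_url).netloc.lower()
    if not s.has_password or not s.ref_hosts or served in s.ref_hosts:
        return []  # no credential form, or the page links to itself: looks genuine
    findings = []
    for method, action in s.forms:
        target = urlparse(urljoin(page_url, action)).netloc.lower()
        if target == served:
            findings.append({"method": method, "action": action,
                             "posts_to": target, "brand_hosts": sorted(s.ref_hosts)})
    return findings

# Constructed sample: a clone served from a placeholder host, edited as in Step 3.
CLONED_SAMPLE = """<html><head><link rel="stylesheet"
href="https://static.xx.fbcdn.net/rsrc.php/main.css"></head><body>
<a href="https://www.facebook.com/recover/initiate">Forgot account?</a>
<form method="post" action="post.php"><input type="email" name="email">
<input type="password" name="pass"><button type="submit">Log In</button>
</form></body></html>"""
```

Run it as find_suspicious_forms(CLONED_SAMPLE, "http://login-clone.invalid/facebook.html") to get one finding; the same HTML served from www.facebook.com with the form posting to /login.php returns nothing.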
Step 4: Write/Download a Credential Harvester.
So now, when you go to the page and click login, it will attempt to post the details entered to your post.php script... which doesn't exist yet. You need to either write one or download one. I stole the one from SET and it works great. I have modified it a little too. You can get this script from this fancy looking link or steal it from SET somewhere.
Step 5: Do Some Server Magic!
Hopefully, you have a server with PHP and the like installed. Kali itself comes with Apache pre-installed and the directory is at /var/www/.
If you're like me, you use a hosted VPS. If you want one, you can upload a Kali ISO to it to make social engineering engagements more convincing and easier. (I don't mean to advertise here!) I personally use a VPS hosting provider called Vultr, and you can get $5 free credit if you use this link, which is easily enough for a quick engagement (I do also start receiving benefits if you spend $10 because this is my ref-code). You can also register a free domain at freenom.com. This is great if you don't exactly want to spend a lot of money but just want to try it all out.
Anyway... Once you've uploaded the files to a server, you may find you can enter your details on the page and be redirected, but no harvest files are created. To fix this, use chown to change the ownership of the folder so the web server user can write to it.
chown -R www-data:www-data /var/www
This fixes most problems for me!
Step 6: Social Engineer!
Now you will need to "get creative"! Send the target an email or a message with something compelling on the other side that requires them to login. My common pretext is telling somebody about an extremely funny video that is 18+ rated, and they will need to re-login in order to watch it; I then edited the post.php to redirect to a funny video. By the time they've finished laughing, you are already in their account.
Hopefully this is of help to you people! I learnt how to do this by playing with it and looking at what SET did, and it helped me to understand it all better :)
-PRY0CC
14 Comments
So you meant phishing? Or ...
was about to say the same thing...lol
But great job tho
Well. YES! But let's all be honest. Social Engineering sounds much much cooler :P
Well, it will require social engineering in some way, so cool. Nice writeup. +1
I am a little lost in the last part. I don't understand the part about using a free host instead of Apache, and the harvester file; you must create the harvester file on your host, right? I thought the fancy link was the PHP harvester file :/ I am confused!!!
Good work!
Thanks OTW!
Great! Thank you so much :)
great job +1
I must try this!! Hope this works on Virtual Box
Nice tutorial I Love it
However, this page is most likely to be detected by "Google's Safe Browsing technology".
A good solution is to make the post.php redirect to a webpage within the same server. This way it won't trigger the phishing alarm.
Can you brief a lil bit more about this?
your fancy link is broken =(
someone tell me where the heck the log directory is located