How to Clone Login Forms Manually and Get Login Credentials!

Aug 5, 2015 05:42 PM
Aug 5, 2015 10:06 PM
SET is great when you are short on time; however, sometimes you want to know what's actually going on under the hood, or you have found a site you can't clone with SET.

Step 1: Select Your Target!

The first thing you're going to want to do is select the site login you wish to clone! For this tutorial I will be using Facebook, however this can be whatever you like. Some sites use some JavaScript obfuscation magic to hide the elements (like the login.live.com page), but most major sites use the traditional element method.

Step 2: Use Wget to Download the Login Page

Now that you have your site in mind, you will need to download the login page. This can be done with Wget.

wget -U "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0" https://www.facebook.com/ -O facebook.html

Wget is the command used to download files.

-U sets a custom user agent. If we leave this out, many sites will redirect us to other custom sites, as Wget isn't a browser!

-O means we save the file with a custom name.

Step 3: Modify the Existing Page Source.

This is where you will get your hands dirty. It can be a little confusing at times, but it is probably one of the most important steps. You will need to locate the form on the page. My main editor is vim/atom, but I will be using atom for this tutorial. Open facebook.html (or whatever file you downloaded) with your editor and locate the form tag with a search.

With a simple search I was able to locate the form. You will need to modify this to post to a custom PHP script. Our PHP script is called post.php, and is located in the same directory as our login html. So change the

tag to say. and delete the rest of the items between the first and second angle brackets <>.
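That rewritten form target is also the clearest thing a defender can check for in a captured page: a password form that no longer posts over HTTPS to the real site. The following is an added example, not part of the original tutorial; the function and class names, the hosts and the sample HTML are constructed for illustration, and trusted_hosts is an allow-list you supply.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per <form> seen
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def suspicious_login_forms(html, served_from, trusted_hosts):
    """Return (action, resolved_url, reason) for every password form that does
    not post over HTTPS to a trusted host (exact match or a subdomain)."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A relative or empty action resolves against where the page was served.
        target = urlparse(urljoin(served_from, form["action"]))
        host = (target.hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in trusted_hosts):
            findings.append((form["action"], target.geturl(), "untrusted host " + host))
        elif target.scheme != "https":
            findings.append((form["action"], target.geturl(), "not HTTPS"))
    return findings


# Constructed samples (hypothetical hosts): a form posting to the real origin,
# and a copy whose action was rewritten to a script beside the page.
GENUINE = '<form action="https://www.example.com/login" method="post"><input type="password" name="pass"></form>'
CLONE = '<form action="post.php" method="post"><input type="password" name="pass"></form>'
```

Calling suspicious_login_forms(CLONE, "http://login.example.net/", ["example.com"]) returns one finding for the post.php action, while the GENUINE sample served from https://www.example.com/ returns none.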

Step 4: Write/Download a Credential Harvester.

So now, when you go to the page and click login, it will attempt to post the details entered to your post.php script... which doesn't exist yet. You need to either write one or download one. I stole the one from SET and it works great. I have modified it a little too. You can get this script from this fancy looking link or steal it from SET somewhere.

Step 5: Do Some Server Magic!

Hopefully, you have a server with PHP and the like installed. Kali itself comes with Apache pre-installed and the directory is at /var/www/.

If you're like me, you use a hosted VPS. If you want one, you can upload a Kali ISO to it to make social engineering engagements more convincing and easier. (I don't mean to advertise here!) I personally use a VPS hosting provider called Vultr, and you can get $5 free credit if you use this link, which is easily enough for a quick engagement (I do also start receiving benefits if you spend $10 because this is my ref-code). You can also register a free domain at freenom.com. This is great if you don't exactly want to spend a lot of money but just want to try it all out.

Anyway... Once you've uploaded the files to a server, you may find you can enter your details on the page and be redirected, but no harvest files are created. To fix this, use chown to change the ownership of the folder.

chown -R www-data:www-data /var/www

This fixes most problems for me!

Step 6: Social Engineer!

Now you will need to "get creative!" Send the target an email or a message with something compelling on the other side that requires them to log in. My common pretext is telling somebody about an extremely funny video that is 18+ rated, and that they will need to log in again in order to watch it. I then edited the post.php to redirect to a funny video. By the time they've finished laughing, you are already in their account.

Hopefully this is of help to you people! I learnt how to do this by playing with it, and looking at what SET did, and it helped me to understand it all better :)

-PRY0CC
