How to Steal Form Data from Your Fake Website

Though you can use the Social Engineering Toolkit to clone websites, this way is much more customisable.

For example, you could send the credentials your victim enters to a script that mails you notifying you of new data someone's just entered, or automatically store them in a database.

Step 1: Clone the Website

Let's say we want to be hideously uninventive and steal someone's Facebook email and password when they log in on our fake site.

We could redirect them to our fake Facebook site by using DNS spoofing, an XSS attack, or a variety of other attack vectors.

First we need to clone the official Facebook site. We could go to the site in a browser and save the complete webpage from there, or we could grab it from the command line using wget.

Since we're going to be using some browser Dev Tools in the next step, let's do it from the browser.

Step 2: Find the Form You Want to Steal Data From

Obviously in this case we want the username and password.

Let's use Chrome Dev Tools (or anything similar) to find where in the
page source the HTML login form is.

Let's copy the form destination so we can find it in the HTML page source later:

Step 3: Alter the Form Destination

Let's open up the page source and find that form destination we just copied.

This the place where the login credentials are sent when the Log In button is pressed. Let's change this so that those credentials are sent to us instead. Here I've changed the destination so that the data is sent to

Step 4: Create the Handler to Process Those Credentials

This is part where we decide what to do with the data when a victim enters their credentials on our fake website.

We could do anything; store the data in a database, create an email alert, even change our MOTD to tell us we've been successful the next time we log in to Kali.

In this case, though, let's simply dump our victim's credentials in a text file.

Let's create a handler called handler.php, and put the following in it:

This will take the credentials from your fake facebook page, strip them of anything that might muck up our shell, then echo them to a text file, data.txt

Hope you enjoyed the tutorial :)

Image credits:


I am triying to create a gmail phishing page but browser gives an alert "phishing attack ahead"

Share Your Thoughts

  • Hot
  • Latest