Though you can use the Social Engineering Toolkit to clone websites, this way is much more customisable.
For example, you could send the credentials your victim enters to a script that mails you notifying you of new data someone's just entered, or automatically store them in a database.
Step 1: Clone the Website
Let's say we want to be hideously uninventive and steal someone's Facebook email and password when they log in on our fake site.
We could redirect them to our fake Facebook site by using DNS spoofing, an XSS attack, or a variety of other attack vectors.
First we need to clone the official Facebook site. We could go to the site in a browser and save the complete webpage from there, or we could grab it from the command line using wget.
Since we're going to be using some browser Dev Tools in the next step, let's do it from the browser.
Step 2: Find the Form You Want to Steal Data From
Obviously in this case we want the username and password.
Let's use Chrome Dev Tools (or anything similar) to find where in the
page source the HTML login form is.
Let's copy the form destination so we can find it in the HTML page source later:
Step 3: Alter the Form Destination
Let's open up the page source and find that form destination we just copied.
This the place where the login credentials are sent when the Log In button is pressed. Let's change this so that those credentials are sent to us instead. Here I've changed the destination so that the data is sent to malicious.com/handler.php
Step 4: Create the Handler to Process Those Credentials
This is part where we decide what to do with the data when a victim enters their credentials on our fake website.
We could do anything; store the data in a database, create an email alert, even change our MOTD to tell us we've been successful the next time we log in to Kali.
In this case, though, let's simply dump our victim's credentials in a text file.
Let's create a handler called handler.php, and put the following in it:
This will take the credentials from your fake facebook page, strip them of anything that might muck up our shell, then echo them to a text file, data.txt
Hope you enjoyed the tutorial :)
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
3 Comments
I am triying to create a gmail phishing page but browser gives an alert "phishing attack ahead"
You can use javascript to block browser popups. A security researcher found a way around Google Chrome's phishing popup:
http://www.pcworld.com/article/2918172/researchers-play-cat-and-mouse-with-googles-antiphishing-chrome-extension.html
can anyone explain step 3 and 4 clearly pls
Share Your Thoughts