How to Steal Form Data from Your Fake Website

Aug 27, 2015 10:18 AM

Though you can use the Social Engineering Toolkit to clone websites, this way is much more customisable.

For example, you could send the credentials your victim enters to a script that emails you a notification whenever someone enters new data, or automatically store them in a database.

Step 1: Clone the Website

Let's say we want to be hideously uninventive and steal someone's Facebook email and password when they log in on our fake site.

We could redirect them to our fake Facebook site by using DNS spoofing, an XSS attack, or a variety of other attack vectors.

First we need to clone the official Facebook site. We could go to the site in a browser and save the complete webpage from there, or we could grab it from the command line using wget.

Since we're going to be using some browser Dev Tools in the next step, let's do it from the browser.


Step 2: Find the Form You Want to Steal Data From

Obviously in this case we want the username and password.

Let's use Chrome Dev Tools (or anything similar) to find where in the page source the HTML login form is.


Let's copy the form destination so we can find it in the HTML page source later:

[Screenshot: copying the form destination in Dev Tools]

Step 3: Alter the Form Destination

Let's open up the page source and find that form destination we just copied.


This is the place where the login credentials are sent when the Log In button is pressed. Let's change this so that those credentials are sent to us instead. Here I've changed the destination so that the data is sent to malicious.com/handler.php.


Step 4: Create the Handler to Process Those Credentials

This is the part where we decide what to do with the data when a victim enters their credentials on our fake website.

We could do anything: store the data in a database, create an email alert, even change our MOTD to tell us we've been successful the next time we log in to Kali.

In this case, though, let's simply dump our victim's credentials in a text file.

Let's create a handler called handler.php, and put the following in it:

[Screenshot: handler.php source]

This will take the credentials from your fake Facebook page, strip them of anything that might muck up our shell, then echo them to a text file, data.txt.

Hope you enjoyed the tutorial :)

Image credits: itnews.com.au
