PSA: Phishing Pages


Sebkinne

Hey everyone,

Lately the posts asking for / supplying phishing pages have increased. While this community is all about sharing, I and the other moderators would like to remind you of our disclaimer. Not only that, but I am sure we can agree that we want to keep some types of recreated sites away from easy access - at least here on the forums.

Let's break this up:

Sharing Paypal, Ebay, Amazon, Banking or similar pages should not happen here. It is very unlikely that you will need these in the scope of a pentest or similar endeavour. If you do, make them yourself, find them somewhere else but please refrain from posting them here.

Sharing social networking sites or similar is a grey zone. Most of those sites are again not really going to be used in the legal sense. There may be times where you are required to gather more detailed information on a test, hence the grey zone. So please only share them cautiously on these forums.

If the moderators do see any links posted, they are subject to be reviewed and removed if said mod disagrees with them.

We hope you understand this,

Cheers!


I have to agree, I have made some of my own in my testing and have hesitated to share them due to the legality/moral issues. What might be a better approach is to discuss the techniques used to make them based on needs; that way it is up to the poster to use his own judgement.

As others have said Google Chrome seems to be the key one I see going around. I personally like to use WGET to fetch the sites right down to the USB drive and edit them with nano.

wget -r --no-check-certificate https://www.somesite.com

Cheers :)


Hesitated to share what kind of pages? I have created many how-to videos on the pineapple. Should I remove all the phishing pages that I created and shared on youtube? 4shared, blogger, box, dropbox, eharmony, facebook, gmail, googleplus, hotmail, instagram, linkedin, netflix, outlook, twitter, ustream, vimeo, and youtube. Doing more research I don't believe that making phishing pages is illegal. What is your personal opinion?

Simple. Post them on these forums and we will remove them.

What do you mean exactly by "please only share them cautiously on these forums", and why? Thanks. :unsure:


To build on what Sebkinne stated. This is intended for professional penetration testing, not for "hacking" people's facebook accounts or stealing money. Let's just make it easy and keep it that way.

You're right. I removed all those phishing pages. People will have to make their own. I don't want the pineapple to have a bad name: "Only for hacking people's social networks". I made it too easy for the bad guys to use my plethora of phishing pages, and besides, when are you ever going to need them? I just want to play my part like everyone else to make the pineapple a better tool and show people how to use it (responsibly). I never thought about it in this way. Thanks for everything.

Edited by TylerCPU
Sorry for taking some time to respond, I have been busy with work :( My opinion is exactly what you stated above. The Pineapple is designed to be a professional tool, like a wrench is to a mechanic. Sure, a criminal can also use that tool to break into someone you know's home, but would you put that tool in his hand to make it easier? In the line of work I do, enterprise security, I see too many people who think they are hacking gods and try to "test" the network, only to be tracked down 30 minutes later crying about how we found out the MAC address of their "Workstation" they used. I mean, some of the noobness is scary. While I love the work you have done Tyler and the video tuts are awesome, make them work for what they do. If they do not know how to make a simple phishing page in the first place they probably should not have the Pineapple in their possession :)

Keep up the great job Hak5 crew, staff, and especially the forums members who give so much back to the community.


With the proliferation of this 'pineapple' item, these forums will begin to get more and more of these requests. I propose that we tread lightly on this subject. While I agree that some information needs to be obtained through personal experience, censorship can be a nasty beast.

Tread lightly in what manner? Saying this kind of stuff can't be posted?

There are many forums out there that will not condone illegal activity/discussion. Try asking "how to hack facebook" on the backtrack forums and see how far that gets you. On this forum, we will be keeping to the professional penetration testing ideology and not "hack my neighbor's wifi" types of illegal acts/discussions.


Look, I'm not debating this with you, seb. It's your website. And it's not a democracy. I feel privileged enough that I get to 'peek' into your world in the first place. I'm not a professional pen-tester, nor do I know php. But I'm also not a professional lots of things that I enjoy learning and doing. I guess I just felt threatened. I, too, do not want a bunch of id10t's posting 'how do I hack my neighbor' requests, but isn't a little of that just par for the course? I do not want you to feel as though I was telling you what you should or should not allow on your website, I was merely babbling about censorship.

Besides, I think a little of what drives me to learn the things you guys all study is that I need to know more than that kid that makes those posts....

I would love to be a member of some elite forum so I had access to unprecedented knowledge, but the whole purpose of said membership is to be advanced in the first place, lol

perhaps I'll go back to quietly reading, and be satisfied with that.

First, I realize I'm new here and have no seniority. That said, if I had a say in the matter, I would humbly propose that 1. Pen-testing pages be delegated to a secure area or person and will only be available to legit purchasers of the Pineapple. 2. There be criteria met before being able to acquire pen-testing pages, such as having at least 50+ posts, to show with some reasonable determinacy that the person who would be using them is not malicious, or worse, a complete idiot. Typically speaking, malicious, irresponsible idiots are not going to hang around and make 50+ posts just to get some pen-test "phishing" pages. They're too damn lazy and they want everything fast and easy ... hence the term "script kiddies." I do very much agree with Mr-P in principle, although perhaps not completely in action. The WiFi Pineapple is about 50% predicated (and sold) on the concept of "phishing" pen-testing pages. I could pull up a half dozen videos with Darren suggesting this use of the Pineapple (although he is always sure to astutely invoke the "I don't condone this" disclaimer). Couple that with the fact that this is, broadly speaking, a community of sharing and knowledge (as true hackers do), and the restriction can very easily become a slippery slope. Strictly speaking, *s*s*r*p has just as much or a far greater potential for abuse than any "phishing" page. So the next step will be to expulse *s*s*r*p.

The problem here is the same problem it always is: script kiddies and stupid, irresponsible hackers. Some people are malicious. They are not out to do legitimate penetration testing or even white/grey hat hacking, but rather to hurt people or use their information in a nefarious, ill-conceived, self-profiting way. They are completely blackhat. And the damage they can do is increased exponentially by their stupidity. It is because of these types that all hackers get a bad name.

Having gotten that rant out, I do believe that pen-testing pages should be available to those who have reasonably met some established criteria and demonstrated at least a modicum of perceivable responsibility. And that is only my personal take on the issue. You can always learn to make your own pages. In fact, in an ideal setting it would probably be a good thing to do ... but I do not think it should be a prerequisite that a person know current HTML or PHP in order to use a pen-testing page. It's nice for responsible people, particularly users of the Pineapple, to have them on tap in some protected repository should they need them quickly.

Yes, I couldn't have said it any better.


Look guys, I have drafted up a few elaborate responses to this thread, I just think giving a very condensed version will bring the message across more clearly.

First of all, it is not only me that makes this decision. This decision was supported by Mr-Protocol, Diginja, Darren and myself. We took this step because we believe it is for the better of the community. Of course, in some aspects we may be wrong and we may make the wrong decisions, but at least in this regard we don't think so.

This community is meant to be a place to learn and share knowledge. We don't mean to take that away from you guys. To be frank, creating these phishing pages, well, it doesn't take much knowledge to create one. It doesn't take a long time. You will find many tutorials, programs, etc. to make that easy for you. We will just not condone the sharing of clearly malicious pages. Want to share a made-up site as a POC? Well, go ahead! Want to share a fake facebook page? Sorry, just don't.

Introducing a section on the forum that you can only enter after X amount of posts for this kind of content... well, that is silly. In all fairness, if you are on a pentest / whatever and you are counting yourself as "advanced", well, it will take you less than 10 minutes to come up with whatever page you want. It is literally just changing a couple of lines of HTML. If people say that this knowledge shouldn't be necessary on a pentest, well... I think this may be something you will have to learn.

I don't mean to offend anyone with this post, but I hope I got my point across.

Best Regards,

Sebkinne

Now that I think about it, I guess it's silly to only share some content when x amount of posts are met. It is super easy to make that kind of stuff. Just asking, but how can you say to not share facebook and twitter phishing pages when hak5 hosts it? If you don't want to share that kind of stuff then you should get rid of that too. You're not offending anybody. We all like what you have to say. :D

I can't speak for the content hosted there. I agree it should be removed - though I am not responsible for it.

I'll raise it.


We will just not condone the sharing of clearly malicious pages. Want to share a made up site as a POC? Well, go ahead! Want to share a fake facebook page? Sorry, just don't.

Best Regards,

Sebkinne

THAT'S the clarity I was hoping for. I was pretty sure that was your intent, but there was a small doubt. I love this community and in no way do I want to rub anyone's fur the wrong way regarding forum rules.

That said, I ask some pretty rudimentary questions on occasion, and I can see myself asking someone "How come my phishing page doesn't work anymore?" or "Can someone help me get the logging working on this phishing page correctly?". I can figure out how to make a phishing page, but getting one to work on the pineapple in a particular way may take more expertise than I may have at any one time. I want to be able to ask questions and continue to learn and grow. The Hak-tastic community is my primary way of doing that....my trusted virtual colleagues. :)

That bit of clarity above helps a great deal, and everyone should now know clearly where the boundaries are on this issue, thanks Seb.

And of course, thanks to all for making these forums such a wealth of knowledge, and a community I really enjoy being a part of....and of course to Whistle Wonka and his Magical Endless Module Making Machine!!! :) :)

Seriously, huge thanks to all...I love you guys. :)

hf


3 weeks later...

I just saw yet another post that was made referring to phishing, which was redirected here.

With all due respect to you, Seb, Mr-P and DigiNinja, in my very humble opinion, this forum needs to be made private. Specifically, that is, non G searchable ... non viewable unless a registrant is signed in. I fully understand the need for foresight and discretion on matters such as this thread intends to address, and I largely agree with it. And simultaneously, it is a bit disheartening to know that this subject cannot be discussed in any measure when it is, very frankly, a large portion of what the Pineapple is about. It's not my intention in any way to stir trouble, only provoke thought.

I hope you gentlemen will graciously consider my idea as set forth earlier, as well as what is being suggested in this post. As a past Administrator of my own forum, albeit smaller than this one, I've not only seen it work but work with very effective results. I realize there's a business element involved here and there may be a marketing aspect to keep balanced, which may make these remedies unlikely to be enacted. But if you want to maximize having your pineapple cake while the community can eat of it too, I hazard to say it would be the most reasonable counteragent to what you're trying to avoid.
