Note: Educational purpose only. The author will not be responsible for any harm.
Phishing is an attempt to acquire usernames, passwords or credit card information from the victim by misleading him/her to a cloned copy of the original web page, hosted on localhost or on another computer to which the attacker has access. Once the victim enters account details, they are sent back to localhost and the victim is redirected to the original web page. This gives the attacker the original account details.
Tools used to perform this attack:
1. Social-Engineer Toolkit (SET) (used through Back-Track Linux, where it comes preinstalled). If you don't have Back-Track Linux (get it from http://www.backtrack-linux.org/downloads/ ), scroll down to the bottom of the page for the guide to installing SET on your Linux box.
2. Fake mailer ( http://www.emkei.cz )
3. URL shortener ( http://url2it.com )
First, we need to mirror the login page of the website (for example Facebook, Gmail or Yahoo) whose user details we want.
Using Back-Track Linux (or any other GNU/Linux distro of your choice), we fire up the SET tool.
It is present in the /pentest/exploits/set directory in Back-Track 5. It may reside somewhere else if you are using another Linux distribution. Switch to that directory. In Back-Track, enter:
# cd /pentest/exploits/set
To run it, we enter # ./set in a Terminal window, with root's privileges.
Once we run it, SET shows a welcome message with a menu from which we select the attack we want to proceed with. To make a mirror of a web page and host it on localhost, we select
Website Attack Vectors
That shows sub-menus; one of them is Credential Harvester Attack Method, which does our operation.
Again, we need to clone the site, so we go for Site Cloner, and it asks for the URL to clone.
Here, in this example, we enter http://www.facebook.com to mirror its login page.
Once we are done with this, the tool will host the mirrored page for us. Now what we need is to get the IP address of the local machine and send it to one of our victims.
To get the public IP address of the machine, you can enter $ curl ifconfig.me in another terminal window on GNU/Linux.
Once we get the IP address, we need to disguise it by using a URL shortening tool to make it look less suspicious. Here, you can use www.url2it.com to do your task.
Once we get the "shortened" IP address, what we need is to send it to the victim. If we use the E-mail address of someone close to the victim, it will be more "trustable". To do this, we can use the fake mailer tool ( www.emkei.cz ). Here, we enter the sender's (that is, the victim's friend/family member/close person) and receiver's email addresses, and the link to the fake, mirrored site hosted on localhost, saying something like "check the new Facebook" (or Gmail, or Yahoo).
Once our victim opens the mail, visits the link in it and enters account details, they are sent back to our localhost. This is how we can grab our victim's account details.
How to avoid becoming a victim of this attack:
1. If you get any email claiming to direct you to the original website, check the URL. If it is exactly the same as the original one, there is no harm. Avoid third-party (shortened) links and go to the original site directly.
2. Once you are on the login page, view the page source and check whether the form's "action" points to the original domain. If not, beware: it's "phishing".
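The second check above can be automated. The following is an added example, not part of the original post: it parses a saved login page with the Python standard library, resolves every form "action" against the page URL (a relative action submits to wherever the page is actually hosted, so the hosting URL matters) and flags any form that does not post to the expected domain. The sample pages, the IP 203.0.113.5 and the look-alike hostname are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the 'action' attribute of every <form> in a page (stdlib only)."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def same_site(host, expected_domain):
    """True if host is expected_domain or one of its subdomains.
    'facebook.com.evil.example' must NOT match 'facebook.com'."""
    host = host.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def check_form_actions(html, page_url, expected_domain):
    """Return a list of (resolved_action_url, ok) for each form in html.
    ok is True only when the action resolves to expected_domain."""
    parser = FormActionCollector()
    parser.feed(html)
    results = []
    for action in parser.actions:
        resolved = urljoin(page_url, action)  # relative actions resolve against the page URL
        host = urlsplit(resolved).hostname or ""
        results.append((resolved, same_site(host, expected_domain)))
    return results


# Constructed samples: the genuine page, a clone served from an attacker-controlled IP,
# and a clone on a look-alike hostname that merely starts with the real domain name.
GENUINE_PAGE = '<form method="post" action="/login.php"><input name="email"></form>'
CLONED_PAGE = '<form method="post" action="http://203.0.113.5/post.php"><input name="email"></form>'
LOOKALIKE_PAGE = '<form action="https://www.facebook.com.evil.example/login"></form>'

if __name__ == "__main__":
    for name, html, url in [("genuine", GENUINE_PAGE, "https://www.facebook.com/"),
                            ("cloned", CLONED_PAGE, "http://203.0.113.5/"),
                            ("lookalike", LOOKALIKE_PAGE, "https://www.facebook.com.evil.example/")]:
        for action, ok in check_form_actions(html, url, "facebook.com"):
            print(f"{name}: {action} -> {'OK' if ok else 'PHISHING?'}")
```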
Installing SET on Ubuntu or Fedora:
To fetch the latest code of SET, you need subversion installed.
To install it on Ubuntu >
$ sudo apt-get install subversion
To install it on Fedora >
$ sudo yum install subversion
Now, you need to fetch the SET code by using svn >
$ svn co http://svn.secmaniac.com/social_engineering_toolkit set/
In this case, you will need to switch to the ~/set directory instead of /pentest/exploits/set.
So, instead of cd /pentest/exploits/set, enter cd ~/set.