Author Topic: need a little help with fake login page  (Read 2226 times)


Offline 0pt1musPr1m3

need a little help with fake login page
« on: April 26, 2015, 04:00:07 pm »
.
« Last Edit: September 14, 2015, 04:50:53 am by 0pt1musPr1m3 »
Don't measure yourself by what you have accomplished, but by what you should have accomplished with your ability.

Offline TheWormKill

« Reply #1 on: April 26, 2015, 04:14:57 pm »
I don't know anything about the software framework you use, but I would find out where the files that execute the logging functionality are located and go from there. Either modify the source or try to find information in the docs.
The second way is probably much easier but might not work if the framework doesn't support custom actions on input by default.
Hope that helps.
« Last Edit: April 26, 2015, 04:26:01 pm by TheWormKill »
Stuff I did: How to think like a superuser, Iridium

He should make that "Haskell"
Quote
<m0rph-is-gay> fuck you thewormkill you python coding mother fucker

Offline v32itas

« Reply #2 on: April 26, 2015, 04:18:08 pm »
I'm a noob, but I was thinking about this a long time ago. And IMO the simplest solution would be making the victim enter his creds like 3 times, just giving an error for the first 2 tries. I've never tried phishing myself, I was just thinking about it. And I have no experience at all in this field ;D
"There is nothing more deceptive than an obvious fact." - SH

“There was no such thing as a fair fight. All vulnerabilities must be exploited.”
― Cary Caffrey





Offline sh4d0w_w4tch

« Reply #3 on: April 26, 2015, 04:40:33 pm »
You can try making the script send a login request to the actual site to see if it works.  The IP of any actual phishing site would likely be banned from logging in very quickly so you might try doing the login with JavaScript so everything comes from the browser.  I don't know if this can be done with browser security, but you could try passing the session data to the user so the phishing site will log them in and it will feel legitimate.

Quote from: v32itas
I'm a noob, but I was thinking about this a long time ago. And IMO the simplest solution would be making the victim enter his creds like 3 times, just giving an error for the first 2 tries. I've never tried phishing myself, I was just thinking about it. And I have no experience at all in this field

Don't.  Multiple failed logins when the user is using the correct password will raise a lot of suspicion.  If they entered their password wrong without verification then you didn't get them and you move on to other targets.  Phishing is a mass attack.  You don't try to get everyone, unless it's spear phishing, but I don't see any legal reasons to spear phish someone's Facebook information.
DeepCopy | Can you name a VPN provider that's like "hey use our services to hack government sites and spam the internet. Please Abuse our services"

+Polyphony | paging master hackers of evilzone: i am here to learn about your black hatted tools to hack different viruses like facebook, sql, php, and other ring zero exploits
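
The IP ban mentioned in the reply above corresponds to a server-side check on the real site: one source address submitting logins for many unrelated accounts in a short time. A sketch of that detection follows as an added example (not from the thread); the log format, threshold and window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2015-04-26T16:40:01 203.0.113.7 alice OK
2015-04-26T16:40:09 203.0.113.7 bob FAIL
2015-04-26T16:40:15 198.51.100.20 carol FAIL
2015-04-26T16:40:21 198.51.100.20 carol OK
2015-04-26T16:40:30 203.0.113.7 dave OK
2015-04-26T16:41:02 203.0.113.7 erin OK
2015-04-26T16:55:00 192.0.2.44 frank OK
2015-04-26T17:30:00 192.0.2.44 grace OK
"""

def parse(line):
    """Split one log line into (timestamp, ip, account, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome

def flag_shared_sources(log_text, max_accounts=3, window=timedelta(minutes=5)):
    """Return {ip: sorted accounts} for IPs that attempted logins for more
    than max_accounts distinct accounts inside one sliding time window.
    Successes and failures both count: the signal is account spread."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, account)
    flagged = {}
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, ip, user, _outcome in events:
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop events older than window
            q.popleft()
        accounts = {u for _, u in q}
        if len(accounts) > max_accounts:
            flagged.setdefault(ip, set()).update(accounts)
    return {ip: sorted(a) for ip, a in flagged.items()}

if __name__ == "__main__":
    for ip, accounts in flag_shared_sources(SAMPLE_LOG).items():
        print(f"{ip}: logins for {len(accounts)} accounts: {', '.join(accounts)}")
```

Shared NAT or campus egress addresses will also exceed a low threshold, so the limit and window need tuning against the site's normal traffic before the result drives a block.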


Offline v32itas

« Reply #4 on: April 26, 2015, 10:55:05 pm »
Quote from: sh4d0w_w4tch
You can try making the script send a login request to the actual site to see if it works.  The IP of any actual phishing site would likely be banned from logging in very quickly so you might try doing the login with JavaScript so everything comes from the browser.  I don't know if this can be done with browser security, but you could try passing the session data to the user so the phishing site will log them in and it will feel legitimate.

Don't.  Multiple failed logins when the user is using the correct password will raise a lot of suspicion.  If they entered their password wrong without verification then you didn't get them and you move on to other targets.  Phishing is a mass attack.  You don't try to get everyone, unless it's spear phishing, but I don't see any legal reasons to spear phish someone's Facebook information.

That might raise a lot of suspicion among this forum's members, but the target is just a casual victim. And I've seen tons of them rampaging when they see shit like incorrect password and entering it over and over again. So I think that is worth a try, because most people enter their password quickly and they can't see wtf they're entering, so suspicion comes only to advanced computer users and like 90% of users are just casual user level.





Offline sh4d0w_w4tch

« Reply #5 on: April 27, 2015, 05:41:58 am »
Quote from: v32itas
That might raise a lot of suspicion among this forum's members, but the target is just a casual victim. And I've seen tons of them rampaging when they see shit like incorrect password and entering it over and over again. So I think that is worth a try, because most people enter their password quickly and they can't see wtf they're entering, so suspicion comes only to advanced computer users and like 90% of users are just casual user level.

I suppose there's a lot of people who would go for it without paying attention.  It would only work on people who aren't aware of how convincing phishing sites are, and there are plenty of them.  It would inevitably last longer than a phishing site that tries to log in to the real site because that would be obvious and get IP banned.

Come to think of it I've run into some really clueless people.


Offline TheWormKill

« Reply #6 on: April 27, 2015, 02:21:46 pm »
Quote from: sh4d0w_w4tch
I suppose there's a lot of people who would go for it without paying attention.  It would only work on people who aren't aware of how convincing phishing sites are, and there are plenty of them.  It would inevitably last longer than a phishing site that tries to log in to the real site because that would be obvious and get IP banned.

Come to think of it I've run into some really clueless people.

Well you might as well use counter-measures against IP-bans. Say, route the request through a proxy.

Offline TheWormKill

« Reply #7 on: April 27, 2015, 02:59:34 pm »
That should be doable, although the client-side of things does not allow a great deal of obfuscation. This would involve some JS in the login page. For the server-side solution, see my answer above.

Offline 420

« Reply #8 on: April 30, 2015, 12:25:54 am »
I thought SET did the check for the validation of the user; you can write an easy script to validate the credentials, though.
"If you give a hacker a toy, they will figure out how it works instead of using it."

Offline 0E 800

« Reply #9 on: April 30, 2015, 12:48:13 am »
I say give em 5 - 10 attempts at logging in, where each attempt prompts the user for the last successful password they used, then send them to a 404 page. Something along the lines that makes the user believe that this AP they connected to is out of order.

If the user is a hardcore user, then by the 5th or 10th attempt, you should have valid emails and passwords for a variety of sites.

If you use the user's actual Facebook login to verify, Facebook will log the last IP/location - which might not be a good idea.
The invariable mark of wisdom is to see the miraculous in the common.

Offline 420

« Reply #10 on: April 30, 2015, 01:28:07 am »
Um, No it does not. Do you know what you are talking about? Did you read anything other than the initial post? Why answer?


Yes I do. I've done this before. You must have set it up wrong.
« Last Edit: April 30, 2015, 01:32:43 am by 420 »

Offline 420

« Reply #11 on: April 30, 2015, 03:33:37 am »
SET will check to make sure that the creds are legit working creds? Please enlighten me.


What do you mean? Just set it up.

Offline 420

« Reply #12 on: April 30, 2015, 03:38:28 am »
Can't tell if you are trolling or if you are actually as big of an idiot as you seem to be.


Your signature is ironic, btw.


If you have basic scripting knowledge, then should this be that hard?


Use SMTP to validate when input is submitted
« Last Edit: April 30, 2015, 03:39:41 am by 420 »

Offline ColonelPanic

« Reply #13 on: May 10, 2015, 06:46:27 pm »
It's been a little while since I've worked with SET, but IIRC, it just rePOSTs the form data to the spoofed site. I've had mixed results with the repost actually working.


That being said, look into making an ajax request to a separate page (which you'll also have to write). Use JavaScript or jQuery to interrupt the onSubmit event of the form (example: http://jsfiddle.net/36rpo3ct/)


With this method, you'll have to show/hide the appropriate error messages in your code, to make it look convincing.





Offline manulaiko

« Reply #14 on: May 21, 2015, 12:32:25 am »
You can use Facebook's API to see if it works
New in this community, hope I can help and learn :)