Author Topic: nedd a little help with fake login page  (Read 2257 times)

0 Members and 7 Guests are viewing this topic.

Offline 0pt1musPr1m3

  • EZ's Asshole
  • Peasant
  • *
  • Posts: 89
  • Cookies: 90
  • Certified Asshole
    • View Profile
nedd a little help with fake login page
« on: April 26, 2015, 04:00:07 pm »
.
« Last Edit: September 14, 2015, 04:50:53 am by 0pt1musPr1m3 »
Don't measure yourself by what you have accomplished, but by what you should have accomplished with your ability.

Offline TheWormKill

  • EZ's Scripting Whore
  • Global Moderator
  • Knight
  • *
  • Posts: 257
  • Cookies: 66
  • The Grim Reaper of Worms
    • View Profile
Re: nedd a little help with fake login page
« Reply #1 on: April 26, 2015, 04:14:57 pm »
I don't know anything about the software framework you use, but  would find out where the files are located that execute the logging functionality and go from there. Either modify the source or try to find information in the docs.
The second way is probably much easier but might not work if the framework doesn't support custom actions on
input by default.
Hope that helps.
« Last Edit: April 26, 2015, 04:26:01 pm by TheWormKill »
Stuff I did: How to think like a superuser, Iridium

He should make that "Haskell"
Quote
<m0rph-is-gay> fuck you thewormkill you python coding mother fucker

Offline v32itas

  • Peasant
  • *
  • Posts: 123
  • Cookies: -4
  • coup de grâce
    • View Profile
Re: nedd a little help with fake login page
« Reply #2 on: April 26, 2015, 04:18:08 pm »
I'm noob, but i was thinking about this long time ago. And IMO simplest solution would be making victim to enter his creds like 3 times. Just to give an error for first 2 tries. Never tried pishing by myself, I was just thinking about it. And i have no experience at all in this field ;D
"There is nothing more deceptive then an obvious fact." - SH

“There was no such thing as a fair fight. All vulnerabilities must be exploited.”
― Cary Caffrey





Offline sh4d0w_w4tch

  • Peasant
  • *
  • Posts: 73
  • Cookies: -1
  • Please do not feed the skids.
    • View Profile
    • 6c.nz
Re: nedd a little help with fake login page
« Reply #3 on: April 26, 2015, 04:40:33 pm »
You can try making the script send a login request to the actual site to see if it works.  The IP of any actual phishing site would likely be banned from logging in very quickly so you might try doing the login with JavaScript so everything comes from the browser.  I don't know if this can be done with browser security, but you could try passing the session data to the user so the phishing site will log them in and it will feel legitimate.

Quote from: v32itas
I'm noob, but i was thinking about this long time ago. And IMO simplest solution would be making victim to enter his creds like 3 times. Just to give an error for first 2 tries. Never tried pishing by myself, I was just thinking about it. And i have no experience at all in this field

Don't.  Multiple failed logins when the user is using the correct password will raise a lot of suspicion.  If they entered their password wrong without verification then you didn't get them and you move on to other targets.  Phishing is a mass attack.  You don't try to get everyone, unless it's spear phishing, but I don't see any legal reasons to spear phish someone's Facebook information.
DeepCopy | Can you name a VPN provider that's like "hey use our services to hack government sites and spam the internet. Please Abuse our services"

+Polyphony | paging master hackers of evilzone: i am here to learn about your black hatted tools to hack different viruses like facebook, sql, php, and other ring zero exploits


Offline v32itas

  • Peasant
  • *
  • Posts: 123
  • Cookies: -4
  • coup de grâce
    • View Profile
Re: nedd a little help with fake login page
« Reply #4 on: April 26, 2015, 10:55:05 pm »
You can try making the script send a login request to the actual site to see if it works.  The IP of any actual phishing site would likely be banned from logging in very quickly so you might try doing the login with JavaScript so everything comes from the browser.  I don't know if this can be done with browser security, but you could try passing the session data to the user so the phishing site will log them in and it will feel legitimate.

Don't.  Multiple failed logins when the user is using the correct password will raise a lot of suspicion.  If they entered their password wrong without verification then you didn't get them and you move on to other targets.  Phishing is a mass attack.  You don't try to get everyone, unless it's spear phishing, but I don't see any legal reasons to spear phish someone's Facebook information.

That might rise a lot of suspicion among this forum members, but target is just a casual victim. And I've seen tons of them rampaging when they see shit like incorrect password and entering it over and over again. So I think that is worth to try, because most people enter their password quickly and they cant see wtf they entering so suspicion comes only to advanced computer users and like 90% of users are just casual user level.
"There is nothing more deceptive then an obvious fact." - SH

“There was no such thing as a fair fight. All vulnerabilities must be exploited.”
― Cary Caffrey





Offline sh4d0w_w4tch

  • Peasant
  • *
  • Posts: 73
  • Cookies: -1
  • Please do not feed the skids.
    • View Profile
    • 6c.nz
Re: nedd a little help with fake login page
« Reply #5 on: April 27, 2015, 05:41:58 am »
That might rise a lot of suspicion among this forum members, but target is just a casual victim. And I've seen tons of them rampaging when they see shit like incorrect password and entering it over and over again. So I think that is worth to try, because most people enter their password quickly and they cant see wtf they entering so suspicion comes only to advanced computer users and like 90% of users are just casual user level.

I suppose there's a lot of people who would go for it without paying attention.  It would only work on people who aren't aware of how convincing phishing sites are, and there are plenty of them.  It would inevitably last longer than a phishing site that tries to log in to the real site because that would be obvious and get IP banned.

Come to think of it I've run into some really clueless people.
DeepCopy | Can you name a VPN provider that's like "hey use our services to hack government sites and spam the internet. Please Abuse our services"

+Polyphony | paging master hackers of evilzone: i am here to learn about your black hatted tools to hack different viruses like facebook, sql, php, and other ring zero exploits


Offline TheWormKill

  • EZ's Scripting Whore
  • Global Moderator
  • Knight
  • *
  • Posts: 257
  • Cookies: 66
  • The Grim Reaper of Worms
    • View Profile
Re: nedd a little help with fake login page
« Reply #6 on: April 27, 2015, 02:21:46 pm »
I suppose there's a lot of people who would go for it without paying attention.  It would only work on people who aren't aware of how convincing phishing sites are, and there are plenty of them.  It would inevitably last longer than a phishing site that tries to log in to the real site because that would be obvious and get IP banned.

Come to think of it I've run into some really clueless people.
Well you might as well use counter-measures against IP-bans. Say, route the request through a proxy.
Stuff I did: How to think like a superuser, Iridium

He should make that "Haskell"
Quote
<m0rph-is-gay> fuck you thewormkill you python coding mother fucker

Offline TheWormKill

  • EZ's Scripting Whore
  • Global Moderator
  • Knight
  • *
  • Posts: 257
  • Cookies: 66
  • The Grim Reaper of Worms
    • View Profile
Re: nedd a little help with fake login page
« Reply #7 on: April 27, 2015, 02:59:34 pm »
That should be doable, altough the client-side of things does not allow a great deal of obfuscation. This would involve some JS in the login page. For the server-side solution, see my answer above.
Stuff I did: How to think like a superuser, Iridium

He should make that "Haskell"
Quote
<m0rph-is-gay> fuck you thewormkill you python coding mother fucker

Offline 420

  • /dev/null
  • *
  • Posts: 12
  • Cookies: -11
    • View Profile
Re: nedd a little help with fake login page
« Reply #8 on: April 30, 2015, 12:25:54 am »
I thought SET did the check for the validation of the user, you can write an easy script to validate the credentials thought.
"If you give a hacker a toy, they will figure out how it works instead of using it."

Offline 0E 800

  • Not a VIP
  • VIP
  • Baron
  • *
  • Posts: 895
  • Cookies: 131
  • • тнε ιηтεяηεт ιs мү яεcүcℓε-вιη •
    • View Profile
Re: nedd a little help with fake login page
« Reply #9 on: April 30, 2015, 12:48:13 am »
I say give em 5 - 10 attempts at logging in; where each attempts prompts the user for the last successful password they used,  then send them to a 404 page. Something along the lines that makes the user believe that this AP they connected too is out of order.

If the user is a hardcore user, then by the 5th or 10th attempt, you should have valid emails and passwords for a variety of sites.

If you use the users actual facebook login to verify, facebook will log the last ip/location - which might not be a good idea.
The invariable mark of wisdom is to see the miraculous in the common.

Offline 420

  • /dev/null
  • *
  • Posts: 12
  • Cookies: -11
    • View Profile
Re: nedd a little help with fake login page
« Reply #10 on: April 30, 2015, 01:28:07 am »
Um, No it does not. Do you know what you are talking about? Did you read anything other than the initial post? Why answer?


Yes I do. I've done this before. You must have set it up wrong.
« Last Edit: April 30, 2015, 01:32:43 am by 420 »
"If you give a hacker a toy, they will figure out how it works instead of using it."

Offline 420

  • /dev/null
  • *
  • Posts: 12
  • Cookies: -11
    • View Profile
Re: nedd a little help with fake login page
« Reply #11 on: April 30, 2015, 03:33:37 am »
SET will check to make sure that the creds are legit working creds? Please enlighten me.


What do you mean? Just set it up.
"If you give a hacker a toy, they will figure out how it works instead of using it."

Offline 420

  • /dev/null
  • *
  • Posts: 12
  • Cookies: -11
    • View Profile
Re: nedd a little help with fake login page
« Reply #12 on: April 30, 2015, 03:38:28 am »
cant tell if you are trolling or if you are actually as big of an idiot as you seem to be.


Your signature is ironic, btw.


if you have basis scripting knowledge, then should this be that had?


Use smtp to validate when input is submitted
« Last Edit: April 30, 2015, 03:39:41 am by 420 »
"If you give a hacker a toy, they will figure out how it works instead of using it."

Offline ColonelPanic

  • Serf
  • *
  • Posts: 27
  • Cookies: 7
    • View Profile
Re: nedd a little help with fake login page
« Reply #13 on: May 10, 2015, 06:46:27 pm »
It's been a little while since I've worked with SET, but IIRC, it just rePOSTs the form data to the spoofed site. I've had mixed results with the repost actually working.


That being said, look into making an ajax request to a separate page (which you'll also have to write). Use JavaScript or jQuery to interrupt the onSubmit event of the form (example: http://jsfiddle.net/36rpo3ct/)


With this method, you'll have to show/hide the appropriate error messages in your code, to make it look convincing.





Offline manulaiko

  • /dev/null
  • *
  • Posts: 7
  • Cookies: 1
  • If you need help, ask me
    • View Profile
    • Manulaiko's Kingdom
Re: nedd a little help with fake login page
« Reply #14 on: May 21, 2015, 12:32:25 am »
You can use Facebook's api to see if it works
New in this community, hope I can help and learn :)