Did you know that the most dangerous hacking method is social engineering?
Why is it called the most dangerous? Because it doesn’t literally hack machines; it hacks the human brain.
Here we will discuss and demonstrate one part of social engineering: the phishing attack.
There are various phishing methods, but the most common are deceptive phishing, spear phishing, and whaling. In deceptive phishing, we do not target anyone; we just create and share the phishing pages. If we attempt phishing on the employees of a company or a group of people with the same job or interest, it is called spear phishing. And if we attempt phishing on one person, that is called whaling.
But here we are going to explain only the common deceptive phishing attack. We are not targeting anyone.
Attackers keep an eye on their victims for a month or even a year, collecting data on their every interest and daily routine, in order to create a successful phishing attack.
Collecting information about the victim is the first step if you want to play with the victim’s brain without showing any suspicious activity.
This tutorial is not about the Social Engineering Toolkit. It is about setting up a perfect environment for phishing. Don’t leave the tutorial in the middle.
Let us use and demonstrate the tools to attempt a successful phishing attack.
Initiating the SEToolkit
Fire up your Kali Linux machine and open the Social Engineering Toolkit from the Applications menu.
Here we select Website Attack Vectors > Credential Harvester Attack Method > Web Templates.
You can also use the Site Cloner option, or Custom Import to import a custom phishing web template if you have created one.
Next, it asks for the local IP address for the POST. Type the local IP address and hit Enter.
Here we get the templates. The first one is Java Required, which prompts a warning that you require Java to access the web page. The other two are Google and Twitter.
We will select Twitter. It clones the Twitter login page and shows the things you may need to do or remember. Do not close this SEToolkit terminal, because the logged credentials will be shown here.
There is a problem: we can’t convince the victim by sending an ugly IP address. We must make it look cute and as believable as possible. In this case, we can use Cuteit.
Convert the IP To a Cute URL using Cuteit
Download Cuteit from GitHub. Open a new terminal without closing the previous one. Change the directory to the Cuteit folder and execute the Cuteit.py script. You can use these commands:
cd Desktop/ (if you cloned it to the Desktop)
Cuteit doesn’t convert URLs; it only converts IP addresses, so don’t enter URLs. We entered the local IP address and it gave us a list of URLs we can use instead of the IP address.
When the victim opens the URL, it redirects to a fake Facebook/Twitter login page. When the victim enters the credentials, it redirects to the original Facebook/Twitter login page.
However, it prompts a warning that shows the real URL, but that can be sorted out using Ngrok.
Once the victim enters the credentials you will get them on the SEToolkit.
There is only a small chance of getting credentials, and only if the victim is stupid enough not to check the address bar.
Apply Phishing Over WAN Using Ngrok
The things we’ve discussed above were for the local network, but if we want to apply them over WAN, port forwarding comes into play.
No doubt Ngrok is the best tool for this purpose, and it is really something different from the others.
Ngrok is totally free. You just need to create an account on the official Ngrok website and download the appropriate version for your operating system.
Ngrok basically creates a tunnel between the localhost and the Internet and gives a URL that you can share with anyone.
You just need to extract the Ngrok file and move the executable to the Desktop. Now run the command:
./ngrok http 80
It gives a URL that can be accessed over WAN. The best part is that it gives both HTTP and HTTPS service.
Mask The URL
Ngrok gives a pretty good-looking URL, but it is better to mask the URL before sending it to the victim.
This can be done using link shortener services. Bitly and Adfly are the best in this business. You can create your own URL if you have a paid account.
Distributing The URL
You can share the URLs on social media because people click on attractive stuff. But in the case of e-mailing, the Gmail service doesn’t offer a lot of customization, and it sometimes sends suspicious e-mails to the spam folder.
But we can use Emkei’s Mailer service instead of Gmail. Emkei’s Mailer is a brilliant tool, but the only problem is that you can’t use a legitimate address that already exists. You must set your own address.
This is where your social engineering skill comes into play. Now it depends on you how you trick the victim’s mind. You can also use HTML here to make it look more familiar.
This was a simple demonstration of a Phishing attack. You can use the Homograph technique to create a URL that looks more familiar.
If you don’t know what Homograph is, there is a simple example given below for you.
Social Engineering completely depends on how tricky you are. You have to know the victim’s behavior to play with his/her brain.
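Seen from the defender's side, each disguise used in this tutorial (an IP address rewritten in another notation, a tunnel hostname, a shortened link, a homograph lookalike) leaves a trait in the URL that a mail or proxy filter can check. The Python code below is an added example, not part of the original tutorial or of any tool it mentions; the domain lists, tag names and sample links are constructed assumptions, and the alternate IP forms are assumed to be the usual decimal, hex and octal IPv4 notations.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative lists (assumptions); extend them from your own proxy and mail logs.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app")
SHORTENERS = {"bit.ly", "adf.ly"}

def parse_legacy_ipv4(host):
    """Decode inet_aton-style hosts (decimal, hex, octal, 1-4 parts) or return None."""
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not (p.isascii() and p.isalnum()):
            return None
        # A "0x" prefix means hex, a leading zero means octal, anything else decimal.
        base = 16 if p.startswith("0x") else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            nums.append(int(p, base))
        except ValueError:
            return None  # ordinary DNS label such as "example"
    *head, last = nums
    # Leading parts are single bytes; the last part fills all remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last + sum(n << (8 * (3 - i)) for i, n in enumerate(head))
    return ipaddress.IPv4Address(value)

def triage_url(url):
    """Return sorted tags explaining why a link deserves a closer look."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    tags = set()
    ip = parse_legacy_ipv4(host)
    if ip is not None:
        tags.add("ip-host" if host == str(ip) else "encoded-ip-host")
    if host.endswith(TUNNEL_SUFFIXES):
        tags.add("tunnel-service")
    if host in SHORTENERS:
        tags.add("url-shortener")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        tags.add("idn-homograph-risk")
    return sorted(tags)

# Constructed sample links, not taken from any real campaign.
SAMPLES = ["http://3232235777/", "http://0xC0A80101/", "https://abc123.ngrok.io/login",
           "https://bit.ly/xyz", "http://tw\u0456tter.example/", "https://example.com/"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, triage_url(s))
```

A shortener tag only says the real destination is hidden; resolve the redirect in a sandbox and run the final URL through the same checks.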
The tutorial you found on this website is for educational purposes only. Misuse of this information can lead to jail or other punishment. We are not responsible for anything you damage. Use it only on your own property. If you want to test it on someone else’s property, get written permission from them.