Sunday, January 20, 2019

The Complete Guide to Phishing Attack

Did you know that the most dangerous hacking method is social engineering?

Why is it called the most dangerous? Because it doesn't literally hack machines; it hacks the human brain.

Here we will discuss and demonstrate one part of social engineering: the phishing attack.

There are various phishing methods, but the most common are deceptive phishing, spear phishing, and whaling. In deceptive phishing, we do not target anyone; we just create and share the phishing pages. If we attempt phishing on the employees of a company, or on a group of people with the same job or interest, it is called spear phishing. And if we attempt phishing on one person, that is called whaling.


But here we are going to explain only the common deceptive phishing attack. We are not targeting anyone.

Attackers keep an eye on their victims for a month or even a year, collecting data on every single interest and on their daily routine, in order to create a successful phishing attack.

Collecting information about the victim is the first step if you want to play with the victim's brain without showing any suspicious activity.

This tutorial is not about the Social Engineering Toolkit. It is about setting up a perfect environment for phishing. Don't leave the tutorial in the middle.

Let us use and demonstrate the tools to attempt a successful phishing attack.

Initiating the SEToolkit

Fire up your Kali Linux machine and open the Social Engineering Toolkit from the Application menu.

Here we select [2] Website Attack Vectors > [3] Credential Harvester Attack Method > [1] Web Templates.

You can also use the site cloner option, or the custom import option to import a custom phishing web template if you created one.

Okay, here it asks for the local IP address for the POST. Type the local IP address and hit Enter.

Here we get the templates. The first one is Java Required, which prompts a warning that you require Java to access the web page. The other two are Google and Twitter.

We will select Twitter. It clones the Twitter login page and shows the necessary things you may need to do or remember. Do not close this SEToolkit terminal, because the logged credentials will be shown here.

There is a problem: we can't convince the victim by sending an ugly IP address. We must make it look cute and as believable as possible. In this case, we can use Cuteit.

Convert the IP To a Cute URL using Cuteit

Download Cuteit from GitHub. Open a new terminal without closing the previous one. Change the directory to the Cuteit folder and execute the Cuteit.py script. You can use these commands:

cd Desktop/   (if you cloned it to the Desktop)
cd Cuteit/
ls
python Cuteit.py

Cuteit doesn't convert URLs; it only converts IP addresses. So don't put in URLs. We entered the local IP address and it gave us a list of URLs we can use instead of the IP address.

When the victim opens the URL, it redirects to a fake login page of Facebook/Twitter. When the victim enters the credentials, it redirects to the original login page of Facebook/Twitter.

But it prompts a warning which shows the real URL; that can be sorted out using Ngrok.

Once the victim enters the credentials, you will get them in the SEToolkit.

There is some chance of getting credentials if the victim is stupid enough not to check the address bar.
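What checking the address bar amounts to can be automated on the receiving side. The following is an added defensive example, not code from Cuteit or from this post: it assumes the converted links are alternate numeric spellings of an IPv4 address (single integer, hex, or octal octets), optionally preceded by decoy text before an `@`, and reports the host a link really points to. The function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# One inet_aton-style component: 0x-prefixed hex, leading-zero octal, or decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")

def _parse_part(part):
    if not _PART.fullmatch(part):
        return None
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part)

def normalize_ipv4_host(host):
    """Return dotted-quad form if host is any numeric IPv4 spelling, else None."""
    nums = [_parse_part(p) for p in host.split(".")]
    if not 1 <= len(nums) <= 4 or any(n is None for n in nums):
        return None
    *head, last = nums
    # Leading parts are single octets; the last part fills the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def triage_url(url):
    """Report where a link really points and why it deserves a second look."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:
        findings.append("userinfo-before-host")  # text before '@' is not the site
    ip = normalize_ipv4_host(host)
    if ip is not None:
        findings.append("ip-literal-host" if ip == host else "obfuscated-ip-host")
    return {"real_host": ip or host, "findings": findings}

# Constructed samples built on the documentation address 192.0.2.10.
SAMPLES = ["http://3221225994/login", "http://0xC000020A/login",
           "http://0300.0.02.012/login", "http://login.example.com@3221225994/",
           "https://login.example.com/"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", triage_url(u))
```

A mail gateway or proxy rule can apply the same normalization before comparing a link's host against allow or block lists, so that every spelling of one address matches the same entry.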

Apply Phishing Over WAN Using Ngrok

The things we've discussed above were for the local network, but if we want to apply it over WAN, then port forwarding comes into play.

No doubt Ngrok is the best tool for this purpose, and it really is something different from the others.

Ngrok is totally free. You just need to create an account on the official Ngrok website and download the appropriate version for your operating system.


Ngrok basically creates a tunnel between the localhost and the Internet and gives a URL that you can share with anyone.

You just need to extract the Ngrok file and move the executable to the Desktop. Now run the command:

./ngrok http 80

It gives a URL that can be accessed over WAN. The best part is that it gives both HTTP and HTTPS service.

Mask The URL

Ngrok gives a pretty good-looking URL, but it will be better if you mask the URL before sending it to the victim.

This can be done using link shortener services. Bitly and Adfly are the best in this business. You can create your own URL if you have a paid account.

Distributing The URL

You can share the URLs on social media, because people click on attractive stuff. But in the case of e-mailing, the Gmail service doesn't offer a lot of customization, and it also sometimes sends suspicious e-mails to the spam folder.

But we can use Emkei's Mailer service instead of Gmail. Emkei's Mailer is a brilliant tool, but the only problem is that you can't use a legitimate address that already exists. You must set your own address.

And this is where your social engineering skill comes into play. Now it depends on you how you trick the victim's mind. You can also use HTML here to make it look more familiar.

Conclusion

This was a simple demonstration of a phishing attack. You can use the Homograph technique to create a URL that looks more familiar.

If you don't know what Homograph is, there is a simple example given below for you.

Original


Homograph


Social Engineering completely depends on how tricky you are. You have to know the victim's behavior to play with his/her brain.
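Homograph lookalikes of the kind mentioned in the conclusion can be caught mechanically. The following is an added defensive example, not part of the original post: it decodes punycode (`xn--`) labels and flags any hostname label that mixes characters from more than one script. The function names and the sample hostname (built on the reserved `example.com`) are constructed for illustration.

```python
import unicodedata

def _script(ch):
    """Rough script of a character, taken from its Unicode name ('LATIN', 'CYRILLIC', ...)."""
    if ch.isdigit() or ch == "-":
        return None  # digits and hyphens are script-neutral
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def decode_label(label):
    """Turn an ASCII-compatible 'xn--' label back into the Unicode text a user sees."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: keep the raw label
    return label

def mixed_script_labels(hostname):
    """Return (decoded_label, scripts) for every label that mixes scripts.

    Limitation: a label written entirely in one non-Latin script is not
    flagged here; catching those needs a confusables table.
    """
    findings = []
    for raw in hostname.split("."):
        label = decode_label(raw)
        scripts = sorted({s for s in map(_script, label) if s})
        if len(scripts) > 1:
            findings.append((label, scripts))
    return findings

# Constructed sample: 'example' with the Latin 'a' replaced by Cyrillic U+0430.
LOOKALIKE = "ex\u0430mple.com"

if __name__ == "__main__":
    for host in (LOOKALIKE, "example.com"):
        print(ascii(host), "->", mixed_script_labels(host))
```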

Did you find the information valuable? How are you going to use phishing? Tell us the trick you are going to use in the comment box below.
