
Phishing tutorial for absolute beginners

Phishing is a hacking method that relies on social engineering. What exactly is phishing? Phishing is the act of presenting a fake page that resembles the original web page you intend to visit, with the sole intention of stealing your credentials. This post is a phishing tutorial for beginners. Although we make a phishing page of Facebook in this tutorial, the same steps can be used to make a phishing page of any website. So now let’s phish.

Open your browser, go to the Facebook website, right click on the web page and click on “View page source”.

The source of the web page is displayed in the browser. Right click on the page and click on “Save As”. Save the page as “index.html” on your computer.

Now open index.html using Notepad and hit CTRL+F. In the Find box that opens, type “action” and click on “Find Next”. Look at the value of action. This “action” attribute tells the browser where to send the credentials after the user enters them and submits the form.

Now change the value of action to “phish.php”. We are doing this so when the user enters his credentials the page that loads will be “phish.php” and not the usual page Facebook loads.

Now let’s create the page phish.php. Open Notepad, type the following script into it and save it as “phish.php”. What this script does is log the user’s credentials and save them to a file named “pass.txt”.

Now our files are ready. The next step is to upload these files to any free web hosting site available on the internet. Google for free web hosting sites, select any one of them (I selected bytehost7), create an account with a username as close to Facebook as possible and delete the index.html file available in the htdocs folder. Then, using Online File Management, upload your own index.html and phish.php files to the htdocs folder. Your htdocs folder will look like below.

Let’s check if our phishing page is ready by typing the address of our site. If the page looks like below, then our phishing page is working.

The next thing we have to do is to send address of our fake website to the victim. We will do this through sending him an email but in order for the victim not to smell something fishy, we will obfuscate the URL of the fake page we are about to send him. The sending email address should be as convincingly close to Facebook as possible.

When the victim clicks on the obfuscated URL, it will bring him to our fake site.

If the victim is not cautious enough to check the URL and enters his username and password, our attempt is a success. To show this, I will enter random values in both the username field and the password field and hit Enter.

Now a txt file with name pass.txt will be created in the htdocs folder containing both the username and the password.

Click on the file. We can see both the email and the password I entered. The email is “don’t get hacked” and the password is “like me”.

Find it difficult? See how to do phishing with Weeman HTTP server

Counter Point:

If you don’t want to fall victim to phishing, you can take a few precautions. If you want to open a site, type the address directly in the URL bar and don’t open any redirected links. Don’t click on links in mails that look malicious, for example ones asking for your login credentials.
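A check from the defender’s side, added here as an example and not part of the original post: it parses a saved login page, resolves each form’s action against the page’s own URL and flags targets that are not under the expected domain (including a brand name used in a lookalike host), plus the userinfo-before-“@” trick used to dress up a link. The sample HTML and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample (not from the original post): a saved copy of a login page
# whose <form action> now points at a credential-logging script on the hosting
# account, which is exactly the modification the tutorial above walks through.
SAMPLE_HTML = """
<html><body>
<form id="login_form" action="phish.php" method="post">
  <input name="email"><input name="pass" type="password">
</form>
</body></html>
"""

class FormActionParser(HTMLParser):
    """Collect the action attribute of every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")

def registrable_domain(host):
    # Simplification: last two labels; real tooling should use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def suspicious_url(url, expected_domain):
    """Return the reasons a URL should not be trusted as a link to expected_domain."""
    parsed = urlparse(url)
    reasons = []
    if parsed.username is not None:
        # A link such as http://www.facebook.com@host/ displays the brand but connects to host
        reasons.append("userinfo before '@' hides the real host")
    host = (parsed.hostname or "").lower()
    if registrable_domain(host) != expected_domain.lower():
        reasons.append(f"host {host!r} is not under {expected_domain}")
        if expected_domain.split(".")[0] in host:
            reasons.append("lookalike: brand name appears in an unrelated host")
    return reasons

def audit_login_forms(page_url, html, expected_domain):
    """Map each form action on the page to the reasons its target is suspicious."""
    parser = FormActionParser()
    parser.feed(html)
    return {action: suspicious_url(urljoin(page_url, action), expected_domain)
            for action in parser.actions}
```

Call audit_login_forms with the URL the page was actually loaded from; an empty list for every action means all credential targets stay on the expected domain.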

That was our phishing tutorial for beginners. If you want to learn Ethical Hacking with Real World scenarios, subscribe to our Digital Magazine.


33 thoughts on “Phishing tutorial for absolute beginners”

  1. Hi,
    what will show next to the victim on the phishing page after entering username and password?
    How can we get data in password.txt and redirect him after entering data to the original page so that he didn’t know about phishing?

    1. Hey Matty. Normally in phishing, when a user enters his credentials he will be redirected to the original webpage of the site we are trying to phish. For example, we have created a phishing page for a site xyz.com. Once a user enters the credentials for this site, he will be redirected to the original website of xyz.com. The user will think it’s a glitch and try to login once again.

  2. Please help me. How can I find pass.txt?

  3. Hi, I’m trying to make one for Twitter (my friend has been teasing us that we don’t know her account, I just want to find it to make her shut up), and Twitter doesn’t have “action” to replace. Can anyone help with where to chuck in the phish.php?

  4. […] told, this process is same as phishing, until the creation of phishing files which you can find here. Now Install Wamp Server on your windows machine. To see what Wamp server is and how to […]
