Phishing Using Shellphish
What is a Phishing Attack?

A phishing attack is a fraudulent attempt to obtain sensitive information such as usernames, passwords, credit card information, bank account numbers, etc. Phishing is an example of a social engineering technique used to deceive users. It works like this: an attacker clones a trusted website or spoofs an email of a known target, which leads the person to believe that he is visiting a trusted website such as a social media site, e.g., Facebook, SnapChat, Instagram, Google, Netflix, and so on. The target then enters his/her username and password on the malicious (cloned) website, the username and password are sent to the attacker instead of the real website, and the target is redirected to the real website. Let's do a demo of phishing using Shellphish.
Things Needed:
1. Kali Linux or any other Linux operating system.
2. Internet connection.
3. Shellphish, which we will be using for this practical.
4. Firefox or any other browser.
Steps:
1. Open Firefox in your Kali Linux.
2. Type (github.com) in the URL bar.
3. In the search box, type (shell phish).
4. Select the first repository.
5. Click on the (Clone or Download) button and copy the URL.
6. Open your Terminal.
7. Type (git clone URL), pasting the URL you have copied, and press Enter.
8. It will start downloading the Shellphish files.
9. Wait for the download to complete.
10. Change your directory to shellphish by typing (cd shellphish).
11. In the shellphish directory, type the command (ls -l). It will show all files and their permissions.
12. What we need to change now is the permissions of (shellphish.sh).
13. As you can see, its permissions are (-rw-r--r--). Here (r) means read permission and (w) means write permission.
14. There is no execute permission, i.e., (x). To add an execute permission, we need to give the command (chmod +x shellphish.sh), which will provide it with the new permission (x).
15. Now we can execute it by typing (./shellphish.sh).
16. Shellphish has started. Choose any option from above just by typing its number, e.g. if I want to make an Instagram phishing page, I will type (1), as insta is written on number one.
17. Then choose a port forwarding service that will give you the phishing URL. I will go with ngrok, so I typed 2.
18. If you are using it for the first time, it will start downloading ngrok. Wait for it.
19. When the download is complete, it will give you a URL, which is the URL we will use to phish our target.
20. Now you can send this link via email, WhatsApp, Messenger or any other medium.
21. When the target clicks on this link, you will get their location and IP address.
22. After that, the page will open, and when the target types his/her username and password, it will be sent to the attacker, and the target will be redirected to their Instagram. Because I was using TOR, the location is unknown, but it will show the exact location of the target otherwise.
Notice: This article is for ethical hacking and educational purposes only.