Phishing Attack Tutorial 

This is one way it's done!

For setting up a Phishing Attack, first thing is to set up Kali Linux in a virtual environment. For the virtual environment, I like to use VirtualBox.The reason I like Kali, is it comes with many pentesting tools. But one of the tools I like to use for this attack is SocialFish as it lets you spoof any web page you want. I should mention some Linux skills will help. We need to go to the terminal and clone the repository.   

• • • • • • •  :~git clone https://github.com/undeadsec/socialfish.git

            • :~sudo apt update

            • :~cd socialfish

Now let's install some python requirements!

• :~python3 -m pip install -r requirements.txt

Now we are ready to lunch socialfish. When you launch social fish you must be in the directory where you have cloned the repository. Launch with this command but read not below before you press enter.

• :~python3 socialfish.py username password

Note you chose a username and password goes in this order.

Now you should see

Now in the green, it says Go to http://0.0.0.0:5000/neptune to start.

Just put that URL in your browser. And you should get here!

Now with the login credentials, we provided when we run socialfish they need to go in here.

Then you should be here!

And next!

As you can see social fish has a very user-friendly dashboard you can even run your Phishing campaign on your phone with the provided app token. As I have mentioned above you can clone any web page you want, even your company login. Just go to the webpage and copy the URL and paste it here!

The box to the right is “Redirection”, here you will put the URL you want to direct the victim to, It is wise to use the same URL, as the victim will not be suspicious of what is happening.

Then click the lightning bolt to complete.

Now the Phishey bit, you will need to send the URL under the SocialFish ” Your attack URL http://0.0.0.0:5000” to the victim using social engineering technique. For this tutorial, we will just be Phishing ourselves. I will be using Facebook for this example.

Facebook login URL {https://www.facebook.com/login.php/}

So let's put that URL in both boxes and click lightning bolt.

Should say success!

Ok let's go to the browser and use the URL under the fish and we should come to Facebook login.

We should see this!

As you can see it says “ Your Request could not be processed ” this should be a lesson for you when you see this in the wild you know you are being Phished so do not put in your credentials. But for this learning experience, we will.

So let's put “mema@facebook.com” and password “123456789” and then click login.

You will notice how the login pops up again, at this time the hacker has our credentials.

Now, if we go to http://0.0.0.0:5000/neptune, or if you already have the dashboard up all we need to do is refresh, now notice at the bottom.

You can see the data collected, over to the far left click on View and you can see the username and password.

This tutorial lets you have a look at the back end of a Phishing attack and as you could see for this attack there were some tell tail signs “Your Request could not be processed”. I hope you enjoyed this lesson, and do not use this for the Darkside stay cool with Yoda and the gang!