July 28, 2021
Phishing Using Shellphish
July 28, 2021
What is a Phishing Attack?
A Phishing Attack is a fraud that attempts to obtain sensitive information like usernames, Bank Account Numbers, credit card information, and passwords. Phishing is an example of a Social Engineering technique used to deceive users. The way phishing works is that an attacker clones a trusted website or spoofs an email of a known target, leading the person to believe that he is visiting a trusted website, e.g., Facebook, Snapchat, Instagram, Google, or Netflix. The target will then put his/her username and password on the malicious website (cloned website), and then the username and password are sent to the attacker instead of the actual website. Once the information is collected, the target is redirected to the dedicated website, where they will log in and never realize that any information was stolen. In this tutorial, we will be doing a demo of phishing using Shellphish.
ShellPhish is a tool written in bash. It offers a total of 18 phishing websites and a custom site that people can visit. Once they attempt to log in, the phisher gets the credentials, just like any actual phishing website. Tools like this can be very useful during a penetration test, where the tester wants to test a company’s employees to see how good they are at identifying phishing emails.
- Kali Linux or any other Linux Operating system.
- Internet Connection.
- Shellphish that we will be using for this practicum.
- Firefox and other browsers.
- Open Firefox in Kali Linux.
- Type github.com in the URL.
- In the search box, type shell phish.
- Select the first repository.
- Click on the Clone or Download button and copy the URL. Note ** GitHub repos can be removed or updated, so this specific repo may not be available in the future.
- Open your Terminal
- Type(git clone URL and paste the URL you have copied, then press Enter.
- It will start downloading the shellphish file.
- When the download is complete, change your directory to shellphish by typing cd shellphish.
- In the Shellphish directory, typing command ls -l will show all files and their permissions.
- Now, what we will need to change is the permissions of shellphish. sh
- As you can see, its permissions are (-rw-r–r– ). By (-r), it means (read) permission; by (w). it means (write) permission
- There is no execute permission, i.e., x. To add an execute permission, we need to give command chmod +x shellphish.sh, which provides it with new permission (x).
- Now, we can execute it by typing ./shellphish.sh
- Shellphish has started. Choose any option from above just by typing the number; e.g., if I want to make an Instagram phishing page, I will type (1) as insta is written on number one.
- Then, choose a port forwarding service that will give you the phishing URL. I will go with ngrok, so I typed 2.
- If I use it for the first time, it will start downloading ngrok. Please wait for it.
- When the download is complete, it will present a URL, which is the URL we will use to phish our target.
- Next, this link can be sent via email, WhatsApp, Messenger, or any other media.
- When the target clicks on this link, you will get the location and IP address
- After that, the page will open. When the target types his/her username and password, it will be sent to the attacker. Then the target will be redirected to their Instagram.
Because I was using TOR, the location is unknown, but the location shown will be the exact location of the target otherwise. Notice: This article is for ethical hacking and educational purposes only. If you’re interested, click here to start a career in ethical hacking.