Hacker, Researcher and Author.

Desktop Phishing Tutorial - The Art of Phishing

Desktop phishing is another type of phishing. In desktop phishing, hackers change your Windows/System32/drivers/etc/hosts file, which controls how domain names are resolved on your PC. This method is a bit advanced, and if you are a newbie I would recommend that you read the following posts first:
The difference between phishing and desktop phishing is as follows.

In phishing

1. The attacker convinces the victim to click a link to a fake login page that resembles a genuine login page.
2. The victim enters his credentials in the fake login page, and they go to the attacker.
3. The victim is then redirected to an error page or the genuine website, depending on the attacker.

The main drawback of phishing is that the victim can easily tell a fake login page from the real one by looking at the domain name. Desktop phishing overcomes this by spoofing the domain name.

In desktop phishing

1. The attacker sends an executable file to the victim, and the victim is supposed to double-click it. The attacker's job is done.
2. The victim types the domain name of the original/genuine website and is taken to our fake login page. The domain name remains the same as typed by the victim, so the victim doesn't notice.
3. The rest is the same as in normal phishing.


What is the Hosts File?

The hosts file is a text file containing domain names and the IP addresses associated with them.
Location of the hosts file in Windows: C:\Windows\System32\drivers\etc\. Whenever we visit a website, say www.anything.com, a query is sent to the Domain Name Server (DNS) to look up the IP address associated with that website/domain. But before this happens, the hosts file on our local computer is checked for an IP address associated with the domain name.

Suppose we make an entry in the hosts file associating www.anywebsite.com with 115.125.124.50. When we visit www.anywebsite.com, we are taken to 115.125.124.50. No query to resolve the IP address associated with www.anywebsite.com is sent to DNS.


What is the attack?

I hope you now have an idea of how modification of the hosts file on a victim's computer can be misused.
We need to modify the victim's hosts file by adding the genuine domain name and the IP address of our fake website/phishing page. Whenever the victim visits the genuine website, he is directed to our fake login page, and the domain name in the URL box remains genuine, as typed by the victim. Hence the domain name is spoofed.



Steps to perform attack 


1. Host the phishing page on your computer.
Web hosting sites like 110mb.com, ripway.com, etc., where we usually upload our phishing page, do not provide an IP address that points to your website, such as www.anything.110mb.com. An IP address points to a web server and not a website. So we need to host the phishing page on our own computer using web server software like wamp or xampp.

Download wamp or xampp.

  • Copy your phishing page and paste it in the WWW directory in wamp; the default path is "C:\Wamp\WWW"
  • Run the Wamp server on your PC
  • Right-click the wamp icon in the system tray and select Start all services. Visit your public IP address and you should see your phishing page

2. Modify the hosts file.
If you don't have physical access to the victim's computer, copy your own hosts file and paste it anywhere.
Edit it with any text editor and associate your public IP address with the domain you wish, as shown.

In this case, when the victim visits gmail.com, he is taken to the website hosted on IP 'xxx.xxx.xxx.xxx'. Replace it with your public IP.

3. Compress the hosts file such that when the victim opens it, it automatically gets copied to the default location C:\Windows\system32\drivers\etc and the victim's hosts file gets replaced by our modified hosts file.

Then you can bind this file with any exe using a binder or give it directly to the victim. He/she is supposed to click it, and you are done.

Limitation of attack

 
1. Our public IP address is most probably dynamic, so it changes every time we disconnect and reconnect. To overcome this we need to purchase a static IP from our ISP.
2. The browser may warn the victim that the digital certificate of the website is not genuine.


If you are a beginner and want to learn ethical hacking, I would recommend reading "A Beginners Guide To Ethical Hacking".

Countermeasures

Never blindly enter your credentials in a login page, even if you typed the domain name in the web browser yourself. Check whether the protocol is "http" or "https"; https is secure.

For more information on the https protocol, see the following post:
Plus, there is a piece of software called Macros which protects your hosts file.
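Because the hosts file is consulted before DNS, a defender can also audit it for entries that pin a login domain to a routable address. The following is an added example, not code from the original post; the watched-domain list and the sample hosts text are constructed for illustration.

```python
import ipaddress

# Assumption: domains whose logins matter to you; extend for your environment.
WATCHED = {"gmail.com", "www.anywebsite.com"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not a valid mapping line
        for name in fields[1:]:                   # one IP may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, ip) for watched domains sent to a routable IP."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        is_watched = name in watched or any(name.endswith("." + d) for d in watched)
        # Loopback/unspecified entries are usually local blocks, not redirects.
        if is_watched and not (ip.is_loopback or ip.is_unspecified):
            findings.append((line_no, name, str(ip)))
    return findings

# Constructed sample: a stock hosts file plus injected overrides.
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.gmail.com      # local block entry, not a redirect
115.125.124.50  www.anywebsite.com
203.0.113.7     GMAIL.COM mail.gmail.com
"""

if __name__ == "__main__":
    import os, sys
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                           "System32", "drivers", "etc", "hosts")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    text = (open(path, encoding="utf-8-sig", errors="replace").read()
            if os.path.exists(path) else SAMPLE)
    for line_no, name, ip in audit_hosts(text):
        print(f"hosts line {line_no}: {name} -> {ip} overrides DNS")
```

Running this on a schedule and alerting on any finding, or on any change to the file's hash, catches the override even when the address bar looks correct.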

19 comments:

  1. Where To Get Host File,Which We Have To Bind
    Please Make A sample of host text file
    Regards

  2. hi bro....hope ur well being there....bro i was asking,that inspite of using a wamp server,can we directly use www.000freehosting.com...or any other free hosting servers.....if yes,then what will the significant changes we will have to make??........hope to see ur next article on "Tab Nabbing" :)

  3. sry bro.....i got my answer in the post itself.....so bro my question is now can't we upload our entire wampserver on the free hosting server.....so that we need not to wait online for attackers to login!!!!

  4. u can find host file on ur local computer in ...here u can find host file....or simply search in "host" in C drive...............

  5. hi bro!!.....bro how to upload the 3 files of a "phishing page"(.html,.php.log.text) on the wamp server.....as u said ,not to upload it on free hosting website??

  6. does it mean that our computer/internet connection needs to be turned on when the user opens the target website?

    and will the user be able to go to REAL site after entering the login info (will we redirect him - but again host file will bring the user back to our page) ???

    is it possible to use no-ip (to resolve dynamic ip problem) here?

    thanx!
    Mohit Singh

  7. tutorial is incomplete. I think u forgot to add hosts file images.

  8. @satyam
    We can't upload wamp server on any hosting site
    @maitrai
    You don't need to upload these files anywhere. Just copy them to default path C:\wamp\www\. Because when you start server, contents of this particular folder are accessible on internet through your public IP.
    @Mohit
    Yes, of course our internet must be connected at that time. Direct link of our phishing page will be like this http://xxx.xxx.xxx.xxx/something.htm . It's better to use no-ip if you are giving direct link to victim.
    @anonymous
    Sorry for our inconvenience. We have added images now.

  9. Cool trick and sure works.
    Only 1 question arises in my mind
    that if we can have a website at our ip
    Address how do we put it to an domain name.

  10. hi bro....iam just interested in what is hacking.........

  11. @ayush
    Go to
    www.no-ip.com OR www.dyndns.com
    Sign up for an account, choose available domain, download the client that will help your domain name to work with your dynamic IP. Try this out.

  12. Nice tut bro! keep up the good work

  13. i install wamp server in my system, i got my index.htm page in my browser when i login through that page it will redirect also to main site, but i dont get the password in my list.text or in somewhere in www directory of wamp, plz help

  14. Everything is working good except one..
    How I will make the victim redirected to original page???
    Everytime it is redirected to phishing page only..!

  15. hi aneesh,
    i am using no-ip DUC for my server i am hosting......
    what should i paste in place of my ip

  16. hi aneesh,
    i am using no-ip DUC for my server for static ip so what should i enter in place of my ip in hosts file

  17. Friend i have a problem for which i have been searching for so long but didn't get any solution so far. Can you tell me is it possible to redirect the victim to the original facebook so that second time he logs in successfully even though we have poisoned his host file in desktop phishing? I tried a script which works fine and redirects to normal facebook after phishing is done but while doing desktop phishing, it lands victim to the phished page only again and again after he enters his credentials. Any solution to this problem? And can you suggest me some really working FUD crypter which can protect the exe to poison host file from Anti Viruses? They usually spoil the fun by detecting and removing the changes made into host file of the victim. Please do reply. I have been knocking at the door of everyone from so long with this problem but so far no solution

  18. Hello nice tutorial. I want to know how you can bypass the gmail identity challenge asking for ph number or email id verification (not the two factor verification) when I login to the account of victim with the password. Earlier before two days it was not asking for this verification but now gmail is asking. I want to know if it is the network or the IP that is being traced? I hope u r getting me??


© 2016 All Rights Reserved by RHA Info Sec.
