Sethioz Industries Forum

[Sethioz]

V kind a brought this up so i tought ill post .. well more like a question.
its about making the fake login pages for some site (like hotmail) and then give link to a 'victim'. once victim uses it to login then this page will send you his/her user+pass.
if somebody is intrested on how to make such fake login pages then post a reply here. right now the topic is private with quite detailed info (which im not planning to reveale), but i will post a general guide if there's ppl who is intrested in it.
note that..if you set it up RIGHT, then there is very high chance that victim will fall for it. 90% of world has no idea tht this stuff is even possible.

[V]

so... how does one have to make a fake page so it would be almost 90% successful? and should it fail at first, i doubt the "victim" hehe falls to it 2nd time. but then again that's very individual, depends on how stupid the person is. since 90% world is bunch of fools, including myself, that's why 10% rule rest of the 90% of the world.

[Sethioz]

most likely once they will actually see this...they will use it to login. as i said .. need to make it look real and good.

[Thor~God]

plah i once falled for that fake login -_- it sux ass XD but i always figured how it worked :D must be work of art or something... seth teach me when i get to est? :D

[Sethioz]

work of art is when it actually logs you into real site too. so basically theres no way to tell if its fake or not .. only by the URL. ..but if u dont check it (99% of ppl never look at URL when they surf) then theres no way to tell.

[baalpeteor]

sure i'm interested in seeing it. I used todo the old wmv + swf exploit for myspace... and have a fake login paged hosted on my nix box. The dynamic domain was like mysapce.servebbs.com (thanks to dyndns).

Got about 20 or so before i turned it off. Used to put the big fake clear block link over a whole myspace page or over view more pics (of gurls esp. dudes would have to login to see those pics. You can easily exploit guys using the power of their own penis heheh)

To login to the real site I would think you'd have to run a proxy on the pc that has the fake login page and shuffle their credentials to the real page.. and then whatever data is loaded it loads it to the client in a mitm attack.

[Sethioz]

You can easily exploit guys using the power of their own penis heheh)

haha very well said.
i never actually tought about swf or wmv. how you inject anything in there ? or wht i am missing here?
and about links. if you send a spoofed mail from like [email protected] to somebody saying something like:

Code: Select all

Hello, we are converting data from one server to another and we need you to verify your account by simply logging in ... blablablablabla.... DO NOT send your login info to anyone...etc

it has to be really well written and polite. and link would be something like loginlive.somefreehosting.com/fdsa#"#"323dda/dsa32390¤¤%%%"2-dfsa32/account_login/23909dsa8¤%&%&
nobody even looks this ''somefreehosting'' there. it loox real, so at least 50% of ppl would actually use that link to login. you can also add something into mail like ... the new server will be faster..blabla. to get more ppl to click and use it. i cant remember where i uploaded it (prolly they deleted it by now), but i got mine working quite ok. when you used my fake page to login. it gave no errors, but it didnt log you in. it simply did click and emptyd the fields and then it was real site already. so second login was on real page, but then it already sent the info to me :)

[54321]

hey seth dude where would the login details be stored

what i want to know lets say this was my site right where would i(you) find my password

[Sethioz]

it depends what kind of method you are using. you can store them anywhere. you can make the form send it to your email, store locally (where the site is hosted), upload to another FTP ...etc.

[54321]

To be truth fully honest its on the dot the same as this 1 PHB or sum thing but it gets confusing with the database and all i wanna know is where they are im using a free host and if u could say how i get it so it could be sent via email

the login and registration is the same as this 1

and also huge favor because my site is like this well not hackong site But the same format How did u manage to change the top left with a pic of your own and change the writing

[Sethioz]

you don't need database.
here is an example. this code will save the info into a simple txt file, which will be located in same folder with the file.

Code: Select all

<?php
header ('Location: https://www.paypal.com/');
$handle = fopen("passwords.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

and the following code will go into a fake page to make it use the code above.

Code: Select all

<div class="body"><form method="post" name="login_form" action="update.php">

ofcourse you can't just copy and paste, form name need to be called "login_form" and method need to be "post" ..etc


another option is to use formmail (google for it).
form mail is something that will email the details, but you still have to integrate it into a fake page.

[54321]

and where do i run the code

[Sethioz]

mah, its php, can't you see the <php ?> brackets ?
do you even understand what you are trying to do ? it is php code, which goes INSIDE of the fake page you make and then you upload your fake page and send somebody to that page.

[54321]

ok are those 2 sep files or do they go together

[Sethioz]

uhm you can't make a fake page without any knownledge of php.
this one is for paypal. look at the fields. update.php is the file that will do the loggin and redirecting job for you. cant you see paypal.com in the code ?

[54321]

ok i made fake page and bam site closed due to illegal activity is there a way around this

[Sethioz]

haha ofcourse they close it. try netsons.org. there are some "poor" hostings that will not check what you do.

[54321]

haha thanks for telling me y not say.... hey man dont write this code unless u got unsecure site..... haha

[Sethioz]

well i was testing it here on this site, but i never put it out in public, it was in password protected area, i dont need any problems on Looney friend :) otherwise i could host it.

[54321]

so where is the data stored even without program the password has to be stored somewhere