Hacking Into Social Media Account!
At one time or another we have all wished to hack someone’s social media account (like Instagram, or Facebook…), be it our friends’, relatives’, or siblings’, and we googled it and found some websites with surveys and fake claims to hack them. But the actual process is super easy; the hacking technique used here is Social Engineering.
Disclaimer: This article is only for educational and fun purposes; it must not be referred to with ill intent!!!
Pre-requisite:
- Kali Linux Installed
Step 1: Fire up the Kali Machine -> Launch Terminal -> Give root permissions.
sudo su
Step 2: Head to the Downloads (preferred) folder -> Install Zphisher.
cd Downloads
git clone https://github.com/htr-tech/zphisher.git
Step 3: Install Maskphish.
git clone https://github.com/jaykali/maskphish.git
Step 4: Now comes the most important part, after the victim has entered the credentials and we received them, which page will he see?
By default, in Zphisher the user will be re-directed to the official log-in page of the platform selected. But as this is a Social Engineering Attack we do not want the victim to be suspicious and change his password, do we?
So for that, we will need to change the default redirection URL of the platform on which we want our attack to be.
Now, head on to this location in File Explorer
/home/<usr>/Downloads/zphisher/.sites/<platform>
(Name of user in <usr> and platform in <platform>)
If you are going to the location manually then make sure you have “View Hidden Files” checked.
Open login.php and change the initial URL to the one to be redirected to.
Either comment out the existing URL or change it.
Now save the file and exit it.
Step 5: Get into the Zphisher directory -> Run Zphisher and get the phishing link (Here, used Instagram as an example).
cd zphisher
bash zphisher.sh
(Running the first time may take some time installing dependencies.)
Enter ‘2’ for Instagram
Then enter ‘1’ for a fake login page.
Then press ‘3’ for a Cloudflare port forwarding service (preferable).
It will run and display the links after a couple of seconds.
Step 6: Open a new tab -> Mask the phishing URL with Maskphish so the victim does not find the link to be suspicious.
Ctrl+Shift+T (New Tab)
cd Downloads
cd maskphish
bash maskphish.sh
Now paste the phishing URL obtained from Zphisher.
Ctrl+Shift+C (To copy in Linux)
Ctrl+Shift+V (To paste)
Now specify the domain to be used in the masked URL (here, used https://instagram.com).
Now give in the words to be used in the masked URL to make it more convincing (here, try-not-to-laugh-reel).
Note: Make sure there is no space between the words; they should be separated with hyphens (-).
Maskphish URL is generated within a second or two.
Now, this is the URL that will redirect to our phishing page (looks pretty convincing, right :) ).
Step 7: Now send the maskphish URL to your target. Whenever he logs in to our fake webpage, he will be redirected to the new redirect URL we specified in login.php, and we will receive the credentials in our terminal. They will also be saved into a file displayed below the details.
Voilà !! You made a successful Social Engineering Attack!
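Seen from the receiving side, a link masked as in Step 6 can be caught before anyone clicks it. The check below is an added example, not part of the original article or of either tool. It assumes the masked link puts the trusted-looking domain and words in the URL's userinfo part (before an '@') and the real host after it. PROTECTED_DOMAINS and short.example are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical watchlist: domains your users really sign in to.
PROTECTED_DOMAINS = ("instagram.com", "facebook.com")
DOMAIN_LIKE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def host_in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def inspect_url(url):
    """Return (verdict, real_host, reasons) for a single link."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    # Everything before the last '@' in the authority is userinfo; the
    # browser connects to what follows it.
    userinfo = unquote(parts.netloc.rpartition("@")[0]).lower()
    reasons = []
    verdict = "allow"
    if userinfo:
        verdict = "review"
        reasons.append("userinfo present before '@'")
        if DOMAIN_LIKE.search(userinfo):
            reasons.append("userinfo is shaped like a hostname")
        for domain in PROTECTED_DOMAINS:
            if domain in userinfo and not host_in_domain(host, domain):
                verdict = "block"
                reasons.append(f"userinfo names {domain}, real host is {host}")
    return verdict, host, reasons


# Constructed samples; short.example stands in for any shortener host.
SAMPLES = [
    "https://instagram.com-try-not-to-laugh-reel@short.example/abc123",
    "https://www.instagram.com/reel/xyz/",
    "https://user:pass@intranet.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        verdict, host, reasons = inspect_url(url)
        print(f"{verdict:6} host={host:20} {url}")
        for reason in reasons:
            print(f"       - {reason}")
```

A mail gateway or chat filter can run this over every link in a message and rewrite or quarantine anything that does not come back as "allow".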