Thursday, August 18, 2011

Desktop Phishing: Editing/changing the hosts file

Intro:
Whenever we type a URL in the browser's address bar, the system first checks the hosts file located in C:\Windows\System32\drivers\etc\ to see whether the domain name is listed there. If the domain name is found, the IP address in the corresponding field is used and the browser is directed to that IP address.

Now consider a situation where an attacker edits the hosts file and gives the IP address of his (the attacker's) PC for facebook.com. Now whenever the victim types facebook.com, the page will be redirected to the attacker's IP address. The only thing the attacker has to do is set up a phishing page on his server.

Click here to know how to make your PC a web server.

Steps to perform the attack:
1. Create a phishing page on your PC (server).
2. Create a modified hosts file.
3. Hide the file inside some media (like an image).
4. Deliver the image (containing the hosts file) to the victim.


STEP-1:-
To know how to create a phishing page, Click Here.
Now the phishing page has to be uploaded to some website, but unfortunately an IP address can only point to a server, not to a website, so the only possible solution is to make your PC a web server. Click Here to know how to make your PC a web server.

STEP-2:-
In this step we have to modify the hosts file as per our need. In this article I will be explaining two methods to modify the victim's hosts file.
Method-1:- Before we start, let's have a look at what the "hosts" file actually looks like.

Now, the first thing you have to do is know your public IP address: go to the command prompt, type "ipconfig" and hit Enter. Note your IP address.
Open the hosts file (located in C:\WINDOWS\system32\drivers\etc) with Notepad. To edit the file, check the image below.

Check the last two lines which I have added. Now whenever a victim types facebook.com or www.facebook.com, the phishing page saved at the IP 115.242.243.20 (replace this with your IP) will open, which is definitely not a Facebook login page.

Okay, we can now easily change the hosts file located on our own PC. But the challenge is how to change the victim's hosts file. Don't worry, it's not a big deal; let's see how to do it:

First of all, modify the hosts file as described above and save it with the name "hosts"; please do not use any extension. Right click the file and select Add to Archive (you must have WinRAR installed on your PC).

Follow the images for further instructions:

Settings under "General Tab":

Settings under "Advanced Tab":
Go to the Advanced tab and click on the "SFX options" button.

Go to the General tab inside advanced SFX options:

Now select the Update tab:

Select the "Modes" tab:

Press OK and you are done... Remember, sometimes antivirus may detect it as malware; in that case ignore it or select No Action.


Method-2:- In this method we are not going to create any new hosts file; rather, we will modify the existing hosts file on the PC, using batch programming:
1. Open Notepad.
2. Copy and paste the following code into Notepad.
echo "IP address" www.facebook.com >> C:\windows\system32\drivers\etc\hosts 

echo your "IP address" facebook.com >> C:\windows\system32\drivers\etc\hosts   

Note:- Enter your IP address without quotes.

(It will append the IP address and the respective URL at the bottom of the hosts file.)
3. Save it with any name with a .bat extension.
4. Convert this .bat file into an .exe file using a bat to exe converter, click here to download


STEP-3:-


After creating the .exe files, just deliver the files to the victim via email, or upload those files to a website and send the download URL to the victim... Hold on guys, it's not that easy. Do you really think the victim will click the file without knowing what it is? Unfortunately the answer is no. So how do we make them click our exe files? One possible solution is to use another file (say, an image file) to run the exe file. In clear words, if the victim clicks the image, the image file will trigger our hosts file. To know more about this trick, read this post.

STEP-4:-



Before delivering the files to the victim, archive those files (image and exe) with WinRAR. Try including more images in the archive, not just your exe file and one image.
Now the only question left is, how do we deliver this file to the victim? You can send it through email, or upload the archive to a website and give the download link to the victim.


Drawback:

The only major drawback of this technique is that most of us have a dynamic IP address which keeps changing. That means that until the victim logs on, you cannot shut down your internet connection.


Countermeasure:
1. Check whether the connection is https or http.
2. Be suspicious of those websites whose certificates are not valid.
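
Because the redirection depends on extra entries in the hosts file, the file itself can also be checked for them. The Python script below is an added example, not part of the original post: it parses hosts-file text and reports entries that pin a public-looking name to a non-loopback address. The sample file contents and the suffix list are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: a default-style hosts file plus the two entries the article appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net   # sinkhole entry from a blocklist
115.242.243.20 www.facebook.com
115.242.243.20 facebook.com
10.0.0.5  intranet   build01.corp.example
"""

# Assumption: names under these suffixes should normally be resolved by DNS, not hosts.
PUBLIC_SUFFIXES = (".com", ".net", ".org")

def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for entries that override public names."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split on any whitespace
        if len(entry) < 2:
            continue  # blank line, comment-only line, or address without a hostname
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            findings.append((line_no, entry[0], " ".join(entry[1:]), "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost mappings and 0.0.0.0 sinkholes do not redirect to a server
        kind = "private" if ip.is_private else "routable"
        for name in entry[1:]:  # one line may map several hostnames
            name = name.lower().rstrip(".")
            if name.endswith(PUBLIC_SUFFIXES):
                findings.append((line_no, str(ip), name,
                                 "public name pinned to %s address" % kind))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

To check a real machine, pass the contents of the hosts file in C:\Windows\System32\drivers\etc\ to audit_hosts() instead of the sample text.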
