AdvPhishing is a phishing tool which allows the user to access accounts on social media even if two-factor authentication is activated. AdvPhishing allows the user to gain the target’s username, password and latest one-time password (OTP) in real-time as the target is logging in. In addition to this the user can use AdvPhishing to obtain the target’s IP address. AdvPhishing is available on both Android and Linux.
Before using AdvPhishing, the user is required to allow the target to access the local server using ‘ngrok’. ngrok will generate a token which the user must import into his local machine. Further details are available at the ngrok website.
After starting AdvPhishing, the user must select the target website from 15 different options. These options include popular websites such as Facebook, Instagram, Netflix and many more. After selecting the website, the tool will automatically download the prerequisite requirements for the website and wait for the ’ngrok’ tunnel to be activated. After the tunnel has been activated, a link will be generated which must be sent to the target. Once the link has been accessed, the target will see a clone version of the website where the target will naturally enter their confidential information and OTP.
FULL VIDEO TUTORIAL WATCH & DOWNLOAD:
In this tutorial we’re going to use a tool AdvPhishing there are so many tools we can use but this one is straight forward and it’s very easy to use, so download the tool from github from this LINK:
chmod 777 start.sh
When first run the app it’s going to check for requires and then you will see this screen:
Let’s see we are going to hack the victim with Twitter link, chose number 21 and press Enter:
Now the app is using Ngrok and gave us a link to send it to the victim, we can take this link and shorting it with https://bitly.com/
Now the link looks like something legit right, now all you have to do is send it and wait for that person to porn the link:
The victim enter their credentials and when they click on login we get their credentials back on our terminal:
As we can see the email address and the password that person has entered are showing up very clear.
Of course we could write them an email and send it to them saying that there have been some weird activity on their account and they need to login immediately and change their password, and give them out custom link to press and direct them to that fake page we made with the tool.
The lesson here is never trust a random email or message from unknown source and try not to open any link or attachment from untrusted source, and we trying to login to your social media account use the apps installed on your phone or from the official links if using a laptop.