HiddenEye is a modern-day phishing tool. The advanced capabilities and ease of use really make phishing life simple. With just a few clicks, you can spin up a fake phishing site with keylogging capabilities. It is a really cool tool to use and will help you to better understand the technique malicious parties are using. It is also one for the pentesting toolbox.
git clone https://github.com/DarkSecDevelopers/HiddenEye.git
sudo apt install python3-pip
sudo pip3 install -r requirements.txt
chmod 777 HiddenEye.py
sudo python3 HiddenEye.py
As you can see, it’s packed with popular social media sites and templates. Using Facebook as an example:
Let select option 3 and create a Fake Security Issue. It will then ask you if you want to enable a Keylogger:
There is a always a chance that the user may change their mind and not click the submit button. They might have already populated the username and password field though and this is what you want to capture.
Next up is the redirect site. If you want to make it look somewhat genuine, you could use the actual fail URL for Facebook login. Just jump on the site, fail the login and grab the URL.
The reason you are adding this in is because once the user has entered their credentials and submitted, it will redirect to here:
It will now present you with two server options. It highlights that Serveo works better so let’s try that. The only issue I saw with Ngrok was that after I recreated the site, it kept failing. A bit flaky but still works.
You then have the option to create a custom URL or generate a random one.
I will loop back to custom but for now, lets select random. Worth noting that whatever you pick will follow the serveo.net domain. This is HTTPS though as the certificate it uses has a wildcard.
And there we have it. A fake security site in which you can phish credentials:
As you can see though, the URL stands out a bit. Therefore, you would want to create a custom URL. Something that could look genuine.
If you did have the keylogger enabled, you will now be able to capture any keystrokes, like so:
If you did manage to trick a user, you would also see their final input and a bit of information about where they are:
Now let’s revert back to the custom URL bit. You can’t be too obvious with the domain as it will be spotted straight away. Putting Facebook will result in the URL Facebook.serveo.net and will be flagged:
You could try your luck with a bit of DNStwisting but again, it might be flagged:
Instead what often works is combining words to create an unknown word. Such as Facebooksecurity. Because it isn’t a word and the certificate are applied (HTTPS), the site could look genuine:
There are plenty features to play with but as you can see, this is a very powerful tool.
From an BlueTeam perspective though, you could simply blacklist Serveo.net and Ngrok. This depends on if you are using them in production of course. Then you would look to whitelist only your own.