In my previous blog post, I summarized an article which went over the type of hackings beginner hackers are able to do. I wanted to have a hands-on experience, so I decided to follow a few tutorials to see what I could do. This was only for educational purposes.

 

Phishing 

Phishing is an attempt to obtain someone’s personal information or data by leading them to a disguised website. I was able to easily find a tutorial which allowed me to make a Facebook phishing page.

I started off by downloading the HTML file of the Facebook login page. Then, I created two .txt files using Notepad. One of the files was meant to stay blank because the usernames and logins were going to be saved on it. On the other file, I wrote a script from the tutorial which would redirect those who type in there credentials to a real Facebook page that would make them type their information again. In the image below, the left side shows the HTML Facebook login page and on the right side, the redirecting file.

Once I finished making the redirecting page, I was ready to upload the files to a web hosting service. In the screenshot below, the page I made is on the left side and the real Facebook page is on the right. They look almost identical to each other. The only difference is that the domain and website names are different, but it is a common mistake for people to type in their credentials on fake websites, because they don’t pay attention to the name.

I proceeded to test the website by typing a fake username and password. I typed “test” as the username and “test123” as the password.

It took me to the real Facebook page which is supposed to make it seem like I had typed in the information incorrectly.

At this point, the information I had put in was logged onto the blank text file I had saved.

This tutorial only took me a few minutes which is scary because people still fall for phishing pages sometimes and it is very simple to do.

Link for tutorial: https://www.hackingloops.com/how-to-create-a-facebook-phishing-page/

Vulnerabilities

A vulnerability is a weakness or lack of security in a system which can be used to exploit.

I used a tutorial that showed me how to use a technique called Google Dorking. Google Dorking is the ability to find information on Google that has been exposed to the public.

1. intitle:”webcamXP 5″

With the first search, I was able to find webcams which were exposed to Google and had no restrictions. Hackers are able to abuse this vulnerability by listening into any video calls that could have important information within them.

2. db_password filetype:env

With the next search, I could find leaked databases which hold sensitive information. Hackers use this search to look for passwords and usernames so they can log onto the accounts. I found a database which has the passwords and usernames of a car dealership website.

3. intitle: “report” (“qualys” | “acunetix” | “nessus” | “netspark” | “nmap”) filetype: pdf

In the last search, there were leaked penetration test reports. Penetration tests are used to test if sites are vulnerable or not and how vulnerable they are. Hackers are able to use the information from the report to see where systems are the most vulnerable at and attack them using it. The report I found was from a bank called eClipse. It shows which areas the system is vulnerable in and how vulnerable they are.

I did not expect to find information like this on Google. Even the most trusted sites could accidently leak our information on Google for others to see.

Exploits

Lastly, I wanted to try out exploits. Cross-Site Scripting (XSS) is one of the most common ways hackers can attack. With XSS, hackers are able to inject their scripts to steal person information, have control over webpages, take over accounts, and install viruses. I tested the following scripts on a site which was made for testing scripts.

1. <script>window.location=”https://example.com'</script>

In the screenshots below, I entered a script which redirected me to another website. If a hacker were to inject their script, they would be able to redirect people to another site that could download malware on their computer to harm it.

2. <script>alert(‘ALERT’)</script>

Below is an image that shows a script that pops up an alert. If hackers were to replace ALERT with their script, they would be able to steal a users cookie that contains information like usernames and passwords.

Tutorial: https://chefsecure.com/courses/xss/recipes/hacking-websites-with-cross-site-scripting

 

I expected it to be a bit harder to find tutorials and test them out. I learned that even simple scripts can do much damage which is terrifying to think about, and it makes me wonder how long it will take till hackers are able to take down every system available by using exploits against their vulnerabilities. So many cybersecurity workers are needed because making systems and trying to perfect them can lead to having many flaws within the system and it’s just a repeating process where workers fight against hackers and stop them, but then hackers are able to find new vulnerabilities. I hope that one day the amount of hackers are able to decrease, so we don’t have to worry about our information getting stolen. Remember to be careful when visiting websites and typing information as well as downloading files from them.