HiddenEye is an extremely effective Social Engineering tool that can be used to gather users credentials, and other miscellaneous information. This tool can be a great asset in an Enterprise level Penetration Test or other engagement.
The first thing you’re going to want to do is download and move to the proper directory to launch the script, as well as download the proper pre-requisites to run the script:
sudo git clone https://github.com/DarkSecDevelopers/HiddenEye
sudo pip install -r requirements.txt
Now you’re ready to run the script, type this to begin:
sudo python3 HiddenEye.py
As you can see, there are a lot of phishing options and potential vectors of attack. In this demonstration, we will focus on Facebook because of its capacity to store a lot of personal information.
We first start by choosing option number 1 for Facebook, and then option number 1 again for Standard Page Phishing.
We then put “Y” for embedding a Keylogger in the malicious link. This will ensure we can capture additional keystrokes even after the user authenticates.
For Cloudflare, we specify the “N” value because the Facebook login page doesn’t display a Cloudflare page before the redirect.
The correct Redirect link is set, “facebook.com” after a user attempts to authenticate, it will fail. The redirect will make them think that they just put in their password incorrectly, attempting to avoid suspicion.
We have to set a port, you can use anything in the specified range. This is for the listener.
When asked for the server value, select 3 for Localxpose. If you want, you can also use Serveo, but I don’t recommend Ngrok as it breaks a lot.
Choose option 1 for a Custom URL. This part is vital. Your specification of a custom subdomain will help obfuscate the malicious link and make it look at least a little more realistic. I chose facebook.com as the subdomain because a distracted user may not pay any mind to it.
We have now generated the link. In the step before this one, if you were to generate a random URL it would look something like xfgemdsjdnuj.loclx.io. Obviously, this looks highly suspicious and the user is more likely to notice. Instead, as I stated before, we used the “Custom URL” option and specified facebook.com. This ensured that we had a custom subdomain before loclx.io which would be harder to catch if a user wasn’t paying attention.
You’ll see that the login page looks fairly realistic.
End Result: We have captured the user’s public-facing IP, browser and OS details, coordinates, ISP, city, and region. More importantly, we hit the jackpot and captured their credentials.
Final Thoughts & Prevention
Obviously many people will contest the validity of a phishing attack of this sort, proclaiming that they would never fall victim to this, yet Social Engineering is continuously the most effective attack. This script, combined with phishing e-mails with the link embedded can be deadly in credential harvesting. Given complex secondary options (such as setting up a custom e-mail that looks like it came from Facebook, using a sense of urgency or scare tactic/sending it from a compromised Enterprise account) it could easily set up a multi-pronged compromise scenario.
To prevent these types of attacks, it’s important that a user:
- Verify the authenticity of links before clicking them, look for spelling mistakes in the URL or unusual additives.
- Verify that the e-mail/message with the embedded link is coming from a legitimate source (but realizing that this alone isn’t enough to ensure that the link is safe)
- Check with your local Security Operations Center, or verify that it is safe by contacting the person directly to ask if they sent it.
- If the e-mail/message is specifying that you need to do something, manually type in the correct link and check your account instead of clicking the link.
- Enable Two-Factor Authentication as another prevention mechanism, push instead of SMS if possible.