Monday, September 24, 2018

How to phish for username and password using Google Form

For this example, I will be using Facebook but you can set up the form to phish any type of password. You just have to be a little creative.

1. Log in to your Gmail account and click the 9-dot icon in the top-right corner of your screen


2. Click on Drive


3. Click on the New button

4. Go down to More > Google Forms > Blank form



5. Click on the question mark circle at the bottom right of your screen and click Back to the old Forms


6. In the text box, you can type anything you want; just be creative and make it convincing


7. Click on the pencil icon to edit the first question textbox.


8. Add another text box by clicking on the Multiple choice button drop-down and select Text



9. Check the Required question box and click Done


10. Now create another textbox and call it test 2


11. Click on Required question check box for the second textbox and click Done

12. Your form should look something similar to mine below


13. Click on View live form


14. Now you can right click anywhere inside the browser and click Save as...



15. You can save this anywhere. I would just save it on the Desktop for easy access.

16. Go back to the form editing screen and click on View responses 

17. Click on the radio button New spreadsheet. In the text box you can name the file anything you want and click on the Create button.

18. Your response form should look something similar to mine below. Test 1 is where the username will be displayed and Test 2 is where the password will be displayed


19. Open the HTML file you saved to your desktop with Notepad or Notepad++ (I recommend Notepad++ because it makes the code much easier to read). Once the file is open in Notepad++, press Ctrl + F to open the Find window and search for test 1


20. Your screen should now look something similar to mine below


21. Replace:

test 1 with Username

test 2 with Password

Leave the first input type="text" alone and do not change anything there

Change the second input type="text" to input type="password"

22. Save the HTML form. Now you can upload this form to any free web hosting site, or simply to any cloud storage that allows you to render HTML, so the victim can see the form without having to download it. Once the victim types the email and password into the form and clicks Submit, the email and password will be sent to the response form. Of course, to make this more convincing, remove the text that says Never submit password through Google Forms and edit the form by putting some picture in it.

Your form should look something like mine below once everything is completed



NOTE: This is for educational purposes only. Please do not use it to steal usernames and passwords from anyone; it will get you in trouble with the law, depending on where you live.
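For defenders, the page these steps produce has a recognizable shape: an HTML form that asks for a password and submits to a Google Forms response endpoint. The following is an added example, not part of the original post, that scans HTML for that pattern; it assumes the saved form still posts to `docs.google.com/forms/...`, and the function names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

CREDENTIAL_WORDS = ("password", "passwd", "passcode")
LABEL_ATTRS = ("name", "aria-label", "title", "placeholder")

class FormAudit(HTMLParser):
    """Record each <form>'s action URL and whether it asks for a password."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "asks_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # A field counts if it is typed as a password or merely labelled as one.
            label = " ".join(a.get(k, "") for k in LABEL_ATTRS).lower()
            if a.get("type", "").lower() == "password" or any(w in label for w in CREDENTIAL_WORDS):
                self._current["asks_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def posts_to_google_forms(action):
    # Assumption: Google Forms responses are submitted to docs.google.com/forms/...
    u = urlparse(action)
    return (u.hostname or "").lower() == "docs.google.com" and u.path.startswith("/forms/")

def flag_credential_forms(html):
    """Return action URLs of forms that ask for a password and submit to Google Forms."""
    audit = FormAudit()
    audit.feed(html)
    return [f["action"] for f in audit.forms
            if f["asks_password"] and posts_to_google_forms(f["action"])]

# Constructed samples (not taken from the page); FORM_ID_PLACEHOLDER is a placeholder.
SUSPICIOUS = """<form action="https://docs.google.com/forms/d/e/FORM_ID_PLACEHOLDER/formResponse" method="POST">
<input type="text" name="entry.1" aria-label="Username">
<input type="password" name="entry.2" aria-label="Password"></form>"""
SURVEY = """<form action="https://docs.google.com/forms/d/e/FORM_ID_PLACEHOLDER/formResponse" method="POST">
<input type="text" name="entry.1" aria-label="Favourite colour"></form>"""
OWN_LOGIN = """<form action="/login" method="POST">
<input type="text" name="user"><input type="password" name="pass"></form>"""
```

A check like this fits in a mail gateway or web proxy that already has the page body; a hit is a signal for review, since the label match can also catch legitimate forms that merely mention passwords.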








