Trying to social engineer an email password but there are no password reset question
#1
So if there are no password reset questions then what is the next step in trying to social engineer someone's password? What else can I try in other words? Could someone help me with this? Let's say for Facebook passwords for example.

I'm thinking maybe reset their email maybe and use that to reset Facebook?

Let's pretend here what the hacker is doing:

First you try resetting the person's email but that email can be reset by another email. The thing is you know the person but your trying to get through each layer of email to get to the Facebook password. But then how do you get access to that email?

Let's say Facebook is linked to yahoo mail. Can yahoo mail accounts be easily cracked? Let's say that yahoo mail can be reset by a hotmail account. Could the hotmail account be easily cracked?

What's the most efficient way of doing it?
Reply
#2
Phising is pretty effective. Or for specific targets, use OSINT by looking through leaked databases. You'd be suprised how many times people reuse passwords. Just be sure to buy a local proxy in the same region/state or maybe even city as the victim. Otherwise you'll probably have a hard time logging in due to security restrictions.

I can't imagine bruteforce or cracking to be very efficient. Big email providers will probably be very quick to block you. But I can't say much more than that, I have no experience with cracking.
Reply
#3
(02-03-2018, 04:29 PM)Insider Wrote: Phising is pretty effective. Or for specific targets, use OSINT by looking through leaked databases. You'd be suprised how many times people reuse passwords. Just be sure to buy a local proxy in the same region/state or maybe even city as the victim. Otherwise you'll probably have a hard time logging in due to security restrictions.

I can't imagine bruteforce or cracking to be very efficient. Big email providers will probably be very quick to block you. But I can't say much more than that, I have no experience with cracking.

I have looked up tutorials on phishing and I can do it but the web page I make doesn't retain its CSS. I tested it on myself once and it worked in terms of collecting my FB password. It didn't work in terms of the CSS didn't apply somehow.

I'm willing to try phishing again though. I just gotta play around with it. The problem is without proper CSS, it just looks straight up obvious. If you could help me with that please do.

I'm going by this tutorial:

https://hackercool.com/2013/06/how-to-ha...-phishing/

I'm going to search for leaked databases soon haha. I'll let you know how that goes.
Reply
#4
(02-03-2018, 09:10 PM)fogbright Wrote: I have looked up tutorials on phishing and I can do it but the web page I make doesn't retain its CSS. I tested it on myself once and it worked in terms of collecting my FB password. It didn't work in terms of the CSS didn't apply somehow.

I'm willing to try phishing again though. I just gotta play around with it. The problem is without proper CSS, it just looks straight up obvious. If you could help me with that please do.

What do you mean it doesn't retain the css? If you know sufficiently of web development. You should be able to either make your own phising page to recreate the page of fix the corresponding css error. Just saying, it's not rocket science. For quicker work you can use SET (Social Engineering Toolkit).

Are you using automated tools? Like httptrack? Sometimes websites block those crawlers. 

Edit: I think you're better off using SET or GoPhish than that old outdated tutorial. If you want to make your own phising pages or templates, as exercise I recommend trying to recreate famous pages such as google using html/css and stuff without copy/pasting it. Just something I did in some of my web development classes, not in the intention of phising though :p But pretty useful.

(02-03-2018, 09:10 PM)fogbright Wrote: I'm going to search for leaked databases soon haha. I'll let you know how that goes.

Good place to start is: https://greysec.net/showthread.php?tid=2280 or online lookups @ https://snusbase.com
Reply
#5
(02-03-2018, 09:57 PM)Insider Wrote:
(02-03-2018, 09:10 PM)fogbright Wrote: I have looked up tutorials on phishing and I can do it but the web page I make doesn't retain its CSS. I tested it on myself once and it worked in terms of collecting my FB password. It didn't work in terms of the CSS didn't apply somehow.

I'm willing to try phishing again though. I just gotta play around with it. The problem is without proper CSS, it just looks straight up obvious. If you could help me with that please do.

What do you mean it doesn't retain the css? If you know sufficiently of web development. You should be able to either make your own phising page to recreate the page of fix the corresponding css error. Just saying, it's not rocket science. For quicker work you can use SET (Social Engineering Toolkit).

Are you using automated tools? Like httptrack? Sometimes websites block those crawlers. 

(02-03-2018, 09:10 PM)fogbright Wrote: I'm going to search for leaked databases soon haha. I'll let you know how that goes.

Good place to start is: https://greysec.net/showthread.php?tid=2280 or online lookups @ https://snusbase.com

I'm gonna start by trying SET. But before that I am going to look in that leaked database. That sounds awesome.
Reply
#6
(02-03-2018, 09:10 PM)fogbright Wrote:
(02-03-2018, 04:29 PM)Insider Wrote: Phising is pretty effective. Or for specific targets, use OSINT by looking through leaked databases. You'd be suprised how many times people reuse passwords. Just be sure to buy a local proxy in the same region/state or maybe even city as the victim. Otherwise you'll probably have a hard time logging in due to security restrictions.

I can't imagine bruteforce or cracking to be very efficient. Big email providers will probably be very quick to block you. But I can't say much more than that, I have no experience with cracking.

I have looked up tutorials on phishing and I can do it but the web page I make doesn't retain its CSS. I tested it on myself once and it worked in terms of collecting my FB password. It didn't work in terms of the CSS didn't apply somehow.

I'm willing to try phishing again though. I just gotta play around with it.

I'm going to search for leaked databases soon haha. I'll let you know how that goes.

What are you talking about lol? I didn't understand what you were trying to say...

What phishing method are you using?
I suppose when you talk about css you are trying to clone a website.
I don't know what css are you trying to clone but maybe you are trying with big websites such as Facebook. Good luck with that, css is pre-processed and you won't be able to get to the EXACT SAME styles. There are a lot of similar styles on the internet way clearer for you to use (or just make your own lel).
This won't be a problem with simpler websites tho; just look in the browser console some @imports, style links, etc.

You will be able to get everything front-end (all but databases, auths, etc.
If you are not very into this you can use tools like HTTrack for windows (https://www.httrack.com), SiteSucker for macOS or use wget if you are using linux.

To get the credentials use a simple script.

ALSO! If you are doing this to learn there are some scripts online that you can use just to see the code (clones already set up I mean). However, don't use them or check the code, sometimes has malicious "extra features".

(02-03-2018, 09:57 PM)Insider Wrote: -snip-

Looks like you answered already... well... you have my opinion too haha
Reply
#7
(02-03-2018, 10:04 PM)enmafia2 Wrote:
(02-03-2018, 09:10 PM)fogbright Wrote:
(02-03-2018, 04:29 PM)Insider Wrote: Phising is pretty effective. Or for specific targets, use OSINT by looking through leaked databases. You'd be suprised how many times people reuse passwords. Just be sure to buy a local proxy in the same region/state or maybe even city as the victim. Otherwise you'll probably have a hard time logging in due to security restrictions.

I can't imagine bruteforce or cracking to be very efficient. Big email providers will probably be very quick to block you. But I can't say much more than that, I have no experience with cracking.

I have looked up tutorials on phishing and I can do it but the web page I make doesn't retain its CSS. I tested it on myself once and it worked in terms of collecting my FB password. It didn't work in terms of the CSS didn't apply somehow.

I'm willing to try phishing again though. I just gotta play around with it.

I'm going to search for leaked databases soon haha. I'll let you know how that goes.

What are you talking about lol? I didn't understand what you were trying to say...

What phishing method are you using?
I suppose when you talk about css you are trying to clone a website.
I don't know what css are you trying to clone but maybe you are trying with big websites such as Facebook. Good luck with that, css is pre-processed and you won't be able to get to the EXACT SAME styles. There are a lot of similar styles on the internet way clearer for you to use (or just make your own lel).
This won't be a problem with simpler websites tho; just look in the browser console some @imports, style links, etc.

You will be able to get everything front-end (all but databases, auths, etc.
If you are not very into this you can use tools like HTTrack for windows (https://www.httrack.com), SiteSucker for macOS or use wget if you are using linux.

To get the credentials use a simple script.

ALSO! If you are doing this to learn there are some scripts online that you can use just to see the code (clones already set up I mean). However, don't use them or check the code, sometimes has malicious "extra features".

(02-03-2018, 09:57 PM)Insider Wrote: -snip-

Looks like you answered already... well... you have my opinion too haha

Thanks. That answers at least one of my two questions.
Reply
#8
(02-03-2018, 09:57 PM)Insider Wrote:
(02-03-2018, 09:10 PM)fogbright Wrote: I have looked up tutorials on phishing and I can do it but the web page I make doesn't retain its CSS. I tested it on myself once and it worked in terms of collecting my FB password. It didn't work in terms of the CSS didn't apply somehow.

I'm willing to try phishing again though. I just gotta play around with it. The problem is without proper CSS, it just looks straight up obvious. If you could help me with that please do.

What do you mean it doesn't retain the css? If you know sufficiently of web development. You should be able to either make your own phising page to recreate the page of fix the corresponding css error. Just saying, it's not rocket science. For quicker work you can use SET (Social Engineering Toolkit).

Are you using automated tools? Like httptrack? Sometimes websites block those crawlers. 

Edit: I think you're better off using SET or GoPhish than that old outdated tutorial. If you want to make your own phising pages or templates, as exercise I recommend trying to recreate famous pages such as google using html/css and stuff without copy/pasting it. Just something I did in some of my web development classes, not in the intention of phising though :p But pretty useful.

(02-03-2018, 09:10 PM)fogbright Wrote: I'm going to search for leaked databases soon haha. I'll let you know how that goes.

Good place to start is: https://greysec.net/showthread.php?tid=2280 or online lookups @ https://snusbase.com

Neither the person's username or email is in the database. Either that or I'm doing it wrong. I tried the email and the username. But I think I'm doing something wrong because I even tried using a wildcard laura% and it won't work.
Reply
#9
Quote: Neither the person's username or email is in the database. Either that or I'm doing it wrong. I tried the email and the username. But I think I'm doing something wrong because I even tried using a wildcard laura% and it won't work.

It just means that email/username does not exist in that specific database...
Reply
#10
(02-04-2018, 05:58 AM)espionage Wrote:
Quote: Neither the person's username or email is in the database. Either that or I'm doing it wrong. I tried the email and the username. But I think I'm doing something wrong because I even tried using a wildcard laura% and it won't work.

It just means that email/username does not exist in that specific database...

Ok, so you are saying there are zero usernames that begin with "laura"?! That's absurd! Ok then this database is shit.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  collegiate social engineering CTF!? QMark 0 1,499 09-06-2020, 02:08 AM
Last Post: QMark
  Practical Examples of Social Engineering Insider 2 2,068 08-15-2020, 11:03 PM
Last Post: Insider
  Which is the best type of public speaking to help with social engineering? QMark 0 1,562 08-06-2020, 08:25 AM
Last Post: QMark
  can someone with autism and psychosis learn social engineering? QMark 5 5,035 04-03-2020, 08:46 PM
Last Post: Insider