Dear readers of Tecnogalaxy, today we will resume the topic of Phishing, we have already talked about Phishing several times, in this article however we will go to see step by step how an attacker acts, which tool he uses and how he moves to discover the credentials of social networks , you’re happy?

Quiet of course we will also see what tricks to use to defend yourself with small tricks.

The material to do our test this time will be a script called SocialPhish and a lot of social engineering and of course our dear friend Kali Linux .

Before starting our test let’s make a small introduction.

In the 2.0 era, that of the internet, scams happen online. Not only by browsing websites, but also by e-mail: despite the enormous progress in the cybersecurity sector, with the creation of highly efficient antivirus and antispam filters for e-mail, fraudulent e-mail messages can escape these checks , also creating considerable damage to the unfortunate cheated.

For example, this is the case of phishing e-mails, which can often also come from a trusted source and sent from addresses considered “reliable” and therefore not blocked by the appropriate filters. Running into a scam is very simple, falling for it much less, but you still need to pay close attention and know how to recognize phishing emails. (See the article Examples of Phishing Attacks and How to Find Them).

Let’s go into the merits of our test … first of all the attacker writes in detail the procedure to be used, the more detailed it will be, the higher the success rate. First, he establishes a range of recipients to be hit via Phishing, writes the email trying to make a clone of the original one, activates the SocialPhish tool, leaving it listening … finally he launches the trap by sending the email and waits …

SocialPhish is a simple tool designed for phishing , the crazy thing if you think about it is the ease of use, in fact we will see how anyone who can find it and use it.

Obviously, improper use without consent is punishable by law.

I do not take any responsibility, the tests I carry out in my articles are always on systems owned by me, without permission everything becomes illegal.

We will have 30 different websites, for example eBay, Twitter, Facebook, PayPal, Microsoft etc …

This script automatically generates a fake login page apparently identical to the original one by creating a link to send to the victim.

Discover social credentials with SocialPhish

Before installing, we need to check that Kali has installed:

  1. the PHP interpreter,
  2. the curl, wget and unzip tools.

Let’s move on to the installation by running the script clone:

cd Desk (in my case)
sudo git clone

Let’s move to the newly created folder:

cd SocialPhish

Let’s take the writing rights:

sudo chmod + x

Let’s start the script:

sudo ./
Discover social media credentials through Phishing

This will be the navigation menu of our script.

Once you have chosen the site to clone, SocialPhish will take care of starting a PHP server on our Kali Linux creating the bogus page that we have decided to use, using the URL generated through ngrok.

(Url to send to the victim for our test).

How to find social media credentials using Phishing 1

Once the link containing the URL just created has been sent (using any channel, e-mail, chat, message etc …), we just have to wait, as soon as the victim clicks on the link, the login page of the social media selected above. If the victim takes this trick, he will send us in clear not only his credentials but also a whole series of information about his place of origin retrieved from his IP address.

Discover social media credentials through Phishing

Think what an attacker could do … obviously this technique could be used for any site, PayPall, Microsoft, Word Press etc … fortunately, by using small tricks we can not fall into the trap, let’s see which ones:

  1. Always inquire before opening any links if you are not 100% sure. Do a search on the internet to see if it has already happened to other users.
  2. Read the body of the mail “Origin of the message”, we will see in the next article how to do it.
  3. Hover over the link with the mouse and see which link is displayed.
  4. Contact the real support, in our case Twitter support explaining what happened.


As specified at the beginning of the article, the purpose of our test is obviously not to push users to create similar tools, but the goal is to make known the theoretical and practical ways on how an attacker could discover the social media credentials or our other sensitive information.

As always, make good use of it by testing your device / computer, doing them on devices / computers not yours is illegal.

To the next article.

NB: I do not take any responsibility for the use you will make of the guide, as it is drawn up for didactic and training use.

Read also:

Was this article helpful to you? Help this site to keep the various expenses with a donation to your liking by clicking on this link. Thank you!

Follow us also on Telegram by clicking on this link to stay updated on the latest articles and news about the site.

If you want to ask questions or talk about technology you can join our Telegram group by clicking on this link.

© - It is forbidden to reproduce the content of this article.