Hidden Eye – Advanced Phishing

HiddenEye is a modern-day phishing tool. The advanced capabilities and ease of use really make phishing life simple. With just a few clicks, you can spin up a fake phishing site with keylogging capabilities. It is a really cool tool to use and will help you to better understand the technique malicious parties are using. It is also one for the pentesting toolbox.

git clone https://github.com/DarkSecDevelopers/HiddenEye.git
cd HiddenEye
sudo apt install python3-pip
sudo pip3 install -r requirements.txt
chmod 777 HiddenEye.py
sudo python3 HiddenEye.py

As you can see, it’s packed with popular social media sites and templates. Using Facebook as an example:

Let select option 3 and create a Fake Security Issue. It will then ask you if you want to enable a Keylogger:

There is a always a chance that the user may change their mind and not click the submit button. They might have already populated the username and password field though and this is what you want to capture.

Next up is the redirect site. If you want to make it look somewhat genuine, you could use the actual fail URL for Facebook login. Just jump on the site, fail the login and grab the URL.

The reason you are adding this in is because once the user has entered their credentials and submitted, it will redirect to here:

It will now present you with two server options. It highlights that Serveo works better so let’s try that. The only issue I saw with Ngrok was that after I recreated the site, it kept failing. A bit flaky but still works.

You then have the option to create a custom URL or generate a random one.

I will loop back to custom but for now, lets select random. Worth noting that whatever you pick will follow the serveo.net domain. This is HTTPS though as the certificate it uses has a wildcard.

And there we have it. A fake security site in which you can phish credentials:

As you can see though, the URL stands out a bit. Therefore, you would want to create a custom URL. Something that could look genuine.

If you did have the keylogger enabled, you will now be able to capture any keystrokes, like so:

If you did manage to trick a user, you would also see their final input and a bit of information about where they are:

Now let’s revert back to the custom URL bit. You can’t be too obvious with the domain as it will be spotted straight away. Putting Facebook will result in the URL Facebook.serveo.net and will be flagged:

You could try your luck with a bit of DNStwisting but again, it might be flagged:

Instead what often works is combining words to create an unknown word. Such as Facebooksecurity. Because it isn’t a word and the certificate are applied (HTTPS), the site could look genuine:

There are plenty features to play with but as you can see, this is a very powerful tool.

From an BlueTeam perspective though, you could simply blacklist Serveo.net and Ngrok. This depends on if you are using them in production of course. Then you would look to whitelist only your own.


11 responses to “Hidden Eye – Advanced Phishing”

  1. john parker avatar
    john parker

    Ngrok works fine for me and even Serveo random url sometimes, but when i try to do the custom url option under Serveo , it just gets stuck or keeps on loading, is there a solution for this? ,thank you.


  2.  avatar

    Thanks you, am really waiting


  3. Ctrlaltdel avatar

    I’ve had a few requests so I’ll add it to my list 🙂


  4. chris chege avatar
    chris chege

    can you please give us a tutorial on evilginx tool for phishing?


  5.  avatar

    thank you very much


  6. Ctrlaltdel avatar

    You locally forward the port after you’ve established a connection but if you are using HiddenEye, it will handle all that for you


  7. CHRIS avatar

    one last question, do i have to do port forwarding on my linux machine or on my rooter, or none i assume ngrok and serveo deals with it?


  8. CHRIS avatar

    thank you, this is a nice tool


  9. Ctrlaltdel avatar

    Serveo and Ngrok allow you to forward local host to the Internet. As long as the client can reach your attacking machine, you can Phish.


  10. CHRIS avatar



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at WordPress.com

%d bloggers like this: