Shellphish – Kali Linux 2021 – How to hack a Facebook and other social media accounts

Written by Rob Parker

Written by Rob Parker

Rob is a Certified Ethical Hacker (CEH v11) from EC-Council and a certified EIPA Data Protection Officer that specialises in security and ethical hacking. He has worked in all parts of the world in various security roles and is keen on helping others in their ethical hacking journeys.

Steam Labs Ethical Hacking posts are designed to educate, introduce and demonstrate hacking tools for penetration testing purposes only. We will not be held responsible for people who use these skills for illegal or malicious attacks.

In this tutorial I will explain how hackers use tools such as Shellphish and Blackeye on Kali Linux for credential grabbing and how they will use URL shorteners to disguise the URL links of fake social media websites.

What is Social Engineering and who are the attackers main target?

Social engineering is an art of manipulating people in order to gain crucial information that can be utilized for performing malicious action. In social engineering instead of targeting on the weakness of network or a machine we target the weakness of people.

  • Receptionist and Help-Desk Personnel: Attacker can extract phone number and email id from them.
  • Technical Support Executives: Attacker can pretend to be senior manager, a customer or a vendor to gain information from them.
  • System Administrator: They are the one who maintains the systems of all the employees
  • User and Clients: Attacker can pretend as technical support and can gain information from them
  • Senior Executive: They can target HR, Finance CxO’s of company to gain critical information

What are the 4 phases of social engineering?

  • Research the Target Company: Before attacking the target organization’s network, an attacker gathers as much information as he/she can in order to infiltrate the system Social engineering is a technique which helps in extracting information. While researching attacker gets indulged in activity like dumpster driving (searching the waste coming out of the organization in order to get some crucial information) browsing company’s website and finding employee details.
  • Select a target: After an attacker has performed enough research on the target company then he selects targets for extracting sensitive information. Most preferably he targets the employee that is frustrated of his job as they are easier to be manipulated.
  • Develop Relationship: Once attacker finds out the target on which he would be performing social engineering he tries to build a relationship with that employee to gain his/her trust.
  • Exploit the Relationship: After an attacker is successful in developing a relationship, he exploits the relationship to gain crucial information about organization’s account finance information, etc.

What is credential grabbing?

We will be learning about how to create a malicious link for credentials grabbing. Credential grabbing is one of the most common phishing attack that tricks user in providing there credentials in some fake website or malicious website.

Pre Requisites

Web Browser = Victim System (compromised)

Kali Linux = Attacker (Metasploit Framework)

To install Shellphish, use the following commands

git clone

cd shellphish

chmod +x


If you get the screen on the left, you have successfully started shellphish, now let’s try to make a phishing link and perform credential grabbing

How do you login to shellphish after you have installed it for the first time?

To login to shellphish when you open up a new terminal, you use the below commands

cd shellphish


These commands will then load up the screen you can see on the left.

How to start credential grabbing?

If we choose IG from the ShellPhish menu, it will create a URL with a fake IG login page, this link can be send to your victim, to make it more believable, I would recommend using a URL shortener like

What happens once a user clicks on the link?

As soon as the victim has opened the link, it will provide you with their public IP. If they enter their credentials, these will be sent back to Shellphish, see the image on the left for details.

Use the video at the top of this blog post if you are looking learn how to install and use Blackeye and get in touch with us if you have any questions.

You May Also Like