Jump to content

Transparent Phishing?


Andrei0427
 Share

Recommended Posts

I was playing around with a phishing script I had made some time ago with PHP and noticed that the www.facebook.com AND facebook.com are treated differently with ettercap's DNS_SPOOF filter. So I setup the script to forward to www.facebook.com whist having the DNS spoofed on facebook.com only. This will cause an automatic redirection to the user's real profile.

This only works if the victim types "facebook.com" in the address bar, so the probability of this working is slightly slimmed down. Obviously this will only work if the user has a 'remember me' ticked on the computer beforehand, which is mostly the case.

Heres a vid. demo..

I can post the source/method here upon request :)

Edited by Andrei0427
Link to comment
Share on other sites

I was playing around with a phishing script I had made some time ago with PHP and noticed that the www.facebook.com AND facebook.com are treated differently with ettercap's DNS_SPOOF filter. So I setup the script to forward to www.facebook.com whist having the DNS spoofed on facebook.com only. This will cause an automatic redirection to the user's real profile.

This only works if the victim types "facebook.com" in the address bar, so the probability of this working is slightly slimmed down. Obviously this will only work if the user has a 'remember me' ticked on the computer beforehand, which is mostly the case.

Heres a vid. demo..

http://youtu.be/-2bUyb7FGQQ

I can post the source/method here upon request :)

Youtube video:

"This video contains content from WMG, who has blocked it in your country on copyright grounds.

Sorry about that."

Also, I was wondering if it would work if the user uses https?

Link to comment
Share on other sites

Wow, already taken down.. Ill reupload with no music.. one sec

Edit: It shouldnt matter, your victim is entering his credentials using your non-HTTPS page then redirected to the real facebook

Edited by Andrei0427
Link to comment
Share on other sites

Wow, already taken down.. Ill reupload with no music.. one sec

Edit: It shouldnt matter, your victim is entering his credentials using your non-HTTPS page then redirected to the real facebook

To bypass the "savvy" users that check for SSL you could possibly integrate an SSLSniff proxy which will dynamically generate certs for all requested domains, but most will notice the alert for the cert validity too.

Link to comment
Share on other sites

That works slick! I think the https: would clinch it but it looked and acted good from watching the video. The only issue I could see would be any systems that cached the DNS for Facebook prior to connecting to you but chances are they would already have logged in so I suppose it would be a missed attempt either way. Have you attempted that with a profile that uses the location aware feature (aka IP address block check for new locations)? I can't see it being an issue if you're tying into the same ISP connection but it might be if they're being routed through a wireless modem such as the USB 3g or 4G.

Link to comment
Share on other sites

The only issue I could see would be any systems that cached the DNS for Facebook

Most of the time yes, it would be cached but if the client has just connected to the network it would refresh the DNS server with your spoofed one. <I imagine you would have this pre-configured with the pineapple>

Have you attempted that with a profile that uses the location aware feature (aka IP address block check for new locations)?

EDIT:

I noticed what you meant with the IP block, that account isn't mine but he logged in from a local network I was in so this didn't matter really :P

Indeed I have and it still works! Facebook probably uses the GeoLocaction of an IP rather than the block to track it, would be a pain to reset your password if you log in from a different ISP but within the same region.

-------------------------------------------------------------------

Im thinking of adding that SSLSniff you mentioned to the log in page to add more validity to it, although its up to the victim to enable SSL on his profile. The only obvious give away is the ping.. I guess theres no way to escape it..

Glad you found it useful :)

Edited by Andrei0427
Link to comment
Share on other sites

If you don't mind posting the code you're using I'd like to play around with it a bit. I just uploaded the new firmware, reset my password and already have "customers" showing up. Might as well do something interesting with them since they're using my "ISP." :D

Link to comment
Share on other sites

Note: Since I do not have my pineapple yet, I only can help so much as to websever setup.You probably can use the steps from the RockRolling Pineapple episode to setup the redirection. This is what I did on a laptop running Backtrack:

EDIT: Kinda looks shit on all browsers other than Chrome :/

1) Place contents of: http://www.mediafire.com/?o1t637acat6a116 into /var/www/

2) Append dns_spoof for ettercap with:

facebook.com A webServIP

3) Start up webserver: service apache2 start

4) Run arpspoof <arpspoof -i wlan0 192.168.1.254(GW IP)>

5) Run ettercap with:

ettercap -Tqi wlan0 -P dns_spoof

NB: The etter_dns file will need some searching to find, for some reason it changed when I upgraded distro but its in

/usr/local/share/ettercap/etter.dns

I apologize once again for not being able to provide instructions for the pineapple, although once I learn how to do this on it ill post the new instructions :)

Edited by Andrei0427
Link to comment
Share on other sites

Awesome, no worries, I take notes as I'm playing around and post them for the Mark IV unless someone beats me to the punch. Unfortunately I just found some scripting ideas I want to take a look at for automating the web traffic capturing and sorting.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...