Skipper Posted June 27, 2013 (edited)

I've ordered my Pineapple, and I need to know if there is a redirect.php script for letting people log in to something, but instead of redirecting them to a 503, let them log in and use the site, but leaving me with the username and password? So instead of redirecting, just "monitoring" their logins etc.? Nothing malicious will be done with this, I just want to give the best demonstration I can to my school in a few weeks. I will have full permission to use the Pineapple for demonstration purposes only.

Edited June 27, 2013 by Skipper

thesugarat Posted June 27, 2013

I think they're currently working through a bug... but the Keystroke Logger infusion may be what you're looking for. Won't work for https sites but could be fun to ask people to go to a page you know will work.

Skipper (Author) Posted June 27, 2013

> I think they're currently working through a bug... but the Keystroke Logger infusion may be what you're looking for. Won't work for https sites but could be fun to ask people to go to a page you know will work.

Ok thanks, do you know if sites such as Facebook, Twitter, YouTube etc. use https? I know that banking sites will use it or some sort of higher protection.

thesugarat Posted June 27, 2013

From what I understand Facebook uses https for login but isn't secure once you're in... So that's probably not going to get you any credentials. I don't know about the others offhand. Just go to the login webpage for each and look. You don't actually need to log in or even have an account. If the webpage for login has a padlock icon on the browser or uses https it's a no go. I think there is also a post specifically for Phishing Pages, more specifically it's a page about not asking for them or posting them. But, a theoretical question about how they work and/or how others have implemented credential harvesting to a log file from a phishing page could probably be answered.

Skipper (Author) Posted June 27, 2013

> From what I understand Facebook uses https for login but isn't secure once you're in... So that's probably not going to get you any credentials. I don't know about the others offhand. Just go to the login webpage for each and look. You don't actually need to log in or even have an account. If the webpage for login has a padlock icon on the browser or uses https it's a no go. I think there is also a post specifically for Phishing Pages, more specifically it's a page about not asking for them or posting them. But, a theoretical question about how they work and/or how others have implemented credential harvesting to a log file from a phishing page could probably be answered.

Ok, thanks for all of your help :) I'll just have to look on the web for pages that they are most likely to go to during the demo and if they are an https page for the login, I'll make a copy of the page and send them to that and the rest I'll leave for them to use normally. I'll mark the thread as solved.

-Skipper