Posted (edited)

I've ordered my Pineapple, and I need to know if there is a redirect.php script for letting people log in to something, but instead of redirecting them to a 503, let them log in and use the site, but leaving me with the username and password?

So instead of redirecting, just "monitoring" their logins etc.?

Nothing malicious will be done with this, just want to give the best demonstration I can to my school in a few weeks. I will have full permission to use the Pineapple for demonstration purposes only.

Edited by Skipper
Posted

I think they're currently working through a bug... but the Keystroke Logger infusion may be what you're looking for. Won't work for https sites but could be fun to ask people to go to a page you know will work.

Posted

I think they're currently working through a bug... but the Keystroke Logger infusion may be what you're looking for. Won't work for https sites but could be fun to ask people to go to a page you know will work.

Ok thanks, do you know if sites such as Facebook, Twitter, YouTube etc. use https? I know that banking sites will use it or some sort of higher protection.

Posted

From what I understand, Facebook uses https for login but isn't secure once you're in... So that's probably not going to get you any credentials. I don't know about the others offhand. Just go to the login webpage for each and look. You don't actually need to log in or even have an account. If the webpage for login has a padlock icon on the browser or uses https, it's a no go.

I think there is also a post specifically for Phishing Pages; more specifically, it's a page about not asking for them or posting them. But a theoretical question about how they work and/or how others have implemented credential harvesting to a log file from a phishing page could probably be answered.

Posted

From what I understand, Facebook uses https for login but isn't secure once you're in... So that's probably not going to get you any credentials. I don't know about the others offhand. Just go to the login webpage for each and look. You don't actually need to log in or even have an account. If the webpage for login has a padlock icon on the browser or uses https, it's a no go.

I think there is also a post specifically for Phishing Pages; more specifically, it's a page about not asking for them or posting them. But a theoretical question about how they work and/or how others have implemented credential harvesting to a log file from a phishing page could probably be answered.

Ok, thanks for all of your help :)

I'll just have to look on the web for pages that they are most likely to go to during the demo, and if they are an https page for the login, I'll make a copy of the page and send them to that, and the rest I'll leave for them to use normally.

I'll mark the thread as solved.

-Skipper
