TheNerdinTheCorner Posted December 8, 2013 Share Posted December 8, 2013 Is there any possible way to add the same HTML code to any web page the victim loads? (For example add a Facebook like button that leads people to a phishing page?) Thx, ThatNerdinTheCorner Quote Link to comment Share on other sites More sharing options...
zz2Fac3zz Posted December 8, 2013 Share Posted December 8, 2013 In this life there is nothing but possibilities. Your welcome, Thatdudeonastool Quote Link to comment Share on other sites More sharing options...
Z4ub4d3 Posted December 8, 2013 Share Posted December 8, 2013 there certainly are ways... sure that this is not the space to be asking..... perhaps one of the mods can clarify. Quote Link to comment Share on other sites More sharing options...
Mr-Protocol Posted December 8, 2013 Share Posted December 8, 2013 Is there any possible way to add the same HTML code to any web page the victim loads? (For example add a Facebook like button that leads people to a phishing page?) Thx, ThatNerdinTheCorner Is this a Pineapple related question or general question? Quote Link to comment Share on other sites More sharing options...
TheNerdinTheCorner Posted December 8, 2013 Author Share Posted December 8, 2013 @Mr-ProtocolIt is a pineaple question, Wouldint it be great if you coluld use your karma clients cpu power when on a page? like, for bitcoin mining or something? -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- With Google and a libary, you can be anything you want. Quote Link to comment Share on other sites More sharing options...
Dazzle Posted December 9, 2013 Share Posted December 9, 2013 You could do something like DNS spoofing all domains and then load the actual domain they requested in an iframe and you can add any code to the page containing the iframe. I don't think your Bitcoin mining has any useful pen-testing purpose though Quote Link to comment Share on other sites More sharing options...
Mr-Protocol Posted December 9, 2013 Share Posted December 9, 2013 @Mr-Protocol It is a pineaple question, Wouldint it be great if you coluld use your karma clients cpu power when on a page? like, for bitcoin mining or something? -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- With Google and a libary, you can be anything you want. I think you would have to give out your wallet credentials to the users in some way, which is never good. You could do something like DNS spoofing all domains and then load the actual domain they requested in an iframe and you can add any code to the page containing the iframe. I don't think your Bitcoin mining has any useful pen-testing purpose though And yes, I'm pretty sure doing something like that is a form of theft. Not 100% and IANAL (I Am Not A Lawyer). Quote Link to comment Share on other sites More sharing options...
tom564 Posted December 9, 2013 Share Posted December 9, 2013 I don't think you would be able to leverage much CPU power using that method as anything you do will need to be run within the browsers limits unless you make them download something. Quote Link to comment Share on other sites More sharing options...
DyFukA Posted December 10, 2013 Share Posted December 10, 2013 (edited) @Mr-Protocol It is a pineaple question, Wouldint it be great if you coluld use your karma clients cpu power when on a page? like, for bitcoin mining or something? -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- With Google and a libary, you can be anything you want. You can use dnsspoof to send them to browser based miner. Or maybe inject iframe using the following litecoin miner. Change the auth value to your worker if you plan to use this pool. Edited December 10, 2013 by Mr-Protocol Let's not encourage code to perform illegal activities. Quote Link to comment Share on other sites More sharing options...
eth0 Posted December 17, 2013 Share Posted December 17, 2013 I've been looking at something like this my self. Koto's fork of sslstrip has been modified so you can change the response, i.e. inject HTML. It also makes use of HTML5s AppCache thus attacks will continue to work even if the user has disconnected from your network. I've not got around to getting a PoC setup on the pineapple yet but I would recommend checking it out and having a play with it. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.