thelocotauren Posted April 24, 2015 Share Posted April 24, 2015 Hi guys, im having troubles with the credential harvester. Im testing it with facebook on my local network, and firefox/Iceweasel doesn't detect anything, but chrome detects it after 5'. I've read that this is a built in function, not a blacklisted url. Does anybody know how to bypass this phishing alert? I've tried obfuscating the html code and that didin't work out. Thanks! Quote Link to comment Share on other sites More sharing options...
digip Posted April 25, 2015 Share Posted April 25, 2015 Same network, or same machine? In either case, google probably hard codes certain https sites for TLD things like Facebook, Twitter, etc, so you may not be able to override their browser's internal hard coded site lists and they may do secondary DNS verifications which some browsers can do, especially google products since they have their own DNS servers (8.8.8.8). If the user has something like OpenDNS hard coded as well, it should also detect it vs just the browsers, but not a guarantee, but they also offer phishing detection, as well as Opera for some sites. Quote Link to comment Share on other sites More sharing options...
thelocotauren Posted April 27, 2015 Author Share Posted April 27, 2015 Hi Digip, the problem is not with the dns server, i understand why a dns poisoning attack wouldn't work, either by an internal verification or by hsts. But i'm accesing directly via another url, not facebook's url. Also, i've noticed that when i use it with an internal ip eg 192.168.0.X or 10.10.16.X, it works perfectly and doesn't show any alert. However, when i try it with a public ip or a free url service such as 000webhosting, it shows a phishing alert. I'm thinking maybe it detects certain known websites, but it's definitely strange. No other browser is picking it up. Quote Link to comment Share on other sites More sharing options...
digip Posted April 27, 2015 Share Posted April 27, 2015 (edited) Hi Digip, the problem is not with the dns server, i understand why a dns poisoning attack wouldn't work, either by an internal verification or by hsts. But i'm accesing directly via another url, not facebook's url. Also, i've noticed that when i use it with an internal ip eg 192.168.0.X or 10.10.16.X, it works perfectly and doesn't show any alert. However, when i try it with a public ip or a free url service such as 000webhosting, it shows a phishing alert. I'm thinking maybe it detects certain known websites, but it's definitely strange. No other browser is picking it up.Only thing i can think is, it knows what it wants from the web, and internal overrides, such as a hosts file pointing locally, don't qualify for the blocking, but that is just my theory. https://hstspreload.appspot.com/ Take a look in your Chrome settings at chrome://net-internals/#hsts Also, Chromium based browsers: https://www.chromium.org/hsts Only thing I can think, something you cloned, calls external scripts or such from the real site. You may have to go through and manually fix any code that points to real files, ie: js files, css, images, etc. Edited April 27, 2015 by digip Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.