Jump to content

Credential harvester being detected by chrome phishing filter


thelocotauren
 Share

Recommended Posts

Hi guys, im having troubles with the credential harvester. Im testing it with facebook on my local network, and firefox/Iceweasel doesn't detect anything, but chrome detects it after 5'. I've read that this is a built in function, not a blacklisted url. Does anybody know how to bypass this phishing alert? I've tried obfuscating the html code and that didin't work out.

Thanks!

Link to comment
Share on other sites

Same network, or same machine?

In either case, google probably hard codes certain https sites for TLD things like Facebook, Twitter, etc, so you may not be able to override their browser's internal hard coded site lists and they may do secondary DNS verifications which some browsers can do, especially google products since they have their own DNS servers (8.8.8.8). If the user has something like OpenDNS hard coded as well, it should also detect it vs just the browsers, but not a guarantee, but they also offer phishing detection, as well as Opera for some sites.

Link to comment
Share on other sites

Hi Digip, the problem is not with the dns server, i understand why a dns poisoning attack wouldn't work, either by an internal verification or by hsts. But i'm accesing directly via another url, not facebook's url. Also, i've noticed that when i use it with an internal ip eg 192.168.0.X or 10.10.16.X, it works perfectly and doesn't show any alert. However, when i try it with a public ip or a free url service such as 000webhosting, it shows a phishing alert. I'm thinking maybe it detects certain known websites, but it's definitely strange. No other browser is picking it up.

Link to comment
Share on other sites

Hi Digip, the problem is not with the dns server, i understand why a dns poisoning attack wouldn't work, either by an internal verification or by hsts. But i'm accesing directly via another url, not facebook's url. Also, i've noticed that when i use it with an internal ip eg 192.168.0.X or 10.10.16.X, it works perfectly and doesn't show any alert. However, when i try it with a public ip or a free url service such as 000webhosting, it shows a phishing alert. I'm thinking maybe it detects certain known websites, but it's definitely strange. No other browser is picking it up.

Only thing i can think is, it knows what it wants from the web, and internal overrides, such as a hosts file pointing locally, don't qualify for the blocking, but that is just my theory.

https://hstspreload.appspot.com/

Take a look in your Chrome settings at chrome://net-internals/#hsts

Also, Chromium based browsers: https://www.chromium.org/hsts

Only thing I can think, something you cloned, calls external scripts or such from the real site. You may have to go through and manually fix any code that points to real files, ie: js files, css, images, etc.

Edited by digip
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...