PHISHING (II) - DATA URIs SCHEME WITH Base64 ENCODING
- Layout for this exercise:
- This exercise is based in the previous one:
- The goal of this exercise is to launch a page-less phishing attack, meaning that there is no need of hosting an html file on a server.
- The phishing bait will be embedded in a URI, using the Data URIs scheme.
1 - Redirecting user input to the attacker machine
- At the attacker machine Windows 10 let's open the index.html file inside xampp > htdocs using Notepad:
- Finding action= and replacing the line with the below string, where 192.168.1.6 is the Windows 10's attacker IP:
- In this way, any user input entered in a connection to the fake web page will be redirected to the file mail.php, where the credentials will be harvested.
2 - Encoding index.html with Base64
- Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation.
- Each Base64 digit represents exactly 6 bits of data, so three bytes (24 bits) can therefore be represented by 4 six-bit Base64 digits:
- These encoded characters must be copied and stored for further use.
- Finally, before launching the attack let's remove index.html from xampp > htdocs, because this will be a page-less phishing attack:
3 - Data URIs scheme
- The data URIs scheme is an Uniform Resource Identifier (URI) scheme that provides a way to include data in-line in web pages as if they were external resources:
- This technique allows normally separate elements such as images and style sheets to be fetched in a single Hypertext Transfer Protocol (HTTP) request, which may be more efficient than multiple HTTP requests.
- In other words, small files can be incorporated online into documents.
- The syntax of data URI schema using base64 is composed of four parts:
data: <mediatype> ; <base64> , <data>
- In our case let's prepend data:text/html;base64, to the encoded index.html:
1) data: <- prefix for the schema
2) text/html <- MIME data type
3) ;base64 <- Base64 encoding is in use
4) ,PCFET0.... <- index.html encoded with Base64
4 - Launching the attack
- Now, when the victim enters the data URI schema into the browser (it could be provided by spam email or social engineering), a Facebook fake home page is presented.
- Entering credentials:
- Immediately a log.txt is created at the attacker side, where email and password are harvested: