Easy Website Keylogging with Metasploit
Hello all, you all know how to create phishing pages. Here is a little preview about creating fake pages.
FREE role-guided training plans
FREE role-guided training plans
The History of Phishing:
The Phishing Method was established in 1987, and it was first disclosed in 1995.
Phishing is the technique where an attacker gathers all information from the victim's machine, like his Username, Passwords and Credit Card details, etc.
Phishing technique allows a user to enter his credentials on a fake site which looks like a real website with a login page like gmail.com, yahoo.com and Facebook.com
Procedure to create phishing page:
- For creating a phishing page of the website, you will need:
- Login Fake Page of the website
- Write.php file
- ftp account for web page hosting
- Creating the write.php file:- code as shown below and save it as write.php:
- Creating phishing page of the website:
-
- First you need to go to login URL and view the source code of the page.
- Search for "Action ="
- Then add "write.php id=" after "Action =" and method = GET.
- Refer to the figure below as highlighted:
- After that, save page as "login.html".
- Creating FTP Account: Visit www.my3gb.com , www.110mb.com or one of the many sites available on the internet that allow for free web hosting.
- After registering on free web hosting site. Upload two files ie "login.html" and write.php file.
- Attacker uses various techniques to send the fake url to victim like email, chat and other techniques.
- When a victim accesses your fake site link, it actually looks like a real login page and if he/she enters their credentials, then it will be coming out in our ftp account.
- All of the above steps are needed to create phishing pages.Now rapid7 introduced the new JavaScript keylogger auxiliary function on April 11, 2012, where it is used by an attacker to create the page and send URL to victims. As a victim enters his credentials, automatically, it comes to Metasploit msfconsole.The Metasploit JavaScript Keylogger sets up a HTTP/HTTPS listener, which serves the JavaScript keylogger code and captures the keystrokes over the network
The advantages of using JavaScript keylogger are that it does not require an ftp account to upload the fake pages, and there is no need to write code for write.php and fake page. It is a time saving method.
Easy Website Key logging with Metasploit
This is a much easier technique, which was introduced by the rapid7 Team on April 11, 2012. Here in this case an attacker creates a fake page.
Demo:Requirement:Latest/ updated Metasploit framework version.
ATTACKER SIDE STEPS:-
In order to create the phishing page, you require JavaScript keylogger.js file which will be uploaded by rapid7 very soon. Here I am going to show you the demo which was sponsored by the Rapid7 Team.
- Let's start with msfconsole:
- Let's search for Keylogger by typing "search Keylogger".
- Make a use of "Use auxiliary/server/capture/http_javascript_keylogger"
- If you want to check the information about it then type: "Info auxiliary/server/capture/http_javascript_keylogger"
- Type show options commands to check available options.
Note: - Now in this case we do not have any fake page available to show you but rapid7 team made the feature to set demo here.
I am going to show you that demo that rapid7 introduced in the webinar.- Now set demo to true "set demo true".
- After that set uripath as keylogger "Set uripath keylogger"
- After setting all the required options let's start the server by typing run command.
- Once run command gets executed, run server and generate the link as shown in screen shot above:
http://120.88.45.178:8080/keylogger - In this case, we are going to show you demo and we already set demo as true to access the demo page, just append "/demo" to the URL provided
- http://120.88.45.178:8080/keylogger/demo
- An attacker uses many techniques to send the above URL to a victim like sending a link via email or using social engineering techniques etc.
- Victim sidesteps:-
- When the victim gets the fake link, he/she might be unaware of this type of attack and enter the links shown above.
Demo Page:-
- Here in the demo page keylogger JavaScript was embedded in source code so whatever the victim will type in the login box that keystroke will be getting typed in the msfconsole of the attacker.
- If you observe the view source of the demo page. It looks like the below screen shot.
- Whatever information the victim will type in the credentials, it will be captured by JavaScript.
- Keystrokes captured and stored to loot. And same towards the attacker console.
- And the typed credentials going back to attacker and in this way the attacker hacks the credentials.
- This is the same way that an attacker can hack credit card information. He just clones the login page URL of the website which he wants to hack and diverts the victim using various techniques.
Precaution:- - Emails:-Do not trust emails requesting for personal and financial information.
- Never fill any forms from email messages which ask you to fill in personal- financial information.
- Always ensure that you are using a secure website while submitting credit card, or other sensitive information via your browsers. This means that you should always be sure to use https://www. Connection instead of http://www. This indicates that you are using a secure website.
- Ensure your browser is up to date and security patches applied.
What should you learn next?
What should you learn next?
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- Easy Website Keylogging with Metasploit
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
