Phishing with data: URIs is not a new idea. The concept is relatively simple: it takes advantage of many users’ inexperience with how data: URIs function in order to trick them into entering credentials into a phishing page. We’ve seen this in the wild against Gmail users, for example, and we’ve even seen some cool attacks against Chrome with really long data: URIs. This post will explore how we can craft a data: URI to trick even more experienced users.
When on an assessment that involves a very large number of IP addresses, it can often be hard to determine which hosts to go after. As a web hacker at heart, I’m often primarily interested in the web services running on the target network. Default credentials on web administration panels are basically guaranteed given enough IPs, but how can I quickly identify which web services are interesting?
One tool I’ve used is EyeWitness, which uses a headless instance of Ghost.py to take screenshots of web services. This is nice because there’s no browser involved, but I’ve had lots of problems with it. For one, you can’t see things like Flash or Java because Ghost.py doesn’t support them. It also has the bad habit of segfaulting in the middle of a scan, which is very frustrating when you’ve left it running overnight. While I’m certainly not bashing the tool (many of the bugs are probably the fault of Ghost.py anyway), I felt that a better solution could be created by using a full browser controlled by a custom extension.
After reading the Chrome extension API documentation and lots of Stack Overflow posts, I created wmap.
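For readers who want to see what "a full browser controlled by a custom extension" looks like in practice, here is an added example of the core of such an extension. It is not wmap's own code; it assumes a background script in an extension whose manifest requests the `tabs` and `<all_urls>` permissions, and it uses only the documented `chrome.tabs.create`, `chrome.tabs.onUpdated`, `chrome.tabs.captureVisibleTab` and `chrome.tabs.remove` calls. The port-to-scheme mapping in `buildTargets` (443 and 8443 as HTTPS, everything else HTTP) is an assumption chosen for the example; the `chrome` object is passed in as a parameter so the pure helper can be exercised outside the browser.

```javascript
// Added example, not wmap's code: the skeleton of a screenshot-everything extension.
// manifest.json needs (assumption for this example):
//   "permissions": ["tabs", "<all_urls>"],
//   "background": { "scripts": ["background.js"] }   // MV2; MV3 uses a service worker

// Pure helper: expand host and port lists into the URLs the scan should visit.
// Assumption: 443 and 8443 are treated as HTTPS, every other port as HTTP.
function buildTargets(hosts, ports) {
  const urls = [];
  for (const host of hosts) {
    for (const port of ports) {
      const scheme = (port === 443 || port === 8443) ? 'https' : 'http';
      const isDefault = (scheme === 'https' && port === 443) || (scheme === 'http' && port === 80);
      urls.push(isDefault ? `${scheme}://${host}/` : `${scheme}://${host}:${port}/`);
    }
  }
  return urls;
}

// Open one URL in a new foreground tab, wait for the load to complete (or give up
// after timeoutMs), grab a PNG of what the real browser rendered, then close the tab.
// captureVisibleTab only captures the active tab of a window, hence active: true.
function screenshotTarget(chromeApi, url, timeoutMs) {
  return new Promise((resolve) => {
    chromeApi.tabs.create({ url, active: true }, (tab) => {
      let done = false;
      const onUpdated = (tabId, info) => {
        if (tabId === tab.id && info.status === 'complete') finish('loaded');
      };
      const timer = setTimeout(() => finish('timeout'), timeoutMs);
      chromeApi.tabs.onUpdated.addListener(onUpdated);

      function finish(status) {
        if (done) return;
        done = true;
        clearTimeout(timer);
        chromeApi.tabs.onUpdated.removeListener(onUpdated);
        // A timed-out page is still worth a screenshot: a slow admin panel that
        // rendered its login form is exactly what we are looking for.
        chromeApi.tabs.captureVisibleTab(tab.windowId, { format: 'png' }, (dataUrl) => {
          // dataUrl is undefined and chrome.runtime.lastError is set when the capture
          // fails (e.g. the tab navigated to a chrome:// error page); record null.
          const shot = dataUrl || null;
          chromeApi.tabs.remove(tab.id, () => resolve({ url, status, dataUrl: shot }));
        });
      }
    });
  });
}

// Scan targets one at a time so that only one tab is ever active for capture.
async function screenshotAll(chromeApi, urls, timeoutMs = 10000) {
  const results = [];
  for (const url of urls) {
    results.push(await screenshotTarget(chromeApi, url, timeoutMs));
  }
  return results;
}

// Inside the extension's background page this is the whole driver:
//   screenshotAll(chrome, buildTargets(['10.0.0.5', '10.0.0.6'], [80, 443, 8080]))
//     .then((results) => console.log(results.map((r) => [r.url, r.status])));
// The hosts above are constructed for the example.
```

Because the page is rendered by a real Chrome instance, plugins and scripts that a headless engine refuses to run are visible in the capture; the cost is that one tab at a time has to be in the foreground, which is why the driver is sequential rather than parallel.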
Enumeration of DNS data is nothing new. Usually this is accomplished through a combination of Google dorking, DNS querying, using a tool like SubBrute to brute-force subdomains, or, if you’re lucky, a name server that still allows DNS zone transfers. However, Cloudflare, a popular CDN and DDoS mitigation service, also has a very large internal database of DNS data waiting to be mined. The best part is that anyone can query this data just by attempting to set up the target domain on Cloudflare.