As Internet users growing day by day, simple methods of attacking them are becoming tough.
Even the Homograph method fails sometimes.
Here we are going to talk about a little advanced method that is spoofing website certificate.
But what a website certificate exactly do?
A website certificate confirms that you are on example.com(for example) not on a fake website posing as example.com.
The tool we are going to use here to spoof the website certificate is called CarbonCopy. CarbonCopy has the ability to create self-signed certificates that look exactly the same as the original.
The best thing about this tool is, it not only spoofs certificate also signs an Executable for AV Evasion so that AV softwares can't detect it as a fake certificate.
But if the validation process is done on the certificates, no local trust anchor will be found and the certificates will be marked as untrusted and rejected.
Let's do it!
Configure CarbonCopy on Kali Linux
Fire up your Kali Linux machine, open up the terminal, change the directory to Desktop and clone the tool from Github.
Now change the directory to the 'CarbonCopy' folder. Here you can see a python script named CarbonCopy.py. Launch the script by the command-
Okay! you've launched the tool successfully. Now its time to clone a website certificate.
python3 CarbonCopy.py www.microsoft.com 443 prometheus.exe signed-prometheus.exe
Now understand the command line. First, we've put the name of the website(ex: www.microsoft.com) of which we want to clone the certificate.
In the second we've put the port i.e 443 which is a TCP port used by websites who have SSL.
In the third, we've put an AV Evasion Executable prometheus.exe.
At the last, we've signed the Executable with the command 'signed-prometheus.exe'.
It was simple, right?
Hackers, does every possible thing to hack us right? We are not aware of the security problems around us and hackers take advantage of it. We are so vulnerable. It's our responsibility to raise security awareness.
This tutorial is not for illegal purposes. It is to let you know how vulnerable we are.
When we visit a website, we do not check whether it's certificate valid or not. Do we? Even we do not check what URL is running on the Address bar or to what URL it's redirecting. That's a very bad thing. We have to take care of our security our own.
What do you think?
The tutorial you found on this website is only for educational purposes. Misuse of this information can lead you to jail or punishment. Anything you damage, we are not responsible for that. Do use it on your own property. If you want to test it on other's property, take written permission from them.