LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is httrack, and why is it useful for MitM phishing attacks?

httrack is a website mirror/copier — it follows links and downloads HTML, CSS, JS, images. The result: a perfect offline copy of a target site, ready to host as a phishing trap.

Basic usage:

httrack https://mycampus.hslu.ch -O /var/www/html/copy

It crawls the site, downloads everything, rewrites internal links so the local copy works.

Why it's perfect for phishing:

Feature Phishing benefit
Pixel-perfect copy Looks identical to the real site
Includes assets (CSS, JS, images) No broken-image red flags
Local link rewriting Internal navigation works
Configurable depth Can grab just the login page or the whole site

The MitM phishing flow:

  1. Use httrack to clone mycampus.hslu.ch
  2. Modify the login form's action attribute to point to attacker's collector
  3. Host the cloned site on attacker's webserver (e.g., Apache on Kali)
  4. Use ARP+DNS spoofing to redirect the victim to your fake site
  5. Victim logs in → credentials sent to attacker
  6. Optionally redirect to a fake "maintenance" page so user doesn't notice

The attacker's modification:

In the cloned index.html, change:

<form action="https://mycampus.hslu.ch/login.aspx" method="POST">

to:

<form action="http://mycampus.hslu.ch/de-ch/wartung.html" method="POST">

The credentials get posted to the attacker's local "wartung" (maintenance) page, which logs them and shows a fake "service down" message.

Why the URL still says mycampus.hslu.ch:

Because of DNS spoofing — the name resolves to the attacker, but the URL bar shows the legitimate domain. Visually, the victim is on mycampus.hslu.ch. Only HTTPS / cert mismatch would reveal the lie.

Defenses against this kind of phishing:

Defense How it helps
HTTPS + valid cert Fake site can't show a valid cert for the real domain → browser warning
HSTS Browser refuses HTTP for the domain after first HTTPS visit
Certificate Transparency Issued certs are logged publicly → abuse easier to detect
MFA Stolen password is useless without second factor
Password manager Refuses to autofill on a different domain (notices URL mismatch)

Tip: A password manager that won't autofill on a site that visually looks correct is a strong phishing signal — it's noticing something the human eye missed.

Go deeper:

  • tool HTTrack (Wikipedia) — the offline website copier, including link-rewriting that makes the clone self-contained.
  • doc Phishing (Wikipedia) — the credential-capture attack the cloned page serves, and its defenses.

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 14, 2026