<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Phishing on Ethical Hacking | Pentest e Sicurezza Informatica | Hackita</title><link>https://hackita.it/tags/phishing/</link><description>Recent content in Phishing on Ethical Hacking | Pentest e Sicurezza Informatica | Hackita</description><generator>Hugo</generator><language>it</language><lastBuildDate>Fri, 19 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://hackita.it/tags/phishing/index.xml" rel="self" type="application/rss+xml"/><item><title>Evilginx 3: AiTM Phishing and MFA Bypass for Red Teams</title><link>https://hackita.it/articoli/evilginx3-aitm-mfa-bypass/</link><pubDate>Fri, 19 Jun 2026 00:00:00 +0000</pubDate><guid>https://hackita.it/articoli/evilginx3-aitm-mfa-bypass/</guid><description>&lt;h1
 id="evilginx-3-complete-guide-to-aitm-phishing-mfa-bypass-and-session-cookie-theft" class="group/anchor-heading"&gt;
 Evilginx 3: Complete Guide to AiTM Phishing, MFA Bypass, and Session Cookie Theft
 &lt;a href="#evilginx-3-complete-guide-to-aitm-phishing-mfa-bypass-and-session-cookie-theft" class="text-inherit opacity-0 group-hover/anchor-heading:opacity-100 decoration-transparent"&gt;#&lt;/a&gt;
&lt;/h1&gt;&lt;p&gt;Multi-factor authentication doesn&amp;rsquo;t stop Adversary-in-the-Middle phishing. The technique doesn&amp;rsquo;t bypass MFA — it lets the victim complete it normally, then steals the session cookie Microsoft issues afterward. The attacker never touches the MFA step. They take what comes out of it.&lt;/p&gt;
&lt;p&gt;Evilginx 3 is the open-source red team framework for demonstrating this attack class in authorized engagements. Written in Go by security researcher Kuba Gretzky, it runs a self-contained reverse proxy with its own HTTP and DNS server — no nginx dependency, no external daemons. This article covers the full red team workflow: infrastructure, installation, phishlet structure, session capture, and the detection indicators every blue team should know.&lt;/p&gt;</description></item><item><title>Phishing Attack Vectors: A Red Team Technical Breakdown</title><link>https://hackita.it/articoli/phishing-techniques-red-team/</link><pubDate>Fri, 19 Jun 2026 00:00:00 +0000</pubDate><guid>https://hackita.it/articoli/phishing-techniques-red-team/</guid><description>&lt;h1
 id="phishing-attack-vectors-a-red-team-technical-breakdown" class="group/anchor-heading"&gt;
 Phishing Attack Vectors: A Red Team Technical Breakdown
 &lt;a href="#phishing-attack-vectors-a-red-team-technical-breakdown" class="text-inherit opacity-0 group-hover/anchor-heading:opacity-100 decoration-transparent"&gt;#&lt;/a&gt;
&lt;/h1&gt;&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Legal disclaimer:&lt;/strong&gt; The techniques and tools described in this article are intended exclusively for authorized penetration testing engagements, security research, and educational purposes. Using these methods against systems or individuals without explicit written authorization is illegal under most jurisdictions, including Italy&amp;rsquo;s D.lgs. 231/2001 and the Computer Fraud and Abuse Act (US). HackITA assumes no responsibility for any misuse of the information provided. Always operate within the boundaries of a signed scope agreement.&lt;/p&gt;</description></item><item><title>Social Engineering: Cos'è, Attacchi Reali e Difese nel 2026</title><link>https://hackita.it/articoli/social/</link><pubDate>Sat, 28 Feb 2026 00:00:00 +0000</pubDate><guid>https://hackita.it/articoli/social/</guid><description>&lt;h1
 id="social-engineering-manipolazione-umana-nel-pentest--framework-tecniche-e-operazioni" class="group/anchor-heading"&gt;
 Social Engineering: Manipolazione Umana nel Pentest — Framework, Tecniche e Operazioni
 &lt;a href="#social-engineering-manipolazione-umana-nel-pentest--framework-tecniche-e-operazioni" class="text-inherit opacity-0 group-hover/anchor-heading:opacity-100 decoration-transparent"&gt;#&lt;/a&gt;
&lt;/h1&gt;&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Executive Summary&lt;/strong&gt; — Il social engineering è l&amp;rsquo;arte di manipolare le persone per ottenere informazioni, accesso o azioni che normalmente non concederebbero. Nel pentest, il social engineering è il vettore che bypassa ogni controllo tecnico: non importa quanto sia forte il firewall, se convinci un dipendente a darti le credenziali VPN al telefono. Il social engineering non è solo phishing (che è una sotto-categoria) — include vishing (telefono), pretexting (costruzione di identità false), impersonation (fingere di essere qualcuno), tailgating (accesso fisico), baiting (chiavette USB) e elicitation (estrazione di informazioni in conversazione). Questo articolo copre il framework psicologico, le tecniche operative e il workflow completo per un engagement di social engineering.&lt;/p&gt;</description></item><item><title>Phishing: Tecniche, Tipologie e Difese nel 2026</title><link>https://hackita.it/articoli/phishing/</link><pubDate>Fri, 27 Feb 2026 00:00:00 +0000</pubDate><guid>https://hackita.it/articoli/phishing/</guid><description>&lt;h1
 id="phishing-infrastruttura-tool-payload-e-campagne-operative" class="group/anchor-heading"&gt;
 Phishing: Infrastruttura, Tool, Payload e Campagne Operative
 &lt;a href="#phishing-infrastruttura-tool-payload-e-campagne-operative" class="text-inherit opacity-0 group-hover/anchor-heading:opacity-100 decoration-transparent"&gt;#&lt;/a&gt;
&lt;/h1&gt;&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Executive Summary&lt;/strong&gt; — Il phishing è il vettore di initial access più usato nel mondo reale — oltre l'80% dei breach inizia con un&amp;rsquo;email. Nel pentest, la campagna di phishing testa la resilienza umana dell&amp;rsquo;organizzazione: quanti utenti cliccano un link, quanti inseriscono credenziali, quanti aprono un allegato malevolo. Ma una campagna di phishing efficace richiede molto più del &amp;ldquo;mandare un&amp;rsquo;email con un link&amp;rdquo;: serve un&amp;rsquo;infrastruttura credibile (dominio, certificato TLS, SPF/DKIM/DMARC), template convincenti, payload che evadono i filtri email e una landing page che cattura credenziali o esegue codice. Questo articolo copre l&amp;rsquo;intero workflow — dalla preparazione del dominio alla post-exploitation.&lt;/p&gt;</description></item><item><title>Social-Engineer Toolkit (SET): Guida Completa per Attacchi Social Engineering</title><link>https://hackita.it/articoli/socialengineer/</link><pubDate>Wed, 25 Feb 2026 00:00:00 +0000</pubDate><guid>https://hackita.it/articoli/socialengineer/</guid><description>&lt;p&gt;Il Social-Engineer Toolkit è il framework standard per automatizzare attacchi basati sul fattore umano. In questa guida impari a clonare siti per credential harvesting, generare payload malevoli, configurare campagne spear-phishing e integrare SET con Metasploit per exploitation completa. Tecniche reali da penetration test, pronte all&amp;rsquo;uso.&lt;/p&gt;
&lt;h2
 id="installazione-e-setup" class="group/anchor-heading"&gt;
 Installazione e Setup
 &lt;a href="#installazione-e-setup" class="text-inherit opacity-0 group-hover/anchor-heading:opacity-100 decoration-transparent"&gt;#&lt;/a&gt;
&lt;/h2&gt;&lt;p&gt;Su Kali Linux SET è preinstallato. Verifica e avvia:&lt;/p&gt;


&lt;div class="shadow-xl border border-primary h-fit rounded-md"&gt;
 &lt;div 
 class="w-full rounded-t-md py-3 px-[0.8571429em] header-glass flex justify-between items-center"&gt;
 &lt;div class="flex gap-x-2"&gt;
 &lt;span class="size-3 bg-red-500 rounded-full"&gt;&lt;/span&gt;
 &lt;span class="size-3 bg-yellow-500 rounded-full"&gt;&lt;/span&gt;
 &lt;span class="size-3 bg-green-500 rounded-full"&gt;&lt;/span&gt;
 &lt;/div&gt;
 &lt;span class="uppercase text-sm"&gt;bash&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;sudo setoolkit&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Per installazione manuale:&lt;/p&gt;</description></item></channel></rss>