This is a very simple, yet powerful attack that spoofs a legitimate webpage to capture credentials in minutes with the Social-Engineer Toolkit (SET). I use adaptations of this procedure to simulate phishing type attacks for presentations to illustrate how easy and simple dangerous attacks can be. SET is a very powerful tool with many powerful options and features that SET makes easy to deploy.
DISCLAIMER: This post is intended for educational purposes only. Remember to always get written permission from your client (or person) before deploying this method outside of a lab environment and check your local laws.
Kali Linux – Download: https://www.kali.org/downloads/
–or-
Download and install from github: https://github.com/trustedsec/social-engineer-toolkit
(I will be using Kali Linux in this demonstration)
Open a new terminal window and enter:
setoolkitThis will launch SET and present a menu of options.
As you can see there are many options to explore, if you have time I highly recommend it.
For this demonstration we will be setting up a fake website which is under the Social-Engineering Attacks. Select:
1) Social-Engineering Attacks
Under the Social-Engineering Attacks Menu, select:
2) Website Attack Vectors
Select the Credential Harvester Attack Method:
3) Credential Harvester Attack Method
There are the options:
Web Templates – Stock Templates for Google, Twitter and Java Required
Site Cloner – SET scrapes a web login page of your choosing and replaces the login with our credential harvesting script
Custom Import – Import a custom built page
For this example I will be using one of the stock templates. Select:
1) Web Templates
You will be prompted to select the IP address for the Harvester Website. The default is the primary IP for you machine, in this case 172.16.234.139, but you are able to use any address configured on your machine.
Press Enter
For this example I am going to use the Twitter template. Select:
3) Twitter
SET will create and host a clone copy of the twitter login screen. All information collected will be presented on the screen and recorded in a log file.
Navigate to your IP address within your web browser: http://172.16.234.139
Looks pretty convincing!
When I login my credentials are shown on the SET terminal screen.
Now that SET has successfully captured my credentials it automatically redirects to the actual Twitter login page. By redirecting to the actual login page hopefully the user will not suspect their credentials have been compromised and rather that they mistyped their password or the website has glitched.
Conclusion
I have demonstrated a very basic, but effective credential harvesting attack. There are more advanced techniques used by bad actors and pen-testers to improve the success rate of this technique, but at the root it is the same basic method.
This book is probably the best book for someone starting in cybersecurity. OTW unequivocally lays out the case for why hacking is the most important skill set of the 21st century.
For those familiar with hacking, his chapters on Passive Recon, Password Cracking, Vulnerability Scanning, Metasploit, AV Evasion, Python, and Social Engineering are among the best I have read anywhere. These chapters alone make it an amazing book.
This book is great and has simple easily consumed techniques for the hobbyist to a more seasoned professional.