3 Minute Credential Capture using The Social-Engineer Toolkit (SET)

This is a very simple yet powerful attack that spoofs a legitimate webpage to capture credentials in minutes with the Social-Engineer Toolkit (SET). I use adaptations of this procedure to simulate phishing-type attacks for presentations to illustrate how easy and simple dangerous attacks can be. SET is a very powerful tool whose many options and features are easy to deploy.

DISCLAIMER:  This post is intended for educational purposes only.  Remember to always get written permission from your client (or person) before deploying this method outside of a lab environment and check your local laws.

Requirements

Kali Linux – Download: https://www.kali.org/downloads/
-or-
Download and install from GitHub: https://github.com/trustedsec/social-engineer-toolkit

Launch the Social Engineering Toolkit (SET)

(I will be using Kali Linux in this demonstration)

Open a new terminal window and enter: 

setoolkit

This will launch SET and present a menu of options.

Launch the Credential Harvester Spoof Website

As you can see, there are many options to explore; if you have time, I highly recommend it.

For this demonstration we will be setting up a fake website, which is found under Social-Engineering Attacks. Select:

1) Social-Engineering Attacks

Under the Social-Engineering Attacks Menu, select:

2) Website Attack Vectors

Select the Credential Harvester Attack Method:

3) Credential Harvester Attack Method

The options are:
Web Templates – Stock Templates for Google, Twitter and Java Required
Site Cloner – SET scrapes a web login page of your choosing and replaces the login with our credential harvesting script
Custom Import – Import a custom built page

For this example I will be using one of the stock templates.  Select:

1) Web Templates

You will be prompted to select the IP address for the Harvester Website. The default is the primary IP for your machine, in this case 172.16.234.139, but you are able to use any address configured on your machine.

Press Enter

For this example I am going to use the Twitter template.  Select:

3) Twitter

SET will create and host a cloned copy of the Twitter login screen. All information collected will be presented on the screen and recorded in a log file.

Navigate to your IP address within your web browser:  http://172.16.234.139

Looks pretty convincing! 

When I log in, my credentials are shown on the SET terminal screen.

Now that SET has successfully captured my credentials, it automatically redirects to the actual Twitter login page. Because the user lands on the actual login page, they will hopefully not suspect that their credentials have been compromised, and will instead assume that they mistyped their password or that the website glitched.
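The capture-then-redirect behavior described above leaves a recognizable trace for defenders: a form POST to a host that is not the real site, followed moments later by a GET to the real login page from the same client. The following detection sketch is an added example, not part of SET or of the original post; the log format, the sample lines, the 10-second window, and the brand list are all constructed assumptions, and it presumes a forward proxy that records the method and URL.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 GET http://172.16.234.139/
2024-01-10T09:00:20 10.0.0.5 POST http://172.16.234.139/
2024-01-10T09:00:21 10.0.0.5 GET https://twitter.com/login
2024-01-10T09:05:00 10.0.0.7 POST https://twitter.com/sessions
2024-01-10T09:05:01 10.0.0.7 GET https://twitter.com/home
2024-01-10T09:10:00 10.0.0.9 POST http://intranet.example/form
2024-01-10T09:20:00 10.0.0.9 GET https://twitter.com/login
"""

# Assumption: domains whose login pages are worth watching for.
BRAND_DOMAINS = {"twitter.com"}
WINDOW = timedelta(seconds=10)  # assumed maximum gap between POST and redirect


def is_brand(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def find_harvest_redirects(log_text):
    """Return (client, posting_host, brand_host) for each POST to a non-brand
    host followed within WINDOW by a GET to a brand host from the same client."""
    last_post = {}  # client -> (time, host) of most recent non-brand POST
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, method, url = parts
        when = datetime.fromisoformat(ts)
        host = urlsplit(url).hostname or ""
        if method == "POST" and not is_brand(host):
            last_post[client] = (when, host)
        elif method == "GET" and is_brand(host) and client in last_post:
            posted_at, post_host = last_post.pop(client)
            if when - posted_at <= WINDOW:
                hits.append((client, post_host, host))
    return hits


if __name__ == "__main__":
    for hit in find_harvest_redirects(SAMPLE_LOG):
        print("possible credential harvest:", hit)
```

Only the first client is flagged: the genuine Twitter sign-in and the unrelated POST that happens ten minutes before a Twitter visit both fall outside the pattern.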

Conclusion

I have demonstrated a very basic, but effective credential harvesting attack. There are more advanced techniques used by bad actors and pen-testers to improve the success rate of this technique, but at the root it is the same basic method.

Want to Learn More?

This book is probably the best book for someone starting in cybersecurity. OTW unequivocally lays out the case for why hacking is the most important skill set of the 21st century.
For those familiar with hacking, his chapters on Passive Recon, Password Cracking, Vulnerability Scanning, Metasploit, AV Evasion, Python, and Social Engineering are among the best I have read anywhere. These chapters alone make it an amazing book.

This book is great and has simple, easily consumed techniques for everyone from the hobbyist to the more seasoned professional.