
Social Engineering Credential Harvester Method Phishing in SET


Social engineering relies heavily on human interaction and deception, trickery, you get the picture. It is a specialist way of extracting data from somebody or a third party.

Today I will show you how to harvest credentials, in other words how to obtain usernames and passwords or other credentials that are entered. Almost every vulnerability is exploited because of the human operating the system. Common faults are open ports, bad router encryption, installing bad software (backdoor.exe), or even running outdated services after forgetting to update system services and software.

I will be using software called the Social Engineering Toolkit, also known as SET, which comes pre-packed in Kali Linux.

The way it works is pretty simple: it will clone the web code of almost any login page or webpage and then host that website's code over the network. In a real-world scenario the hacker would first open port 80 in his network's port settings to allow the outside world to access the fake webpage. This is just an example and I don't suggest doing this, so instead of doing it over a public IP address we will do it over a local network connection using a local IP address.

SEToolKit is a great example of a Python script.

To start, we will open SEToolKit by typing setoolkit in a command terminal. For example: setoolkit. You will now see a display in the terminal containing ASCII art and, below it, a new command prompt beginning with set>.

From these options choose option (1).

From these options choose option (2).

Then select option (2), Site Cloner. The command terminal will now ask what your IP address is. Enter your local IP address, e.g. 192.168.1.4. It will also ask if you are behind a firewall or NAT/port forwarding; select Y for yes or N for no. You can check your local IP by typing ifconfig in a new command terminal.
Now go back to the SEToolKit terminal and, after you have entered your local IP, hit Enter.

Now SEToolKit will ask what website you would like to clone, e.g. http://www.mywebsite.com. Enter it and hit Enter.

SEToolKit will now start its resources, including PostgreSQL and other known networking services such as Metasploit and BeefXSSFrameWork that can be integrated into SEToolKit.

Now keep an eye on the SEToolKit terminal. On another device, load your local IP in any browser of your choice, e.g. http://192.168.1.4/. The fake webpage that we asked SET to clone earlier should now appear. Now try to log in using a random username and password. SEToolKit will record every keystroke, in the same manner as a keylogger does, once you have entered your credentials. The SEToolKit terminal will show that a possible username and password have been found. The passwords will be displayed in plain text, which makes this attack even easier because we no longer need to decrypt the password hashes.
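From the defender's side, the page produced in this walkthrough has recognizable traits: a password form served over plain HTTP from a bare IP address such as http://192.168.1.4/. The check below is an added example, not part of the original article or of SET; the function names, finding strings and sample HTML are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a minimal login form, standing in for a cloned page.
SAMPLE_HTML = ('<form method="post" action="/login"><input name="user">'
               '<input type="password" name="pass"></form>')

class FormScan(HTMLParser):
    """Collect each form's action and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._cur is None:  # password field outside any <form>
                self._cur = {"action": "", "password": False}
                self.forms.append(self._cur)
            self._cur["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def login_page_findings(page_url, html):
    """Return sorted warnings for password forms found at page_url."""
    scan = FormScan()
    scan.feed(html)
    page, findings = urlparse(page_url), set()
    for form in (f for f in scan.forms if f["password"]):
        # An empty or relative action resolves against the page URL itself.
        target = urlparse(urljoin(page_url, form["action"]))
        if page.scheme != "https" or target.scheme != "https":
            findings.add("password sent without TLS")
        if is_ip_literal(page.hostname or "") or is_ip_literal(target.hostname or ""):
            findings.add("login form on raw IP address")
        if target.hostname != page.hostname:
            findings.add("form posts to a different host")
    return sorted(findings)
```

A mail gateway, proxy or browser extension could run a check like this on pages users are sent to; none of the findings proves phishing on its own, but a login form matching several of them deserves a block or a warning.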

This application is very powerful; please don't abuse it. I will not be held responsible for what the reader may do with this information.

This article was brought to you by HackingVision for educational purposes only.