Social Engineering

Social Engineering Credential Harvester Method Phishing in SET

by

Social Engineering Credential Harvester Method Phishing in SET

Social Engineering Credential Harvester Method Phishing in SET, Harvest credentials using SEToolkit SET Kali Linux tutorial, Credential Harvester Kali Linux.

Social Engineering relies heavily on human interaction and deception, trickery you get the picture it is a specialist way of extracting data from somebody or a third party.

Welcome to HackingVision today I will show you how to harvest credentials, in other words, obtain usernames and passwords or other data credentials that are entered into a fake webpage known as a phishing page. Almost every vulnerability is exploited because of human error. Common faults are open ports, bad router encryption, installing bad software (backdoor.exe) or even installing outdated services due to forgetting to update their system services and software.

I will be using a software called Social Engineering Toolkit that comes pre-packed in Kali Linux also known as SET.

The way it works is pretty simple it will clone the web coding of almost any login page or webpage it will then host that website’s code through the network. First of all, in a real-world scenario the hacker would open port 80 in his networks port settings this is to allow the outside world to access the fake webpage this is just an example I don’t suggest doing this so instead of doing it over a public IP address we will do it over a local network connection using a local IP address.

SEToolKit is a great example of a Python Script.

To start we will open SEToolkit by typing setoolkit in a command terminal. For example setoolkit

Now you will see a display in the terminal containing ASCII Art and below a new command terminal beginning with set>.

 

From the first options choose option (1)

From the second options choose option (2).

Then select option (2) Site Cloner
Now the command terminal will ask you what your IP Address is. Enter your local if address eg.192.168.1.4 SET will now ask if you are behind a firewall or NAT/Port Forwarding Select Y for yes N for no you can check your local IP by typing ifconfig in a new command terminal.
Now go back to the SEToolKit terminal after you have entered your Local IP hit enter.

Now SEToolKit will ask what website you would like to clone eg. http://www.mywebsite.com

Hit enter.

SEToolKit will now start its resources inc PostgreSQL, and other known networking services including Metasploit, BeefXSSFrameWork that can be integrated into SEToolKit.

 

Now keep an eye on the SEToolKit Terminal on another device load up your Local IP in any browser of your choice eg http://192.168.1.4/ You should now be able to your fake webpage that we asked SET to clone earlier will appear. Now try to login using a random username and password SEToolKit will record every keystroke in such manner as a keylogger does once you have entered your credentials. Credentials entered by the target will be output to SET terminal in plaint text.

What makes this attack easy is due to the fact that we no longer need to decrypt the passwords hashes.

This application is very powerful please don’t abuse it. I will not be held responsible for what the reader may do with this information.

This article was brought to you by HackingVision for educational purposes only.