Skip to content

Social Engineering Toolkit – 3 Minute Credential Capture

DISCLAIMER:  This post is intended for educational purposes only.  Remember to always get written permission from your client before deploying this method outside of a lab environment and check your local laws.


[siteorigin_widget class=”SiteOrigin_Widget_Image_Widget”][/siteorigin_widget]


This is a very simple, yet powerful attack that spoofs a legitimate webpage to capture credentials in minutes with the Social Media Toolkit (SET).   I use adaptations of this procedure to simulate phishing type attacks for my clients to prove how easy and simple dangerous attacks can be.  The attack described in this post can literally be run in minutes and by anyone with basic computer knowledge.

**Remember the BEST defense against an attack like this is educating your clients to identify and report these kinds of events.**



Launch the Social Engineering Toolkit (SET)

(I am assuming you have Kali Linux running and updated)

Open a new terminal window and enter:  setoolkit

start social media toolkit

Launch the Credential Harvester Attack Method

set main menu

Enter 1 to enter the “Social-Engineering Attacks”

set social media attack

Enter 2 to enter the “Website Attack Vectors”

Enter 3 to enter the “Credential Harvester Attack Method”

set website attack vectors

Enter 1 to enter the “Web Templates”
Note:  From here you could also do option 2 to clone an existing login page.  SET is scary good at cloning login pages that have a “username” and “password” field on the same page.

set choose template

You will be prompted to confirm the IP address for where the template will be hosted.  Press <ENTER> to continue.
Note:  This is the IP that your target would see.  If you are behind a firewall or in the cloud use your public IP if the target is external to your firewall.

Set IP Address

Select a pre-made template.  For this example I am using option 3 and then press <RETURN> when prompted.

Executing the Attack

Point your browser to the IP you entered (or accepted) when launching the attack in a web browser.  In my example I would enter:


Looks pretty legit.  Its an older style template but other than the IP at the top it could easily pass.  To make it look even more passable I could register a DNS name with Twitter thrown in such as  Since most browsers show non-SSL sites as warning, I would also also utilize an SSL certificate to try to make the page look more authentic.

What a Target Would See

The target would be presented with a seemingly valid login page, in this example Twitter.  The user would login as normal.

Upon hitting “Sign in” the targets credentials will be captured and they will be redirected to the actual Twitter login page. The goal is to fool the target in to think they have entered the wrong credentials or something went wrong on Twitter’s end.  That way they login again, gain access to Twitter and no concerns or red flags are raised.

Viewing the Captured Credentials

There are a few ways to view captured credentials.

First, through the console logging.  All activity on your credential harvesting site will be displayed in real-time on your console.  I have highlighted the credentials I entered into the fake Twitter site.

SET captured redentials

To exit the attack click Ctl-C and a report will be generated in an HTML and XML format.

SET Generate Report

All you have to do is browse to the folder listed in blue and open the HTML file to see the report.


That’s it!

Leave a Reply