 | The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. SET is the standard for social-engineering penetration tests and supported heavily within the security community. |
|---|
1. Open Terminal from the left panel. Type setoolkit. Type y and Enter to accept the term of services.
2. Type 1 and Enter to select Social Engineering Attack.
3. Type 2 and Enter to select Website Attack Vector.
4. Type 3 and Enter to select Credential Harvester Attack Method.
5. Type 2 and Enter to select Site Cloner.
6. Open new Terminal window and type ifconfig to check for your IP address. Then key in your IP address to SEtoolkit terminal.
7. Next, Key in the url that the website you wish to clone and use for scam.
Eg: https://facebook.com
8. Type y and Enter to run the Apache server.
9. Facebook login page have been cloned to var/www directory. Press Enter to continue. Now, Open Files > Computer > var > www > html to check whether the directory consist of those files.
10. Then launch Iceweasel or other Web Browser to enter your IP address to test whether the Apache server is running. If successful, it will display the cloned website.
11. Now, go to www.tinyurl.com to convert your IP address to normal url in order to increase the success rate.
12. Try enter the login ID hackwithbrain@yahoo.com and password hacktolearn.
13. The login credential will record in the harvester_date.txt (located in var/www/html).
Keys to Success
- This tutorial only cover local network attack, please make sure your victim is using the same network with you.
- The cloned website must consist of Login ID field and Password field.
- Limited awareness of victim.
Countermeasure
- Always check through the URL before login.
- For Developer, Please implement Personal Login Phases(PLP) to prevent this kind of attack.
- Separate the Login ID filed and Password field with two different pages or post request. This is why some secure websites (E-banking/Gmail) do so.
No comments:
Post a Comment