Introduction

Hello Everyone! I am @the_c0nd0r. This is my first post here…so…wohooo!! This post is going to be a little illustrative. Although in the future posts, I’ll keep it short and up to the point so that it doesn’t become boring.

---

Alright! Today, we will be setting up a fake Facebook login page to get our victim’s credentials. The method we are going to use is the Credential Harvester method and we will be using the Social Engineering Toolkit (present in Kali Linux) for the same. The process itself is very easy to implement and if the victim is not alert enough to notice the URL, he/she will fall in and end up being pwned.

Note: I have made hyperlinks for the terms which new users might find difficult to begin with. Alternatively, google things you fail to understand and look up different sources. @unh0lys0da has already made a point on that.

---

What you’ll need:

1. Kali Linux
2. A little background on Networking and its terms (Private vs Public IPs esp.) would be good.
3. This one is obvious-> You should be online.

---

The Demonstration:

I’ll use a live Kali Linux session on VirtualBox with Bridged Networking Mode. My host machine is Windows 10 (I’ll use it as the victim’s machine - and i’ll be a super dumb user!).

STEP 1: Check the Network settings in VirtualBox

The Attacker and the Victim should be on the same network. Here, the victim’s Windows 10 and the attacker’s Kali are on the same Wi-Fi network so we are using Bridged Networking. This is how it looks:

STEP 2: The setoolkit

Go to Applications > Kali Linux > Exploitation Tools > Social Engineering Toolkit > setoolkit

Alternatively, in terminal, you can type: setoolkit

STEP 3: Let’s get our hands dirty – for real!

Now, you will get a prompt asking you to agree to the terms and conditions (if you are running it for the very first time). Enter y and move on!

You get this menu now:

The 1 selects social engineering attacks. Obvious choice if you read the other options from 1 to 9 (and 99 for exit)

Then, we get this menu:

The 2 selects Website Attack Vectors. Not that obvious. The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the victim.

We have this menu now:

The 3 selects Credential Harvestor. The Credential Harvester method will utilize web cloning of a web-site that has a username and password field and harvest all the information posted to the website.

Now we’ll be cloning the login page:

Now that is obvious!

Next we find the IP of our machine:

1. Open a new terminal window.
2. Type: ifconfig
3. Since all the VMs in VirtualBox use a Virtual Ethernet Adapter, so Bridged mode would bridge your Wi-Fi’s connection to the VM through the Virtual Ethernet and all the machines on the Wi-Fi Network would be accessible. So, the Private IP appearing in the eth0 category is what we want to know here:

Now we have a prompt for entering the Harvester’s IP in the setoolkit(We will enter our IP used on the network):

set:webattack> IP address for the POST back in Harvester/Tabnabbing: 192.168.XXX.XX

There we go! Now press enter. We have the following prompt now:

set:webattack> Enter the url to clone: https://www.facebook.com/

We enter facebook’s URL here.
Press Enter again.

Now, if the Apache Web Server is not running, setoolkit will ask for your permission. Simply enter y and proceed.

Finally, you should have this on your terminal:

Now we will try to see if this works.

STEP 4: The Victim’s Desktop

Now to get the victim to open your site, you’ll need to work out something. If he/she is on Windows, edit the hosts file to redirect facebook.com to your machine’s IP. You’ll have to think of that since I can’t be situation specific here. I am going to use my Host OS to open the site.

dumb_c0nd0r enters 192.168.XXX.XX in the address bar…

He then gets the fake Facebook login page:

He enters his email and password.

On pressing enter, he is redirected to the original facebook login page. He thinks he accidentally refreshed the browser and re-enters his credentials but dumb_c0nd0r failed to realise that he got pwned. Poor man!!!

Getting the credentials:

1. Open up a terminal window.
2. Type the following commands:
   cd /var/www/
   ls
3. You should see your harvester file in there. Type: nano harvester [press TAB to complete the filename]

Look for these two fields:

So there you have it! The account is compromised.

---

Avoiding such a hack:

Educating the people is the key here because even if you use all the latest anti phishing software the user could still be the weakest link by opening a link that comes from an unknown origin.They must be aware about what is phishing, not to open any links and to put their details and to always check the address bar and things that would not look normal in order to avoid being scammed.

Going a step ahead:

If you want to this to work online, you’ll have to port forward. Then use no-ip or shorten the URL or do something similar to evade detection. Further reading on this: Click Here

Skid’s feed:

As far as they are concerned >

Isn’t there a tool where I could enter the User ID and pwn the account? HUH???

Well, the answer is this.

---

I’ll be posting more articles in the future. Hope you enjoyed it!

---

EDIT: Similarly, we can make phishing pages for Gmail, Yahoo etc. by using Web Templates after selecting the Credential Harvester option. It all depends on how creative you are!

Awesome article! I love how you so clearly explained everything!
Great for a first article if I may add…!

The Social Engineering Toolkit is simply great! There are many ways one can use it to get someones credentials or whatever you desire.
Also it is really simple to create a payload which is embedded in a PDF or other media type.
SET can be a really powerful tool.

Nice how-to! That skid link is great

Nice one there by the way can u hit me PM i’ve some questions !

Good shit. Everyone should know how to do this and how to avoid it. Fuck people that don’t pay attention to URLs they’re asking for it. I’m driun,k Kthxbyte I lvoe you. <3

Side note - This is applicable only in LANs since the ip is internal. If you want to perform this out of your LAN, you can port forward or rent a VPN/VPS to host your phishing site. Great post!

Regards,

Cal0X

What if the victim isnt conected in the same network as attacker??? how can i attack some1 from diferent city or Country???

Ah and 1 thing, there’s no way to use kali Linux tools on a diferent distro ( i’m using Elementary Os)?

This is especially huge if you can use that within a company/university network with dozens of computers. Also I’m sure this isn’t just limited to facebook logins .
So with some work you can collect tons of personal login data for multiple websites easily… Scary world.
And the most scariest thing? “Normal” people won’t have a clue about that…

just read the other commands first

almost all Linux programs run on any distro. Because they are all Linux. Kali just got them pre-installed

Wifi Pineapple’s make this an easy attack and powerful attack. Remember to always VPN to a known trusted location, and always verify certificates! Never trust public wifi networks.

Well they would get a warning about the HTTPS cerificate(Most users won’t care) but HSTS will make your life hard IIRC. You would need to use a timeserver forgery attack.

Exactly thats a really important point you’re making here. The “normal user” won’t care about an invalid certificate or a strangely looking website or a delayed response from let’s say our “fake server”.
Alll they want is accessing facebook and if someone/something is to blame it’s “the shitty pc which doesn’t work correctly”
Saw this way too many times already.

For your other argument true. I never said it was that easy just doable and if applicable it’s scary

Quick tip: It become quite interessting when combined with DNS spoofing

hmm thanks, i will read more about it @BO41