Introduction
Hello Everyone! I am @the_c0nd0r. This is my first post here…so…wohooo!! This post is going to be a little illustrative. In future posts, though, I’ll keep it short and to the point so that it doesn’t become boring.
Alright! Today, we will be setting up a fake Facebook login page to get our victim’s credentials. The method we are going to use is the Credential Harvester method and we will be using the Social Engineering Toolkit (present in Kali Linux) for the same. The process itself is very easy to implement and if the victim is not alert enough to notice the URL, he/she will fall in and end up being pwned.
Note: I have made hyperlinks for the terms which new users might find difficult to begin with. Alternatively, google things you fail to understand and look up different sources. @unh0lys0da has already made a point on that.
What you’ll need:
- Kali Linux
- A little background on Networking and its terms (Private vs Public IPs esp.) would be good.
- This one is obvious: you should be online.
The Demonstration:
I’ll use a live Kali Linux session on VirtualBox with Bridged Networking Mode. My host machine is Windows 10 (I’ll use it as the victim’s machine - and I’ll be a super dumb user!).
STEP 1: Check the Network settings in VirtualBox
The Attacker and the Victim should be on the same network. Here, the victim’s Windows 10 and the attacker’s Kali are on the same Wi-Fi network so we are using Bridged Networking. This is how it looks:
STEP 2: The setoolkit
Go to Applications > Kali Linux > Exploitation Tools > Social Engineering Toolkit > setoolkit
Alternatively, in terminal, you can type: setoolkit
STEP 3: Let’s get our hands dirty – for real!
Now, you will get a prompt asking you to agree to the terms and conditions (if you are running it for the very first time). Enter y and move on!
You get this menu now:
The 1 selects social engineering attacks. Obvious choice if you read the other options from 1 to 9 (and 99 for exit).
Then, we get this menu:
The 2 selects Website Attack Vectors. Not that obvious. The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the victim.
We have this menu now:
The 3 selects Credential Harvester. The Credential Harvester method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.
Now we’ll be cloning the login page:
Now that is obvious!
Next we find the IP of our machine:
- Open a new terminal window.
- Type: ifconfig
- All the VMs in VirtualBox use a Virtual Ethernet Adapter, so Bridged mode bridges your Wi-Fi connection to the VM through the Virtual Ethernet, and all the machines on the Wi-Fi network are accessible. So, the private IP appearing in the eth0 category is what we want to know here:
Now we have a prompt for entering the Harvester’s IP in the setoolkit (we will enter our IP used on the network):
set:webattack> IP address for the POST back in Harvester/Tabnabbing: 192.168.XXX.XX
There we go! Now press enter. We have the following prompt now:
set:webattack> Enter the url to clone:
We enter facebook’s URL here.
Press Enter again.
Now, if the Apache Web Server is not running, setoolkit will ask for your permission. Simply enter y and proceed.
Finally, you should have this on your terminal:
Now we will try to see if this works.
STEP 4: The Victim’s Desktop
Now to get the victim to open your site, you’ll need to work out something. If he/she is on Windows, edit the hosts file to redirect facebook.com to your machine’s IP. You’ll have to think of that since I can’t be situation specific here. I am going to use my Host OS to open the site.
dumb_c0nd0r enters 192.168.XXX.XX in the address bar…
He then gets the fake Facebook login page:
He enters his email and password.
On pressing enter, he is redirected to the original facebook login page. He thinks he accidentally refreshed the browser and re-enters his credentials but dumb_c0nd0r failed to realise that he got pwned. Poor man!!!
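From the defender's side, the hosts-file redirection mentioned in this step is easy to audit for. The following is an added example, not part of the original post: it scans hosts-file text for watched site names pinned to any address. The watched list and the sample file are constructed for illustration.

```python
import ipaddress

# Names that should never be pinned in a hosts file (constructed watch list).
WATCHED = {"facebook.com", "www.facebook.com"}

# Constructed sample of a tampered hosts file
# (on Windows the real file is C:\Windows\System32\drivers\etc\hosts).
SAMPLE_HOSTS = """\
# Constructed sample, not taken from a real machine
127.0.0.1       localhost
::1             localhost
192.168.56.101  facebook.com www.facebook.com   # not added by the user
10.0.0.5        intranet.example
"""

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, ip, name, kind) for every watched name found pinned."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comments, split fields
        if len(fields) < 2:
            continue                            # blank or comment-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        kind = "private" if addr.is_private else "public"
        for name in fields[1:]:
            norm = name.lower().rstrip(".")     # hosts names are case-insensitive
            if norm in watched:
                findings.append((line_no, str(addr), norm, kind))
    return findings

if __name__ == "__main__":
    for line_no, ip, name, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} pinned to {kind} address {ip}")
```

Any hit deserves a look, since a public site has no reason to be pinned locally; a private address is the strongest signal.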
Getting the credentials:
- Open up a terminal window.
- Type the following commands:
cd /var/www/
ls - You should see your harvester file in there. Type: nano harvester [press TAB to complete the filename]
Look for these two fields:
So there you have it! The account is compromised.
Avoiding such a hack:
Educating people is the key here, because even if you use all the latest anti-phishing software the user could still be the weakest link by opening a link that comes from an unknown origin. They must be aware of what phishing is, know not to open any links and put their details in, and always check the address bar and anything that does not look normal in order to avoid being scammed.
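The address-bar check can also be automated, for example in a mail gateway or proxy that inspects pages before users reach them. This added example (not from the original post) flags a login page whose URL, or whose password form target, is a raw IP address, a different domain, or not HTTPS. The sample URL and HTML are constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordForms(HTMLParser):
    """Collect the action of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.actions, self._action, self._has_pw = [], None, False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action, self._has_pw = attrs.get("action") or "", False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self._has_pw = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_pw:
                self.actions.append(self._action)
            self._action = None

def host_problem(url, expected):
    """Return why url does not belong to the expected domain, or None if it does."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return f"host {host} is a raw IP address"
    except ValueError:
        pass  # a name, not an address literal
    if host != expected and not host.endswith("." + expected):
        return f"host {host} is not {expected}"
    return None if parts.scheme == "https" else f"scheme {parts.scheme} is not https"

def login_page_findings(page_url, html, expected):
    """Check the address-bar URL and the target of each password form."""
    findings = [("page", host_problem(page_url, expected))]
    forms = PasswordForms()
    forms.feed(html)
    findings += [("form", host_problem(urljoin(page_url, a), expected)) for a in forms.actions]
    return [f"{where}: {why}" for where, why in findings if why]

# Constructed sample: a cloned login page served from a lab address.
SAMPLE_URL = "http://192.168.56.101/"
SAMPLE_HTML = '<form method="post" action="/login"><input name="email"><input type="password" name="pass"></form>'
```

Calling `login_page_findings(SAMPLE_URL, SAMPLE_HTML, "facebook.com")` reports both the page and the form target; a genuine HTTPS page on the expected domain returns an empty list.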
Going a step ahead:
If you want this to work online, you’ll have to port forward. Then use no-ip or shorten the URL or do something similar to evade detection. Further reading on this: Click Here
Skid’s feed:
As far as they are concerned >
Isn’t there a tool where I could enter the User ID and pwn the account? HUH???
Well, the answer is this.
I’ll be posting more articles in the future. Hope you enjoyed it!
EDIT: Similarly, we can make phishing pages for Gmail, Yahoo etc. by using Web Templates after selecting the Credential Harvester option. It all depends on how creative you are!