Harvesting Credentials with the Social Engineering Toolkit

Monday, July 09, 2012

Dan Dieterle


The Social Engineering Toolkit (SET) included with Backtrack 5 is a great way for corporate security experts or penetration testers to see how well their network (and users) would stand up to Social Engineering attacks.

With Social Engineering and Spear Phishing attacks on the rise, it is very important to educate your users about these attacks.

In this tutorial I will demonstrate how SET can be used to set up a realistic-looking website to harvest e-mail usernames and passwords.

Okay, timeout for a disclaimer: This is for security testing purposes only. Never attempt to use any security checks or tools on a network unless you have the authorization and written permission to do so. Doing so without permission could cost you your job and you could end up in jail.

  • Obtain Backtrack 5 release 2. You can use the LiveCD version, install it on a new system or run it in a Virtual Machine.
  • The first thing you will want to do is update both the Metasploit Framework and the Social Engineering Toolkit to make sure you have the latest version. Update both, restart SET and check updates one more time.
  • From the menu, select number 1 – “Social Engineering Attacks”.
  • Next select “Website Attack Vectors”.
  • Now “Credential Harvester Attack Method”.
  • We now have three options: use a web template that will create a generic website for us, import a webpage, or clone any existing website and use that. The included templates are very good, so let’s try one of them. Select number 1, “Web Templates”.

As you can see in the picture above, SET comes with templates for several popular programs. Once you select one of the templates (I chose number 2 – “Gmail”), you will be given a short message about username and password form fields; just hit “return”.

SET will now create a fake website using the template that you chose, and prepare to harvest any credentials that are entered on the fake website. And that is it!

Now, if we go to the victim machine and surf to the SET-created webpage, we will see this:

A Gmail login screen! But wait a minute, take a look at the address bar. An IP address is listed instead of the normal Google mail address.

If a user enters their user name and password on this site, their credentials are harvested and collected on the SET system. So as user “Security Joe” enters his credentials, we see this on the Backtrack system:

In the picture above you can see the user’s name: “Security+Joe” and the user’s password: P@$$W0Rd!

When you are finished, hit “Control-C” to stop harvesting and view a report of all the sessions that you have captured. The report file will be stored in the SET file directory under Reports. Two reports are created, one in HTML and one in XML. The picture below shows the HTML report for this session:

As you can see, unless the user checks the address bar, there is no way he could tell that he was on a fake website handing away his login name and password.

And as many users use the same password on multiple sites, this could be very valuable information for a hacker to obtain. That is why it is imperative to educate your users about Social Engineering attacks and how to defend against them.
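
On the detection side, the address-bar giveaway described above (a bare IP address where a mail provider's name should be) can also be looked for in web proxy logs. The following is an added example, not part of the original article or of SET; the log format, field order and sample lines are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample proxy log (assumed fields: timestamp client method url status).
SAMPLE_LOG = """\
2012-07-09T10:01:02 10.0.0.15 GET http://mail.google.com/mail/ 200
2012-07-09T10:02:10 10.0.0.15 GET http://192.168.1.50/ 200
2012-07-09T10:02:41 10.0.0.15 POST http://192.168.1.50/index.html 200
2012-07-09T10:03:05 10.0.0.22 POST https://accounts.google.com/signin 302
2012-07-09T10:04:00 10.0.0.31 POST http://[2001:db8::10]:8080/login 200
2012-07-09T10:05:00 10.0.0.31 POST http://intranet.example.com/login 200
truncated line
"""


def host_is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        host = urlsplit(url).hostname
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False  # DNS name, empty host, or unparsable URL


def find_ip_host_posts(log_text):
    """Return (timestamp, client, url) for every POST sent to an IP-literal host."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        timestamp, client, method, url, _status = fields
        if method.upper() == "POST" and host_is_ip_literal(url):
            findings.append((timestamp, client, url))
    return findings


def clients_to_follow_up(findings):
    """Group flagged destination hosts per client for user follow-up."""
    by_client = {}
    for _timestamp, client, url in findings:
        by_client.setdefault(client, set()).add(urlsplit(url).hostname)
    return by_client


if __name__ == "__main__":
    for client, hosts in clients_to_follow_up(find_ip_host_posts(SAMPLE_LOG)).items():
        print(client, "sent a POST to", sorted(hosts))
```

Internal appliances and admin consoles are often reached by IP address, so expect to allow-list known hosts before alerting on this.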

Cross-posted from Cyber Arms

Rohit Pahan: Through the process, when I give site name to clone it, I get an error message of "Unable to clone this specific site. Check your internet connection." But I can browse the site properly using Firefox.