Use SET and Obtain The Username And Passwords Of Victim.
Hey,Today we are going to make an social harvesting attack,which will steal all the usernames and passwords of Victims Facebook,Gmail,Twitter,etc.We will use SET today.The Social Engineering Toolkit (SET) included with Backtrack 5 is a great way for corporate security experts or penetration testers/hackers to test to see how well their network would stand up to Social Engineering attacks.
But Before I begin,I am receiving many mails saying "You are doing wrong or It is Illegal to put this on website",Well This is for security testing purposes/Education Purposes only, never attempt to use any security checks or tools on a network that you do not have the authorization to do.If you do,I'm not liable for anything.
So Lets Begin,
What Do We Need ?
#Access To Victim PC
#Brain That works.
Step 1 :
Go To -> Social Engineering Attacks -> Website Attack Vendors -> Credential Harvester Attack Method.
Step 2 :
We now have the option to use a web template that will create a generic website for you, we can import any webpage to use, or you can clone any existing website and use that. Mine attack is targeted to gather the credits of Google Mail,so i'll Select number 1, “Web Templates”
Step 3 :
As you can see in the picture above, SET comes with templates for several popular programs. Once you select one of the templates, I'll chose number 2 – “Gmail”, you will be given a short message about username and password form fields, just hit “return”. SET has now created a fake website using the template that you chose, and prepare to harvest any credentials that are entered on the fake website.Now That Is Some Ninja Stuff :D .
Step 4 :
Now you need to make the victim click on this Page and make him enter his details.You need Creativity for this, You can embed this on your website or spoof the victim to the fake page,Use your imagination.
NEW : How To Protect Against This Attack :
Due to the complaints that say "you are evil or bad", now i'll tell you how to protect against the attack listed above,See i'm not that evil :).
Now What the victim is seeing is an Gmail login screen,Bu if you just look up in the address bar,you will see the IP address ,NOT the www.gmail.com address,Also if you use internet explorer or some modern browser,It'll show an Certificate warning,.Also you can use that IP displayed on the fake page to hack the hacker,Choice is your.
^^^ What the Victim See's after the attack is commenced.
So i'll love to see your feedback's/suggestions in the comment section below,So don't hesitate to leave it,See you tomorrow.