T9 šŸ
Practicals/Cyber Security

Practical 9

Aim: Sniffing Website Credentials using Social Engineering Toolkit (SEToolkit).

Introduction:

The Social-Engineer Toolkit (SEToolkit) is an open-source framework designed for penetration testing and social engineering attacks. Developed by TrustedSec, SET is widely used by ethical hackers and penetration testers to identify and understand vulnerabilities in human behavior and organizational security.

What is a Credential Harvester Attack?

A Credential Harvester Attack is a form of phishing where the attacker:

  • Clones a legitimate website (like Twitter, Facebook, Gmail).
  • Hosts the fake site locally or publicly.
  • Waits for the victim to unknowingly submit credentials.
  • Captures those credentials and displays them to the attacker.

What is SEToolkit?

The SEToolkit provides multiple attack vectors for ethical testing:

FeatureDescription
Spear-PhishingSend targeted phishing emails.
Website Attack VectorsClone popular sites to harvest login details.
Credential HarvesterFake login page to collect credentials.
Web JackingRedirect users to malicious lookalike sites.
Payload GeneratorCreate and deliver backdoors or malware.
Multi-AttackCombine different social engineering techniques.

Installation of SEToolkit on Kali Linux

  1. Step 1: Clone SEToolkit from GitHub:

    git clone https://github.com/trustedsec/social-engineer-toolkit setoolkit/

  2. Step 2: Navigate into the directory:

    cd setoolkit

  3. Step 3: Install required dependencies:

    pip3 install -r requirements.txt

  4. Step 4: Install SEToolkit:

    python setup.py

  5. Step 5: Run the SEToolkit:

    setoolkit

Steps to Perform Credential Harvester Attack using SEToolkit

  1. Open terminal and run setoolkit.
  2. Select option 1 ā†’ Social-Engineering Attacks.
  3. Select option 2 ā†’ Website Attack Vectors.
  4. Select option 3 ā†’ Credential Harvester Attack Method.
  5. Select option 1 ā†’ Web Templates.
  6. Enter your IP address (e.g., 192.168.0.101).
  7. Choose template site to clone (e.g., option 3 ā†’ Twitter).
  8. SET will generate a phishing link (e.g., http://192.168.0.101).
  9. Send this link to the test victim (within the lab environment).
  10. When victim submits credentials ā†’ They appear in your terminal!

Output (Terminal View)

[*] Credential Harvester Page setup complete. [*] Listening on IP: 192.168.0.101 [*] Cloned site: https://twitter.com [*] Harvesting credentials from unsuspecting victim... [+] Username: victim_username [+] Password: victim_password

Practical 8

Previous Page

Practical 10

Next Page