Welcome to College Techies, the place for nerds to find the best Tech and IT related news, reviews, tutorials and more!!

Credential Harvester Attack Using SET On Kali Linux

 


A credential harvester attack, commonly known as a phishing attack, is one of the most common attacks performed in the cyber world. In this post, you will learn how to perform one using SET (the Social-Engineer Toolkit) on Kali Linux.

NOTE: THIS IS FOR EDUCATIONAL PURPOSES ONLY!! WE ARE NOT RESPONSIBLE FOR THE MISUSE AND ABUSE OF THIS INFORMATION!!  

Requirements

  • Kali Linux - Learn how to dual-boot/install Kali Linux from here.
  • Latest version of SET (comes pre-installed in Kali)

Steps 

1. First, start up your Kali Linux instance and open SET from Application > Exploitation Tools > Social Engineering Toolkit (log in to Kali using the root account).


2. A shell (terminal) will open and present you with a variety of options. Since we are trying to perform a phishing attack, choose the option named Social Engineering Attacks. In my case it is option 1, so I will type "1" at the prompt.

3. Next you will be asked to choose a method of attack; in our case we want Website Attack Vectors. In my case it is option number 2, so I'll enter "2" at the prompt.


4. In the next prompt, we need to choose the Credential Harvester Attack option, which is option number 3 in my case.


5. In the next prompt, you will be presented with three options, namely Web Templates, Site Cloner and Custom Import. Choosing the Web Templates option gives you a list of website templates that are gathered from the web. Selecting Site Cloner allows you to clone any site and then harvest using that webpage. The Custom Import option is for importing custom webpage layouts. In this tutorial we will select the Web Templates option.

6. In the next window, you will be asked to provide the IP address that will act as the listener. Enter your own IP address. To find it, open a shell and type "ifconfig".

7. Next you will be asked to choose a template; here we will choose the Twitter template.

8. After you enter your option, the template will be launched as the main page on your local server. Opening your local server by entering your IP address as the URL will show you the template.


9. Now, any information entered in the username and password fields will be shown in your terminal. And that is it!! You have successfully created a phishing webpage on your local server.

NOTE: SINCE THE IP ADDRESS THAT WAS PROVIDED AS THE LISTENER IS YOUR LOCAL ADDRESS, THIS WILL ONLY WORK ON YOUR LOCAL NETWORK. TO SOLVE THIS YOU CAN EITHER PORT-FORWARD OR USE SOFTWARE LIKE NGROK. THIS WILL ALLOW YOU TO HOST THIS WEBPAGE GLOBALLY!!
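A defender-side check for the kind of page described in steps 8 and 9, as an added example that is not part of the original post: a page that asks for a password while being served from a bare IP address or over plain HTTP, rather than from the brand's own domain, is a strong phishing indicator. The function names, the `expected_domain` parameter and the sample URL and HTML are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormScan(HTMLParser):
    """Records form action targets and whether any password input exists."""
    def __init__(self):
        super().__init__()
        self.has_password, self.actions = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def host_problem(url, expected_domain):
    """Return why this URL's host is suspicious for the brand, or None."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
        return f"bare {'private' if ip.is_private else 'public'} IP host {host}"
    except ValueError:
        pass  # not an IP literal, so compare it against the brand domain
    if host != expected_domain and not host.endswith("." + expected_domain):
        return f"host {host} is not under {expected_domain}"
    return None

def assess_login_page(url, html, expected_domain):
    """List phishing indicators for a page that asks for a password."""
    scan = FormScan()
    scan.feed(html)
    if not scan.has_password:
        return []
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("password form served without TLS")
    # Check the page itself and every place its forms submit to.
    for target in [url] + [urljoin(url, a) for a in scan.actions]:
        problem = host_problem(target, expected_domain)
        if problem and problem not in findings:
            findings.append(problem)
    return findings

# Constructed sample: a brand-styled login form served from a LAN address.
SAMPLE_URL = "http://192.168.1.50/"
SAMPLE_HTML = """<form method="post" action="/"><input name="username">
<input type="password" name="password"></form>"""
```

The same check can run in a mail gateway or proxy against pages reached from links in messages, with `expected_domain` set per impersonated brand.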
