How to Phish websites "easy way"

dibbsydibbsy New Arrival
edited November 2011 in Tech & Games
This is a tutorial to harvest credentials over the internet aka phishing, for starters you need backtrack 5r1 to do this. We will be using the Social Engineers Toolset or SET. The general idea behind this attack is that SET will clone the target website (in this case, because everyone complains for facespace hacks XD but this will work on any site that uses a login) and host it on your personal computer. Okay so for starters were going to have to configure SET to ask for the ip we want to use as our host rather than automatically setting it to our local ip address. To do this navigate to the SET directory and modify the set_config file using your favorite text editor. In this instance, I'm using KWrite.

# cd /pentests/exploits/SET/config
# kwrite set_config

Find the line that by default reads AUTO_DETECT=ON, change it to read AUTO_DETECT=OFF, and save and close. Now SET will ask you what the ip address is that you want the site that you clone to be hosted on. To find the ip address that you need to use visit:

Now we need to set up port forwarding so login into your router by using the default gateway address, mine is and once you login find the port forwarding option and forward traffic through Port 80 on TCP/UDP to your local IP address. (for me it would be

Now that thats set up its time for the fun part, Start SET by going Start -> Backtrack -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit -> SET and it have a menu with the following options:

1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update The Social-Engineer Toolkit
6) Help, Credits, and About

99) Exit the Social-Engineer Toolkit

You want to choose: 1, which then brings up:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) Third Party Modules

99) Return back to the main menu.

Next choose option: 2 Website Attack Vectors. Then you will see:

1) The Java Applet Attack Method
2) The Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Man Left in the Middle Attack Method
6) Web Jacking Attack Method
7) Multi-Attack Web Method
8) Create or import a CodeSigning Certificate

99) Return to Main Menu

Choose option: 3 Credential Harvester Attack Method

1) Web Templates
2) Site Cloner
3) Custom Import

99) Return to Webattack Menu

Choose option: 2 Site Cloner

Next you have to input the the ip address that you got from

After entering your ip you have to type the website you want to clone in my case it will be and there you go you have a phishing site running off your computer now keep in mind you ip address is clear as day so for this to work you will have to find some one extremely stupid XD just tell them that its a link to see naked girls or somethin most guys fall for that, If you want to get serious you can make a fake facebook set up a chatbot, sign up for a fake web domain, and do stuff like that but i prefer to just do it for fun test my friends intellect and what not.... Happy Phishing

Just a share :)


  • edited November 2011
    Hell yeah, another Backtrack user! The Social Engineering Toolkit is such an awesome tool on Backtrack - one I find myself using more and more just recently. Some screenshots would be cool, although if you can't get any up then I'll happily add some when I next boot into BT5.

    And a note for non-backtrack users;
    Phishing websites isn't the only thing you can do with SET. Take a look at the list which is included in the OP, there's plenty more action to be had. Awesome tools.

    One suggestion though - give it a better title? Maybe something like.. "How to Phish Websites using Social Engineering Toolkit" ? Would generate a better response from Google.
Sign In or Register to comment.