This is a tutorial to harvest credentials over the internet aka phishing, for starters you need backtrack 5r1 to do this. We will be using the Social Engineers Toolset or SET. The general idea behind this attack is that SET will clone the target website (in this case,
http://www.facebook.com because everyone complains for facespace hacks XD but this will work on any site that uses a login) and host it on your personal computer. Okay so for starters were going to have to configure SET to ask for the ip we want to use as our host rather than automatically setting it to our local ip address. To do this navigate to the SET directory and modify the set_config file using your favorite text editor. In this instance, I'm using KWrite.
# cd /pentests/exploits/SET/config
# kwrite set_config
Find the line that by default reads AUTO_DETECT=ON, change it to read AUTO_DETECT=OFF, and save and close. Now SET will ask you what the ip address is that you want the site that you clone to be hosted on. To find the ip address that you need to use visit:
http://www.whatsmyip.org/
Now we need to set up port forwarding so login into your router by using the default gateway address, mine is 192.168.1.1 and once you login find the port forwarding option and forward traffic through Port 80 on TCP/UDP to your local IP address. (for me it would be 192.168.1.102)
Now that thats set up its time for the fun part, Start SET by going Start -> Backtrack -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit -> SET and it have a menu with the following options:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update The Social-Engineer Toolkit
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
You want to choose: 1, which then brings up:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) Third Party Modules
99) Return back to the main menu.
Next choose option: 2 Website Attack Vectors. Then you will see:
1) The Java Applet Attack Method
2) The Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Man Left in the Middle Attack Method
6) Web Jacking Attack Method
7) Multi-Attack Web Method
8) Create or import a CodeSigning Certificate
99) Return to Main Menu
Choose option: 3 Credential Harvester Attack Method
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
Choose option: 2 Site Cloner
Next you have to input the the ip address that you got from
http://www.whatsmyip.org/
After entering your ip you have to type the website you want to clone in my case it will be
http://www.facebook.com/ and there you go you have a phishing site running off your computer now keep in mind you ip address is clear as day so for this to work you will have to find some one extremely stupid XD just tell them that its a link to see naked girls or somethin most guys fall for that, If you want to get serious you can make a fake facebook set up a chatbot, sign up for a fake web domain, and do stuff like that but i prefer to just do it for fun test my friends intellect and what not.... Happy Phishing
Just a share
Comments
And a note for non-backtrack users;
Phishing websites isn't the only thing you can do with SET. Take a look at the list which is included in the OP, there's plenty more action to be had. Awesome tools.
One suggestion though - give it a better title? Maybe something like.. "How to Phish Websites using Social Engineering Toolkit" ? Would generate a better response from Google.