The Social-Engineer Toolkit

149

After you select Website Attack Vectors and the Credential Harvester, choose Site Cloner. The configuration for this attack is minimal and requires only that you pass a URL (http://www.secmaniac.com) to SET that contains a login form.

The web server runs and waits for the target's response. As mentioned previously, you could in this instance set WEBATTACK_CONFIG=ON, and SET would prompt you to attempt mass emails to coax targets into clicking the link. The target would be presented with a web page that looks identical to Gmail's website and initial login page. When the target enters his password, the browser automatically redirects to the original Gmail website, while the following information is presented to the attacker:

10.10.1.102 - - "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-1174166214807618980
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: GALX=S3ftXFIww0E

POSSIBLE USERNAME FIELD FOUND: Email=ihazomgsecurity2390239203
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisisacomplexp@55w0rd!!!!!

PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

SET uses a built-in dictionary to mark form fields and parameters on sites that might contain sensitive information. It red-highlights potential username and password parameters to indicate that they could be sensitive parameters that are worth investigating.
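The same dictionary idea works from the defender's side: a proxy or gateway can flag any POST whose field names look like credentials but whose destination is not the host where that login form legitimately lives, which is exactly the signature a cloned login page leaves. This is an added example, not SET's own code; the field-name hints, the legitimate-host set, the proxy log line format and the sample lines are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed field-name dictionary, in the spirit of the one SET uses to flag
# parameters; names are matched case-insensitively by substring.
USERNAME_HINTS = ("email", "user", "login", "uid")
PASSWORD_HINTS = ("passwd", "password", "pwd")
# Hosts on which a Gmail-style login form is legitimately posted (assumption).
LEGITIMATE_LOGIN_HOSTS = {"accounts.google.com", "www.google.com"}
# Assumed proxy log shape: <client> "POST <url> HTTP/1.x" <status> body=<form>
LOG_RE = re.compile(r'^(?P<src>\S+) "POST (?P<url>\S+) HTTP/1\.[01]" (?P<status>\d{3}) body=(?P<body>.*)$')

def classify_fields(body):
    """Split a URL-encoded form body into (username-like, password-like) field names."""
    users, pwds = [], []
    for name, _ in parse_qsl(body, keep_blank_values=True):
        low = name.lower()
        if any(h in low for h in PASSWORD_HINTS):
            pwds.append(name)
        elif any(h in low for h in USERNAME_HINTS):
            users.append(name)
    return users, pwds

def find_suspicious_posts(log_lines):
    """Return (client, host, user_fields, pwd_fields) for each POST that sends a
    password-like field to a host outside LEGITIMATE_LOGIN_HOSTS."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a POST with a captured body; nothing to inspect
        host = (urlsplit(m.group("url")).hostname or "").lower()
        users, pwds = classify_fields(m.group("body"))
        if pwds and host not in LEGITIMATE_LOGIN_HOSTS:
            hits.append((m.group("src"), host, users, pwds))
    return hits

# Constructed sample: a real login, the same Gmail field names posted to a
# look-alike host (a cloned form), and an unrelated POST to that host.
SAMPLE_LOG = [
    '10.10.1.50 "POST https://accounts.google.com/ServiceLogin HTTP/1.1" 302 '
    'body=Email=alice&Passwd=redacted&GALX=S3ftXFIww0E',
    '10.10.1.102 "POST http://203.0.113.7/ HTTP/1.1" 200 '
    'body=ltmpl=default&Email=ihazomgsecurity2390239203&Passwd=redacted&signIn=Sign+in',
    '10.10.1.77 "POST http://203.0.113.7/search HTTP/1.1" 200 body=q=hello&ltmpl=default',
]

if __name__ == "__main__":
    for src, host, users, pwds in find_suspicious_posts(SAMPLE_LOG):
        print(f"{src} posted {pwds} (with {users}) to non-legitimate host {host}")
```

Only the submission to the look-alike host is reported; the genuine login and the unrelated POST pass through silently.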

Once you've finished harvesting all of the target's credentials, press CTRL-C to generate a report, as shown in Figure 10-3. The report uses XML and HTML formatting.

SET's web server is multithreaded and can handle as many requests as your server can handle. When a number of targets enter their credentials into the site, SET will automatically parse those results into a report format that separates the form fields in a readable format.

You can also export the credential harvesting results in an XML-compliant format to later import into tools or parsers that you're already using.