
The Social-Engineer Toolkit


Web Jacking

The web jacking attack method, new in SET version 0.7, allows you to create a website clone, where the target is presented with a link stating that the website has moved. When the target hovers over the link, the URL presented is the real URL, not the attacker’s URL. So, for example, if you’re cloning https://gmail.com/, the URL that would appear on the target’s machine when he hovers his mouse over the link would be https://gmail.com/. When the target clicks the link, Gmail opens but is quickly replaced with your malicious web server.

This attack uses a time-based iframe replacement. When the target hovers over the link, it points to whatever site you cloned. When the target clicks the link, the iframe replacement will initiate and replace the target’s browser with the malicious cloned site without the target’s knowledge. You can change the timing of a web jacking attack using the config/set_config flags.
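Detection logic for the behaviour described above, added here as an example and not part of SET or the original text: it scans browser navigation telemetry for a user-clicked page load that is replaced, after a short delay and without a user gesture, by a different host that then receives a form POST. The event schema, the `KNOWN_REDIRECTS` allowlist, the 10-second window and the host `clone.example` are assumptions.

```javascript
// Added example: the event schema, field names and hosts below are hypothetical.
const WINDOW_MS = 10000; // assumed upper bound on the delay before the swap

// Hosts a clicked site is known to redirect to on its own (assumed allowlist).
const KNOWN_REDIRECTS = new Map([
  ['gmail.com', new Set(['mail.google.com', 'accounts.google.com'])],
]);

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// events: records { t, tab, type, url, userGesture }, ordered within each tab;
// type is 'navigate' (top-level document load) or 'post' (form submission).
function findWebJacking(events, windowMs = WINDOW_MS) {
  const clicked = new Map(); // tab -> { t, host } of the last user-clicked load
  const swapped = new Map(); // tab -> details of a suspected replacement
  const findings = [];
  for (const e of events) {
    const host = hostOf(e.url);
    if (host === null) continue; // skip unparseable URLs
    if (e.type === 'navigate' && e.userGesture) {
      clicked.set(e.tab, { t: e.t, host });
      swapped.delete(e.tab);
    } else if (e.type === 'navigate') {
      const c = clicked.get(e.tab);
      const ok = c && (host === c.host || (KNOWN_REDIRECTS.get(c.host) || new Set()).has(host));
      if (c && !ok && e.t - c.t <= windowMs) {
        swapped.set(e.tab, { clicked: c.host, landed: host, delayMs: e.t - c.t });
      }
    } else if (e.type === 'post') {
      const s = swapped.get(e.tab);
      if (s && host === s.landed) findings.push({ tab: e.tab, ...s });
    }
  }
  return findings;
}

// Constructed sample: tab 1 is swapped 2 s after the click, tab 2 is a normal login.
const SAMPLE_EVENTS = [
  { t: 0,    tab: 1, type: 'navigate', url: 'https://gmail.com/', userGesture: true },
  { t: 2000, tab: 1, type: 'navigate', url: 'http://clone.example/', userGesture: false },
  { t: 9000, tab: 1, type: 'post',     url: 'http://clone.example/', userGesture: true },
  { t: 100,  tab: 2, type: 'navigate', url: 'https://gmail.com/', userGesture: true },
  { t: 400,  tab: 2, type: 'navigate', url: 'https://accounts.google.com/', userGesture: false },
  { t: 7000, tab: 2, type: 'post',     url: 'https://accounts.google.com/', userGesture: true },
];
```

The allowlist matters because a legitimate login also moves between hosts without a user gesture; only a landing host outside it is flagged.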

To configure SET for the attack, select Web Jacking Attack Method and Site Cloner, and then add the site you want to clone, https://gmail.com, as shown below.

 6. Web Jacking Attack Method

Enter your choice (press enter for default): 6

[!] Website Attack Vectors [!]

 2. Site Cloner

Enter number (1-4): 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com

 Enter the url to clone: https://gmail.com

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] I have read the above message. [*]

Press {return} to continue.

[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.

When the target visits the cloned site, he will see the link shown in Figure 10-4. Notice that the URL at the lower-left corner shows https://gmail.com/.