The Social-Engineer Toolkit
Web Jacking
The web jacking attack method, new in SET version 0.7, allows you to create a website clone, where the target is presented with a link stating that the website has moved. When the target hovers over the link, the URL presented is the real URL, not the attacker’s URL. So, for example, if you’re cloning https://gmail.com/, the URL that would appear on the target’s machine when he hovers his mouse over the link would be https://gmail.com/. When the target clicks the link, Gmail opens but is quickly replaced with your malicious web server.
This attack uses a time-based iframe replacement. When the target hovers over the link, it points to whatever site you cloned. When the target clicks the link, the iframe replacement will initiate and replace the target’s browser with the malicious cloned site without the target’s knowledge. You can change the timing of a web jacking attack using the config/set_config flags.
To configure SET for the attack, select Web Jacking Attack Method and Site Cloner, and then add the site you want to clone, https://gmail.com, as shown below.
6. Web Jacking Attack Method
Enter your choice (press enter for default): 6
[!] Website Attack Vectors [!]
2. Site Cloner
Enter number (1-4): 2
SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com
[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] I have read the above message. [*]
Press {return} to continue.
[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.
When the target visits the cloned site, he will see the link shown in Figure 10-4. Notice that the URL at the lower-left corner shows https://gmail.com/.