Saturday 24 December 2011

Credential Harvesting With Facebook and the Social Engineering Toolkit

My goal here was to create an attack that would allow me to trick someone into sending me their login and password for Facebook. The general idea behind this attack is that SET will clone the target website (in this case, http://www.facebook.com) and host it on your personal computer. The trick then is to convince someone to visit a link you crafted that points to your fake Facebook clone and get them to log in with their credentials (which are displayed in Metasploit). Once they send you their credentials, the server you are hosting redirects the victim to the real Facebook login page and (hopefully) they never know what happened.

1. Find the line in the config file that by default reads AUTO_DETECT=ON, change it to read AUTO_DETECT=OFF, then save and close the document. This will cause SET to prompt you for your external IP address when you launch the Credential Harvester; you can find that address by going to www.whatismyip.com.


# cd /pentest/exploits/SET/config
# gedit set_config


2. Next, we need to set up the router for port forwarding so people on the outside Internet can connect to the fake web server. To do this with my particular router, first navigate to http://192.168.1.1 and log in to the control panel. From there, scroll down to Port Forwarding/Port Triggering on the left-hand side and add a custom service that forwards traffic on port 80 (TCP/UDP) to your local IP address (in my case, 192.168.1.4).


3. Now that our configuration is ready, the next step is to open SET. Either go to Start->Backtrack->Penetration->Social Engineering Toolkit->Social Engineering Toolkit or run the following from the command line:


# cd /pentest/exploits/SET/
# python set


4. From there, select option 2, Website Attack Vectors. You will then see the following options:

5. Select option 3, Credential Harvester Attack Method.

6. Select option 2, Site Cloner.

7. Here you enter the site you want to clone, in this instance http://www.facebook.com. SET will then clone the site you entered. Press return to move past the message about username and password form fields.

8. The server is now up and running. Anyone who navigates to your external IP address will be presented with the fake Facebook login page you have cloned. Once they enter their login credentials, the credentials show up in your terminal and the victim is forwarded to the real Facebook site.

9. Now, obviously most people will not click on a link that looks like a random IP address. However, there are several ways to disguise that link.

10. My favorite is converting the IP address into a bit.ly link. To do this, copy your external IP address and go to http://bit.ly/. Paste the external IP address and click the 'shorten' button. This converts the link to something like http://bit.ly/900913, which looks a bit friendlier than a raw IP address. Then you can add it to a specially crafted email sent to your victim, or cast a wider fishnet and post a Tweet like:
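The whole attack above hinges on the victim not noticing that the "Facebook" link lands on a bare IP address. The following is an added example (not part of the original post and not SET code) of the check a recipient or a mail/link filter can run before clicking: expand the shortened link hop by hop and flag a final destination that is a bare IP or is not on the expected domain. The redirect chain and the 203.0.113.4 address are constructed for illustration; the live fetcher is only used if you pass it in.

```python
"""Expand a shortened link without a browser and classify where it lands.
Added example, not from the original post; the redirect table below is
constructed (203.0.113.4 is a documentation-only address)."""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for real HEAD responses: short link -> Location header.
FAKE_REDIRECTS = {
    "http://bit.ly/900913": "http://203.0.113.4/",            # cloned login page
    "http://bit.ly/legit": "https://www.facebook.com/login.php",
}


def offline_fetch_location(url):
    """Return the Location header a HEAD request would yield, or None."""
    return FAKE_REDIRECTS.get(url)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx as HTTPError instead of following it


def live_fetch_location(url, timeout=5):
    """Issue one HEAD request and return the raw Location header, if any."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        opener.open(req, timeout=timeout)
        return None
    except urllib.error.HTTPError as e:
        loc = e.headers.get("Location")
        return urljoin(url, loc) if loc else None


def resolve_chain(url, fetch_location=offline_fetch_location, max_hops=10):
    """Follow Location headers and return every URL visited, first to last."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None or nxt in chain:  # no redirect, or a loop
            break
        chain.append(nxt)
    return chain


def classify_link(url, expected_domain="facebook.com", fetch_location=offline_fetch_location):
    """'bare-ip' if the landing host is a literal IP, 'ok' if it is on
    expected_domain (or a subdomain), otherwise 'off-domain'."""
    host = (urlsplit(resolve_chain(url, fetch_location)[-1]).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "bare-ip"
    except ValueError:
        pass
    if host == expected_domain or host.endswith("." + expected_domain):
        return "ok"
    return "off-domain"
```

Call `classify_link(url, fetch_location=live_fetch_location)` to check a real shortened link; the default offline table keeps the example runnable without network access.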
