Use SET and Obtain the Usernames and Passwords of the Victim.
Hey, today we are going to carry out a social harvesting attack, which will steal all the usernames and passwords of the victim's Facebook, Gmail, Twitter, etc. We will use SET today. The Social-Engineer Toolkit (SET) included with Backtrack 5 is a great way for corporate security experts or penetration testers/hackers to test how well their network would stand up to social engineering attacks.
But before I begin: I am receiving many mails saying "You are doing wrong" or "It is illegal to put this on a website". Well, this is for security testing/educational purposes only; never attempt to use any security checks or tools on a network that you do not have authorization to test. If you do, I'm not liable for anything.
So let's begin,
What Do We Need ?
#Backtrack 5
#Access To Victim PC
#Brain That works.
Step 1 :
Go To -> Social-Engineering Attacks -> Website Attack Vectors -> Credential Harvester Attack Method.
Step 2 :
We now have three options: use a web template that will create a generic website for you, import any webpage to use, or clone any existing website and use that. My attack is targeted at gathering Google Mail credentials, so I'll select number 1, "Web Templates".
Step 3 :
As you can see in the picture above, SET comes with templates for several popular programs. I'll choose number 2, "Gmail". Once you select one of the templates, you will be given a short message about username and password form fields; just hit "return". SET has now created a fake website using the template that you chose and is prepared to harvest any credentials that are entered on the fake website. Now that is some ninja stuff :D.
Step 4 :
Now you need to make the victim click on this page and enter his details. You need creativity for this: you can embed this on your website or spoof the victim to the fake page. Use your imagination.
NEW : How To Protect Against This Attack :
Due to the complaints that say "you are evil or bad", I'll now tell you how to protect against the attack listed above. See, I'm not that evil :).
What the victim is seeing is a Gmail login screen, but if you just look up at the address bar, you will see the IP address, NOT the www.gmail.com address. Also, if you use Internet Explorer or some modern browser, it'll show a certificate warning. Also, you can use the IP displayed on the fake page to hack the hacker; the choice is yours.
^^^ What the victim sees after the attack is commenced.
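The address-bar check from the protection section can also be automated, for example in a mail or proxy filter. The Python below is an added example, not part of the original post; the EXPECTED_LOGIN_HOSTS list, the function names and the sample URLs are assumptions constructed for illustration, and it goes a little beyond the post by also catching integer-encoded IPs, lookalike hostnames and userinfo in the URL.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts where the genuine sign-in form is expected (constructed list).
EXPECTED_LOGIN_HOSTS = {"www.gmail.com", "mail.google.com", "accounts.google.com"}


def host_is_ip_literal(host):
    """True if the host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)  # dotted IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    # Browsers also accept one decimal or hex integer as an IPv4 address.
    try:
        return 0 <= int(host, 0) <= 0xFFFFFFFF
    except ValueError:
        return False


def login_url_findings(url):
    """Return the reasons a page showing a login form should not be trusted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if host_is_ip_literal(host):
        findings.append("ip-address-host")
    elif host not in EXPECTED_LOGIN_HOSTS:
        findings.append("unexpected-host")
    if parts.username is not None:
        # Text before '@' is userinfo, not the site that is contacted.
        findings.append("userinfo-in-url")
    return findings


# Constructed sample URLs (192.0.2.10 is a reserved documentation address).
SAMPLES = [
    "https://accounts.google.com/ServiceLogin",
    "http://192.0.2.10/",
    "http://3221225994/",
    "https://www.gmail.com.login.example/",
    "https://www.gmail.com@192.0.2.10/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", login_url_findings(sample) or "ok")
```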
So I'd love to see your feedback/suggestions in the comment section below, so don't hesitate to leave them. See you tomorrow.