Saturday 22 March 2014

HACK FACEBOOK ACCOUNT USING BACKTRACK

■ Clone a website
■ Obtain user names and passwords using the Credential Harvester method
■ Generate reports for conducted penetration tests

Tools Needed
■ Run this tool in BackTrack Virtual Machine
■ Web browser with Internet access
■ Administrative privileges to run tools

Steps :-

1. Log in to your BackTrack virtual machine.

2. Select Applications -> BackTrack -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit and click Set.



3. A Terminal window for SET will appear. Type y and press Enter to agree to the terms of service.

                   


4. You will be presented with a list of menus to select the task. Type 1 and press Enter to select the Social-Engineering Attacks option.


5. A list of menus in Social-Engineering Attacks will appear; type 2 and press Enter to select Website Attack Vectors.



6. In the next set of menus that appears, type 3 and press Enter to select the Credential Harvester Attack Method.




7. Now, type 2 and press Enter to select the Site Cloner option from the menu.




8. Type the IP address of your BackTrack virtual PC in the prompt for IP address for the POST back in Harvester/Tabnabbing and press Enter. In this example, the IP is 10.0.0.15.



9. Now you will be prompted for a URL to be cloned; type the desired URL at the "Enter the url to clone" prompt and press Enter. In this example, we have used www.facebook.com. This will initiate the cloning of the specified website.


10. After cloning is completed, the highlighted message, as shown in the following screenshot, will appear on the Terminal screen of SET. Press Enter to continue.


11. It will start Credential Harvester.


12. Leave the Credential Harvester Attack to fetch information from the victim’s machine.



13. Now, you have to send the IP address of your BackTrack machine to a victim and trick him or her to click to browse the IP address.

14. For this demo, launch your web browser in the BackTrack machine; launch your favorite email service. In this example we have used www.gmail.com. Log in to your Gmail account and compose an email.


15. Place the cursor in the body of the email where you wish to place the fake URL. Then, click the Link


16. In the Edit Link window, first type the actual address in the Web address field under the Link to option and then type the fake URL in the Text to display field. In this example, the web address we have used is http://10.0.0.15 and text to display is www.facebook.com/Rini_TGIF. Click OK.



17. The fake URL should appear in the email body, as shown in the following screenshot.


18. To verify that the fake URL is linked to the actual URL, click the fake URL and it will display the actual URL as Go to link: with the actual URL. Send the email to the intended user.


19. When the victim clicks the URL, he or she will be presented with a replica of Facebook.com.


20. The victim will be enticed to enter his or her username and password into the form fields as it appears to be a genuine website. When the victim enters the Username and Password and clicks Log In, it does not allow logging in; instead, it redirects to the legitimate Facebook login page. Observe the URL in the browser.




21. As soon as the victim types in the email address and password, the SET Terminal in BackTrack fetches the typed username and password, which can be used by an attacker to gain unauthorized access to the victim’s account.


22. Press CTRL+C to generate a report for the attack performed.





Enjoy!! Note: if you don't have BackTrack OS / LINK /
