The Social Engineering Toolkit (SET) included with Backtrack 5 is a great way for corporate security experts or penetration testers to test how well their network (and users) would stand up to Social Engineering attacks. With Social Engineering and Spear Phishing attacks on the rise, it is very important to educate your users about these attacks.
In this tutorial I will demonstrate how SET can be used to set up a realistic looking website to harvest e-mail usernames and passwords.
Okay, timeout for a disclaimer: This is for security testing purposes only. Never run any security checks or tools against a network that you do not have authorization and written permission to test. Doing so could cost you your job, and you could end up in jail.
- Obtain Backtrack 5 release 2. You can use the LiveCD version, install it on a new system or run it in a Virtual Machine.
- The first thing you will want to do is update both the Metasploit Framework and the Social Engineering Toolkit to make sure you have the latest versions. Update both, restart SET, and check for updates one more time.
- From the menu, select number 1, “Social Engineering Attacks”.
- Next, select “Website Attack Vectors”.
- Now select “Credential Harvester Attack Method”.
- We now have three options: use a web template that creates a generic website for us, import a webpage of our own, or clone any existing website and use that. The included templates are very good, so let’s try one of them. Select number 1, “Web Templates”.
- As you can see in the picture above, SET comes with templates for several popular programs. Once you select one of the templates (I chose number 2, “Gmail”), you will be given a short message about the username and password form fields; just hit “return”. SET will now create a fake website using the template that you chose and prepare to harvest any credentials that are entered on it.
And that is it!
Now if we go to the victim machine and browse to the SET-created webpage, we will see this:
A Gmail login screen! But wait a minute, take a look at the address bar. An IP address is listed instead of the normal Google Mail address. If a user enters their username and password on this site, their credentials are harvested and collected on the SET system. So as user “Security Joe” enters his credentials, we see this on the Backtrack system:
In the picture above you can see the user’s name: “Security+Joe” and the user’s password: P@$$W0Rd!
When you are finished, hit “Control-C” to stop harvesting and view a report of all the sessions that you have captured. The report files are stored in the SET directory under Reports. Two reports are created, one in HTML and one in XML. The picture below shows the HTML report for this session:
As you can see, unless the user checks the address bar, there is no way he could tell that he was on a fake website handing away his login name and password. And since many users reuse the same password on multiple sites, this could be very valuable information for a hacker to obtain. That is why it is imperative to educate your users about Social Engineering attacks and how to defend against them.
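The one tell in the walkthrough above is that the login form posts to a bare IP address rather than to a hostname. The following is an added detection example, not part of the original tutorial or of SET itself: it scans proxy log lines in an assumed, simplified format (timestamp, client IP, method, URL, status; constructed sample data inline) and flags every POST whose destination host is an IP literal, so that a security team can spot users submitting forms to a harvester-style page.

```python
"""Flag HTTP form POSTs sent to bare-IP hosts in proxy logs."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample log lines in an assumed, simplified proxy format:
# "<timestamp> <client-ip> <method> <url> <status>". Not a real product's format.
SAMPLE_LOG = """\
2012-05-01T10:14:02Z 10.0.0.25 GET http://192.168.1.10/ 200
2012-05-01T10:14:20Z 10.0.0.25 POST http://192.168.1.10/ 302
2012-05-01T10:15:03Z 10.0.0.31 POST https://accounts.google.com/ServiceLogin 200
2012-05-01T10:16:10Z 10.0.0.25 POST http://[2001:db8::1]/login 200
2012-05-01T10:17:44Z 10.0.0.40 GET http://203.0.113.7/index.html 200
"""


def host_is_ip_literal(host):
    """True if the URL host is a bare IPv4/IPv6 address rather than a hostname."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_ip_host_posts(log_text):
    """Return one finding per POST whose destination host is an IP literal.

    A cloned login page served by a credential harvester is reached by IP,
    so a browser submitting a form to a bare IP is worth an analyst's look.
    GETs are ignored: only the form submission carries credentials.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, method, url, _status = parts
        if method != "POST":
            continue
        parsed = urlsplit(url)  # .hostname strips IPv6 brackets for us
        if host_is_ip_literal(parsed.hostname):
            findings.append({"time": ts, "client": client,
                             "host": parsed.hostname, "path": parsed.path or "/"})
    return findings


if __name__ == "__main__":
    for f in find_ip_host_posts(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} posted a form to bare IP {f['host']}{f['path']}")
```

On the constructed sample this reports the two POSTs from client 10.0.0.25 (to 192.168.1.10 and to 2001:db8::1) and leaves the real accounts.google.com login alone.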