
Credential Harvesting Attack

Using Kali Linux SEToolkit

by Jaco Kirsten

University of Denver Cybersecurity Bootcamp, Bootcon, Project 4


Project Goal:

To successfully employ a credential harvesting attack vector of the Social Engineering Toolkit, or SEToolkit, on Kali Linux.


Why a Credential Harvesting Attack?

This is a form of social engineering that is surprisingly common and easy to perform with the right tools. It was also one of the few topics that wasn’t covered during the Bootcamp.

We’ve all heard about phishing. But I didn’t know how these attacks actually function. How are they employed? How do they achieve their goal? And would I be able to execute one in a safe laboratory environment?

So I set out to perform some Google-Fu, and enlighten myself about this until-now unfamiliar subject.


What exactly is Social Engineering Toolkit?

The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around Social-Engineering via Kali Linux.

It has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over 2 million downloads, it is the standard for social-engineering penetration tests and supported heavily within the security community.

It is aimed at leveraging advanced technological attacks in a social-engineering type environment.


Security concepts applied:

Credential Harvester is just one of the methods in SET. It is used when you don’t want to specifically get a shell, but perform phishing attacks to obtain usernames and passwords from the system.

In this attack vector, a website will be cloned, and when the victim clicks on the URL to the fake sign in page and enters their user credentials, the username and password will be displayed in real time in SEToolkit.

After that, the victim will be redirected back to the legitimate site.


Research

Through internet research I figured out that SEToolkit is an easy way to perform a phishing attack. Just download and install it on your Kali Linux machine and you’re good to go.

In real life you’d mail the fake link to an unsuspecting victim to click on, but in my case I did it on one of the Kali machines in an Azure lab, clicking on my own link to demonstrate how SEToolkit receives the data the victim of a phishing attack would enter.

Here’s a good SEToolkit tutorial:

https://www.yeahhub.com/setoolkit-credential-harvester-attack-tutorial/


Useful SEToolkit links and references:


Installation and configuration

Do the following in Kali Linux:

  1. Change to your Desktop directory: run cd ~/Desktop
  2. Run mkdir SEToolkit
  3. Run cd SEToolkit
  4. Run git clone https://github.com/trustedsec/social-engineer-toolkit setoolkit/
  5. Run cd setoolkit
  6. Run pip3 install -r requirements.txt
  7. Run python setup.py
  8. Setoolkit will ask ‘y’ or ‘n’. Type ‘y’ and your social engineering toolkit will run
  9. After that just run ‘setoolkit’ to open the program


So you want to perform a Credential Harvesting Attack?

Simply follow the next 10 easy steps:


Step 1: Open SEToolkit on Kali Linux


Step 2: Get your IP address


Step 3: Choose Attack Vector


Step 4: Website Attack Vector


Step 5: Choose Credential Harvester Attack


Step 6: Choose Web Template


Step 7: Select Twitter


Step 8: Set IP address


Step 9: Enter my IP address into fake Twitter template


This link is then sent via an email to an unsuspecting victim with a message along the lines of:

“Due to a safety breach you immediately need to log into your Twitter account to update your info. Click here.”

When they open the fake Twitter login page and enter their credentials, the following happens…


Step 10: Target enters username and password…


Result!

  1. I get to see the victim’s username and password
  2. The fake Twitter login page’s URL reverts back from my IP address to twitter.com, making it much less likely that the victim will know they were conned.


Mitigation:

Never click on suspicious links! In other words, if you haven’t asked for some kind of password reset or had any communication with an account, it is HIGHLY UNLIKELY that they’ll send you a link via email to verify your details again.

Also educate employees as to the severe cybersecurity risk of phishing emails.
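One way a mail gateway or analyst could flag the lure described in this deck, as an added example that is not from the original presentation or from SET: it checks every link in a message for a raw-IP host and for a brand named in the message whose link leaves that brand's domains. The allow-list, function names and sample messages are constructed for illustration, and the brand check is a triage heuristic that can flag legitimate third-party links.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> hosts allowed to serve its sign-in page.
BRAND_HOSTS = {"twitter": {"twitter.com"}}

class LinkCollector(HTMLParser):
    """Collect the href of every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_links(html_body):
    """Return [(href, [reasons])] for links matching the lure pattern."""
    collector = LinkCollector()
    collector.feed(html_body)
    text = html_body.lower()
    findings = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or not host:
            continue  # skip mailto:, anchors and empty hrefs
        reasons = []
        if is_ip_literal(host):
            reasons.append("host is a raw IP address")
        for brand, hosts in BRAND_HOSTS.items():
            legit = any(host == h or host.endswith("." + h) for h in hosts)
            if brand in text and not legit:
                reasons.append(f"message names {brand} but link leaves its domains")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample messages (192.0.2.10 is a documentation-only address).
LURE = ('<p>Due to a safety breach you immediately need to log into your '
        'Twitter account to update your info. <a href="http://192.0.2.10/">Click here</a>.</p>')
BENIGN = '<p>Your Twitter login: <a href="https://twitter.com/login">twitter.com/login</a></p>'
```

Calling `audit_links(LURE)` returns the IP-hosted link with both reasons attached, while `audit_links(BENIGN)` returns an empty list.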


Video of Credential Harvesting Exploit: