Use SET and Obtain The Username And Passwords Of Victim.
Hey, today we are going to make a social harvesting attack, which will
steal the usernames and passwords of victims' Facebook, Gmail, Twitter,
etc. accounts. We will use SET today. The Social Engineering
Toolkit (SET) included with Backtrack 5 is a great way for corporate
security experts or penetration testers/hackers to test how well
their network would stand up to social engineering attacks.
But before I begin: I am receiving many mails saying "You are doing wrong" or
"It is illegal to put this on Hacking Skills". Well, this is for security
testing/education purposes only; never attempt to use
any security checks or tools on a network that you do not have the
authorization to test. If you do, I'm not liable for anything.
So let's begin.
What Do We Need?
# Backtrack 5
# Access to victim PC
# Brain that works.
Step 1 :
Go to -> Social Engineering Attacks -> Website Attack Vectors -> Credential Harvester Attack Method.
Step 2 :
We now have the option to use a web template that will create a generic
website for you, to import any webpage, or to clone any
existing website and use that. My attack is targeted at gathering the
credentials of Google Mail, so I'll select number 1, "Web Templates".
Step 3 :
As you can see in the picture above, SET comes with templates for
several popular programs. Once you select one of the templates (I'll
choose number 2, "Gmail"), you will be given a short message about
username and password form fields; just hit "return". SET has now
created a fake website using the template that you chose, and is prepared to
harvest any credentials that are entered on the fake website. Now that
is some ninja stuff.
Step 4 :
Now you need to make the
victim click on this page and make him enter his details. You need
creativity for this. You can embed this on your website or spoof the
victim to the fake page. Use your imagination.
NEW: How To Protect Against This Attack:
Due to the complaints that say "you are evil or bad", now I'll tell you
how to protect against the attack listed above. See, I'm not that evil.
Now what the victim is seeing is a Gmail login screen, but if you just
look up in the address bar, you will see the IP address, NOT the www.gmail.com
address. Also, if you use Internet Explorer or some modern browser, it'll
show a certificate warning. Also you can use that IP displayed on the
fake page to hack the hacker; the choice is yours.
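The address-bar check described above can be automated for links pulled from mail or proxy logs. This is an added example, not part of the original post; the expected-domain list, the function names and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains the genuine login page is served from; adjust per service.
EXPECTED_DOMAINS = ("gmail.com", "google.com")


def host_as_ip(host):
    """Return an ip_address object if the host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)  # dotted IPv4 or IPv6
    except ValueError:
        pass
    # Browsers also accept a single integer (decimal or 0x hex) as an IPv4 host.
    try:
        return ipaddress.IPv4Address(int(host, 0))
    except (ValueError, ipaddress.AddressValueError):
        return None


def login_url_findings(url, expected=EXPECTED_DOMAINS):
    """List the reasons a claimed login-page URL should not be trusted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")  # no certificate to validate at all
    if host_as_ip(host) is not None:
        findings.append("ip-literal-host")  # address bar shows an IP, not a name
    elif not any(host == d or host.endswith("." + d) for d in expected):
        findings.append("unexpected-domain")  # lookalike or unrelated host
    return findings


# Constructed sample URLs (not taken from the page).
SAMPLES = [
    "https://accounts.google.com/ServiceLogin",
    "http://192.168.1.10/",
    "http://3232235786/",
    "https://gmail.com.example.net/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, login_url_findings(sample) or "ok")
```

An empty list means none of the checks fired; it does not prove the page is genuine.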