Johanes Ronaldo

Just another Binusian blog site

Ethical Hacking Week 10


This week we are going to make a website that will be used for phishing. The tool that we are going to use is SET, which is already installed in Kali Linux. The purpose of this tool is to get the username and password information of the person being attacked.

First, enter the command to start the tool.

Read the agreement and type ‘y’ to agree. Keep in mind that this tool should not be used for evil, and doing so will violate the agreement.

You will then see the main menu of the tool.

From here, proceed by typing ‘1’, which will enter the ‘Social Engineering Attacks’ menu.

Here is the ‘Social Engineering Attacks’ menu. Now type in ‘2’ to enter ‘Website Attack Vectors’.

Then choose ‘3’ to go to ‘Credential Harvester Attack Method’. Here is the description of ‘Credential Harvester Attack Method’. There are also explanations of the other attacks above this menu.

You will then see this menu. Click on Site Cloner.

You should then see a similar page. This shows what my IP address is, which is 10.0.2.15, and we can enter the URL we want to clone. I chose to clone www.facebook.com. If you are asked whether you want to disable Apache, type ‘y’; otherwise the tool will crash and you will have to try again from the beginning.

Once you see this line, you can open the IP address and see the cloned website.

Open your browser and type in the IP address. You can see I have successfully cloned Facebook. However, if you look closely at the URL, it is the IP address, not facebook.com. Let's try putting in the email and password.

Once I have input the email and password, it redirects to the real facebook.com. This will create the illusion that there has been an error on the part of Facebook, and people would type in their email and password again, not suspecting anything. But what they do not know is that I have already obtained their email and password and I can view it from the terminal.

This is how a hacker can obtain information about a user through social engineering. In order to avoid this, always check the URL of a website before putting in any information. And do not trust an email from a sender that you do not know. Lastly, stay away from spam email as much as possible.
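The URL check recommended above can also be done by a script, for example in a mail filter or a browsing policy. The following is an added example, not part of the original post: the helper name check_login_url and the sample URLs are assumptions made for illustration. It goes slightly beyond the case shown in the post (an IP address in the address bar) by also flagging plain HTTP and hostnames that only contain the expected domain.

```python
import ipaddress
from urllib.parse import urlsplit


def check_login_url(url, expected_domain):
    """Return a list of reasons not to trust `url` as a login page of `expected_domain`.

    An empty list means the host matches the expected site and the scheme is HTTPS.
    """
    # A bare address typed into the browser has no scheme; treat it as plain HTTP.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.rstrip(".").lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("not-https")
    if parts.username is not None:
        # Text before '@' is not the host, whatever it looks like.
        reasons.append("userinfo-before-host")

    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        reasons.append("ip-address-host")
        if addr.is_private:
            reasons.append("private-network-address")
    elif host != expected and not host.endswith("." + expected):
        # Compare the parsed hostname, never a substring of the whole URL.
        reasons.append("domain-mismatch")
    return reasons


# Constructed sample URLs; 10.0.2.15 and facebook.com are the values from the post.
SAMPLES = [
    "http://10.0.2.15/",
    "https://www.facebook.com/login",
    "https://facebook.com.login.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_login_url(sample, "facebook.com") or "ok")
```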

Written by jronaldo

May 25th, 2018 at 1:23 pm
