
Part 1: Understanding Setoolkit’s Credential Harvester

  1. I started by opening the Linux terminal and running `sudo setoolkit` to launch the Social-Engineer Toolkit (SET).

  2. Once SET was running, I navigated to Social-Engineering Attacks > Website Attack Vectors > Credential Harvester Attack Method > Site Cloner to set up cloning of the target website's login page.

  3. I chose hackthissite.org as my target site, intending to replicate it as part of my test environment, and copied the target URL for cloning.

  4. Next, I entered the IP address or domain name of the server that will host the spoofed website; in my case this is the Kali VM's IP address, 128.0.0.1. I then pasted the URL of the legitimate website at the prompt to start the cloning process.

  5. After cloning, I tested the setup by opening a browser and navigating to 128.0.0.1, the spoofed website's address. I simulated user interaction by entering fake credentials, which were captured on my terminal.
  • In a real attack, the attacker would now hold the victim's credentials and could log in and act on their behalf without the victim ever realizing it!

  6. To confirm reliability, I tested the method on another intentionally vulnerable site and received the expected output there as well. Both cloned pages look identical to their legitimate counterparts, which makes them highly convincing to an unsuspecting user. Combined with a phishing email campaign, this technique is an effective way to socially engineer a victim.

Part 2: Simulating a Credential Harvesting Attack

Having validated the reliability of this tool, I wanted to explore its use in a controlled, ethical scenario that simulates an attack flow for educational purposes. My goal was to better understand how attackers retrieve credentials so that I can develop stronger countermeasures and security-awareness strategies to protect users against such threats.

  1. First, I crafted a fake Google Support email.

  2. With the fake Google Support email set up, I wrote a phishing email designed to closely resemble something Google might send to a user.
  • There are no links for the victim to click yet; I will add those next.

  3. I then used dns.checker.org to convert my attack box's IP address into decimal form so that the malicious link would look more legitimate to an unsuspecting user.

  4. Now the malicious link is ready to be used: hxxp[://]google[.]com@2147483649.
  • Because an @ is used instead of a slash, a browser treats everything before the @ as the URL's user-information part and ignores it for the connection, so the victim is redirected to my spoofed website's login page.
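As an added defender-side example (not part of this write-up and not SET's own code), the Python below parses links the way a browser does and flags the two tricks used in the link above: a decoy domain placed before `@`, and a host written as a single decimal integer (or 0x hex) instead of a dotted quad. The sample URLs are constructed here; the `refang` helper and the function names are my own choices.

```python
"""Flag phishing-link obfuscation: decoy userinfo and non-dotted IPv4 hosts."""
import ipaddress
import re
from urllib.parse import urlsplit

# Sample links, constructed for this example. The first is the defanged link
# from the write-up; the rest are ordinary or differently obfuscated forms.
SAMPLE_URLS = [
    "hxxp[://]google[.]com@2147483649",
    "http://0x80000001/login",
    "http://128.0.0.1/login",
    "https://accounts.google.com/signin",
]


def refang(url: str) -> str:
    """Undo report-style defanging so the URL parses as a browser would parse it."""
    url = re.sub(r"^hxxp(s?)", r"http\1", url, flags=re.IGNORECASE)
    return url.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")


def ipv4_literal(host: str):
    """Return the dotted-quad form if *host* is an IPv4 literal in any form a
    browser accepts (dotted quad, plain decimal, 0x hex); otherwise None."""
    try:
        if re.fullmatch(r"\d+", host):                  # e.g. 2147483649
            return str(ipaddress.IPv4Address(int(host)))
        if re.fullmatch(r"0x[0-9a-f]+", host, re.I):    # e.g. 0x80000001
            return str(ipaddress.IPv4Address(int(host, 16)))
        return str(ipaddress.IPv4Address(host))         # e.g. 128.0.0.1
    except ValueError:                                   # not an IPv4 literal
        return None


def analyse_url(url: str) -> dict:
    """Describe the tricks a link uses to hide the host the browser will contact."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    ip = ipv4_literal(host)
    findings = []

    # RFC 3986: anything before '@' in the authority is userinfo, not the host.
    if parts.username is not None:
        findings.append(
            f"decoy '{parts.username}' sits in userinfo; the browser connects to '{host}'"
        )
    # A bare IP literal is unusual for a real login page...
    if ip is not None:
        findings.append(f"host is an IP literal ({ip})")
        # ...and a non-dotted spelling of it exists only to look less like an IP.
        if host != ip:
            findings.append(f"IP written as '{host}' instead of '{ip}'")

    return {
        "url": url,
        "actual_host": host,
        "ip": ip,
        "findings": findings,
        "suspicious": bool(findings),
    }


def scan(urls):
    """Return the analysis of every suspicious URL in *urls*."""
    return [r for r in (analyse_url(u) for u in urls) if r["suspicious"]]


if __name__ == "__main__":
    for result in scan(SAMPLE_URLS):
        print(result["url"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run stand-alone it prints each suspicious sample with its findings; the same `analyse_url` can be applied to links extracted from a mail gateway's logs or a proxy's URL field, where the `actual_host` value is what matters for blocking and for explaining to users why the link was not google.com.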

  5. I edited the hyperlinks in my fake Google Support email and the 'Google Support login page' to point at my spoofed website's address, so that if a victim is fooled into believing the email is legitimate, they are redirected to the spoofed site and any activity there is logged and received on my attack box's terminal.

  6. Once the required configuration in SET is in place and the tool is actively listening for input, the phishing email is ready to be sent.

  7. If the victim falls for the phishing attack and clicks one of the malicious links, they are redirected to my spoofed website. Once they enter their credentials, the attack has succeeded and their activity and information are captured.