Required Features
Step 0: Make sure your hosts file is normal!
In Lab 4, we had you add some lines to your hosts file to mess with Google. This lab needs Google to work, so if you haven't already, make sure you've undone the changes you made to your hosts file in Lab 4.
Step 1: Running setoolkit and Setting Up the Credential Harvester
It's been preinstalled on your Azure Labs machine, so let's try using setoolkit:
Run the setoolkit command using sudo:
sudo setoolkit
📝 Note: setoolkit needs to be run as the root user; otherwise you will see the following message:
A menu will pop up that looks like this (the image at the top often changes, so yours might be a little different):
There will be a list of commands to choose from in the start menu.
Type 1 to begin the Social-Engineering Attacks.
The next menu shown will ask what type of attacks you'd like to run.
Select 2 for Website Attack Vectors.
Next, it will transfer to another menu which will give a selection of seven (7) different types of attacks.
Read each of the descriptions for the types of attacks. Since we want to create a clone of a website that will collect information, we will select the third (3rd) option, the Harvester Attack method.
Next, we will choose how the web application is set up. SET allows you to choose from a template, create your own, or custom import a website.
Select the first (1st) option, the Web Template.
It will then give you a new prompt for a POST back address:
The credential harvester will collect all of the data submitted through each of the forms. An HTML form on a website sends this information to the website's server once it's submitted (in the form of a POST). For the fake website to do the same, we need to give it a POST back IP address, i.e. the address the cloned form will submit to. Let's find the local IP address of our Kali Linux machine on the network and use it as the POST back.
In a new terminal window, type the following:
hostname -I
You will see something like this print out in the terminal:
Adding the -I option to the command will list all the IP addresses for the host (Kali machine). We'll be using the second IP address shown.
Copy the second (2nd) IP address in the list.
Paste the IP address in the other (first) terminal prompt.
Now we can select a website template. Choose option two (2) for Google from the list.
It will then begin the process of cloning the website. If you see the message below, it means that you've set up the credential harvester:
⚠️ You'll want to keep this terminal window open because it will be collecting our harvested data.
🎯 Checkpoint 1: You have been able to set up the credential harvester (fake) website. Now you are ready to test it!
Step 2: Testing the Credential Harvester
In the Kali RDP Connection, open the Falkon browser (by navigating to Applications -> Internet -> Falkon) and open a new browser window.
Copy the same IP address that you used for the harvester into the web browser (this will go to that address on the local network):
Press return to navigate to the IP address. You should now see the Google form show up on the page:
Enter some information for the email and password form fields:
After you are done filling out the form, press the Sign In button. You will be redirected to the Google Search Engine page, as shown below:
Feel free to click Not Now when Falkon asks whether to remember the password. You can also click "No thanks" when Google asks you to sign in.
Going back to the console where the credential harvester was running, check to see the new output:
🎯 Checkpoint 2: Nice work! You have been able to collect information from the form fields and have it show in the console!
🎉 Congratulations 🎉
You've been able to learn how a social-engineering web attack happens and how one can be tempted into entering information into the wrong place. This can help you become aware of how someone's information can be vulnerable, and help to protect people against these kinds of attacks. 🔵