SEToolkit — Fake Facebook Site

Leandro Almeida
4 min read, Feb 5, 2020

In this tutorial, I will show you how to steal Facebook login credentials using the Social-Engineer Toolkit (SET). SET is an open-source, Python-driven tool aimed at penetration testing around social engineering. It is developed by David Kennedy, the founder of TrustedSec.

For this tutorial, I will use Kali Linux as the “main” (attacker) operating system and Windows 7 as our target machine. SET comes pre-installed in Kali Linux. To run SET, open a terminal in Kali Linux and type the command below.

setoolkit

Create scenario

Once SET is loaded it will show a few options, as shown in the image below. Select “Social-Engineering Attacks” by entering “1” and hitting enter.

Now it will show you another set of options; select “Website Attack Vectors” by entering “2” and hitting enter.

Then it will show you three options, as shown below. The first option, “Web Templates”, gives you five pre-defined websites that you can use for phishing. The second option, “Site Cloner”, lets you clone the login page of any website. The third option, “Custom Import”, which we will be using in this tutorial, lets you use your own login page template. Select option “3) Custom Import” and press enter.

Next, it will ask for your IP address. If you are running the attack on the LAN you can provide your internal IP address; if you are executing the attack over the WAN you have to provide your external IP address. In this tutorial we will be executing the attack on the LAN; to check your internal IP address, run “ifconfig”. Enter your IP address and hit enter.

Now go to www.facebook.com and save the login page by right-clicking and selecting the “Save as” option. A new window will pop up; rename the file to “index” and select “Webpage, HTML Only” in the drop-down menu below.

Enter the path where you stored the index.html file, making sure to add “/” at the end of the path. Now it will show you two options; select “copy the entire folder” and hit enter. Then enter the address of the website you are impersonating. Follow these steps as shown in the image below.

Well done! You have successfully configured the Social-Engineer Toolkit’s Credential Harvester Attack. Your screen should now look similar to the image shown below.

In this step, I will show you how the attack works by opening the phishing link on the target machine and entering fake login credentials into our phishing Facebook page. I will go to the target machine, open Internet Explorer, enter the Kali IP address (10.0.0.10) in the address bar and fill in the login details.

Now I will go back to Kali Linux and check whether we have successfully harvested the login details.

We have successfully stolen the Facebook login credentials from the target machine.

A few tips to stay safe while browsing: always check the address bar when you log in to any website. In the tutorial above, if we had checked the address bar we would have seen a bare IP address instead of facebook.com and known that it was a fake login page.
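As an added example (not part of the original post), here is a small Python checker that applies this tip mechanically: given the URL shown in the address bar and the page HTML, it flags a bare IP address or a non-Facebook host, a page not served over HTTPS, and a login form that posts anywhere other than facebook.com. The cloned-page sample and the list of legitimate hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse, urljoin

# Assumed set of hosts where a genuine Facebook login form may live (illustrative).
LEGIT_HOSTS = {"www.facebook.com", "facebook.com", "m.facebook.com"}


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # Missing or empty action means "post back to the current URL".
            self.actions.append(dict(attrs).get("action") or "")


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_login_page(page_url, html):
    """Return a list of warnings for a page that claims to be the Facebook login."""
    warnings = []
    u = urlparse(page_url)
    host = (u.hostname or "").lower()
    if u.scheme != "https":
        warnings.append("page is not served over https")
    if _is_ip_literal(host):
        warnings.append(f"address bar shows a bare IP address ({host})")
    elif host not in LEGIT_HOSTS:
        warnings.append(f"host {host!r} is not a Facebook login host")
    collector = _FormCollector()
    collector.feed(html)
    for action in collector.actions:
        # Resolve relative actions against the page URL to find the real target host.
        target = (urlparse(urljoin(page_url, action)).hostname or "").lower()
        if target not in LEGIT_HOSTS:
            warnings.append(f"login form posts to {target!r}, not to Facebook")
    return warnings


# Constructed sample: a saved login page served from the 10.0.0.10 address used above.
CLONED_PAGE = """<html><body><form id="login_form" action="" method="post">
<input name="email"><input name="pass" type="password"></form></body></html>"""

# Constructed sample: the same form as it would look on the genuine site.
LEGIT_PAGE = """<html><body><form id="login_form" action="/login/" method="post">
<input name="email"><input name="pass" type="password"></form></body></html>"""
```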
