Easily hack user credentials with Social Engineer Toolkit

DISCLAIMER: The technique explained below is intended for educational purposes only. I'm not responsible for any unlawful actions resulting from improper use of such information.

Social Engineer Toolkit makes it very easy to steal user credentials to websites.

One of its features, called credential harvester, is a lot of fun.

You can create a clone of a very popular website, such as Facebook or Gmail, and then either send a link to it to your victims through a phishing email or convince the victims to click it by using social engineering techniques.


How-To

To access this tool, from the SET main menu, you need to choose Social Engineering Attacks (item 1).

Then choose 2 (Website attack vectors) and finally 3 (Credential Harvester).

Advantages 

Once the victims enter their credentials, Social Engineer Toolkit displays them and generates a report for you in both HTML and XML format.

The best part of this attack is that the victims will not suspect anything because, after logging in to the fake website, they will be redirected to the real one, as if they had logged in normally.

No red flag is raised and no security alerts like the one below should pop up.

This technique is as stealthy as can be.

The best results can be obtained when the page displays both a username and a password field.

In fact, Gmail isn't a good target, because Google separated the login page for your Google account from the Gmail login page.

Now you need to go through https://accounts.google.com, enter your username first, and then you get redirected to the real login page.

So, credential harvester can only grab the username but not the password, in this case.

On the other hand, this attack can work great with social media websites.

In the embedded video, I successfully used LinkedIn for this attack.
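The redirect to the real site described above is also something a defender can look for in web proxy logs: a POST to an unfamiliar host followed moments later by the same client landing on the genuine site. The sketch below is an added example, not part of the original post or of SET; the log format, the watched domains, the time window and all sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WATCHED = {"linkedin.com", "facebook.com"}  # assumption: sites you want to protect
WINDOW = timedelta(seconds=5)               # assumption: tune to your own traffic

# Constructed proxy log lines: timestamp, client IP, method, URL
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 GET http://203.0.113.7/
2024-05-01T10:00:20 10.0.0.5 POST http://203.0.113.7/
2024-05-01T10:00:21 10.0.0.5 GET https://www.linkedin.com/
2024-05-01T10:05:00 10.0.0.9 POST https://www.linkedin.com/login
2024-05-01T10:05:01 10.0.0.9 GET https://www.linkedin.com/feed/
2024-05-01T10:07:00 10.0.0.8 POST http://intranet.example/form
2024-05-01T10:09:00 10.0.0.8 GET https://www.linkedin.com/
"""

def watched_domain(host):
    """Return the watched domain that host belongs to, or None."""
    for domain in WATCHED:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def find_harvest_pattern(log_text):
    """Flag a POST to an unwatched host that is followed, within WINDOW and
    from the same client, by a request to a watched site."""
    last_post = {}  # client -> (time, host) of latest POST to an unwatched host
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, method, url = parts
        when = datetime.fromisoformat(ts)
        host = (urlsplit(url).hostname or "").lower()
        brand = watched_domain(host)
        if brand is None:
            if method == "POST":
                last_post[client] = (when, host)
            continue
        prev = last_post.pop(client, None)
        if prev and when - prev[0] <= WINDOW:
            hits.append((client, prev[1], brand))
    return hits

if __name__ == "__main__":
    for client, post_host, brand in find_harvest_pattern(SAMPLE_LOG):
        print(f"{client}: POST to {post_host}, then landed on {brand}")
```

A hit is a lead for triage rather than a verdict, since legitimate flows such as a single sign-on provider posting and then redirecting can produce the same sequence.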

Wrap-up

Many people wonder how their social media or email accounts get hacked, maybe thinking there's some sort of magic involved.

This is not really the case. It's much easier than you might think.

A careless click on a malicious link is all that's needed for the trick to succeed.

This shows once again the need for a healthy paranoid attitude when dealing with the Internet and inbound emails.

Don't trust it, don't ignore the voice in your brain telling you something doesn't look right here. 

That's survival instinct and you should always trust your gut.

NOTE: In the video, I wrongly refer to the /var directory when talking about the location where SET used to store credentials, but it is actually the /var/www/html directory.

Another thing. Don't try to hack the Gmail account shown in the video. I'd know about it, you'd waste your time (I don't click any links I'm unsure of in a production system, I'm a professional paranoid) and anyway I deleted it already.
