Welcome!
Hacking Humans - KLMS Version
Here you will learn how hackers use social engineering techniques to trick someone into revealing personal and private information.
In this training kwoon you will learn more about social engineering using phishing. You will learn how to trick an unsuspecting victim into revealing private and personal information about themselves by cloning a website and having the victim give you their username and password.
This is only for educational purposes. Please be respectful of other people's personal and private information and do not engage in any hacking techniques without adequate permissions.
© CyberShaolin. All rights reserved.
In this course, you have learned about social engineering techniques using the setoolkit program.
Hope you had fun learning! :-)

Steps
Hacking Humans - KLMS Version
This lesson was made specifically for Kelly Lane Middle School (KLMS) students, so if you are not part of the KLMS Catapult class you may ignore this lesson and continue with the next one.
Here you will learn about how hackers use social engineering techniques to hack humans, using the Social Engineering Toolkit (setoolkit).
Are you ready for learning?
Don’t worry, we will help you through this exercise, step by step.
setoolkit Setup
In the previous lessons you learned about what phishing is. In this lesson, we will use a tool called setoolkit to create (clone) a website and use that fake cloned website to harvest usernames and passwords (credentials).
Normally, the first thing we will do is to start the setoolkit program, which you can do by typing './setoolkit' within the 'set' folder, in a hacker distro. But we have already done this for you.
You should see a list of different options that you can select from.
Since we are going to be tricking the user into giving up secret information, we are going to be performing a Social Engineering Attack. Select option number 1.
Next choose the Website Attack Vectors option since we will clone a real website and use the fake cloned website to trick someone. Select option number 2.
Using that fake cloned website, we will attempt to steal an unsuspecting (phished) user's username and password (or credentials). So we will choose the Credential Harvesting attack type, which is option number 3.
We will be creating a website that looks and seems exactly like another website. In other words we will clone a real website. Select the Site Cloner option, which is option number 2.
Go to the next step.
Postback Location
As a hacker, once the victim enters their username and password, we will want to capture that information. In order to do so, we will have to post that information to a location where we can access it. This is the postback IP address or the IP address of the server where the fake cloned website is running.
Normally, we can use ifconfig to find the IP address of the webserver, but since we are using a cloud learning environment, we will use the URL that is generated for us when the learning environment is set up.
This URL is [[HOST_SUBDOMAIN]]-8099-[[KATACODA_HOST]].environments.katacoda.com
You can click on the URL above to copy it, or you can select the URL shown above and copy it using the keyboard shortcut (Ctrl+C if you are using a Windows keyboard or Cmd+C if you are using a Mac keyboard).
Now in the terminal, where it asks for the IP address, use the keyboard shortcut (Ctrl+V for Windows or Cmd+V for Mac) to paste the copied URL.
Then press the enter or return key to continue.
Go to the next step.
Cloning Website
You should see a prompt that says set:webattack> Enter the url to clone:
The website you will be cloning today is https://skyward.pfisd.net/StudentSTS/. If you try to just enter this website into the suggested prompt box it will not work, because Skyward has some security measures built into place.
So what we did was we copied the HTML code from Skyward, removed the security measures and created a fake clone of Skyward.
Now to social engineer someone you still can't send them this fake cloned Skyward, because there is no code to harvest the credentials (username and password) just yet. So now we have to clone the clone to harvest the credentials.
So click on the tab that says Skyward. This is the cloned website which we are going to duplicate within the social engineering toolkit to harvest credentials. The URL for this website is [[HOST_SUBDOMAIN]]-80-[[KATACODA_HOST]].environments.katacoda.com
Then copy this link and paste it where it says set:webattack> Enter the url to clone:
Once you have pasted it, your prompt should look like set:webattack> Enter the url to clone: [[HOST_SUBDOMAIN]]-80-[[KATACODA_HOST]].environments.katacoda.com
You will see a message as shown below:
[*] Cloning the website:
https://[[HOST_SUBDOMAIN]]-80-[[KATACODA_HOST]].environments.katacoda.com
[*] This could take a little bit...
The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] You may need to copy /var/www/* into /var/www/html depending on where your directory structure is.
Press {return} if you understand what we're saying here.
Press the enter or return key to continue.
Go to the next step.
Start Harvesting Webserver
You will see a message like:
[*] Apache is set to ON - everything will be placed in your web root directory of apache.
[*] Files will be written out to the root directory of apache.
[*] ALL files are within your Apache directory since you specified it to ON.
[!] Apache may be not running, do you want SET to start the process? [y/n]:
Press y to start the Apache web server.
Now you will see the following message:
Apache webserver is set to ON. Copying over PHP file to the website.
Please note that all output from the harvester will be found under apache_dir/harvester_date.txt
Feel free to customize post.php in the /var/www/html directory
[*] All files have been copied to /var/www/html
[*] SET is now listening for incoming credentials. You can control-c out of this and completely exit SET at anytime and still keep the attack going.
[*] All files are located under the Apache web root directory: /var/www/html
[*] All fields captures will be displayed below.
[Credential Harvester is now listening below...]
Leave the credential harvester running for now. We will come back to this later.
Go to the next step.
Hacking The Victim
Now, generally the hacker (you) will send a phishing email to a target user telling them to check out a cool new post/tweet and give them the URL of the website that is cloned. Some will even go to the extent of masking the IP or the URL link so that the link looks legitimate. For time purposes, we won't do this. Normally most people would click on it, especially if they trust you.
Now think of yourself as the one receiving the phishing email and you clicked on the link.
To simulate this, click on the tab that reads Hacker Website (this will be the phishing website that a real user would get redirected to when they click on the phishing link). It will open up the page and show the cloned (fake) website. You should see that the fake website looks like the website that was cloned.
Type in a username and password. It can be anything. For example you can use CyberShaolin for the username and cyb3rn1nja for the password. For this learning exercise, it is advisable that you do NOT use your real Skyward account username and/or password. Click on the button that says Login.
Go to the next step.
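The cloned page looks the same as the real one, but two things give it away to a defender: the address it is served from, and the place its login form sends the password (the postback location set earlier). The check below is an added example, not part of the original lesson or of setoolkit; the sample HTML and the host phish.example are constructed for illustration, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

TRUSTED_HOST = "skyward.pfisd.net"  # the real login host named in this lesson


class _FormScanner(HTMLParser):
    """Collect the action of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self._action = None        # action of the form currently open, if any
        self.password_forms = []   # actions of forms holding a password input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif (tag == "input" and (a.get("type") or "").lower() == "password"
              and self._action is not None):
            self.password_forms.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def audit_login_page(page_url, html, trusted_host=TRUSTED_HOST):
    """Return a list of reasons not to type a password into this page."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append("page is not served over https")
    if (page.hostname or "") != trusted_host:
        findings.append(f"page host {page.hostname} is not {trusted_host}")
    scanner = _FormScanner()
    scanner.feed(html)
    for action in scanner.password_forms:
        # A relative or empty action posts back to the page's own host.
        target = urlsplit(urljoin(page_url, action)).hostname
        if target != trusted_host:
            findings.append(f"password form posts to {target}")
    return findings


# Constructed sample: a login form that lives on, and posts to, another host.
SAMPLE_HTML = """<form action="http://phish.example/post.php" method="post">
<input name="UserName"><input name="Password" type="password">
<input type="submit" value="Login"></form>"""

if __name__ == "__main__":
    print("\n".join(audit_login_page("http://phish.example/", SAMPLE_HTML)))
```

The host comparison is an exact match on purpose: a lookalike such as skyward.pfisd.net.phish.example contains the trusted name but is a different host and is flagged.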
The Hacker's View
Click on the Terminal tab where the credential harvester was left running.
When the user (victim) types in their username and password and clicks on the button that says Login, you should see the username and password that you typed in the browser displayed as shown below:
('Array\n',)
('(\n',)
(' [UserName] => CyberShaolin\n',)
(' [Password] => cyb3rn1nja\n',)
(' [Area] => \n',)
(' [Controller] => \n',)
(' [Action] => \n',)
(' [Tab] => \n',)
(' [Id] => \n',)
(')\n',)
Go to the next step.
Close setoolkit
To exit the setoolkit program, use the keyboard shortcut Ctrl+C in the terminal window, on both Windows and Mac OS.
Press Ctrl+C
You will get a notice stating that although you are exiting the program, the social engineering credential harvester is still running and logging, as shown below.
[*] Exiting the menu - note that everything is still running and logging under your web directory path: /var/www/html
{Press return to continue}
Press the enter key or return key to continue.
Then type exit in the prompt set:webattack> to get out of the setoolkit tool.
Go to the next step.
Harvested Credentials
The setoolkit also logs the same information that you see displayed on the terminal window into a log file or harvester file. This harvester file is in the /var/www/html directory. The file is named with the timestamp when the credential harvester attack was initiated.
In the command prompt, type cd /var/www/html to navigate to the directory where the log files are.
Type ls -la and see that there is a harvester file with a new timestamp - it should be the harvester file with the current date. E.g., harvester_2020-01-11 21:39:55.714597.txt
The credentials we hacked will be in this file.
Note: There may be other harvester files in that directory, so make sure that you look at the one created with the timestamp when you were running the attack.
Go to the next step.
Read Hacked Credentials
To read the contents of the harvester file, we can use the cat command.
cat the harvester file that was created with the timestamp when you conducted the credential harvester attack. It will usually be the one with the latest timestamp. Because the file name contains a space, put it in quotes.
Example: cat "harvester_2020-01-11 21:39:55.714597.txt"
Once you cat that file, you should see in it the credentials that were logged (as shown below).
(
[UserName] => CyberShaolin
[Password] => cyb3rn1nja
[Area] =>
[Controller] =>
[Action] =>
[Tab] =>
[Id] =>
)
You have learned how to successfully social engineer and hack someone!
The End
In this lesson, you have learned about social engineering techniques using the setoolkit program.
Hope you had fun learning! :-)