In the previous lessons you learned about what phishing is. In this lesson, we will use a tool called setoolkit to create (clone) a website and use that fake cloned website to harvest username and passwords (credentials).

Normally, the first thing we will do is to start the setoolkit program, which you can do by typing './setoolkit' within the 'set' folder, in a hacker distro. But we have already done this for you.

You should see a list of different options that you can select from.

Since we are going to be tricking the user into giving secretive information. We are going to be performing a Social Engineering Attack. Select option number 1.

Next choose the Website Attack Vectors option since we will clone a real website and use the fake cloned website to trick someone. Select option number 2.

Using that fake cloned website, we will attempt to steal an unsuspecting (phished) use of their username and password (or credentials). So we will choose the Credential Harvesting attack type, which is option number 3.

We will be creating a website that looks and seems exactly like another website. In other words we will clone a real website. Select the Site Cloner option, which is option number 2.

Go to the next step.

As a hacker, once the victim enters their username and password, we will want to capture that information. In order to do so, we will have to post that information to a location where we can access it. This is the postback IP address or the IP address of the server where the fake cloned website is running.

Normally, we can use ifconfig to find the IP address of the webserver, but since we are using a cloud learning environment, we will use the URL that is generated for us when the learning environment is setup.

This URL is [[HOST_SUBDOMAIN]]-8099-[[KATACODA_HOST]].environments.katacoda.com

You can click on the URL above to copy it or you can also select the URL shown above and copy it using the keyboard shortcut (Ctrl+C) if you are using Windows keyboard or Cmd+C if you are using Mac keyboard.

Now in the terminal, where it asks for IP address, using the keyboard shortcuts, (Ctrl+V for Windows or Cmd+V for Macs), paste that copied URL.

Then press the enter or return key to continue.

Go to the next step.

You should see a prompt that says set:webattack> Enter the url to clone:

The website you will be cloning today is https://skyward.pfisd.net/StudentSTS/. If you try to just enter this website into the suggested prompt box it will not work, because Skyward has some security measures built into place.

So what we did was we copied the HTML code from Skyward, removed the security measures and created a fake clone of Skyward.

Now to social engineer someone you still can't send them this fake cloned Skyward, because there is no code to harvest the credentials (username and password) just yet. So now we have to clone the clone to harvest the credentials.

So click on the tab that says Skyward. This is the cloned website which we are going to duplicate within the social engineering toolkit to harvest credentials. The URL for this website is [[HOST_SUBDOMAIN]]-80-[[KATACODA_HOST]].environments.katacoda.com

Then copy this link and paste it where it says set:webattack> Enter the url to clone:

Once you have pasted your prompt should look like set:webattack> Enter the url to clone: [[HOST_SUBDOMAIN]]-80-[[KATACODA_HOST]].environments.katacoda.com

You will see a message as shown below:

[*] Cloning the website:
https://[[HOST_SUBDOMAIN]]-80-[[KATACODA_HOST]].environments.katacoda.com
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.

[*] You may need to copy /var/www/* into /var/www/html depending on where your directory structure is.
Press {return} if you understand what we're saying here.

Press the enter or return key to continue.

Go to the next step.

You will see a message like [*] Apache is set to ON - everything will be placed in your web root directory of apache. [*] Files will be written out to the root directory of apache. [*] ALL files are within your Apache directory since you specified it to ON. [!] Apache may be not running, do you want SET to start the process? [y/n]:

Press y to start the Apache web server.

Now you will see the following message Apache webserver is set to ON. Copying over PHP file to the website. Please note that all output from the harvester will be found under apache_dir/harvester_date.txt Feel free to customize post.php in the /var/www/html directory [*] All files have been copied to /var/www/html [*] SET is now listening for incoming credentials. You can control-c out of this and completely exit SET at anytime and still keep the attack going. [*] All files are located under the Apache web root directory: /var/www/html [*] All fields captures will be displayed below. [Credential Harvester is now listening below...]

Leave the credential harvester running for now. We will come back to this later.

Go to the next step.

Now, generally the hacker (you) will send a phishing email to a target user telling them to check out a cool new post/tweet and give them the URL of the website that is cloned. Some will even go to the extent of masking the IP or the URL link so that the link looks legitimate. For time purposes, we won't do this. Normally most people would click on it, especially if they trust you.

Now think of yourself as the one receiving the phishing email and you clicked on the link.

To simulate this, click on the tab that reads Hacker Website (this will be the phishing website that a real user would get redirected to when they click on the phishing link). It will open up the page and show the cloned (fake) website. You should see the fake website looks like the website that was cloned.

Type in a username and password. It can be anything. For example you can use CyberShaolin for the username and cyb3rn1nja for the password. It is advisable that for this learning purposes, you do NOT use your real skyward account username and/or password. Click on the button that says Login.

Go to the next step.

Click on Terminal tab where the Credential harvester was left running.

When the user (victim) types in their username and password and clicks on the button that says Login, you should see the username and password that you typed in the browser displayed as shown below:
('Array\n',) ('(\n',) (' [UserName] => CyberShaolin\n',) (' [Password] => cyb3rn1nja\n',) (' [Area] => \n',) (' [Controller] => \n',) (' [Action] => \n',) (' [Tab] => \n',) (' [Id] => \n',) (')\n',)
Go to the next step.

To exit out of the setoolkit program, on the terminal window, use the keyboard shortcut, Ctrl+C in both Windows and in Mac OS.

Press Ctrl+C

You will get a notice stating that though you are exiting the program, the social engineering credential harvester request is still running and logging as shown below. [*] Exiting the menu - note that everything is still running and logging under your web directory path: /var/www/html {Press return to continue}

Press the enter key or return key to continue.

Then type exit in the prompt set:webattack> to get out of the setoolkit tool.

Go to the next step.

The setoolkit also logs the same information that you see displayed on the terminal window into a log file or harvester file. This harvester file is in the /var/www/html directory. The file is named with with the timestamp when the credential harvester attack was initiated.

In the command prompt, type cd /var/www/html to navigate to directory where the log files are.

Type ls -la and see that there is a harvester file with a new timestamp - it should be the harvester file with the current date. E.g., harvester_2020-01-11 21:39:55.714597.txt The credentials we hacked will be in this file.

Note: There may be other harvester files in that directory and so make sure that you see the one created with the timestamp when you were running the attack.

Go to the next step.

To read the contents of the harvester file, we can use the cat command.

cat the harvester file that was created with the timestamp when you conducted the credential harvested attack. It will usually the one with the latest timestamp. Example: cat harvester_2020-01-11 21:39:55.714597.txt

Once you cat that file, you should see in it the credentials that were logged (as shown below). ( [UserName] => CyberShaolin [Password] => cyb3rn1nja [Area] => [Controller] => [Action] => [Tab] => [Id] => )

You have learned how to successfully social engineer and hack someone!

In this lesson, you have learned about social engineering techniques using the setoolkit program.

Hope you had fun learning! :-)