Site Cloning and Credential Harvesting

There are many methods a hacker can use to grab someone's online credentials. Login credentials to, let's say, a bank, credit card, email or social networking site are relatively easy to obtain without hacking the actual site. In this post I want to illustrate how a hacker can use a cloned site to achieve this, and how you can protect yourself as well. Again I will be using the Social Engineering Toolkit (SET). I mentioned in my last post that SET has a variety of tools that you can use as a pentester. One really easy tool to use is the site cloning feature.

Just like the last post, we will use Kali Linux and open a terminal window. We first start SET by typing setoolkit at the command prompt.

Figure 1.1

You will be greeted by the screen below in Figure 1.2.

Figure 1.2

Next choose option 1, which is Social Engineering Attacks.

Figure 1.3

Then we choose option 2, which is Website Attack Vectors.

Figure 1.4

Next we choose option 3, which is the Credential Harvester Attack Method.

Figure 1.5

We will now choose option 2, which is the Site Cloner.

Figure 1.6

We will then be asked for the IP address for the POST back in Harvester/Tabnabbing. This is the IP address of our pentester machine, where the cloned page will post the harvested credentials back to. Since I am performing this hack on my LAN, I entered 192.168.1.107, which happens to be the address of my pentesting box that I put together using a Raspberry Pi 2.

After entering the IP address above, we will be greeted by the screen below.

Figure 1.7

I wanted to clone Instagram, so I copied the web address from the actual site. I could have typed www.instagram.com at the command prompt above, but copying the address from the real site's address bar leaves little room for mistakes.

Figure 1.8

Figure 1.9

After entering the address, hit the return key. After SET clones Instagram and saves it in your /var/www/html folder, you will see the screen below.

Figure 2.0

I then opened a browser and pointed it to the IP of my pentesting box by entering 192.168.1.107 into the address bar.

I was greeted by the screen below in Figure 2.0. As you can see, the site was cloned and looks just like the official site. I then entered pentester as the username and test as the password.

Figure 2.1

As you can see in the image below, SET has successfully captured the username and password and saved them to a text file, which can be found in the /var/www/html folder.

Figure 2.2

This was a very easy hack to pull off, and that is the scary part. Since it took little effort on my part to set up, you can see how Internet users are vulnerable to this type of attack. I performed this hack on my LAN, but it can also be carried out over the Internet (WAN) with relative ease. All I would need to do is send an email to a victim with a fake Instagram link that would forward them to my pentesting machine and the cloned version of the site.

To conclude, you can protect yourself by making sure the address in your browser is the official Instagram address before entering your credentials. All secure logins will begin with HTTPS, though HTTPS on its own only tells you the connection is encrypted, so check the domain name as well.
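As an added example that is not part of the original post, here is a small Python check that applies the advice above to the links in an e-mail body: it flags links that are not HTTPS, that point at a bare IP address (such as the pentesting box in this post), or whose visible text names the official site while the href goes elsewhere. TRUSTED_HOSTS and the sample e-mail body are assumptions constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hostnames treated as the official login site (assumption chosen for this example).
TRUSTED_HOSTS = {"instagram.com", "www.instagram.com"}

# Good enough for simple e-mail bodies like the constructed sample below; a real
# mail filter would use an HTML parser instead of a regular expression.
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_ip_host(host):
    # True when the link target is a bare IP address rather than a domain name.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_link(href, text):
    # Return the reasons a link looks like a cloned-site lure; an empty list means
    # it passes every check in this example.
    url = urlparse(href)
    host = (url.hostname or "").lower()
    reasons = []
    if url.scheme != "https":
        reasons.append("not HTTPS")
    if is_ip_host(host):
        reasons.append("link points at a bare IP address")
    if host not in TRUSTED_HOSTS:
        reasons.append(f"host {host!r} is not the official site")
        # Visible text names the real site while the href goes somewhere else.
        if any(t in text.lower() for t in TRUSTED_HOSTS):
            reasons.append("link text names the official site but href does not")
    return reasons

def scan_email(html):
    # Map every link in the body to its list of warnings.
    return {href: check_link(href, text.strip()) for href, text in ANCHOR_RE.findall(html)}

# Constructed sample body: one lure pointing at a LAN address, one genuine link.
SAMPLE_EMAIL = """<p>Your account needs verification.</p>
<a href="http://192.168.1.107/">www.instagram.com</a>
<a href="https://www.instagram.com/">Instagram</a>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or ["passes all checks"])
```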