LET’S HARVEST SENSITIVE CREDENTIALS WITH SPAM MAIL
\_(ツ)_/¯༼ つ ◕_◕ ༽つ(•_•)☆*: .。. o(≧▽≦)o .。.:*☆\^o^/¯\_(ツ)_/¯
Now, we are going to do a social engineering attack by harvesting credentials from the victim. Here, we go phishing by making the victim fish and spam mail as the bait. Interesting right ??? :D:D:D:D
So, we will send a spam mail to the victim and ask him to update the password by using the link we provided in the mail which will redirect him to our google form that we created resulting a harvesting attack. So, when he give out the credentials, our harvesting credentials attack becomes successful. Then, we can steal his email and password. Pretty easy right? :)
So, before that, let’s learn what is a social engineering attack and about techniques and tools we are using. More learning, more knowledge!!!
What is a social engineering attack?
Social engineering is the art of manipulating people to give out credentials.
One of the main flaws that exist in computer system is human error. In social engineering, that is exploited and the hacker is manipulating people to reveal their sensitive details that can be used to obtain unauthorized access to the computer system.
What is Credential harvesting ?
Credential harvesting is a technique commonly used by hackers to obtain user credentials by launching MITM attacks, phishing etc. to access sensitive data.
What is a spam mail ?
Spam mails are genuine looking emails that claim to be used by an approved entity to infect computers or steal data.
SEToolkit
The social engineering Toolkit(SET) is a standard toolset using in penetration testing to carry out many social engineering attacks.
So, let’s jump into the tutorial !!!!!
First, let’s learn how the social engineering toolkit is used to build the fake login page prototype. Open the kali terminal and type SEToolkit to start the social engineering toolkit.
As we are doing a social engineering attack, type 1 from the given list and again we get to select the attack vector types.
Here, we should give website attack vectors and then we get the list of attacking methods to select.
Select credential harvesting attack method and then we should decide whether to use a web template or clone a site or use a custom input. In this tutorial, we are using web templates.
Then we should give our internal IP address. If you want to do this remotely, use the public IP address.
Then we need to select the type of the template and as we are creating a google form, select google.
Now, we have created the google template. So, while keeping this terminal opened, go to the web browser and type the IP address and the template looks like this.
When the victim get tricked and visit our link, then he will be redirected to this template. So, when you are carrying out the attack, do not close this terminal because, all the credentials given by the victim in the template will be displayed in this terminal.
Now, we are going to create the spam mail. First, open another new terminal and again start the toolkit. Choose social engineering attack and then select mass mailer attack to create the spam mail.
Choose option 1 and then we should give the victim’s email.
Next, select option 1 to give out the e-mail which we expect to use as the sending e-mail.
Then follow the following steps and give out how the spam should be displayed. Here, you can select to send the message as a plain text or as a html or whether to attach any file to the mail. It’s up to you. ;)
Soo, finally we can see that the spam mail has been created and it has been sent to the victim. ¬_¬
So, when the victim visits the link he will be redirected to the template and when he give out the credentials, it will be displayed in our terminal as below.
