How I steal your credentials 😎

Ethical Wolf
Published in System Weakness, Jan 21, 2022

Hi guys, in this blog I want to show you how easy it is to create a phishing campaign targeting a company or simply an individual, with the intention of appropriating someone else’s credentials.

Disclaimer: this blog is for educational purposes only!

To do this we simply need:

  • Linux OS
  • Setoolkit
  • Ngrok
  • Simple Html template

First of all, let’s launch setoolkit. This is a tool that can be found pre-installed in most versions of Linux.

Once you have launched setoolkit, you will be shown a menu with various options to choose from.
The option we are interested in is Social-Engineering Attacks.

The menu we have chosen shows various types of attack. To create a classic phishing attack, we must choose option number 2, Website Attack Vectors.

Then opt for Credentials Harvester Attack Method.

And then finally choose the Site Cloner option.

At this point, we must enter our private IP address, to which the page we have decided to clone will be directed.
If you are using one of the newer versions of setoolkit, the address will be shown automatically. Otherwise you can check it with the usual ifconfig command.

Now we come to the interesting part.
For this example I decided to clone the Poste Italiane login page (Poste Italiane is now the largest logistics operator in Italy, and is a leading player in the financial, insurance and payment services sector).

It should be pointed out that Poste Italiane has tightened up its login methods, making it extremely difficult to log in with just what we know, i.e. username and password. But for the purposes of this example, that’s enough for us.

To do this, just go to the Poste Italiane login page and copy the URL.

To check that everything has been done correctly, we enter the IP address we are using in the address bar of our browser, where the page we have decided to clone will be displayed.

Now, if the victim is directed to our IP and enters their credentials, these will be displayed on the terminal where we keep setoolkit open.
But to do this our victim must not be outside our LAN.
But what if we want our malicious page to be reachable from anywhere?

Here’s where ngrok comes in handy.

Ngrok is a sensational, open source, cross-platform reverse proxy server for exposing local servers behind NATs and firewalls to the public Internet through secure tunnels.
Downloading it is extremely simple. Just register and follow the instructions on the Download page.

Once ngrok has been downloaded, all we have to do is run it.

Once run, ngrok will automatically create a tunnel that directs connections to our local IP.

Boom. It’s done! Now our malicious page will be reachable from anywhere!

Attempting to log in by entering our credentials as shown in the image above will show them on the terminal where setoolkit is listening:

Now that the bulk of the work has been done, all that remains is to decide how to address the victim(s).
To do this, we can always rely on setoolkit to choose the following options:

  • Open setoolkit in another terminal
  • Choose the option Social-Engineering Attacks again
  • Then choose Mass Mailer Attack
  • And finally choose either a single mail attack or a mass mailer attack
  • As an example we use the single mailer attack.
  • Then, setoolkit will ask us who to send the e-mail to
  • Once we have entered the email address of our victim, we have to choose the sending option: whether we want to use a Gmail account, our own server or an open relay (e.g. Mailgun).
  • For our example we will use a simple Gmail account, after which we need to enter the other required parameters as shown below:

We must choose whether to use a simple text message or HTML code. To make the email more attractive we will use HTML. As an example I have created a rough HTML template to keep things simple, but we are free to let our imagination work.

Job completed!!!

Now all we have to do is wait for our victim to visit the page we sent them.

OK, we saw a phishing-type attack. But how can we mitigate this type of attack?

Phishing is an attack technique that relies on human error, so being prepared for these types of attacks is crucial.
Here are a few steps a company can take to protect itself against phishing:

  • Educate your employees and conduct training sessions with mock phishing scenarios.
  • Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
  • Encrypt all sensitive company information.
  • Convert HTML email into text only email messages or disable HTML email messages.
  • Adopt a DMARC solution.
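
As an added example (not part of the original post), here is a mail-filter-style check in Python for the link patterns this walkthrough produces: an href pointing at a raw IP address or an ngrok tunnel hostname, and HTML link text that names a different domain than the href. The suffix list, the sample message and all function and reason names are assumptions made for this illustration.

```python
import ipaddress
import re
from contextlib import suppress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hostname suffixes used by ngrok tunnels; maintain your own list.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".ngrok.dev")
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Constructed sample body; uses reserved documentation names and addresses.
SAMPLE_HTML = """<a href="https://constructed-example.ngrok.io/login">www.example.com</a>
<a href="http://192.0.2.10/">Log in</a>
<a href="https://www.example.com/help">example.com help</a>"""


class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html_body):
    """Return (href, reason) pairs for links a mail filter should flag."""
    collector, findings = LinkCollector(), []
    collector.feed(html_body)
    for href, text in collector.links:
        host = ""
        with suppress(ValueError):  # malformed URL, or host is not an IP literal
            host = (urlsplit(href).hostname or "").lower()
            ipaddress.ip_address(host)
            findings.append((href, "ip-literal-host"))
        if host.endswith(TUNNEL_SUFFIXES):
            findings.append((href, "tunnel-service-host"))
        # Domain the reader sees in the link text, if any; else nothing to compare.
        d = m.group(1).lower() if (m := DOMAIN_IN_TEXT.search(text)) else host
        if host and not (host == d or host.endswith("." + d) or d.endswith("." + host)):
            findings.append((href, "text-domain-mismatch"))
    return findings
```

The mismatch check will also fire on link text that merely looks like a domain (a file name, for instance), so treat its findings as a signal for scoring or review rather than a verdict.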

Hi, I'm the ethical wolf and I'm coming out of the IT woods to spread all the useful information regarding cybersecurity, networking and programming.