Credential Harvester Attack Method

24 Feb

As a penetration tester, there will be times when the client's requirements include performing social engineering attacks against their own employees, in order to test whether they follow the company's policies and security controls.

After all, if an attacker fails to gain access to a system directly, they may try alternative approaches such as social engineering.

In this post we will see how the Credential Harvester Attack Vector of the Social Engineering Toolkit (SET) can be used to obtain valid passwords.

The first thing we need to do is attach our laptop to the network of the company against which we are performing the social engineering attack. Once our system obtains a valid IP address from the DHCP server, we are ready to launch the attack.

We open SET and see the following options:

SET Menu

Our choice will be the Website Attack Vectors, because as the scenario indicates we need to test how vulnerable our client's employees are to phishing attacks. In the next screenshot we can see the attacks that we have at our disposal.

Choosing the Credential Harvester Attack Method

We will use the Credential Harvester Attack Method because we want to obtain the credentials of the users. As we can see in the next image, SET gives us 3 options.

For this example we will use the Site Cloner option in order to clone the login page of a very popular website, which will serve as the bait.

Choosing the Site Cloner Method

Now we are ready for the last setting: choosing the website that SET will clone. We have chosen Facebook because it is a well-known website; most of our client's employees will probably have an account, so it will be easier to trick them.

Entering the Website that it will be Cloned

The cloning of the Facebook site has started and our machine is now waiting to capture credentials from network users.

Waiting to capture credentials

Now it is time to send our internal IP to the users in the form of a website link, for example via spoofed emails that pretend to come from Facebook and ask the users to log in for some reason.

If a user reads the email and clicks our link (which is our IP address), he will see the Facebook login page.

Facebook Login Page


Let's see what happens if the victim enters his credentials…


User is inserting his credentials

Grabbing the Username and the Password

As we can see, from the moment the victim submits his credentials into the fake website, SET sends us his email address and his password. This means that our attack method has succeeded.

If many users enter their credentials into our fake website, then it is time to inform our client to re-evaluate their security policy and to provide additional measures against this type of attack.


In the scenario where the user logs in with his account, our attack will have 100% success, but even if the user does not log in with his email and password the attack is still successful, because the user has opened a website that came from an untrusted source.

This means that if the website had hosted some sort of malware, it would have infected the user's computer, because the user simply ignored the company's security policy and opened an untrusted link. So the company must provide the necessary training to their employees so that they have a clear understanding of the risks.

Educating the employees is the key factor, because even if your organization is using all the latest anti-phishing software, the employees can still be the weakest link by opening a link that comes from an unknown origin. They must be aware of what phishing is, must not open arbitrary links and enter their details, and must always check the address bar for anything that does not look normal in order to avoid being scammed.

Always remember that a system administrator can patch a computer, but there is no patch for human weakness.
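The lure in this post is a login link that points at a bare (and here private) IP address while the mail claims to come from Facebook, which is exactly what the advice "check the address bar" is meant to catch. The following is an added example, not code from the original post or from SET, of a small mail-link check a defender could run over inbound HTML: it flags links whose host is an IP literal and links whose visible text names a domain the href does not actually go to. The sample email and the IP address in it are constructed for the example.

```python
# Added example (not from the original post): flag email links that match the
# lure above, i.e. a login link hosted on a bare (often private) IP address or
# whose visible text names one domain while the href points somewhere else.
import ipaddress
import re
from urllib.parse import urlparse

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)  # names in text

def link_host(url):
    """Lowercase hostname of a URL ('' if none); scheme-less links are tolerated."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def same_site(shown, host):
    """True if the href host is the shown domain or a subdomain of it."""
    return host == shown or host.endswith("." + shown)

def analyze_links(html):
    """Return [(href, [reasons])] for links that look like credential lures."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host, reasons = link_host(href), []
        try:
            addr = ipaddress.ip_address(host)
            reasons.append("link host is a bare IP address")
            if addr.is_private:
                reasons.append("address is on a private network")
        except ValueError:
            pass  # not an IP literal
        # The visible text names a domain that the href does not go to.
        for shown in {d.lower() for d in DOMAIN_RE.findall(text)}:
            if not same_site(shown, host):
                reasons.append(f"text shows {shown} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample: spoofed "please log in" mail with one lure and one real link.
SAMPLE_EMAIL = """
<p>Please confirm your account at
<a href="http://192.168.88.10/">https://www.facebook.com/login</a>.</p>
<p>Help: <a href="https://www.facebook.com/help">www.facebook.com/help</a></p>
"""

if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Only the first link is reported; the genuine Facebook help link passes because its visible text and its href host agree.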


Posted on February 24, 2012 in Social Engineering



11 responses to “Credential Harvester Attack Method”

  1. abdul rehaman

    February 28, 2012 at 8:06 am

    I’m able to generate the email from BT to my inbox, but when I click on the link (https:192.168.88.xx (my BT IP and cloned facebook)) the cloned facebook page does not come up. Am I missing something?

  2. netbiosX

    February 28, 2012 at 2:22 pm

    You should check if both your hosts (Backtrack and Victim) are on the same subnet. If not, the cloned website will not come up.

  3. samir-dz

    March 2, 2012 at 2:05 pm

    I like this

  4. jatinder kumar

    May 5, 2012 at 10:44 pm

    All steps are well but I get “/ http/ 1.1” 200 and it is not going away. How can I get the user or password?

  5. netbiosX

    May 7, 2012 at 10:22 am

    @Jatinder kumar The user must enter his credentials into the fake form and then they will be returned to you. Otherwise you will not get anything. It is a very simple attack to implement.

  6. Justin

    June 22, 2012 at 8:13 pm

    How can I make this attack work when I am not on the same subnet as the users. I am doing a pen test for an external company. If I paste in my public IP, it should work right?

  7. netbiosX

    June 23, 2012 at 10:33 am

    @Justin In order for this attack to work externally you have got to go to the configuration file of SET and set the AUTO_DETECT option to Off. In that way SET will ask for your external IP. Also make sure that the port that SET is listening on is open for outside connections.

  8. aaks

    February 4, 2013 at 11:07 am

    Indeed, pasting our IP right, then how can it be a safe attack from our side? Plus I think this works only with hotmail IDs.

  9. netbiosX

    February 4, 2013 at 9:25 pm

    @aaks You can buy a domain or a subdomain and in that way you can hide your IP and your URL will look valid.

  10. BlackByte

    May 20, 2013 at 12:19 pm

    Wow, thanks for the tutorial. I use no-ip on my router but how can I configure the SET of backtrack to the auto_detect mode off?

  11. rajat

    December 17, 2014 at 11:01 am

    When I try to open my IP address in the victim’s PC it doesn’t open!!! What should I do?? Please help me!!

