In this article, we will be looking at web based attacked using Kali Linux. Go the SE Toolkit in Kali, and set:webattack> 3
The Credential Harvester Attack Method helps create websites to trick users into giving up their credentials. Next you will be prompted to choose what sort of website sorter you will like to choose and you will pick set:webattack> 1 (Which is Web Templates)
Now enter the IP address for the website to post credentials back to. We can just use the local IP address for the Kali virtual machine, but if you use this attack against a client, you will need an Internet-facing IP address.
IP Address for the POST back in Harvester:192.168.20.9
Now choose a template. Because we want to trick users into entering their credentials, choose a template with a login field, such as Gmail (option 2), as shown in the prompt. SET shoudl now start a web server with our fake Gmail page, a clone of the actual Gmail page.
Now browse to the cloned Gmail site at the Kali Linux web server and enter some credentials to see how this works. After entering credentials you should be redirected to the real Gmail site. To a user it will just seem like he or her just typed in their password incorrectly. In the meantime, back in SET, you should see field report in your linux.
When the user submits the page, SET highlights the fields that it thinks are interesting. Note that this attack can be even more interestering if you use option 5, Site Cloner, to make a copy of your customer's site. If they do not have a page with a login form of some sort (VPN, webmail, blogging, and so on) you can even create one. Clone their site, and add a simple HTML form like this: