The most common security incidents result from account compromises due to credential theft. Credential harvesting is a technique employed by an attacker to compromise user credentials. There are various ways to steal credentials from the victim; in this section, we will discuss one of them: phishing.
Phishing is a technique where an attacker constructs a website designed to look and feel like a legitimate website in an attempt to trick a user into providing their credentials or other sensitive information. Typically, an attacker will host this fake web page on a web server that they control and will send the link to victims through e-mail, social networking, or other communication tools. The attack is successful if the user follows the link and submits their credentials, which the attacker then captures. This attack, when combined with MITM, can yield a higher rate of success since the attacker is in control of other services, such as DNS, which the user might first check if they are wary of clicking on an unsolicited link. In this section, we will host a site designed to look like the https://facebook.com page on the attacker machine and redirect all wireless clients to this page in order to harvest user credentials. We will use SET (Social Engineering Toolkit) to perform this attack.
In this attack exercise, we will leverage our evil twin access point again in order to provide us with visibility on the victim's traffic. Next, we set up Ettercap to falsify the DNS reply and divert a user visiting https://facebook.com to our local machine, where we are hosting a fake Facebook page. Once the user visits our phishing page instead of the page they intended to visit, they will be prompted for login credentials. SET provides the ability to mirror the target website and log the credentials entered by the redirected clients.
To spoof DNS using Ettercap, follow these steps:
1. Open the etter.dns file located in the /usr/share/ettercap directory, and append the following line to the end of the file: *.facebook.com A 10.0.2.15
2. In this example, 10.0.2.15 is the IP address of the attacker machine (Kali) where we will be hosting the mirrored https://facebook.com website to serve the clients. This file is used by the DNS module in Ettercap to fake the DNS reply to the wireless clients. Whenever a wireless client queries for https://facebook.com, the reply will be forged to our IP address, which is 10.0.2.15. The A record is added to the file, as shown here:
3. Start ettercap with the --gtk option. This option launches the GTK (formerly the GIMP Toolkit) graphical interface for Ettercap: # ettercap --gtk
Once the plug-in is enabled, all you need to do is mirror the https://facebook.com page using SET and wait for a client to connect to your https://facebook.com page and submit the credentials.
In this part of the attack, we set up a fake Facebook page that looks similar to the original Facebook page by cloning it from the Internet using the SET toolkit. Follow these steps:
When the victim machine queries for DNS, Ettercap running on the attacker machine will respond with a spoofed reply stating that https://facebook.com is at 10.0.2.15, which is the IP address of the attacker machine itself. SET is already hosting the mirrored https://facebook.com page on this IP. The user's browser will be directed to the local machine (DNS spoof) and SET will display the local copy of the web page it is hosting. Once the victim submits their login credentials, SET will show them to the attacker in plain text.
The following are the credentials of the victim, shown by SET in plain text: