Step 1: Creating your Malicious Site
We’re going to use the Social-Engineer Toolkit (SET) to generate a malicious site that looks just like the Facebook login page.
- So let’s load up SET and choose the following options (menu numbers move around between SET versions, so pick the items by name if yours differ).
- 2. Website Attack Vectors
- 3. Credential Harvesting Method
- 1. Web Site Templates
- 4. Facebook
Once you confirm the options and start the harvester it will show something that looks like this.
Step 2: Delivering it to our Target
The next thing we have to do is deliver this to our target. If you were clever and checked your address bar you’ll have noticed the fake page is running on localhost or your external IP, and obviously nobody is going to buy that Facebook moved to myevilplaypen.ru. So we need to bury the address a little so the average user will click on it, and to do that we’re going to use Facebook itself to help us.
Create a Fan Page
No, seriously, do it. On your Fan Page share a link to your external address. In the case of this test I used dangertux.no-ip.org, a dynamic DNS name pointing at my external IP. If you click this link it should now take you to your fake Facebook page. Still not quite there, plus we’re not trying to get people to go to your fan page. What we are going to do is abuse the Facebook link redirector (l.php) a little bit. If you look at the link’s URI it will look something like this (the destination is carried in the u= parameter).
http://www.facebook.com/l.php?u=http%3A%2F%2Fdangertux.no-ip.org%2F&h=in 1AQBLHNJFAQA9XKOYmX3_jL-_LvCFztf1Mn0zx70LzshzSA
Ok, that’s pretty decent, but let’s take it one step further, since you can still read the real destination inside the link and we don’t want that. So we’re going to be a little bit clever: we are going to percent-encode every character of dangertux.no-ip.org, writing each byte as %XX in hex. The browser decodes these back to the original hostname, but a casual reader won’t. That leaves us with something that looks like this.
%64%61%6e%67%65%72%74%75%78%2e%6e%6f%2d%69%70%2e%6f%72%67
Perfect. Now let’s plug our hex-encoded hostname into the u= parameter in place of the readable one, keeping the rest of the link as Facebook generated it, and we’re left with something like this.
http://www.facebook.com/l.php?u=http%3A%2F%2F%64%61%6e%67%65%72%74%75%78%2e%6e%6f%2d%69%70%2e%6f%72%67%2F&h=in 1AQBLHNJFAQA9XKOYmX3_jL-_LvCFztf1Mn0zx70LzshzSA
Now we have a link which sends people to our fake Facebook login page, so let’s deliver it to them. Email them or send them a message saying something like “Hey, check out this stupid person’s profile picture”, or whatever you think they’ll click on.
What will likely happen is they click the link, think they must have been logged out and that they have to log in. Once they submit the form they are redirected to the REAL Facebook, so they assume your link just didn’t work. Meanwhile SET has logged their credentials. Keep in mind that you may want to have an ACTUAL link handy so you can say “oops, I copied the wrong link”; this helps keep their suspicion from getting too high.
SUCCESS!
Now check your SET session and you will notice that it has logged their credentials. It will look something like the following.
If you did everything correctly you should have logged their email address and password. That being said, this attack isn’t going to work against everyone. It’s also a great way to lose friends, get banned from Facebook for life and, depending on what you do with it, possibly go to prison.
Who this isn’t going to work on
This won’t work on pretty much anyone who actually looks at their URL bar (which isn’t most people), since the address they land on is not facebook.com. Nor will it work on anyone who expects a login page to be served over HTTPS and notices that this one is plain HTTP with no padlock. It also won’t work on anyone who understands how Facebook sessions work and wonders why they were suddenly logged out. However, the truth of the matter is that it will work quite effectively against MOST Facebook users.
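The two sides of the trick above, the %XX encoding of the hostname in Step 2 and the "look at the URL" check in this section, are easy to make concrete. The following is an added example written for this page, not code from the original post or from SET: it rebuilds an l.php-style link in the shape shown above (the h= token is a placeholder, since only Facebook can generate the real one), encodes the host byte by byte the way the post does, and then does what a careful reader or a mail filter would do: fully decode the u= parameter (repeatedly, so double encoding does not help) to recover the real destination, and flag links whose u= escapes characters that never need escaping. The sample links are constructed in the block itself.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# RFC 3986 "unreserved" characters: an honest encoder never percent-encodes these,
# so %XX escapes that decode to one of them are a sign somebody is hiding the host.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def hex_encode_host(host):
    """Percent-encode every byte of the host, exactly as the post does for dangertux.no-ip.org."""
    return "".join("%%%02x" % b for b in host.encode("ascii"))


def build_redirect_link(target_url, h_token, encode_host=False):
    """Build a link in the l.php?u=...&h=... shape shown in the post.

    h_token is a placeholder (assumption): the real value is whatever Facebook
    generated for the shared link, and this function cannot produce it.
    """
    parts = urlsplit(target_url)
    host = hex_encode_host(parts.hostname) if encode_host else parts.hostname
    inner = parts.scheme + "://" + host + (parts.path or "/")
    # quote() escapes ':' and '/' (giving %3A and %2F) but leaves existing %XX alone.
    return "http://www.facebook.com/l.php?u=" + quote(inner, safe="%") + "&h=" + h_token


def raw_param(link, name):
    """Return the still-encoded value of a query parameter (parse_qs would decode it for us)."""
    for pair in urlsplit(link).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def real_destination(link):
    """Decode u= until it stops changing, then return the host it really points at."""
    raw = raw_param(link, "u")
    if raw is None:
        return None
    decoded = unquote(raw)
    while decoded != raw:  # a second pass catches double-encoded values
        raw, decoded = decoded, unquote(decoded)
    return urlsplit(decoded).hostname


def overencoded_count(link):
    """Count %XX escapes in u= that decode to characters no honest encoder would escape."""
    raw = raw_param(link, "u") or ""
    return sum(1 for m in PCT.finditer(raw) if chr(int(m.group(1), 16)) in UNRESERVED)


def looks_obfuscated(link):
    """True if u= is over-encoded or needs more than one decoding pass."""
    raw = raw_param(link, "u") or ""
    once = unquote(raw)
    return overencoded_count(link) > 0 or unquote(once) != once


# Constructed sample links: same shape as the post's, with a placeholder h= token.
PLAIN_LINK = build_redirect_link("http://dangertux.no-ip.org/", "PLACEHOLDER_TOKEN")
HIDDEN_LINK = build_redirect_link("http://dangertux.no-ip.org/", "PLACEHOLDER_TOKEN", encode_host=True)

if __name__ == "__main__":
    for link in (PLAIN_LINK, HIDDEN_LINK):
        print(link)
        print("  real host:", real_destination(link), "| obfuscated:", looks_obfuscated(link))
```

Run it and the second link prints as the unreadable %64%61... form from the post, yet `real_destination` still returns dangertux.no-ip.org and `looks_obfuscated` is True for it, while the plain link (only %3A and %2F escapes, which are legitimate) is not flagged. That is the whole defence: decode before you trust, and treat needless encoding as a warning sign.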
