Social Engineering Toolkit - Credential harvesting via https
I have SET up, running and functional for harvesting credentials for a cloned https site. However, the site is hosted in SET on standard http port 80. I am looking to be able to host the cloned site using https, as it adds an additional layer of reality to the cloned site. I think that it is also prudent to encrypt this traffic since you are capturing users' credentials. In the set_config file you can change the web port, and I am able to change it to port 443; however, it still uses only standard http without encryption. Has anyone tried something like this?
Re: Social Engineering Toolkit - Credential harvesting via https
There are about 5 different ways I can think of right now, but the easiest is probably Pound, and/or one of the ssl* tools.
Re: Social Engineering Toolkit - Credential harvesting via https
I spoke with Dave, the developer of SET, and he is adding in this capability. It should be released shortly.
Re: Social Engineering Toolkit - Credential harvesting via https
Just pushed an update for 0.6.1, now supports SSL encrypted traffic for credential harvester and tabnabbing. Enjoy :)
Re: Social Engineering Toolkit - Credential harvesting via https
Keep in mind that your modern web browser will start screaming at the user that he is trying to connect to a site with an unrecognized certificate ...
Re: Social Engineering Toolkit - Credential harvesting via https
Quote: Originally Posted by Agarax
Keep in mind that your modern web browser will start screaming at the user that he is trying to connect to a site with an unrecognized certificate ...
Agarax, it depends on whether SET does something like spoofing ARP or if it rewrites an HTML landing page to strip out SSL like Moxie's sslstrip. The former will result in screaming, and the latter requires the user not to notice the missing padlock.
Frank
Re: Social Engineering Toolkit - Credential harvesting via https
Quote: Originally Posted by frankpuccino
Agarax, it depends on whether SET does something like spoofing ARP or if it rewrites an HTML landing page to strip out SSL like Moxie's sslstrip. The former will result in screaming, and the latter requires the user not to notice the missing padlock.
Frank
Frank,
My understanding was that the OP was specifically talking about cloning the site and having the user connect to you with HTTPS instead of HTTP. In order for it to be HTTPS you need a cert. Otherwise, the default use of port 80 already in the program would be adequate.
The only exception would be if you were able to grab the legit private key from the website during the pentest. But if you have enough access to the website to grab the private keys, you don't need to go through the trouble of spoofing it and getting a user to connect; you can just set up listeners on the server.
Cheers,
Agarax