Thread: Social Engineering Toolkit - Credential harvesting via https

  1. #1
    Just burned his ISO
    Join Date
    Aug 2010
    Posts
    2

    Social Engineering Toolkit - Credential harvesting via https

    I have SET up and running and functional for harvesting credentials for a cloned https site. However, the site is hosted in SET on standard http port 80. I am looking to be able to host the cloned site using https as it adds an additional layer of reality to the cloned site. I think that it is also prudent to encrypt this traffic since you are capturing users' credentials. In the set_config file, you can change the web port and I am able to change it to port 443; however, it still uses only standard http without encryption. Has anyone tried something like this?

  2. #2
    Very good friend of the forum Gitsnik
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Re: Social Engineering Toolkit - Credential harvesting via https

    There's about 5 different ways I can think of right now, but the easiest is probably pound. And/or one of the ssl* tools.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  3. #3
    Just burned his ISO
    Join Date
    Aug 2010
    Posts
    2

    Re: Social Engineering Toolkit - Credential harvesting via https

    I spoke with Dave, the developer of SET, and he is adding in this capability. It should be released shortly.

  4. #4
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    19

    Re: Social Engineering Toolkit - Credential harvesting via https

    Just pushed an update for 0.6.1, now supports SSL encrypted traffic for credential harvester and tabnabbing. Enjoy

  5. #5
    Junior Member Agarax
    Join Date
    Mar 2010
    Posts
    43

    Re: Social Engineering Toolkit - Credential harvesting via https

    Keep in mind that your modern web browser will start screaming at the user that he is trying to connect to a site with an unrecognized certificate ...

  6. #6
    Just burned his ISO
    Join Date
    Aug 2010
    Posts
    4

    Re: Social Engineering Toolkit - Credential harvesting via https

    Originally posted by Agarax:
    "Keep in mind that your modern web browser will start screaming at the user that he is trying to connect to a site with an unrecognized certificate ..."

    Agarax, it depends on whether SET does something like spoofing arp or if it rewrites an HTML landing page to strip out SSL like Moxie's sslstrip. The former will result in screaming and the latter requires the user to not notice the missing padlock.

    Frank

  7. #7
    Junior Member Agarax
    Join Date
    Mar 2010
    Posts
    43

    Re: Social Engineering Toolkit - Credential harvesting via https

    Originally posted by frankpuccino:
    "Agarax, it depends on whether SET does something like spoofing arp or if it rewrites an HTML landing page to strip out SSL like Moxie's sslstrip. The former will result in screaming and the latter requires the user to not notice the missing padlock.

    Frank"

    Frank,

    My understanding was that the OP was specifically talking about cloning the site and having the user connect to you with HTTPS instead of HTTP. In order for it to be HTTPS you need a cert. Otherwise the default use of Port 80 already in the program would be adequate.

    Only exception would be if you were able to grab the legit private key from the website during the pentest. But if you have enough access to the website to grab the private keys you don't need to go through the trouble of spoofing it and getting a user to connect, you can just set up listeners on the server.

    Cheers,

    Agarax
    "If you haven’t trashed your computer while doing something questionable, then you’re not a computer scientist – you’re just an arts grad who didn’t get laid."

    If the time stamp for my post is less than 15 minutes old, hold off on the flamethrower, there's a pretty decent chance I'm going to change it.
