Stealing Credentials with Fake Login Pages
We’ve seen how client devices can be tricked into connecting to a rogue access point, giving the person running the AP full control over the client’s Internet access. The concept is fairly simple: present the client device with a WiFi network that looks like what it is expecting and the device will connect without a fuss.
As it turns out, humans can be tricked just as easily. As a general rule, people are trusting; as long as things look more or less as they expect them to, most users will continue on with their normal routine, blissfully unaware that they might be the victim of a sophisticated attack.
In this post, we’ll build on the EvilAP attack by presenting victims with a cloned version of the Facebook login page in an effort to capture their login credentials. Facebook is used only as an example here; the same method can be used with any website that features a login dialog.
Social Engineering Toolkit
The Social Engineering Toolkit (SET) is a collection of tools designed to automate a wide array of exploits: everything from generating malicious QR codes to programming a microcontroller to act as an attack vector. In this particular example, we’ll be using the “Site Cloner” function, which will duplicate any website the operator chooses and capture information the victim sends to it.
To launch SET, tap its icon under the “Attack Tools” directory.
SET has its own menu system which you can navigate through by entering the numbers corresponding to the selection you wish to make.
First, select “Social-Engineering Attacks” by entering the number 1, then 2 for “Website Attack Vectors”.
Then enter 3 for “Credential Harvester Attack Method”, and finally, enter 2 for “Site Cloner”. You’ll then be asked for the IP address of the EvilAP, which is 192.168.7.1, followed by the URL of the site you want to clone.
All that’s left to do now is wait for the results to scroll across the screen. As victims connect to the EvilAP and try to log in to Facebook (or whatever site you selected to clone), their login credentials will show up in red.
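From the defender’s side, a cloned page like this gives itself away by a mismatch: the page is served from the rogue AP’s address rather than the real site, and its password form posts back to that same address. The check below, an added example that is not part of the original post or of SET, parses a login page and flags that mismatch; the sample pages and the expected hostname are constructed for the example.

```python
"""Defender-side check: does a login page submit credentials to the expected site?
Sample pages below are constructed for this example, not captured from a real site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormFinder(HTMLParser):
    """Collect each <form> action and whether the form contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyse_login_page(page_url, html, expected_host):
    """Return a list of warnings; an empty list means page URL and form target agree."""
    warnings, page = [], urlparse(page_url)
    host = page.hostname or ""
    if page.scheme != "https":
        warnings.append(f"page served over {page.scheme}, not https")
    if host != expected_host:  # a clone served from the rogue AP shows up as a bare IP
        warnings.append(f"page host {host!r} is not {expected_host}")
    finder = _FormFinder()
    finder.feed(html)
    for form in finder.forms:
        if not form["password"]:
            continue  # only forms that collect a password matter here
        target = urlparse(urljoin(page_url, form["action"]))  # clone posts back to itself
        if target.hostname != expected_host:
            warnings.append(f"password form posts to {target.hostname}, not {expected_host}")
        if target.scheme != "https":
            warnings.append(f"password form posts over {target.scheme}")
    return warnings

# Constructed samples: a genuine-looking page and a clone served from the EvilAP address.
GENUINE_URL = "https://www.facebook.com/"
GENUINE_PAGE = '<form action="/login"><input name="email"><input type="password" name="pass"></form>'
CLONE_URL = "http://192.168.7.1/"
CLONE_PAGE = '<form action="/login.php" method="post"><input name="email"><input type="password" name="pass"></form>'
```

Run against the genuine sample the function returns no warnings; against the clone it reports the plain-HTTP page, the mismatched host, and the password form posting to 192.168.7.1.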