You have 2 free member-only stories left this month.

Sign up for Medium and get an extra one

Replicate any websites with

HTTrack and harvest credentials
using Social Engineering Toolkit
David Artykov Follow
May 12 · 6 min read

From: Yellowj/bigstockphoto.com

The Social-Engineer Toolkit (SET) is an open-source pen-testing system for

Social-Engineering attack strategies. It was made and composed by Dave
Kennedy, the organizer of TrustedSec. SET has various custom assault
vectors that enable you to create a trustworthy assault in a small amount of
time. Let’s take a look at how to run certain types of attacks and avoid
getting detected by any anti-virus protection.

In this tutorial, we will show you how to clone any website with the
“HTTrack” tool and use it later on in social engineering attempts.

HTTrack is a free and straightforward to-utilize offline browser utility. It

enables you to download a World Wide Web webpage from the Internet to a
local directory, constructing all registries recursively, getting HTML,
pictures, and different records from the server to your PC. HTTrack
organizes the first site’s relative connection structure. It can likewise refresh
a current reflected website, and resume interrupted downloads. HTTrack is
entirely configurable and has a coordinated assistance framework.

To use this tool, go to “Applications/03-Web Application Analysis” and click

on “httrack.”

It will load the usage and help the manual page of HTTrack. We suggest you
spend some time and read the manual; hence, it provides valuable
information regarding the tool.

Type “httrack” and hit “Enter,” you’ll be asked to enter a project name. In
this example, we will be replicating Yahoo’s login page, so we named it
“Yahoo_Login.”

Open up your favorite browser and search for the website page you want to
replicate and copy the URL link.

In the HTTrack framework, you’ll be asked to enter the URL and select a
suitable action to mirror the website. Paste the URL link you copied and
select the second option, “Mirror Web Site(s) with Wizard.”

For the “Ready to launch the mirror?” option, type “Y” and hit “Enter” to start
the replicating process.

When the whole process is complete, you’ll have a new folder called Yahoo
in the “Home” directory. This folder contains all necessary packages to run
the replicated website offline.

Go into the Yahoo folder and run the “index.html” file to make sure that the
website you replicated was successful.
As you can see in the image below, the replication of the website was
successful, and all the hyperlinks in the site work as they supposed to work.

Now, it is time to use some social engineering skills and fool our victim to
compromise his/her computer. For this, we’ll be using the SEToolkit form
“Applications/13-Social Engineering Tools/SET”.

Once you launched the tool, you’ll be presented with a main menu option.
Select option “1” to list all available social engineering attack options.
Since our attack is based on the website attack vector, select option “2” to
view all attack methods.

From the list of attack methods, we’ll be using the third option, which is the
“Credential Harvester Attack Method.”

Next, select option “3” to import our custom replicated website and hit
“Enter.”

Set your IP address for the POST back in Harvester and provide the full path
to the folder of the replicated website where the “index.html” file is located.
In our example, it is located in the “/root/Yahoo/Yahoo_Login/” directory. If
the “index.html” file is found by the tool, you’ll be asked whether to copy the
entire folder or just “index.html.” Select option “2” to copy the whole folder.
Next, you’ll be prompted to provide an original URL link to the website you
replicated. Copy the URL of the site and paste it on the SEToolkit page.
If everything is set correctly, you should be able to run the replicated
website online and harvest credentials. To test whether it works or not, type
your IP address in the URL search bar and hit “Enter.”

As you can see in the screenshot, whenever the victim visits our webserver,
he/she will be redirected to the fake Yahoo page, which looks and functions
as the original Yahoo login page. To make our link less suspicious and more
legitimate, we can use some online link shortener services like “bit.do.”

Now, our new (http://bit.do/yahoo_login_account) link looks much better

and less suspicious, so we can send it to our victim and wait for the results.
Once the victim visits the page, puts the credentials, and hits “Enter,” it’ll
redirect to the original login page. The victim will not notice anything and
will think that he/she mistyped the password, so the victim will try to re-
login again.
 As a penetration tester, you might be asked by clients to conduct social
engineering
On the otherattacks on attacker
hand, the their ownwill
workers
receiveinharvested
order to see whether they are
information
adhering to
regarding the
the company’s
victim’s policiesand
credentials andlist
security measures.
them on the SEToolkit page.

Employee education is critical because, even though the company uses the
most up-to-date anti-phi
clicking on a link from a
constitutes phishing, no
information, and to always check the address bar and everything that does
not seem to be usual in order to avoid being scammed.

Always keep in mind that while a system administrator can update and
patch a computer or network, there is no such thing as a patch for human
unawareness.

Hacking Cybersecurity Penetration Testing Technology Internet

Learn more. Make Medium yours. Write a story on Medium.

Medium is an open platform where
170 million readers come to find
insightful and dynamic thinking.
Here, expert and undiscovered
voices alike dive into the heart of
any topic and bring new ideas to the
surface. Learn more
Follow the writers, publications, and
topics that matter to you, and you’ll
see them on your homepage and in
your inbox. Explore
If you have a story to tell, knowledge
to share, or a perspective to offer —
welcome home. It’s easy and free to
post your thinking on any topic.
Start a blog

About Write Help Legal