How to Find your Friend’s Twitter Password (Special Halloween 2020)

Pedro Gomes
5 min read · Oct 31, 2020

It’s illegal to perform any type of IT attack without the victim’s permission; what you do with the following information is entirely your responsibility.

In every Hollywood movie, the IT guys always find a way of getting their enemies’ social media passwords. Normally you see a lot of code scrolling through terminals for a few seconds and then… jackpot, they have full access to that person’s life. My mission today is to explain the true story behind the scenes of any phishing attack, and hopefully by the end of this tutorial you’ll be able to perform one.

Some numbers (source: phishingbox.com):

  • 33% of outbreaks use some kind of social attack.
  • 65% of information criminals use Phishing Attacks as their primary infection vector.
  • 64% of organizations have experienced Phishing Attacks last year.

This data shows how important it is to understand and invest in cybersecurity measures. Phishing attacks can be avoided with network protection and URL checks.
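The URL check mentioned above, as an added example that is not part of the original article: a Python function that lists the reasons a link cannot be a genuine Twitter login page, such as a bare IP address or a dynamic-DNS hostname. The expected domain, the dynamic-DNS suffix list and the sample links are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only domain on which a Twitter login form is expected.
EXPECTED_DOMAIN = "twitter.com"
# Assumption: a small sample of dynamic-DNS suffixes, not a complete list.
DYNDNS_SUFFIXES = ("ddns.net", "hopto.org", "zapto.org", "sytes.net")


def _under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def check_login_url(url):
    """Return the reasons (empty list = none) to distrust url as a Twitter login page."""
    # A link typed or pasted without a scheme is treated as plain http here.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    if parts.username is not None:
        # https://twitter.com@192.0.2.7/ really points at 192.0.2.7
        reasons.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw-ip-host")
    except ValueError:
        pass  # a hostname, not an IP literal
    if any(_under(host, s) for s in DYNDNS_SUFFIXES):
        reasons.append("dynamic-dns-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-label")
    if not _under(host, EXPECTED_DOMAIN):
        reasons.append("unexpected-host")
    return reasons


if __name__ == "__main__":
    # Constructed sample links (private and documentation address ranges).
    for link in ("https://twitter.com/login", "http://192.168.1.20/",
                 "http://my-login.ddns.net/", "https://twitter.com@203.0.113.5/"):
        print(link, "->", check_login_url(link) or "ok")
```

The same checks can run in a mail gateway or web proxy against links in inbound messages; an empty result means only that none of these specific signals fired.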

Now let’s start.

Requirements:

Step 1: Install SEToolkit

Download SET folder:

sudo git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/

Once it’s installed you should see the folder on your file system:

Now you need to go to SET’s folder and set up the software. To do so, use the terminal:

cd setoolkit

Once you’re inside the folder, check that all the files are there. Run the following command:

ls

You should get the following output:

Now, to install the missing Python requirements, just execute:

pip3 install -r requirements.txt

When the previous operation is finished, run the setup file:

python setup.py

Step 2: Clone Twitter’s website with SET

Open SET on your terminal:

sudo setoolkit

The output should be:

Now choose 1) Social-Engineering Attacks, by pressing 1 followed by Enter.

Now you will have a second menu:

In this menu, choose 2) Website Attack Vectors, by pressing 2 followed by Enter.

The third menu should look like this:

In this menu, choose 3) Credential Harvester Attack Method, by pressing 3 followed by Enter.

Finally, you arrive at the last menu:

Here you should choose to clone the website, by pressing 2 followed by Enter.

You will be asked which IP you want to use:

To choose yours just press Enter (recommended).

Now you will need to input the URL of the website you want to clone:

In this case I will use https://twitter.com/, and then press Enter.

Now your clone is ready!

Step 3: Test Credential Harvest

Now that your clone is created, let’s test it. Open another terminal without closing SET, and execute one of the following commands, depending on whether you want to use a local IP or a public one:

Local IP: (recommended for beginners)

ip addr

Public IP:

curl ifconfig.me

Now, enter your IP in your browser:

You should have a perfect clone of your target website.

Now try to Log In:

When you press Log In, look for the credentials in the SET terminal:

And if you look at the website again, you will see that it was redirected to the real one, so the victim will not be suspicious:

Great, it works!

Step 4: Create a domain, and send it to your victims

Go to www.noip.com and create an account.

Then, on the Dashboard, create a new hostname with your IP:

Test it:

Perfect, it’s done, now just send this link to your victim, and you have completed a phishing attack!
