Website Credential Harvesting
Utilize SEToolkit to clone a website
Social engineering toolkit credential phishing attacks
Open the SET
sudo setoolkit
Social Engineering Attacks (1)
Website Attack Vectors (2)
Credential Harvester (3)
CAN utilize HTTPS with https://github.com/trustedsec/social-engineer-toolkit/issues/467we CAN use vhosts with SET and enforce Let's Encrypt certs for legitimacy
CAN utilize HTTPS with https://github.com/trustedsec/social-engineer-toolkit/issues/467
Ok, register a new domain with freenom
https://ostechnix.com/configure-apache-virtual-hosts-ubuntu-part-1/
configure the vhosts
https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-for-multiple-apache-virtual-hosts-on-ubuntu-14-04
grab new lets encrypt certificates-for-multiple-apache-virtual-hosts-on-ubuntu-14-04
update config at /etc/setoolkit to enable the APACHE server and update the location Ok, when cloning the site with the HTTPS cert enabled in the config, the POST requests in the php file send it over HTTP, which brings an error up in browsers saying that it's insecure. Even though the rest of the site is over HTTPS and has a good cert.
Looking in the index.html file we see that there's no vhost and that it has the action for http
edit lines 497 and 498 which have hardcoded apache dir in harvester.py
ok yep that was def it, create a PR to fix this? update apache2 package name as well??
Last updated