So you've been forced by your program director to take a course you didn't want to do. Let's say said course starts with 'A' and ends with 'ED'. Well, you think, consoling yourself, at least I will make some new friends...

Three months later. Having sat through hours of endless lectures, you realize this hasn't worked out as you'd hoped. You've made acquaintances, got their email addresses, and at times even supposedly worked together in so-called 'teams'... but you wouldn't go so far as to say they're your friends. So, what do you do? You have a thought... to create some mischief and liven up the last few weeks of class. You've heard about hacking, know that everyone probably still uses Facebook, and stumble upon this guide...

So you have your shiny new Kali 2019.4 installed and running. If not, that's the first step... please go ahead and do so by 'legally' torrenting it from: https://www.kali.org/downloads/

(Kali's earliest appearance in Hindu mythology is as a destroyer of evil)

Plan of Attack

So we want to know the usernames and passwords of all our peers in a certain class. Let's just say the class is huge, and owning all their credentials would give you cult status. Of course you don't intend to do anything other than getting some fame and then telling them to use 2FA and change their passwords. So how do we do it....

- Clone the Facebook login web page
- Spin up a web server that hosts the cloned web page on your Kali box
- Create a pathway for others to reach back to your box over the internet
- Compose a phishing email that appeals to the students' greed / fear / sympathy and makes them click on a link that connects to the fake fb login

Let's work backwards...

Step 1: Set up Ngrok

So Ngrok allows you, with just one command, to give an instant, secure URL to your localhost server, through any NAT or firewall. This means when you host your evil cloned FB login page on localhost:80 (port 80), Ngrok will give you a link that you can email your victims to click on and reach.
So go ahead and sign up to Ngrok: https://dashboard.ngrok.com/signup

Once logged in... go ahead and download ngrok as showcased in step 1. Then follow the setup instructions as follows (remember to do step 3 with your own ngrok auth token).

Here I am doing it on my machine:

Keep ngrok running and make a note of the random url it generates for you:

Remember: Ngrok assigns a new random url every time you stop/start in its free tier, so make sure you are using the right url for the following steps.

Step 2: Cloning Facebook Login with Social Engineering Toolkit (SET)

So now let's unleash the power of Kali Linux! Kali is the offensive hacker's dream armory. It has ready-made tools for you to create mischief.

Let's fire up the social engineering toolkit by first opening up a new terminal with Ctrl + Alt + T. Next type in sudo setoolkit (we want to run social engineering toolkit as root user) and type in your root password.

Next type in 1 to select 1) Social-Engineering Attacks from the opening menu.

Then type in 2 to select 2) Website Attack Vectors from the second menu.

Now type in 3 to select 3) Credential Harvester Attack Method from the third menu (credential harvesting is a posh way of saying you want to steal your mate's passwords...'elizabeth may i possibly harvest your banking credentials').

Finally type in 2 to select 2) Site Cloner from the fourth menu to start the process of cloning the FB login page.

Now carefully make sure you copy the bit after the http:// from your running ngrok terminal, e.g. 29102647.ngrok.io, and paste that into the terminal on the Social Engineering Toolkit prompt, and then hit enter.

For the next SET prompt, copy your target Facebook login page, e.g. https://ar-ar.facebook.com/login/, and paste it in, then hit enter.

Ignore the next message that comes up and hit enter again.

Now your fake server is up and running on Kali, serving a FB login lookalike page and actively listening for any input data (usernames and passwords) that are entered. Once you successfully email out the http://9102647.ngrok.io link to your target victims / pseudo-friends and trick them into clicking it, they will be redirected to your fake FB login page where they will unwittingly enter their usernames and passwords.

Here I am doing it on my machine:

Step 3: Create a Phishing email with Emkei's Fake Mailer

So now for the part to get creative. Since this was originally an academic assignment for INFO 7300 at Northeastern, I'd like the students to get creative... Make up your most convincing argument to your intended classmates, in the text body of an email, to try and get them to click on the link. Send the phishing email to yourself so that you can take a screenshot that the attack works and submit on Blackboard. For bonus points, also send the email to me so I can judge your creativity. Do not send it to any other classmates! Most convincing email will get a prize!

Note: chakravarty.s@husky.neu.edu

Let's head over to Emkei: https://emkei.cz/

In the section labelled Content-Type: select the text/html radio button and check the Editor box.

Now, write a convincing email pretending to be a person in a position of influence in the Text: section. The criteria you will be graded on include:

- The tone of voice in the email replicates the person you are mimicking.
- The mail is in a realistic manner addressed to the victim
- The signature of the sender is believable
- The from address accurately mimics the person of influence
- You incorporate a relevant attachment to legitimize the email further
- You email out at a time akin to when the person usually emails
- You covertly implant the ngrok url into an innocuous looking hyperlink
- From advanced settings, you take appropriate safeguards with Reply-To: and Errors-To: to ensure the actual person you are mimicking is never alerted

Step 4: Capture victim's credentials on disk for perusal

Having sent out the phishing email in the previous step, let's assume you have had your Kali server/listener running for days. Victims have been entering their credentials and you have been capturing them.

Now hit Ctrl + C at which point the SET prompt will print the following message:

    [*] File in XML format exported to /root/.set/reports/2020-01-17 16:07:35.782953.xml for your reading pleasure...

Hit enter again to save the report. Hit Ctrl + C two more times to exit out of the Social Engineering Toolkit.

Now you can head on over to the saved location and then open up the report with atom-nightly or your favorite IDE so that you can Ctrl + F within the file and look for usernames and passwords captured.

    eos@kali:~$ cd /root/.set/reports/
    eos@kali:/root/.set/reports$ ls -al
    total 16
    drwxr-xr-x 3 root root 4096 Jan 17 16:07 .
    drwxr-xr-x 4 root root 4096 Jan 17 16:10 ..
    -rw-r--r-- 1 root root   96 Jan 17 16:07 '2020-01-17 16:07:35.782953.xml'
    drwxr-xr-x 2 root root 4096 Jan 17 16:07 files
    eos@kali:/root/.set/reports$ cat 2020-01-17\ 16\:07\:35.782953.xml

Stay Tuned!
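
Seen from the receiving mail system, several of the traits in the Step 3 grading criteria are checkable: a tunnel URL behind an innocuous-looking hyperlink, and Reply-To: / Errors-To: headers pointed away from the apparent sender. The following is an added example, not part of the original post; `phishing_indicators`, `LinkCollector`, `addr_domain`, the suffix list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TUNNEL_SUFFIXES = (".ngrok.io",)  # assumption: extend with other tunnel services
class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def addr_domain(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def phishing_indicators(raw_message):  # hypothetical helper name
    msg = message_from_string(raw_message)
    findings = [f"{h} domain differs from From domain" for h in ("Reply-To", "Errors-To")
                if msg[h] and addr_domain(msg[h]) != addr_domain(msg["From"])]
    html = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host.endswith(TUNNEL_SUFFIXES):
            findings.append(f"link target is a tunnel host: {host}")
        if text.lower().startswith(("http://", "https://", "www.")):  # text claims a URL
            shown = urlparse(text if "://" in text else "//" + text).hostname
            if shown and shown.lower() != host:
                findings.append(f"link text shows {shown} but target is {host}")
    return findings

# Constructed sample message (not from the page); all addresses and hosts are made up.
SAMPLE = '''From: "Program Director" <director@university.example>
Reply-To: someone@elsewhere.example
Content-Type: text/html; charset="utf-8"

<p>See <a href="http://example-subdomain.ngrok.io/">https://www.facebook.com/login/</a></p>'''
print(phishing_indicators(SAMPLE))
```

Link text that is not itself a URL ("click here") produces no mismatch finding, so the tunnel-host and header checks are what catch that case.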