SEToolkit – Credential Harvester Attack [Tutorial]


As a penetration tester, there will be times when the client requires you to perform social engineering attacks against their own employees in order to test whether they follow the policies and security controls of the company. After all, if an attacker fails to gain access to a system, they might try alternative ways such as social engineering attacks.

In this article, we will see how we can use the Credential Harvester Attack Vector of the Social Engineering Toolkit in order to obtain valid passwords.

The first thing that we need to do is to attach our laptop to the network of the company where we need to carry out the social engineering attack. When our system obtains a valid IP address from their DHCP server, we are ready to launch the attack.

To start the SEToolkit, just type “setoolkit” in your terminal window.

Our choice will be the Website Attack Vectors because, as the scenario indicates, we need to test how vulnerable the employees of our client are to phishing attacks.

We will use the Credential Harvester Attack Method because we want to obtain the credentials of the users.

As we can see in the next image, SET is giving us 3 options (Web Templates, Site Cloner and Custom Import).

For this example, we will go with the “Web Templates” option because it has some ready-made web templates which we can easily use.

Now we need to enter the IP address where we want to receive all the POST back requests.

In the last stage, we need to choose the web template. In this case, we selected Facebook because it is one of the most popular social networking platforms.

Now it is time to send our internal IP to the users in the form of a website (such as This can be implemented via spoofed emails that pretend to come from Facebook and ask the users to log in for some reason.

If a user reads the email and clicks our link (which is our IP address), he will see the Facebook login page.

Let’s see what will happen if the victim enters his credentials…


As we can see, from the moment the victim submits his credentials to the fake website, SET sends us his email address and his password. This means that our attack method succeeded.

If many users enter their credentials into our fake website, then it is time to inform our client to re-evaluate its security policy and to provide additional measures against these types of attacks.

Conclusion – 

  • If the user logs in with his account, our attack has 100% success, but even if the user does not log in with his email and password, the attack is still successful because the user has opened a website that came from an untrusted source.
  • This means that if the website carried some sort of malware, it would infect the user's computer, because the user simply ignored the security policy of the company and opened an untrusted link. So the company must provide the necessary training to its employees so that they have a clear understanding of the risks.
  • Educating the employees is the key factor, because even if your organization is using all the latest anti-phishing software, the employees could be the weakest link by opening a link that comes from an unknown origin. They must know what phishing is, must not open such links or enter their details into them, and must always check the address bar for anything that does not look normal in order to avoid being scammed.
  • Always remember that a system administrator can patch a computer, but there is no patch for human weakness.
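The address-bar check recommended above can also be automated on the defender's side, for example in a mail filter or an awareness-training tool. The following Python code is an added example, not part of the original tutorial; the function names, the EXPECTED_DOMAINS list and the sample links are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: domains a genuine Facebook login link may use.
EXPECTED_DOMAINS = {"facebook.com"}

def host_is_ip(host):
    """Return the parsed address if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None

def check_login_link(url, expected_domains=EXPECTED_DOMAINS):
    """Return the reasons a link claiming to be a login page looks wrong."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username or parts.password:
        # "brand.com@otherhost" shows the brand first but connects elsewhere.
        findings.append("userinfo-in-url")
    addr = host_is_ip(host)
    if addr is not None:
        # A login page served from a bare IP, as in the scenario above.
        findings.append("ip-literal-host")
        if addr.is_private or addr.is_loopback:
            findings.append("internal-address")
    elif not any(host == d or host.endswith("." + d) for d in expected_domains):
        # Catches lookalikes such as facebook.com.login.example.net.
        findings.append("unexpected-domain")
    return findings

# Constructed sample links (not taken from the original post).
SAMPLES = [
    "https://www.facebook.com/login",
    "http://192.168.1.50/",
    "http://facebook.com.login.example.net/",
    "https://facebook.com@login.example.net/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_login_link(link) or "ok")
```

An empty result means none of the checks fired; it does not prove the link is safe.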

Feel free to leave a comment below or reach me on Instagram @iamshubhamkumar__.

Posted by Shubham ;)
