To do this exercise you need two different machines (one can be a mobile)
connected to the same WiFi.
Let's call them A and B.
For this exercise, you need to be in two people (i.e., do this exercise in group),
or have two different email accounts.
On A, build a Docker image from the Dockerfile in this folder, e.g.,
by running:
docker build . -t kali
Verify that such image is built with no error (at times it might fail as relying on external servers). Note: it might take several minutes to build.
Run such image by opening the port 80 (-p option) and in interactive mode
(-i option). For example:
docker run -p 80:80 -it kali
If you are running it in GitBash, you will need to use winpty, i.e.:
winpty docker run -p 80:80 -it kali
Once started from a command line, you should be prompted to a Bash shell running inside the Docker image. Note: if you have another process binding to port 80, you will need to stop that process first.
On this Bash shell, start the command setoolkit.
You need to choose the following commands in order:
- 1) Social-Engineering Attacks
- 2) Website Attack Vectors
- 3) Credential Harvester Attack Method
- 2) Site Cloner
At that point you will need to input the IP address of A, e.g.,
10.32.0.1.
Then, you need to provide the IP/hostname of the site to clone.
Choose facebook.com.
If everything is correct, you should be able to point the browser to
the IP address of A, and see a Facebook login page.
Try to login with wrong username/password.
Confirm that you can see those values in the logs of the Docker Bash shell.
Now, write an email to one of the other students doing this exercise.
Use Social Engineering to trick them to follow a specific link pointing
to a page on Facebook (e.g., "look at this cute cat picture!").
But the link should actually be pointing to the IP address of A.
When following the link on B from the email, s/he should get the fake
login page running on A on port 80.
Make sure that the target of the email does know of the exercise, and that
should NOT use his/her real credentials.
Have one wrong login attempt (do NOT use your real passwords!!!) on B.
Verify that the attempted login is logged on A, and in A you can see
the used username/password.
Repeat the previous exercise, but this time choose a different target
instead of facebook.com.
Note: depending on the target you choose, Site Cloner might or might
not work.
At home, dream about the possibility of doing an actual attack to a person that you care about and that hopefully would not report you to the police (recall, such attack is ILLEGAL). For example, one of your loving parents, if you have any. Once you dream of getting their credentials, keep on with the vision, and in such dream teach them to never follow a link from an email, not even if such email comes from a relative/friend (their accounts can be compromised via a malware).
Just dream of doing this attack. Do NOT do it in practice, as it is ILLEGAL.