Credential Harvesting

Credential harvesting is one of the techniques used by attackers to gain credentials of users. The user will be presented an impersonated site with a form accepting user inputs [email address, username, password, SSN, credit card number, CVV, etc.]. Because of unawareness, the user fails to validate the authenticity of the web page presented to him/her. As the user types the credentials, the same is retrieved in the back end. The user gets fooled because of the similarity in the web page and they just scan the web page and once they find the usual color and logo on the page, they go ahead and input their credentials.

The technique in combination with phishing is deadly and have resulted in many successful campaigns to retrieve user credentials. The retrieved credentials can then be further used to exploit the server to extract more sensitive information or damage the infrastructure. There are many techniques which are deadly but looks tough or not very practical while employing in the attack phase if we compare efforts to be put and output of the activity.  But credential harvesting is not one of them. It is very easy if proper reconnaissance has been performed on the user base to understand their browser login activities and which are the sites where they use corporate credentials [if corporate servers are under the scope of the test]. If the attack has to be performed on the personal account of the users, widely used email account, cloud data storage can be faked. Let’s go ahead and see how this can be done in practical life.

I have identified my blog’s contact page as the site which will be impersonated. I will be using SET, an inbuilt tool with Kali Linux to clone the site.

Step 1: Please identify the server which will host impersonated web page. I have selected my Kali VM.

Ip Address
Impersonating Server Address

Step 2: Please start Social Engineering KIT from Kali Linux. Select the 1st option for social engineering attacks.

Select Social Engineering Attack

Step 3: Select Website Attack Vectors as we will be using the impersonated website for collecting user information.

Select Website Attack Vectors

Step 4: Select Credential Harvester Attack Method from the available options.

Select Credential Harvester Attack method

Step 5: Select the kind of technique to generate the website. We can provide the web templates to generate or the site address to clone the look and feel of the page. We will be selecting the site cloner as we need to generate a page with the same look and feel of the website.

Select Site Cloner

Step 6: Enter the IP address of the server which will host the impersonated web page. After specifying the server IP, provide the site page which needs to be cloned. In this example, I have used the contact page of this blog.

Provide IP address and Site Page information

Step 7:  Once the site has been cloned, the tool will be ready to accept the details being entered on the page. Phishing technique will come in the picture for delivering a mail/message to the victim prompting them to enter launch this page and enter the information. The whole mechanism relies on how effectively the mail/message has been drafted so that the victim falls prey to it. Once the victim launches the page, the below page would be presented. If you see everything is the same including the Privacy banner.  This would make the victim believe that he is at the correct page and he will proceed with entering the details. One way to identify is the URL being displayed in the address bar. Since this is a lab demonstration, so you will be easily able to figure out the IP address which will not be associated with the public facing websites. In the practical scenario, the website is hosted and the domain is registered which looks familiar to the target domain, mostly change with character placement so that eyes fail to detect it.

Impersonated Web Page

Step 8: As soon as the victim will enter the details, the same will be reflected at the attacker console and the information would be dumped for further usage. In the below screenshot you can see, I have entered Utkarsh Utsava in the name field and as an email address. These fields can be user name and password or something more critical information from the use case perspective.

Attacker Console

As soon as the user submits the form, the victim is redirected to the original website making him/her think something went wrong and he/she will continue the process and it will happen correctly. The victim never gets to know there was an impersonated site page placed and he/she has fallen prey to some credential harvesting campaigns.

Redirected to Correct Site page after Submit Action


These kinds of attacks can only be avoided when the users are aware of each action they are performing and specifically form submit actions. We should try to give a minute more and try to ensure the site where we are entering information is the correct one. When getting emails asking urgently to enter information by visiting page, ensure you try to go through email twice or thrice to verify if unusual sentence forming, spelling mistakes or grammar issue. This can help us to identify phishing emails which are crafted by attackers. We should also try to verify the incoming email address from where email is sent to verify if they are from the same domain or something different. Sometimes in the body of email, the URL name is aligned to the target domain but the linked URL behind the text would be something different. As an aware individual, we should try to make sure the address resolved in the address bar is the same what was mentioned in the email. In laptop/desktop, by hovering over URL, we can figure out but from a cellphone, it is difficult to identify.  Through this post, I tried to showcase how easy is to clone a page and perform attacks. There are many such specialized tools in the market, hence we need to be extra cautious while dealing with emails urging immediate actions.

Critical Feedback is always welcome!

Plagiarism Score: 0% Calculated from SmallSEOTools. This post is just to showcase the demo associated with the topic. The tools should be only used for the legitimate purpose with prior approval as instructed by the developer of the tool.




Up ↑

%d bloggers like this: