Know how to use social engineering for easily hacking login credentials for websites like Gmail and Facebook

**The content of this post is for educational purposes only and DigiAware team strongly discourages unethical hacking**

Social engineering is an ever-growing threat to organizations all over the world, and social engineering attacks are used to compromise companies every day. Even though many hacking tools are available in underground hacking communities, the Social Engineering Toolkit (SET) is a boon for attackers because it is freely available and can be used to perform spear-phishing attacks, website attacks, etc. With the spear-phishing attack method, attackers can draft email messages, attach malicious files, and send them to a large number of people. The multi-attack method also allows the Java applet, Metasploit browser, Credential Harvester/Tabnabbing, etc. to be used all at once.

Though numerous sorts of attacks can be performed using this toolkit, this is also a must-have tool for a penetration tester to check for vulnerabilities. SET is the standard for social-engineering penetration tests and is supported heavily within the security community.

As an Information Security Auditor, penetration tester, or security administrator, you should be well versed in the Social Engineering Toolkit so that you can test the network for vulnerabilities and take proper measures to remediate them.

1. Open Kali Linux and launch the Social Engineering Toolkit (SET) by typing setoolkit. Alternatively, it can be opened from the Applications list.

2. The following Social Engineering Toolkit terminal window appears.

3. Type 1 and press Enter to select Social-Engineering Attacks, then type 2 to select Website Attack Vectors.

4. In the next menu, select the Credential Harvester Attack Method.

5. Type 2 to select the Site Cloner option from the menu.

6. Type the IP address of your Kali Linux (External Network) machine at the prompt for the IP address for the POST back in Harvester/Tabnabbing.

7. Enter the URL to clone. Try Facebook or!!!

The cloned website is placed in /var/www/html.

If the prompt "Do you want to attempt to disable Apache? [y/n]" appears, type Y and press Enter.

With the above step, the given URL is cloned onto your Kali machine, and the cloned website can be browsed from another machine at http://<your Kali IP>.

Once the cloned website opens on another system, it prompts the user to enter authentication details, i.e. login ID and password.


As soon as the victim (you) types in the credentials and clicks Login, SET captures the entered credentials as shown in the screenshot. An attacker can use them to gain unauthorized access to the victim's account. The cloned page does not log you in; instead, it redirects you to the legitimate page of the given URL.

You have successfully gained the required login credentials using the SET toolkit!!
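
From the defender's side, the flow above leaves a recognisable trace in web-proxy logs: a form POST to a bare-IP http:// address, followed right away by a visit to the real login site. The following is an added example, not part of the original post or of SET, that scans constructed log lines for that pattern; the log format, the login-host list and the 10-second window are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: real login hosts the organisation wants to watch (hypothetical list).
LEGIT_LOGIN_HOSTS = {"www.facebook.com", "accounts.google.com"}
WINDOW = timedelta(seconds=10)  # assumed gap between POST and redirect

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.23 GET http://192.0.2.50/
2024-05-01T09:00:19 10.0.0.23 POST http://192.0.2.50/
2024-05-01T09:00:20 10.0.0.23 GET https://www.facebook.com/
2024-05-01T09:05:00 10.0.0.31 POST https://www.facebook.com/login
2024-05-01T09:06:00 10.0.0.40 POST http://192.0.2.77/api/upload
"""

def is_ip_literal(host):
    """True when the URL host is a raw IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_harvest_pattern(log_text):
    """Return (client, post_url, landing_host) for each POST to a bare-IP
    http:// origin that is followed within WINDOW by a request from the
    same client to a legitimate login host."""
    pending = {}  # client -> (time, url) of its last suspicious POST
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, client, method, raw_url = line.split()
        ts, url = datetime.fromisoformat(ts_raw), urlsplit(raw_url)
        host = url.hostname or ""
        if method == "POST" and url.scheme == "http" and is_ip_literal(host):
            pending[client] = (ts, raw_url)
        elif host in LEGIT_LOGIN_HOSTS and client in pending:
            post_ts, post_url = pending.pop(client)
            if ts - post_ts <= WINDOW:
                hits.append((client, post_url, host))
    return hits

if __name__ == "__main__":
    for hit in find_harvest_pattern(SAMPLE_LOG):
        print("possible credential harvest:", hit)
```

A hit identifies the client whose password should be reset and the address to block. For the user, the same signal is visible in the address bar: a login form served over plain http from a numeric IP instead of the site's own domain.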

