There is another method to gather credentials from a victim: the Social-Engineer Toolkit (SET), a tool commonly used in penetration testing. Believable attacks can be customized to fit the target and the objectives of the engagement.
You will need two virtual machines, one running Kali Linux (the attacker) and one running any OS (Kali Linux preferred) as the victim, and the attacker must know the victim’s IP address.
First, type “setoolkit” at the command line on the attacker’s virtual machine to open the Social-Engineer Toolkit. It then prompts you to select an option from the menu by entering a number. We want a Social-Engineering Attack, so we type in “1”.

Next, it displays the types of attack that can be used against the victim. We want Website Attack Vectors, to impersonate a real website, so we type in “2”.

We want to harvest the victim’s email address and password for a website using the Credential Harvester Attack Method, so we type in “3”.

To make the fake website look similar, real and safe, we clone it from the real website. Type in “2” to do so. It then prompts for the URL of the website to clone; as an example, I use the https://ottencoffee.com login page. It also asks for the IP address on which to listen for the posted data (the payload); leave it blank so that it defaults to the attacker’s own machine, which then receives the data.


Wait a little while for the framework to clone the site. When the attacker’s IP address is typed into the victim’s browser, it shows a page that looks real and trustworthy. However, do not judge a book by its cover: after the user logs in, the page sends the victim’s login details back to the attacker’s machine.

After the victim logs in, they are returned to the original site without knowing that their login details have been sent to the attacker. The attacker has successfully obtained the victim’s email address and password for the site.
Bonus: to disguise the malicious IP address you set up, run it through any link shortener so that the victim is less suspicious.
