Stealing Credentials with Fake Login Pages

In previous entries, we’ve seen how client devices can be tricked into connecting to a rogue access point, giving the person running the AP full control over the client’s Internet access. The concept is fairly simple: present the client device with a WiFi network that looks like what it is expecting and the device will connect without a fuss.

As it turns out, humans can be tricked just as easily. As a general rule, people are trusting; as long as things look more or less as they expect them to, most users will continue on with their normal routine, blissfully unaware that they might be the victim of a sophisticated attack.

In this post, we’ll build on the EvilAP attack by presenting victims a cloned version of the Facebook login page in an effort to capture their login credentials. Facebook is used only as an example here, the same method can be used with any website that features a login dialog.

Note: The following assumes you’ve already configured an EvilAP and are ready for clients to connect. If you’d like to read up on how to launch an EvilAP,take a look at “EvilAP: A Practical Example”.

Social Engineering Toolkit

The Social Engineering Toolkit (SET) is a collection of tools designed to automate a wide array of exploits: everything from generating malicious QR codes to programming a microcontroller to act as an attack vector. In this particular example, we’ll be using the “Site Cloner” function, which will duplicate any website the operator chooses and capture information the victim sends to it.

To launch SET, tap its icon under the “Attack Tools” directory.


SET has its own menu system which you can navigate through by entering the numbers corresponding to the selection you wish to make.


First, select “Social-Engineering Attacks” by entering in the number 1, then number 2 for “Website Attack Vectors”.


Then enter 3 for “Credential Harvester Attack Method”, and finally, enter 2 for “Site Cloner”. You’ll then be asked for the IP address of the EvilAP, which is, followed by the URL of the site you want to clone.


All that’s left to do now is wait for the results to scroll across the screen. As victims connect to the EvilAP and try to login to Facebook (or whatever site you selected to clone), their login credentials will show up in red.




0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *