How to acquire a user’s facebook credentials, using the credential harvester attack 2023

In this article we will go through How to acquire a user’s facebook credentials.

How to acquire a user’s facebook credentials?

A few more definitions to make things clear before you witness some awesomeness. So what is social engineering, SET, site cloning, man-in-the-middle attack, phishing and credential harvesting attack?

SET (Social-Engineer Toolkit)


It is an open-source tool written in Python. It is a framework that offers various tools related to phishing, spoofing, etc. in a social engineering environment as the name suggests. It was created by TrustedSec and according to them, social engineering is one of the most difficult attacks to protect against and one of the most widespread at the moment.

Site Cloner, as the name suggests, is a tool that gives you the ability to clone a website locally. This means that your localhost 127.0.0.1 will run the desired website provided you enable Apache. You can find a lot of details about Apache and running the site locally in the DVWA article here (link).

Two very basic things before you start following the guide. Write down your private and public IP. You can type “ifconfig” into a terminal window to see your private IP, and for the public IP, simply google “what’s my ip”. If you know both IP addresses, skip this step. You also need to know how to use port forwarding on your router if you want to clone Facebook and target users outside your network, but more on that later in the guide.

Also read:Amazone carding 2023 method

Local network


Without further ado, launch Kali, open a terminal window and type “service start apache” to start the Apache service and start the cloned website locally, then “setoolkit” to start SET.

Next, type 1 for Social-Engineering Attacks and press Enter, then 2 for Web Attack Vectors and press Enter, then 3 for Credential Harvester Attack Method and press Enter, then 2 for Site Cloner and press Enter.

Type 1 for Social-Engineering Attacks and press Enter

Then, type 2 for Website Attack Vectors and press Enter

Then, type 3 for Credential Harvester Attack Method and press Enter

Then, type 2 for Site Cloner and press Enter

Now you are prompted to type the IP address. Both Private and Public IP methods will be presented, starting with Private IP. Go ahead and type your Private IP address and then press Enter. Next, type the desired website to be cloned, in our case, www.facebook.com and press Enter.

Type Private IP then press Enter, then type www.facebook.com and press Enter

We will wait a little longer and repeat the previous procedure. You now have the option to access Facebook by opening a web browser and typing www.facebook.com, or if you’re crazy enough, by typing one of its public IP addresses, 173.252.120.6. However, you and everyone else on your local network can now access Facebook through you, and by that I mean through your local private IP address.

By now, a sly smile should be starting to form on your face when you realize that if everyone could access Facebook through you, you would type your private IP address into the URL field instead of the typical www.facebook.com. Yes, that would be awesome because that way you would collect/obtain/harvest all the credentials from users trying to access Facebook through you. But now you are asking yourself why and how people would want to access Facebook through your private IP and not with the original link. The fact is they won’t.

Imagine trying to convince another person why they need to access Facebook through your private IP and not by entering the original link. What lie would you come up with to convince him/her? “Here, use this IP address to access Facebook, because put your imagination here.” You can use some link shorteners like Bitly or Google URL Shortener to transform your suspected private IP address into a link that looks like any other shortened link. So yes, you now have a not-so-suspicious Facebook access link. However, the shortened link alone would have no effect on above-average users.

But when you combine this with acting like a confident person, for example in the library, you let everyone around you know that if they all want to join Facebook, they have to use your shortened link for “security reasons”. You could advertise your link as “highly secure”, “encrypted”, “insert epic lie here”. And that is social engineering! Everyone will use your link, users will enter their credentials, you will harvest them, and eventually users will access their Facebook profiles because the network traffic will be automatically redirected from your (Facebook cloned) computer to the original Facebook. You and your computer will act as a man-in-the-middle.

Think about the above scenario for a moment. You won’t convince everyone, but your story will resonate with a respectable number of average users. This is why social engineering is the biggest vulnerability in almost any information system. You can’t eliminate human error, can you?

Now that your sly smile has grown and you think of yourself as a master of the arts and crafts of roleplaying, let’s continue with the guide. The next screen you will face after entering www.facebook.com as the desired website to be cloned and pressing enter is the one below.

Waiting for credentials harvesting

You can find the text file in which the credentials are being saved, in /var/www directory. The name of the file should be something like “harvester_day time.txt”.

A dummy demonstration will take place below, by clicking on the malicious link. Facebook pops up, so some fake credentials are typed.

Malicious shortened link

Fake credentials are typed

Afterwards, head over to /var/www through a terminal and type “ls” to verify that indeed there is a text file with the harvested information. Finally, open the text document with a text editor, like leafpad.

Verifying the created text document containing the harvested credentials

Harvested credentials

That’s it ladies and gentlemen. You just obtained some nice points there. And if you’re very happy with what you’ve just achieved (you should feel satisfied and awesome), you can stop reading this guide at this point. Now you have managed to get login information from an unknown Facebook user on your local network.

Public network


If you want to take it a bit further and try to harvest credentials outside of your local network and lure unsuspecting users to you (your cloned website), there are two more things to consider. First, instead of entering your private IP address when prompted to create a cloned site, you now enter your public IP address. Second, you need to access your router, enable port forwarding, and create a specific rule linking your private IP address to your public IP address.

So go ahead and create this rule in your router. Due to the large number of routers available, there are a number of ways to create a port forwarding rule. It should look more or less like the screenshot below.

Port forwarding rule

Now you can follow all of the previous steps of this guide and when prompted to type the IP address, type your Public IP.

Type your Public IP address this time

Literally, the whole process is the same as with a private network. Just remember to enter your public IP address and create a port forwarding rule in your router.

Give yourself a round of applause because you’ve made it to the end of this guide. Cheers for making it to the end after this long pile of text. To be fair, this guide is pretty thorough and comprehensive, but hey, think of all the new concepts you learned and the euphoria you felt when you saw that you could actually get someone’s Facebook login information. If your acting skills help you in an act of social engineering, you can get some important information about other users. Remember that obtaining credentials can involve even more sensitive information, such as credit card numbers.

You just learned how to use a tool in Kali, now go practice your acting skills to be convincing. Thank you very much for taking the time to read this guide. I hope you find it useful, easy to read and understand. Feel free to contact me with any questions.

Leave a Reply

Your email address will not be published. Required fields are marked *