Philip Kozman

setoolkit credential harvester doesn't detect credentials over internet

Discussion created by Philip Kozman on May 18, 2017

When I use the credential harvester site cloner in SEToolKit over a LAN connection (for cloning Facebook in this case), it works smoothly and the credentials I enter on the supposed victim's device appear and all. However, when I do the exact same thing over the internet on port 80 (by entering the external IP address in the victim's browser), it still opens the phishing page on the victim's device and the device's info instantly appears to me on the terminal, but when I enter the credentials on the page from the victim they are not detected whatsoever, and I don't understand what the things that appear actually are. I have tried many times; like I stated, over LAN everything works, but over the internet the page displays fine and the host is detected, yet credentials and possibly other info just don't display.

 

Also, after I enter the credentials in the page over LAN and press the login button, it redirects to 192.168.1.6/login.php?login_attempt=1&lwv=100 (192.168.1.6 is my internal IP, by the way), which instantly redirects to the real facebook.com login page. However, after I log in on the page over the internet, it redirects to the very same address, 192.168.1.6/login.php?login_attempt=1&lwv=100, which naturally doesn't redirect me to the actual facebook.com login page (as I am on another network and the internal IP won't do any good because it doesn't exist on the network). So does this mean that the cloned page is only made for LAN connections? It directs me to the internal IP of the network even when I am logging in from another. If anyone can help me with the tool not detecting credentials over the internet as it does over LAN, and can also tell me why it just redirects to the internal IP after I press login, I'd be very grateful.

 

The following output is when this is performed over LAN:

 

 

192.168.1.5 - - [18/May/2017 18:55:43] "GET / HTTP/1.1" 200 -

[*] WE GOT A HIT! Printing the output:

PARAM: __a=1

PARAM: __af=iw

PARAM: __be=-1

PARAM: __dyn=7AzHK4GgN1t2u6XolwCwRAKGzEy4S-C11xG3Kq2i5U4e2O2K48jyRyUcWwADKaxeUW2y7E4iu m2S4oW5ob8uz8bo5S9ADwHx61Bxqq2l0WDxW267E560FopCK598qxmeyo-1vzU9oK

PARAM: __pc=PHASED:DEFAULT

PARAM: __req=1

PARAM: __rev=3029867

POSSIBLE USERNAME FIELD FOUND: __user=0

PARAM: lsd=AVr1MzsK

PARAM: ph=C3

POSSIBLE USERNAME FIELD FOUND: q=[{"user":"0","page_id":"ns4658","posts":[["script_path_change",{"source_path" :null,"source_token":null,"dest_path":"/login.php","dest_token":"ad976420","impr ession_id":"e216ca0e","cause":"load","referrer":""},1495126549045,0],["scuba_sam ple",{"int":{"clientWidth":980,"clientHeight":1408},"normal":{"view":"tiny"},"_d s":"www_tinyview_port","_options":{"addBrowserFields":true}},1495126549699,0],[" time_spent_bit_array",{"tos_id":"ns4658","start_time":1495126549,"tos_array":[41 3,0],"tos_len":9,"tos_seq":0,"tos_cum":6},1495126557468,0],["ods:ms.time_spent.q a.www",{"time_spent.bits.js_initialized":[1]},1495126557475,0]],"trigger":"ods:m s.time_spent.qa.www","send_method":"ajax"}]

PARAM: ts=1495126557539

[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

 

 

[*] WE GOT A HIT! Printing the output:

POSSIBLE USERNAME FIELD FOUND: __user=0

PARAM: __a=1

PARAM: __dyn=7AzHK4GgN1t2u6XolwCwRAKGzEy4S-C11xG3Kq2i5U4e2O2K48jyRyUcWwADKaxeUW2y7E4iu m2S4oW5ob8uz8bo5S9ADwHx61Bxqq2l0WDxW267E560FopCK598qxmeyo-1vzU9oK

PARAM: __af=iw

PARAM: __req=2

PARAM: __be=-1

PARAM: __pc=PHASED:DEFAULT

PARAM: __rev=3029867

PARAM: lsd=AVr1MzsK

[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

 

 

[*] WE GOT A HIT! Printing the output:

PARAM: lsd=AVr1MzsK

PARAM: display=

PARAM: enable_profile_selector=

PARAM: isprivate=

PARAM: legacy_return=0

PARAM: profile_selector_ids=

PARAM: return_session=

POSSIBLE USERNAME FIELD FOUND: skip_api_login=

PARAM: signed_next=

PARAM: trynum=1

PARAM: timezone=-120

PARAM: lgndim=eyJ3IjozMjAsImgiOjUzNCwiYXciOjMyMCwiYWgiOjUzNCwiYyI6MjR9

PARAM: lgnrnd=095529__eXt

PARAM: lgnjs=1495126549

POSSIBLE USERNAME FIELD FOUND: email=theusernameityped

POSSIBLE PASSWORD FIELD FOUND: pass=thepasswordityped

[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

The following output is when this is performed over the internet:

 

 

156.194.137.176 - - [18/May/2017 19:00:30] "GET / HTTP/1.1" 200 -

[*] WE GOT A HIT! Printing the output:

PARAM: __a=1

PARAM: __af=iw

PARAM: __be=-1

PARAM: __dyn=7AzHK4GgN1t2u6XolwCwRAKGzEy4S-C11xG3Kq2i5U4e2O2K48jyRyUcWwADKaxeUW2y7E4iu m2S4oW5ob8uz8bo5S9ADwHx61Bxqq2l0WDxW267E560FopCK598qxmeyo-1vzU9oK

PARAM: __pc=PHASED:DEFAULT

PARAM: __req=1

PARAM: __rev=3029867

POSSIBLE USERNAME FIELD FOUND: __user=0

PARAM: lsd=AVr1MzsK

PARAM: ph=C3

POSSIBLE USERNAME FIELD FOUND: q=[{"user":"0","page_id":"azmban","posts":[["script_path_change",{"source_path" :null,"source_token":null,"dest_path":"/login.php","dest_token":"ad976420","impr ession_id":"e216ca0e","cause":"load","referrer":""},1495126853077,0],["scuba_sam ple",{"int":{"clientWidth":980,"clientHeight":1408},"normal":{"view":"tiny"},"_d s":"www_tinyview_port","_options":{"addBrowserFields":true}},1495126853728,0],[" time_spent_bit_array",{"tos_id":"azmban","start_time":1495126853,"tos_array":[44 9,0],"tos_len":9,"tos_seq":0,"tos_cum":4},1495126861513,0],["ods:ms.time_spent.q a.www",{"time_spent.bits.js_initialized":[1]},1495126861519,0]],"trigger":"ods:m s.time_spent.qa.www","send_method":"ajax"}]

PARAM: ts=1495126861811

[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

 

Sorry if I did anything wrong, I am new here.
