Social Engineering Toolkit – Credential Harvester Attack (Port-Forwarding)

Hey everybody, today I’ll be talking about how hackers clone websites to steal passwords, but instead of doing it on your local network, I’m going to show you how you can do it to someone outside your local network.

This method works for any attack in SET.

Port Forwarding The Malicious Server

The first thing you need to do is open a command prompt and type in ipconfig.

Then you need to find the default gateway; this will be the IP address you log in to your router with.


It should always end with 1.

Now you need to type that IP address into the browser and log in. You should get something like this; your router might be different…


If you can’t log in, try the default passwords. Here’s a good website to go to.

Now go back to Kali and run SET (Social Engineering Toolkit) by typing in.


And bang through the steps again, but instead of your local IP address, you need to specify your external IP address.


TIP: The credential harvester runs on port 80, just to let you know.

To get your public / external IP address, go to this website.

Now go back to your router and type in 80 in both Starting Port and Ending Port; also type in your local IP address where it says Server IP Address.


Now use your social engineering skills to convince the person to type in your external IP address. When they have typed it in, the website will appear; tell them to log in and you will harvest their username & password.
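
From the defender's side, what this setup produces on the wire is a login form submitted over plain HTTP to a bare public IP address instead of a hostname. The following is an added example, not part of the original post: a Python check over web proxy log lines that flags exactly that pattern. The log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample proxy log (assumed format: time client method url status).
# External addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:14:02Z 10.0.0.23 GET http://203.0.113.45/ 200
2024-05-01T09:14:31Z 10.0.0.23 POST http://203.0.113.45/ 302
2024-05-01T09:15:10Z 10.0.0.40 POST https://login.example.com/session 200
2024-05-01T09:16:44Z 10.0.0.51 POST http://192.168.1.1/login.cgi 200
2024-05-01T09:17:05Z 10.0.0.23 GET http://example.com/index.html 200
"""

# Destinations treated as internal (router admin pages, intranet apps).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def bare_ip_host(url):
    """Return the URL host as an ip_address if it is an IP literal, else None."""
    host = urlsplit(url).hostname
    try:
        return ipaddress.ip_address(host) if host else None
    except ValueError:
        return None  # host is a DNS name, not an IP literal


def find_suspect_posts(log_text):
    """Return (client, url) for plain-HTTP POSTs sent to an external bare-IP host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _ts, client, method, url, _status = fields
        ip = bare_ip_host(url)
        if ip is None or method != "POST" or urlsplit(url).scheme != "http":
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue  # internal device, not an Internet-facing page
        hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_suspect_posts(SAMPLE_LOG):
        print(f"review: {client} posted form data to {url}")
```

A hit is a lead for review rather than proof of credential theft; the client that made the request is the account whose password should be rotated if the page turns out to be a clone.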


To change the URL

To find your public / external IP Address.

To get a list of default passwords for different routers

Please comment if you have any thoughts or ideas.
