Phishing Demonstration and Simulation Using a Virtual Machine

Phishing can be understood more clearly through practical demonstration.
In this part, we walk through a step-by-step simulation of a phishing attack in a virtual machine environment. The example shows how an attacker creates a fake login page, delivers a phishing message, and collects the credentials a victim submits. The goal is to increase awareness, not to promote illegal activity.

For the simulation, we use:

  • Kali Linux (attacker VM)

  • Windows 10 (victim VM)

  • Social Engineering Toolkit (SET)

SET is a legitimate penetration testing tool used by cybersecurity professionals to simulate social engineering attacks.


1. Tools and Setup

Attack Machine: Kali Linux

  • Installed on VirtualBox or VMware

  • SET Toolkit pre-installed

  • Internet connection enabled

Victim Machine: Windows 10

  • Browser: Chrome/Edge

  • Email client installed

  • Normal user privileges

The attacker and victim VMs are connected to the same virtual NAT network.


2. Launching the Social Engineering Toolkit (SET)

On the Kali Linux terminal:
sudo setoolkit

SET opens with multiple attack categories.

Choose the following path:

  1. Social-Engineering Attacks

  2. Website Attack Vectors

  3. Credential Harvester Attack Method

  4. Site Cloner

SET then asks for:

SET will clone the site and host the fake login page locally.

3. Hosting the Fake Login Page
SET reports the address on which the cloned page is served and to which submitted credentials are posted, for example:

Your credentials will be sent to: http://192.168.1.15

This address is the phishing page URL that the victim will be lured into opening.

The cloned website looks identical to the real Google login page.


4. Sending the Phishing Email

A phishing email is crafted containing:

Example message:

“Your Google account has been suspended.
Click the link below to verify your identity.”

Attackers often spoof email addresses to make messages appear legitimate.

5. Victim Interaction on Windows VM

On the Windows VM:

  1. Victim receives the phishing email.

  2. Victim clicks the link.

  3. Browser opens the cloned login page (identical in appearance to the Google page).

  4. Victim enters username and password.

  5. SET immediately captures the credentials.

On the attacker screen, credentials appear in real time:

USERNAME: example@gmail.com PASSWORD: victimpassword123

6. Understanding the Attack Mechanism

What happens technically:

  • The cloned page reuses the HTML/CSS of the real Google page, so it looks identical

  • The form fields submit the entered data to the attacker's server in a POST request

  • The fake site does NOT log the user in; the victim simply sees a failed or redirected login

  • Attackers can immediately use the stolen credentials

  • No exploit or password cracking is needed: the human is the weak point

This is why phishing remains so successful.
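As an added example that is not part of the original post, here is a small Python check that applies section 6 from the defender's side: it parses an HTML email body and flags the lure characteristics described above (a link to a bare IP address, a login link served over plain http, and link text that names Google while the href goes elsewhere). The trusted-domain set and the sample message are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand the lure imitates; extend the set for other targets.
TRUSTED_DOMAINS = {"google.com"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(html_body):
    """Return (href, reason) for each suspicious link; an empty list means none."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if IPV4.fullmatch(host):  # cloned page hosted on a bare VM IP, as in this walkthrough
            findings.append((href, "link points at a bare IP address"))
        if url.scheme == "http":  # genuine login pages are served over https
            findings.append((href, "login link uses plain http"))
        if any(d in text.lower() for d in TRUSTED_DOMAINS) and not _trusted(host):
            findings.append((href, f"link text names a trusted domain but goes to {host}"))
    return findings


# Constructed sample lure modelled on the message in this walkthrough.
SAMPLE_EMAIL = ("<p>Your Google account has been suspended. Click the link below "
                "to verify your identity.</p>"
                '<a href="http://192.168.1.15">accounts.google.com</a>')
```

Mail gateways and awareness tools apply the same three checks, among many others, before a message reaches the inbox.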


7. Optional: MITM Phishing (Advanced Demonstration)

Using Evilginx2, which proxies the victim's traffic through to the genuine login site, attackers can:

  • Capture session cookies

  • Bypass 2-factor authentication (SMS codes, app-based codes)

  • Log in without the victim knowing

This is known as man-in-the-middle (or adversary-in-the-middle) phishing, commonly used in high-level attacks. Because the proxy relays the real login flow, it defeats one-time codes but not origin-bound authenticators such as FIDO2/WebAuthn security keys or passkeys, which is why those are recommended as phishing-resistant MFA.


8. Ethical Considerations

This simulation is performed in a controlled environment for educational purposes only.
Conducting phishing attacks outside a test environment is illegal.

The purpose of this demonstration is:

  • Increasing awareness

  • Showing real attacker techniques

  • Helping users identify phishing attempts

  • Training cybersecurity best practices

