Though you can use the Social Engineering Toolkit to clone websites, this way is much more customisable.
For example, you could send the credentials your victim enters to a script that mails you notifying you of new data someone's just entered, or automatically store them in a database.
Let's say we want to be hideously uninventive and steal someone's Facebook email and password when they log in on our fake site.
We could redirect them to our fake Facebook site by using DNS spoofing, an XSS attack, or a variety of other attack vectors.
First we need to clone the official Facebook site. We could go to the site in a browser and save the complete webpage from there, or we could grab it from the command line using wget.
Since we're going to be using some browser Dev Tools in the next step, let's do it from the browser.
Obviously in this case we want the username and password.
Let's use Chrome Dev Tools (or anything similar) to find where in the
page source the HTML login form is.
Let's copy the form destination so we can find it in the HTML page source later:
Let's open up the page source and find that form destination we just copied.
This the place where the login credentials are sent when the Log In button is pressed. Let's change this so that those credentials are sent to us instead. Here I've changed the destination so that the data is sent to malicious.com/handler.php
This is part where we decide what to do with the data when a victim enters their credentials on our fake website.
We could do anything; store the data in a database, create an email alert, even change our MOTD to tell us we've been successful the next time we log in to Kali.
In this case, though, let's simply dump our victim's credentials in a text file.
Let's create a handler called handler.php, and put the following in it:
This will take the credentials from your fake facebook page, strip them of anything that might muck up our shell, then echo them to a text file, data.txt
Hope you enjoyed the tutorial :)