The Social Engineering Toolkit (SET) was created by David Kennedy [ReL1K] and the SET development team of JR DePre [pr1me], Joey Furr [j0fer], and Thomas Werth. With a wide variety of attacks available, this toolkit is an absolute must-have for anyone who is serious about performing penetration testing. We will only provide a brief introduction to SET here. It is simple to use, and the SET development team has created excellent documentation that is freely available at http://www.social-engineer.org/framework/se-tools/computer-based/social-engineer-toolkit-set/.
SET comes preinstalled on Kali and can be invoked at the command line using:
# setoolkit
An example of the main menu of SET is shown in the following image:
As the image shows, there are quite a large number of options, and it is beyond the scope of this book to cover them all; however, you are encouraged to explore the tool and gain as much experience as you can.
Select Social-Engineering Attacks from the main menu to receive a listing of possible attacks that can be performed:
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) Third Party Modules
99) Return back to the main menu.
We will start with the Website Attack Vectors. Enter 2 to move to the next menu. For this example, we will take a look at the first option on the list:
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Man Left in the Middle Attack Method
6) Web Jacking Attack Method
7) Multi-Attack Web Method
8) Victim Web Profiler
9) Create or import a CodeSigning Certificate
99) Return to Main Menu
The following menu provides three options. We will be using one of the provided templates for this example:
[TRUNCATED…]
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack>1
Answer no to the prompt about NAT/Port Forwarding. Enter the IP address of your Kali machine for the reverse connection. In the next prompt, you have three choices for the certificate; enter option 2. An example of this is shown in the following image:
At the next menu, select option 1, Java Required, as your template:
1. Java Required
2. Gmail
3. Google
4. Facebook
5. Twitter
set:webattack> Select a template:1
When asked which payload you want to use, review the options carefully and select option 3, which is the SE Interactive Shell for SET. An example of this menu is shown in the following image:
If Apache is not running on the Kali machine, you will get an error message notifying you of that; following this, SET will attempt to start the server. An example of this is shown in the following image:
Select the default listener port at 443 and press Enter to continue. That's it! All you have to do now is wait for someone to connect to your web server. If you have an available Windows machine, browse to the site and you will see the following website: