The Social-Engineering Toolkit (SET) is a product of TrustedSec. SET is a Python-driven suite of custom tools created by David Kennedy (ReL1K
) and the SET development team, comprising of JR DePre (pr1me
), Joey Furr (j0fer
), and Thomas Werth. For reference visit http://trustedsec.com/.
SET is a menu-driven attack system that mainly concentrates on attacking the human element of security. With a wide variety of attacks available, this toolkit is an absolute must-have for penetration testing.
SET comes preinstalled in Kali Linux. You can simply invoke it through the command line using the command se-toolkit
:
/usr/share/set# ./set
root@Kali:/usr/share/set/# python set
Or, you can choose it through the Applications menu:
Once the user clicks on the SET toolkit, it will open with the options shown in the following screenshot:
Note
Before you can use the software, you must read and accept the BSD license and also pledge that you will not use this tool for any unlawful practice. This agreement covers any future usage as well, and you will not be prompted again after accepting by pressing Y (yes) at the prompt.
In this attack, we will mirror a web page and send that mirror page link to the target. As this is the first attack that takes place, I would suggest you to go through the options available in the different sections of the SET toolkit.
The following screenshot displays the SET toolkit menu:
Select 1) Social-Engineering Attacks to receive a listing of possible attacks that can be performed.
You can select the attacks that you want to perform from a menu that appears as follows:
Option |
Attack |
---|---|
1 |
Spear-Phishing Attack Vectors |
2 |
Website Attack Vectors |
3 |
Infectious Media Generator |
4 |
Create a Payload and Listener |
5 |
Mass Mailer Attack |
6 |
Arduino-Based Attack Vector |
7 |
SMS Spoofing Attack Vector |
8 |
Wireless Access Point Attack Vector |
9 |
Third Party Modules |
99 |
Return back to the main menu |
We will start with the Website Vectors. Enter 2
to move to the next menu. For this example, on the list, we will take a look at the third option, Credential Harvester
Attack Method
. The following is the list of vectors available:
1. Java Applet Attack Method 2. Metasploit Browser Exploit Method 3. Credential Harvester Attack Method 4. Tabnabbing Attack Method 5. Web Jacking Attack Method 6. Multi-Attack Web Method 7. Create or import a CodeSigning Certificate 99. Return to Main Menu
The following menu provides three options. We will be using one of the provided templates for this example:
[TRUNCATED…] 1) Web Templates 2) Site Cloner 3) Custom Import
99) Return to Webattack Menu set:webattack>2
The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the same web application that you were attempting to clone.
The IP address the user needs to enter is the IP address of Kali Linux, which can be found using the following command:
ifconfig –a
For instance, the IP address of my machine comes out as 192.168.30.145
. Enter the URL to clone, for example, http://www.facebook.com, as shown in the following screenshot:
Now we have created a cloned Facebook login page that is listening on port 80
. We can check the source code of the clone of the website that we have created for the phishing attack. It is stored at /usr/share/set/src/program_junk/Web Clone/~Index.html
. The following screenshot shows the content of the index.html
file:
This is the source of the web page the attacker has cloned through the SET toolkit. Navigate to the 127.0.0.1:80
(localhost port 80
) URL in the browser. The phishing page is hosted on your machine's IP address.
The following IP address needs to be sent to the target; this can be sent through an e-mail or can be uploaded on any web hosting site:
Once the user visits the link and enters the username and password, the login credentials are redirected to our Kali Linux server that we have set up as shown in the preceding screenshot.