Difference between revisions of "Social Engineering Toolkit"

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search
 
(35 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Summary ==  
== Summary ==  


'''Social Engineering Toolkit (SET)''' is a menu driven system that allows you to control your attacks tailored to the desired target.
'''Social Engineering Toolkit (SET)''' is a free and open-source Toolkit. It is used for Social Engineering attacks, e.g.phishing. This menu driven Toolkit allows you with several submenus to control your attacks tailored to the desired target. It is pre-installed in Kali Linux.
 
 
Run Social Engineering Toolkit with "'''setoolkit'''" and go through our example to get a first overview of this Toolkit.


== Requirements ==
== Requirements ==
Line 9: Line 12:
== Example ==
== Example ==


Below we have an example of how to start the BeEF service, and execute a "'''Google Phishing'''" client-side attack. With this example we'll see how to gather credential information of victim.
Let's see an example of how to execute a "'''Twitter Sign in Phishing Web-Attack'''" using the Social Engineering Toolkit.
For this Phishing Attack we need to go through following submenus as shown below.




[[File:s1.jpg|150px|thumb|Example|left|topmenu]]
[[File:s1.jpg|150px|thumb|Example|left|topmenu]]


=== Start: Run Social Engineering Toolkit and choose desired submenu ===
=== 1st select "'''Social-Engineering Attacks'''" ===


After launching the Social Engineering Toolkit we see the above mentioned menu.
After launching the Social Engineering Toolkit we see the above mentioned menu.
Here we can choose between submenus to specify our attack. Our Example will be about '''Twitter Sign in Phishing''',
Here we can choose between submenus to specify our attack.  
therefore we have to select through several submenus as shown below.
In our case for "'''Twitter Sign in Phishing Web-Attack'''" we have to select "'''Social-Engineering Attacks'''".




Line 32: Line 36:
<br>
<br>


=== Select 2nd submenu ===
=== 2nd select "'''Website Attack Vectors'''" ===


For '''Twitter Sign in Phishing''' Web-Attack we've to choose option 2
For "'''Twitter Sign in Phishing Web-Attack'''" we've to choose option 2




Line 47: Line 51:
[[File:s3.jpg|150px|thumb|Example|left|submenu 3]]
[[File:s3.jpg|150px|thumb|Example|left|submenu 3]]


=== Select 3rd submenu ===
=== 3rd select "'''Credential Harvester Attack Method'''" ===
 
To specify our Attack as a 'Credential Harvester Attack' we've to choose the option 3.
 


At 3rd submenu we've to choose the option 3.




Line 59: Line 65:
[[File:s4.jpg|150px|thumb|Example|left|submenu 4]]
[[File:s4.jpg|150px|thumb|Example|left|submenu 4]]


=== Select 4rd submenu ===
=== 4th select "'''Web Templates'''" ===
 
To allow Social Engineering Toolkit to import a list of pre-defined web applications that it can utilize within the attack we've to select option 1
 


There are hundreds of modules under "'''Commands'''", which include from social engineering to browser hacks.
The desired module can be selected by clicking and executed with the "'''Execute'''" button at the bottom right. I choosed the "'''Google Phishing'''" module under the "'''Social Engineering'''" Folder and clicked to "'''Execute'''".




Line 68: Line 75:
[[File:signin2.jpg|150px|thumb|Example|left|Twitter Phishing]]
[[File:signin2.jpg|150px|thumb|Example|left|Twitter Phishing]]


=== Command execution in the Browser ===
=== 5th Enter the IP address for the POST back in Harvester/Tabnabbing and select finally Twitter Template ===


There are hundreds of modules under "'''Commands'''", which include from social engineering to browser hacks.
For practicing purposes I used the localhost (127.0.0.1), of course in a real attack you would use a corresponding ip address. And then you've to select the Twitter Template (option 3).
The desired module can be selected by clicking and executed with the "'''Execute'''" button at the bottom right. I choosed the "'''Google Phishing'''" module under the "'''Social Engineering'''" Folder and clicked to "'''Execute'''".  
After the Template is selected, the choosen website is being cloned. With the next action a website will appear which is similar to the Twitter Sign in website, the victim is prompt to Sign in.




Line 79: Line 86:
[[File:signin3.jpg|150px|thumb|Example|left|result]]
[[File:signin3.jpg|150px|thumb|Example|left|result]]


=== Result ===
=== Result: Credentials entered from victim are visible for Attacker ===


After executing the "'''Google Phishing'''" module, the victim is asked to "'''Sign in'''". Victims entered credentials are visible under "'''Logs'''".
Victims user credentials are visible. At the same time the victims browser is redirected to the original Twitter Sign in website.





Latest revision as of 02:50, 11 July 2021

Summary

Social Engineering Toolkit (SET) is a free and open-source Toolkit. It is used for Social Engineering attacks, e.g.phishing. This menu driven Toolkit allows you with several submenus to control your attacks tailored to the desired target. It is pre-installed in Kali Linux.


Run Social Engineering Toolkit with "setoolkit" and go through our example to get a first overview of this Toolkit.

Requirements

As part of this guide, I used Kali (Kali GNU/Linux Rolling 5.10.0-kali3-amd64) as the OS, so it was already preinstalled. I installed Kali on a Virtual machine (VMware® Workstation 15 Pro 15.5.5 build-16285975).

Example

Let's see an example of how to execute a "Twitter Sign in Phishing Web-Attack" using the Social Engineering Toolkit. For this Phishing Attack we need to go through following submenus as shown below.


topmenu

1st select "Social-Engineering Attacks"

After launching the Social Engineering Toolkit we see the above mentioned menu. Here we can choose between submenus to specify our attack. In our case for "Twitter Sign in Phishing Web-Attack" we have to select "Social-Engineering Attacks".





submenu 2


2nd select "Website Attack Vectors"

For "Twitter Sign in Phishing Web-Attack" we've to choose option 2






submenu 3

3rd select "Credential Harvester Attack Method"

To specify our Attack as a 'Credential Harvester Attack' we've to choose the option 3.





submenu 4

4th select "Web Templates"

To allow Social Engineering Toolkit to import a list of pre-defined web applications that it can utilize within the attack we've to select option 1



Twitter Phishing

5th Enter the IP address for the POST back in Harvester/Tabnabbing and select finally Twitter Template

For practicing purposes I used the localhost (127.0.0.1), of course in a real attack you would use a corresponding ip address. And then you've to select the Twitter Template (option 3). After the Template is selected, the choosen website is being cloned. With the next action a website will appear which is similar to the Twitter Sign in website, the victim is prompt to Sign in.



result

Result: Credentials entered from victim are visible for Attacker

Victims user credentials are visible. At the same time the victims browser is redirected to the original Twitter Sign in website.




Courses

  • WFP-1

References