Social Engineering Toolkit Kali Linux instructions

The Social-Engineer Toolkit (SET)

  • Copyright ©️ 2020
  • Written by: David Kennedy (ReL1K) @HackingDave
  • Company: TrustedSec

Description

The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly. SET is a product of TrustedSec, LLC – an information security consulting firm located in Cleveland, Ohio.

DISCLAIMER: This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes, period.
Please read the LICENSE under readme/LICENSE for the licensing of SET.

Supported platforms:

  • Linux
  • Mac OS X (experimental)

Installation

Install via requirements.txt

pip3 install -r requirements.txt
python3 setup.py 

Install SET

  • Mac OS X

Installation

Windows 10 WSL/WSL2 Kali Linux

Kali Linux on Windows 10 is a minimal installation so it doesn’t have any tools installed.
You can easily install Social Engineer Toolkit on WSL/WSL2 without needing pip using the above command.

Linux

git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/
cd setoolkit
pip3 install -r requirements.txt
python setup.py

SET Tutorial

For a full document on how to use SET, visit the SET user manual.

Bugs and enhancements

For bug reports or enhancements, please open an issue here.

Social Engineering Toolkit is a free and open-source tool used for social engineering attacks such as phishing, faking phone numbers, sending SMS, etc. It is available in Kali Linux, or you can download and install it directly from GitHub. The Social Engineering Toolkit was designed and developed by a programmer named Dave Kennedy. Security researchers and penetration testers all around the globe use this tool to check for cybersecurity flaws in systems. The toolkit is aimed at performing attack techniques on their machines. It also offers website attack vectors and custom attack vectors, with which you can clone any website and perform phishing attacks. Some of the features of the Social Engineering Toolkit are given below.

Features of Social Engineering toolkit:

  • SET is free and Open Source
  • SET is already installed in your Kali Linux however you can also download and install it from Github.
  • SET is portable, which means you can easily change attack vectors.
  • SET is a Multi-platform tool: It can run on Linux, Unix, and Windows.
  • SET Supports integration with third-party modules.
  • SET Includes access to the Fast-Track Penetration Testing platform
  • SET provides many attack vectors such as Spear-Phishing Attacks, Website Attacks, Infection Media Generator etc.

Uses of Social Engineering Toolkit:

  • Phishing Attacks: Social Engineering Toolkit allows you to perform phishing attacks on your victim. Using SET you can create phishing pages of many websites such as Instagram, Facebook, Google, etc. SET generates a link for the option you have chosen, and you can then send that URL to the victim. Once the victim opens that URL, he/she sees what looks like a legitimate webpage of a real website but is actually a phishing page. Once he/she enters an ID and password, you get that ID and password on your terminal screen. This is how a phishing attack using SET works.
  • Web Attack: Web Attack is a module in SET that combines different options for attacking the victim remotely. Using this module you can create a payload and deliver it to the victim’s browser using a Metasploit browser exploit. Web Attack has a Credential Harvester method, with which you can clone any website for a phishing attack and send the link of that webpage to the victim to harvest the information from the user and password fields.
  • Create a Payload and Listener: When you first run the Social Engineering Toolkit, you will see the 4th option, which is to create a payload and listener. Using that module of SET you’ll be able to create malicious payloads for Windows, including Shell Reverse_TCP, Reverse_TCP Meterpreter, Shell Reverse_TCP X64, and Meterpreter Reverse HTTPS. You can use these payloads in the same way you use payloads from metasploitable.
  • Mass Mailer Attack: Mass Mailer Attack is a module in the Social Engineering Toolkit that is used for bombarding a target mail account with emails. For that you can use your own Gmail account, or you can use your own server.

These were some of the attack vectors that you can perform using Social Engineering Toolkit. When you run SET you will find it fun, because using SET is very easy. Now we will see how you can install Social Engineering Toolkit and how you can use it for a phishing attack.

Installation of Social Engineering Toolkit:

Step 1: Open your Kali Linux Terminal and move to Desktop 

cd Desktop 

Step 2: You are now on the Desktop, so create a new directory named SEToolkit using the following command.

mkdir SEToolkit

Step 3: You are in the Desktop directory and have created the SEToolkit directory, so move into the SEToolkit directory using the following command.

cd SEToolkit

Step 4: Now you are in the SEToolkit directory. Here you have to clone SEToolkit from GitHub so you can use it.

git clone https://github.com/trustedsec/social-engineer-toolkit setoolkit/

Step 5: Social Engineering Toolkit has been downloaded into your directory. Now move into the internal directory of the Social Engineering Toolkit using the following command.

cd setoolkit

Step 6: Congratulations, you have finally downloaded the Social Engineering Toolkit into your directory SEToolkit. Now it’s time to install the requirements using the following command.

pip3 install -r requirements.txt

Step 7: All the requirements have been downloaded in your setoolkit. Now it’s time to install the requirements that you have downloaded.

python setup.py

Step 8: All the installation steps have now been completed. It’s time to run the Social Engineering Toolkit. To run SEToolkit, type the following command.

setoolkit

Step 9: At this step, setoolkit will ask you (y) or (n). Type y and your social engineering toolkit will start running.

y

Step 10: Now that setoolkit has been downloaded onto your system, it’s time to use it. Choose an option from the following options. Here we are choosing option 2.

Website Attack Vectors:

option : 2

Step 11: We are about to set up a phishing page, so here we will choose option 3, the credential harvester attack method.

Option : 3

Step 12: Since we are creating a phishing page, here we will choose option 1, web templates.

option 1

Step 13: At this time the social engineering tool will generate a phishing page at our localhost.

Step 14: To create a Google phishing page, choose option 2; a phishing page will then be generated on your localhost.

Step 15: Social Engineering Toolkit is creating a phishing page of Google.

As you can see, setoolkit created a phishing page of Google on our localhost, that is, on our IP address. This is how the Social Engineering Toolkit works: the phishing page is created by the toolkit, and once the victim types an ID and password into the fields, they are shown on the terminal where SET is running.
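
A defender-side check for the kind of page this walkthrough produces, as an added example that is not part of the original article or of SET: it flags a password form served without TLS, from a bare IP address, or under a brand title that does not match the host. The brand-to-domain map and the sample markup are constructed for illustration; 192.168.43.99 is the lab address that appears further down this page.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: brands to watch and the domains they really sign in on.
BRAND_DOMAINS = {"google": ("google.com",), "facebook": ("facebook.com",)}


class LoginFormScanner(HTMLParser):
    """Collects the <title> text and notes any password input."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.has_password_field = False
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_ip_literal(host):
    """True when the host part of the URL is an IPv4/IPv6 address, not a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def assess_login_page(url, html):
    """Return the reasons a fetched page looks like a cloned login page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    scan = LoginFormScanner()
    scan.feed(html)
    if not scan.has_password_field:
        return []  # nothing asks for credentials, nothing to flag
    reasons = []
    if parts.scheme != "https":
        reasons.append("no-tls")
    if is_ip_literal(host):
        reasons.append("ip-literal-host")
    title = scan.title.lower()
    for brand, domains in BRAND_DOMAINS.items():
        on_brand = any(host == d or host.endswith("." + d) for d in domains)
        if brand in title and not on_brand:
            reasons.append("brand-mismatch:" + brand)
    return reasons


# Constructed sample: sign-in markup of the kind a cloned page would carry.
SAMPLE_HTML = """<html><head><title>Sign in - Google Accounts</title></head>
<body><form method="post"><input type="email" name="Email">
<input type="password" name="Passwd"><input type="submit" value="Sign in">
</form></body></html>"""

if __name__ == "__main__":
    # Same markup, once on a lab IP over HTTP and once on the brand's own host.
    for url in ("http://192.168.43.99/", "https://accounts.google.com/signin"):
        print(url, assess_login_page(url, SAMPLE_HTML))
```

In practice the HTML would come from a sandboxed fetch of a URL reported by a user or pulled from mail-gateway or proxy logs.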

Last Updated :
05 Oct, 2021

The Social Engineering Toolkit (SET) is a software program for the Kali Linux operating system. SET is a powerful tool for conducting various social engineering attacks, including phishing and spear-phishing.

Multiple attack vectors: SET provides a variety of attack vectors, including email, SMS, USB, and more.

Easy customization: SET makes it easy to customize the attack payloads to suit the target environment and objectives.

Automated attack workflows: SET automates the entire attack workflow, from payload creation to delivery, making it easy for non-technical users to carry out social engineering attacks.

Built-in reporting: SET provides detailed reporting on the success and failure of the attack, allowing users to evaluate the effectiveness of their social engineering campaigns.

Let’s see some of the options of SET in action.

Creating a payload using Social Engineering Tool Kit in Kali Linux and exploiting it

  • Under “Social Engineering attacks” select “Create a Payload and Listener.”
  • Select “Windows Reverse_TCP Meterpreter”
  • Enter LHOST and LPORT.
  • A payload exe file will be saved: /root/.set/payload.exe

After the above steps, msfconsole will be launched automatically with all the payloads set.

  • Send the payload to the victim using any phishing technique. When the victim executes the payload file, the attacker immediately receives a reverse shell to the victim’s machine.

Generating a QR Code Using Social Engineering Tool Kit

  • We can see our QRCode generated.

  • Scanning this QR will take the user to the evil website.

Now using any email-sending technique from the same toolkit, send the QRCode. I’ll use the Mass Mailer option from the menu for this demo.

Select Mass Mailer and enter the required details, as shown in the image below.

After the body is entered, it will automatically send the email to the victim.

Performing basic Pen-testing using Social Engineering Tool Kit.

  • Target Host – rexxxxd.ac.in
  • Our target URL uses WordPress for managing its content.
  • MySQL and Redis databases are being used at the backend.
  • Operating Systems: Ubuntu.

Furthermore, it uses various JavaScript libraries and Apache Webserver.

  • Our target seems to use shared web hosting owned by TataTeleServices.

The above image gives us more detail about our target, like the IP address and the target’s location.

There are two open ports and details of the same, including SSL certificates of the website. 

  • The target has 40+ vulnerabilities. Details of these and the CVEs assigned to them are available, and using them the target can be exploited.

Step-by-step process of getting ID and Password

  • Select Website Attack Vectors from the SET options.
  • Select Credential Harvester Attack Method -> Web Templates -> Press Enter -> Select Google.
  • The IP address shown above is hosting the fake Google sign-in page. An attacker can now change the IP address into a URL using any online tool and trick the victim into opening it.
  • Whatever details the victim enters will appear on the attacker’s terminal.
  • After clicking on “Sign In” the victim is automatically redirected to a new tab, but has already given up the credentials. The URL will work until the attacker closes the terminal.

Creating a cloner for the below website

  • Under “Social Engineering attacks,” select “Website Attack Vectors.”
  • Select Credential Harvester Attack Method -> Site Cloner -> Press Enter -> Enter URL to clone.
  • Open the IP in the browser, and it will open as Amazon. An attacker can change the IP into a convincing IP.
  • Now the attacker can monitor the victim’s activity sitting remotely.

SET automates the entire attack workflow, making it easy for non-technical users to carry out social engineering attacks. However, it is important to use SET ethically and only for authorized penetration testing or other legitimate purposes and to comply with all relevant laws and regulations.

Note: The content provided is for education and information purposes only.

Hello, dear friends.

SET was created and written by David Kennedy (@ReL1K), founder of TrustedSec, and it is maintained by an active group of contributors (www.social-engineer.org). It is an open-source, Python-based framework designed specifically to facilitate social engineering attacks.

The tool was developed with the goal of achieving security through education. A significant advantage of SET is its integration with the Metasploit Framework, which provides the payloads needed for exploitation, the encryption used to bypass antivirus software, and the listener module that connects to the compromised system when it sends a shell back to the attacker.

To open SET in the Kali distribution, go to Applications | Social Engineering Tools | social engineering toolkit, or enter sudo setoolkit at the command line. You will be presented with the main menu, as shown in the figure below:

Startup screen on SET

If you select 1) Social-Engineering Attacks, you will be presented with the following submenu, as shown in the figure below:

Social engineering attack main menu

The attack menu options are as follows:

1. Spear-Phishing Attack Vectors: this module allows an attacker to create email messages and templates and send them to targeted victims with exploits attached.

2. Website Attack Vectors: one of the comprehensive modes, which allows attackers to use several submodules to carry out various web attacks; we will look at some of the modules in upcoming sections.

3. Infectious Media Generator: creates an autorun.inf file and a Metasploit payload. Once burned or copied to a USB device or physical media (CD or DVD) and inserted into the target system, it will trigger autorun (if autorun is enabled) and compromise the system.

4. Create a Payload and Listener: this module is a quick method of creating a Metasploit payload. The attacker must use a separate social engineering attack to convince the target to run it.

5. Mass Mailer Attack: makes it possible to send mass emails using Sendmail and to spoof the sender’s address and identity.

6. Arduino-Based Attack Vector: programs Arduino-based devices such as the Teensy (https://www.pjrc.com/teensy/). Because these devices register as a USB keyboard when connected to a physical Windows system, they can bypass security based on disabling autorun or other endpoint protection.

7. Wireless Access Point Attack Vector: this creates a fake wireless access point and DHCP server on the attacker’s system and redirects all DNS queries to the attacker. The attacker can then launch various attacks, such as a Java applet attack or a credential harvester attack.

8. QRCode Generator Attack Vector: creates a QR code with a specified URL associated with the attack.

9. PowerShell Attack Vectors: this allows the attacker to create attacks that rely on PowerShell, a command-line shell and scripting language available in Windows versions from Vista onward.

10. Third-Party Modules: this allows the attacker to use the Remote Administration Tool Tommy Edition (RATTE) and the Google Analytics attack by Zonksec. RATTE is part of the Java applet attack; it is a text-menu-driven remote access tool that can operate as a standalone payload.

SET also provides a menu item for fast-track penetration testing, which gives quick access to some specialized tools supporting brute-force identification and SQL database password cracking, as well as some custom Python-based exploits, SCCM attack vectors, Dell computer DRAC/chassis exploitation, user enumeration, and PsExec PowerShell injection. The menu also provides options for updating SET and updating the configuration. However, these additional options should be avoided, as they are not fully supported by Kali and may cause dependency conflicts.

That is all. Have a good day, everyone!

Humans are the best resource and end-point of security vulnerabilities ever. Social engineering is a kind of attack that targets human behavior by manipulating and playing with people’s trust, with the aim of gaining confidential information such as banking accounts, social media, email, or even access to the target computer. No system is safe, because systems are made by humans. The most common attack vector using social engineering is phishing spread through email spamming. It targets a victim who has a financial account, such as banking or credit card information.

Social engineering attacks do not break into a system directly; instead they use human social interaction, and the attacker deals with the victim directly.

Do you remember Kevin Mitnick? The social engineering legend of the old era. In most of his attack methods, he used to trick victims into believing that he held system authority. You might have seen his Social Engineering Attack demo video on YouTube. Look at it!

In this post I am going to show you a simple scenario of how to carry out a social engineering attack in daily life. It is easy; just follow the tutorial carefully. I will explain the scenario clearly.

Social Engineering Attack to gain email access

Goal: Gaining email credential account information

Attacker: Me

Target: My friend. (Really? yes)

Device: Computer or laptop running Kali Linux. And my mobile phone!

Environment: Office (at work)

Tool: Social Engineering Toolkit (SET)

So, based on the scenario above, you can imagine that we don’t even need the victim’s device; I used my laptop and my phone. I only need his head and trust, and stupidity too! Because, you know, human stupidity cannot be patched, seriously!

In this case we are first going to set up a phishing Gmail account login page on my Kali Linux machine, and use my phone as the trigger device. Why did I use my phone? I will explain below.

Fortunately we are not going to install any tools: our Kali Linux machine has SET (Social Engineering Toolkit) pre-installed, and that’s all we need. Oh yeah, if you don’t know what SET is, I will give you the background on this toolkit.

Social Engineering Toolkit is designed to perform human-side penetration tests. SET (for short) is developed by the founder of TrustedSec (https://www.trustedsec.com/social-engineer-toolkit-set/); it is written in Python, and it is open source.

Alright, that was enough; let’s do the practice. Before we conduct the social engineering attack, we need to set up our phishing page first. Here I am sitting at my desk; my computer (running Kali Linux) is connected to the internet on the same Wi-Fi network as my mobile phone (I am using Android).

STEP 1. SET UP PHISHING PAGE

Setoolkit uses a command-line interface, so don’t expect ‘clicky-clicky’ things here. Open up a terminal and type:

You will see the welcome page at the top and the attack options at the bottom; you should see something like this.

Yes, of course, we are going to perform Social Engineering Attacks, so choose number 1 and hit ENTER.

You will then be shown the next options; choose number 2, Website Attack Vectors. Hit ENTER.

Next, we choose number 3. Credential Harvester Attack Method. Hit Enter.

Further options are narrower. SET has pre-formatted phishing pages of popular websites, such as Google, Yahoo, Twitter and Facebook. Now choose number 1, Web Templates.

Because my Kali Linux PC and my mobile phone were on the same Wi-Fi network, just input the attacker’s (my PC’s) local IP address and hit ENTER.

PS: To check your device IP address, type: ‘ifconfig’

Alright, so far we have set our method and the listener IP address. This menu lists the pre-defined web phishing templates I mentioned above. Because we are aiming at the Google account page, we choose number 2, Google. Hit ENTER.

Now SET starts my Kali Linux web server on port 80, with the fake Google account login page. Our setup is done. Now I am ready to walk into my friend’s room to log in to this phishing page using my mobile phone.

STEP 2. HUNTING VICTIMS

Why am I using a mobile phone (Android)? Let’s see how the page is displayed in my built-in Android browser. I access my Kali Linux web server at 192.168.43.99 in the browser, and here is the page:

See? It looks so real; there are no security issues displayed on it. The URL bar shows the title instead of the URL itself. We know the stupid will recognize this as the original Google page.

So I bring my mobile phone, walk over to my friend, and talk to him as if I had failed to log in to Google, acting as if I am wondering whether Google has crashed or errored. I give him my phone and ask him to try to log in using his account. He doesn’t believe my words and immediately begins typing in his account information as if nothing bad will happen here. Haha.

He has typed in all the required fields and lets me click the Sign in button. I click the button… Now it is loading… And then we get the Google search engine main page like this.

PS: Once the victim clicks the Sign in button, it will send the authentication information to our listener machine, and it is logged.

Nothing is happening, I tell him; the Sign In button is still there, so you failed to log in. Then I open the phishing page again, while another friend of this stupid comes over to us. Nah, we got another victim.

I cut the talk short, go back to my desk, and check the log of my SET. And here we got,

Goccha… I pwnd you!!!

In conclusion

I am not good at storytelling (that’s the point). To sum up the attack so far, the steps are:

  • Open ‘setoolkit’
  • Choose 1) Social Engineering Attacks
  • Choose 2) Website Attack Vectors
  • Choose 3) Credential Harvester Attack Method
  • Choose 1) Web Templates
  • Input the IP address
  • Choose Google
  • Happy hunting ^_^

About the author

Penetration Tester with Kali Linux. Reach me on Facebook https://www.facebook.com/xbimando
