The Social Engineer Toolkit | Kali Linux

TrustedSec’s Social-Engineer Toolkit (SET), an open source Python-driven tool, is designed to help you perform social-engineering attacks during pentests. SET will help you create a variety of attacks such as email phishing campaigns (designed to steal credentials, financial information, and so on using specially targeted email) and web-based attacks (such as cloning a client website and tricking users into entering their login credentials).

SET comes preinstalled in Kali Linux. To start SET in Kali Linux, enter setoolkit at a prompt, as shown in Listing 11-1. We'll use SET to run social-engineering attacks, so enter 1 at the prompt to move to the Social-Engineering Attacks menu. You will be prompted to accept the terms of service.

[Screenshots: launching setoolkit, agreeing to the terms of service, and the SET main menu]

The Social Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing using social engineering. SET is an extremely popular tool used by security professionals to test an organization's security posture. Real-life attackers use SET to craft active and malicious attacks. It is the tool of choice for the most common social engineering attacks. To launch SET, navigate in the menu bar to Exploitation Tools | Social Engineering Tools, and select se-toolkit. The first time you launch SET on Kali, SET will display the SET distribution updates directly from GitHub. You will be presented with the option of receiving updates automatically. Select yes to receive automatic updates.

SET will ask you to verify that git is installed. Kali comes with git preloaded; however, best practice is to follow the steps in Chapter 1, Penetration Testing and Setup, to update Kali. Updates will include a version of git required for SET to work. Kali 1.0 doesn't include the .git directory. To update, follow these steps:

  1. Open a terminal and change to the /usr/share directory: cd /usr/share
  2. Back up the old set directory: mv set backup.set
  3. Re-download SET from GitHub: git clone https://github.com/trustedsec/social-engineer-toolkit/ set/
  4. Salvage the old config file to avoid having to set the MSF path again: cp backup.set/config/set_config set/config/set_config
  5. Verify that SET works by running se-toolkit.

Using SET to clone and attack

Now that you understand some of the basic dynamics of how SET works, let's compromise a client machine using a website they might trust. Although we can use any website, we recommend something simple. Here is an example of cloning a corporate SharePoint site with the intention of exploiting the victim by loading a Meterpreter. In reality, it can be any website you want to compromise. We chose a SharePoint site because, as a penetration tester, you will most likely want to use a target that will achieve your goal. Attackers with nefarious purposes may instead clone a public website.

The next step is launching SET by going to Exploitation Tools | Social Engineering Toolkit | se-toolkit. Once you accept all the licenses and terms of service, you will see the main screen for SET.

It is recommended to select the 5) Update the Social-Engineer Toolkit option prior to using SET. Once updated, select option 1) Social-Engineering Attacks. The next screenshot shows the different attack vectors available under Social-Engineering Attacks in SET. The spear-phishing option is a popular attack offering the ability to embed attacks into e-mails and PDFs. The spear-phishing attack sends the attack files to the victim through a spoofed e-mail sent directly from SET.

For this example, we will select Website Attack Vectors, because we previously cloned a website for a website-based attack. Next, we need to determine how to deliver the payload. There are several options available. Choose the Java Applet Attack, which is normally option 1.

SET will ask if you would like to use an existing template that comes with SET, or if you would like to clone a website. The default templates are not good, and it is recommended to clone a website such as the SharePoint example previously provided. On the next screen, SET will present several options on how the user can copy the website. In this example, we will use the site-cloner option. Select site-cloner, and SET will ask a series of questions. These questions will walk you through cloning a website and having it run from Kali. Site-Cloner will request the following:

• NAT/Port forwarding: This option tends to confuse people. SET is asking whether the victims will connect to your machine using the IP address configured on your Kali server, or whether they will connect to a different IP address (such as a NAT address). This really comes into play when you are attacking people outside your network or on the Internet. Select yes if you are attacking victims outside your network. Type no if you are attacking victims on the same network, such as an internal lab.

• IP address/hostname for reverse connection: When SET delivers its payload to the victim, SET needs to tell the victim how to connect back to Kali. In a lab environment, you can type in the IP address of your Kali server.

• URL you want to clone: This is the website you are copying.

• Exploit to deliver: SET will use the Metasploit framework to deliver the exploit. The most popular option is the Windows Reverse_TCP Meterpreter. The Windows Reverse_TCP Meterpreter works by having a victim run an executable that establishes an open port for an attacker to connect back through to gain full shell access to the victim's PC. The following screenshot shows the payloads available. The Windows Reverse_TCP Meterpreter is the second option listed.

SET will ask you to select the type of anti-virus obfuscation technique you would like to use. SET displays a rating next to each technique. Select a highly-rated option, unless you want a specific one. The following screenshot shows the available options. We will go with option 16, because it has the best ranking.

SET will ask which listener port should be used. In most cases, stick with the default ports. After the last question is answered, SET will bring up the cloned website. The new cloned website can be used as a means to compromise targets. You need to trick users into accessing the cloned website using an Internet browser. The user accessing the cloned website will get a Java pop-up, which, if run, will provide a Reverse_TCP Meterpreter to your Kali server. The attacker can then start a Meterpreter session and have full admin privileges on the device accessing the cloned website.
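The cloned page described above has a recognisable shape from the defender's side: it is served from the attacker's host, but its stylesheets and scripts still point at the genuine site, and it pushes a Java applet or a credential form. The following Python script is an added example (not part of the original page and not SET's own code) that a blue team could run over pages fetched by a proxy or a URL sandbox to flag those two signals. The sample HTML, the hostnames sharepoint.example.com and 10.0.0.5, and the applet file names are constructed for illustration; the heuristic is general and also covers cloned login pages that carry no applet at all.

```python
"""Flag HTML that looks like a cloned login page or carries a Java applet.

Added example for defenders: the two indicators checked here are
(1) absolute resource references to a host other than the one serving
the page, and (2) applet/object/embed tags that load Java or a
password field, i.e. the page asks the browser to run or hand over
something while its assets still belong to some other site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# MIME types browsers historically used for the Java plugin.
JAVA_MIME_PREFIXES = ("application/x-java",)


class CloneSignalParser(HTMLParser):
    """Collect resource hosts, Java plugin tags and password inputs."""

    def __init__(self):
        super().__init__()
        self.resource_hosts = {}      # hostname -> number of absolute references
        self.java_tags = []           # applet/object/embed tags that load Java
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "applet":
            self.java_tags.append(tag)
        elif tag in ("object", "embed"):
            mime = attrs.get("type", "").lower()
            classid = attrs.get("classid", "").lower()
            if mime.startswith(JAVA_MIME_PREFIXES) or "java" in classid:
                self.java_tags.append(tag)
        elif tag == "input" and attrs.get("type", "").lower() == "password":
            self.has_password_field = True
        # Count every absolute URL (relative ones have no hostname).
        for key in ("href", "src", "action"):
            host = urlparse(attrs.get(key, "")).hostname
            if host:
                self.resource_hosts[host] = self.resource_hosts.get(host, 0) + 1


def analyze_page(html, served_host):
    """Return the clone indicators found in `html` served from `served_host`."""
    parser = CloneSignalParser()
    parser.feed(html)
    parser.close()
    off_origin = {h: n for h, n in parser.resource_hosts.items() if h != served_host}
    findings = {
        "java_plugin_tags": parser.java_tags,
        "off_origin_hosts": off_origin,
        "credential_form": parser.has_password_field,
    }
    # Clone signature: the page asks for credentials or pushes a Java applet
    # while its resources still point at a different site.
    findings["suspicious"] = bool(off_origin) and (
        bool(parser.java_tags) or parser.has_password_field
    )
    return findings


# Constructed sample: a copied SharePoint-style login page served from an
# attacker host, with assets still referencing the real site and an applet.
SAMPLE_CLONED_PAGE = """<html><head>
<link rel="stylesheet" href="https://sharepoint.example.com/_layouts/15/styles.css">
<script src="https://sharepoint.example.com/_layouts/15/init.js"></script>
</head><body>
<applet code="Launcher.class" archive="launcher.jar" width="1" height="1"></applet>
<form method="post" action="http://10.0.0.5/index.html">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
</body></html>"""

# Constructed sample: the genuine page, served from its own host.
SAMPLE_LEGIT_PAGE = """<html><head>
<link rel="stylesheet" href="https://sharepoint.example.com/_layouts/15/styles.css">
</head><body>
<form method="post" action="https://sharepoint.example.com/_login">
  <input type="password" name="pass">
</form>
</body></html>"""


if __name__ == "__main__":
    print(analyze_page(SAMPLE_CLONED_PAGE, "10.0.0.5"))
    print(analyze_page(SAMPLE_LEGIT_PAGE, "sharepoint.example.com"))
```

Pass `served_host` as the hostname the client actually connected to (from the proxy log or the URL the user clicked), not anything taken from the page body; a cloned page will happily claim to be the real site in its own markup. The heuristic will also fire on legitimate sites that host every asset on a CDN and collect passwords, so treat a hit as a triage signal rather than a verdict.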
