Phishing With Social Engineering Toolkit (SET)
Disclaimer!!!
This demonstration utilizes the Social Engineering Toolkit (SET) tool for educational purposes only. The intention is to raise awareness about the techniques employed by malicious actors to perpetrate phishing attacks and to educate participants on how to recognize and mitigate such threats.
Participants are advised that any attempts to replicate the techniques demonstrated outside of controlled environments, without explicit authorization, may violate ethical guidelines and legal statutes. The information provided is intended solely for ethical hacking and cybersecurity education and must not be used for any malicious or unlawful activities.
First, What is Social Engineering?
Social engineering involves the manipulation of individuals to extract confidential information. The targeted data sought by these malevolent actors can vary, but typically includes passwords, bank details, or unauthorized access to computers for the covert installation of malicious software. This enables them to acquire sensitive information and gain control over the victim’s system.
Criminals resort to social engineering tactics because exploiting human trust is often more straightforward than attempting to breach software defenses. For instance, deceiving someone into disclosing their password is often simpler than attempting to hack it directly (unless the password is exceptionally weak).
What is Phishing?
Phishing is a form of social engineering attack that malicious actors use to sneakily trick users in order to steal their login credentials and credit card numbers. It happens when someone tricks you into clicking on a fake email, message, or website.
For example, you might get an email pretending to be from your bank, saying your account is in trouble. It then sends you to a fake website to reset your login info.
But that website is fake too! It’s made to look real, but it just wants to steal your login details.
A phishing attack often looks like a message that warns you about a problem with your account or payment info, or that tries to make you:
- Click a link.
- Open a file.
- Install software.
- Enter your username and password on a fake website.
Social Engineering Toolkit (SET)
What is the Social Engineering Toolkit?
The Social Engineering Toolkit (SET) is a powerful open-source tool that comes preinstalled in Kali Linux and comprises tools for gathering credentials such as usernames and passwords from targets. Designed for penetration testing and ethical hacking, it automates various social engineering attacks, making it easier for security professionals to simulate real-world attacks and assess the security posture of organizations.
Some of the key features include:
1. Phishing Attack Automation: SET automates the process of creating and launching phishing campaigns, allowing users to craft convincing emails and websites to trick targets into divulging sensitive information.
2. Credential Harvesting: The toolkit can capture usernames, passwords, and other credentials entered by victims on phishing websites, helping assess the susceptibility of target systems to credential theft.
3. Payload Generation: SET facilitates the creation of malicious payloads, such as backdoors and trojans, which can be used to exploit vulnerabilities and gain unauthorized access to target systems.
4. Social Engineering Modules: It offers a variety of modules for conducting social engineering attacks, including email spoofing, SMS spoofing, and USB drive attacks.
For this article we’ll be focusing only on the Phishing Attack Automation.
Running the setoolkit
Let’s open our Kali terminal.
Type the command “setoolkit”.
It must be run as root, so we used “sudo setoolkit”.
………………………………………………snip…………………………………………………
Type “y” and hit enter.
Selecting the attack type
To phish for the victim’s login credentials, we select option 1 for social engineering attacks.
We select option 2, ‘Website Attack Vectors’.
We choose option 3, ‘Credential Harvester Attack Method’, which will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.
At this point we can either craft a malicious web login page or clone an existing one. We cloned a legitimate website to make our attack look very realistic, so we select option 2.
We press [Enter] to use our default local IP address, since we are hosting everything locally on our machine.
Now we enter the URL of the site which we want to clone. We are cloning “https://eportal.school.edu.xx/accpt/”.
The setup for our phishing attack is complete. We cloned the school student portal login page, which now looks exactly like the real one.
To access the cloned website we have to get our local IP address since the site is hosted locally on our machine.
NOTE: To make this publicly available, we’ll use a tool called ngrok.
Finally we can open our browser and input the IP address http://192.168.252.134
Looks Real!
Shortening the URL
At this point, all we need to do is trick the victim into accessing our IP address. In my case it is 192.168.252.134. Realistically, the address will look suspicious to the victim, so we can mask the IP address using a URL link shortener or embed the IP address into a login button.
We copy the newly generated URL to validate that it’s working.
We are certain that the URL is working.
Now we can get creative and send the link to our victim via email or any of the other covert methods we stated earlier.
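The traits described in this section (a raw IP address as the host, a shortened URL, a login button that points somewhere other than the real portal) are what a mail filter or analyst can check for. The following is an added example, not part of the original article or of SET; `TRUSTED_HOSTS`, the shortener list, the function names and the sample body are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"eportal.school.edu.xx"}       # the real portal host named on this page
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # illustrative list, not exhaustive

def triage_link(href, text=""):
    """Return the reasons a link found in an e-mail deserves a second look."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = [] if parts.scheme == "https" else ["not-https"]
    try:
        ip = ipaddress.ip_address(host)
        reasons.append("private-ip-host" if ip.is_private else "ip-literal-host")
    except ValueError:  # not an IP literal, so judge the name instead
        if host in SHORTENERS:
            reasons.append("url-shortener")
        elif host not in TRUSTED_HOSTS:
            reasons.append("untrusted-host")
    # Link or button text that names the portal or says "login" while pointing elsewhere.
    if host not in TRUSTED_HOSTS and any(w in text.lower() for w in TRUSTED_HOSTS | {"login"}):
        reasons.append("login-text-offsite")
    return reasons

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage_email(html_body):
    collector = LinkCollector()
    collector.feed(html_body)
    return {href: triage_link(href, text) for href, text in collector.links}

# Constructed sample body; the bit.ly path is a placeholder, not a real short link.
SAMPLE = ('<a href="http://192.168.252.134">Login to eportal.school.edu.xx</a> '
          '<a href="https://bit.ly/PLACEHOLDER">Reset password</a> '
          '<a href="https://eportal.school.edu.xx/accpt/">Student portal</a>')
```

Calling `triage_email(SAMPLE)` returns one list of findings per link; an empty list means none of these checks fired, not that the link is safe.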
Phishing our Victim
Malicious Actor
We crafted a malicious email and sent it to our victim.
Victim
Here the victim received our malicious email
Once the target user fills in their details and clicks on ‘Login’, their login information will be captured on the Credential Harvester.
NOTE: For this attack to work, the attacker and the victim have to be connected to the same network, since our malicious website is hosted locally on our machine.
Captured credentials
MyVerySecurePa$$
We successfully captured the login credentials from the Victim and it’s a wrap.