How Hackers Trick You: Understanding Social Engineering with SET

Maruf Farhan Rigan
Mar 20, 2024

Social-Engineer Toolkit (SET)

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards"
- Gene Spafford

Optional Yet Beneficial Lab: Exploring the Social-Engineer Toolkit (SET) 🎩💼

What is the Social-Engineer Toolkit (SET)?

The Social-Engineer Toolkit (SET) is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to execute advanced attacks quickly and efficiently.

Social engineering attacks often involve manipulating people into breaking their usual security procedures. As cybersecurity professionals, understanding these types of attacks can help us better protect our systems and educate others about the risks.

In this lab, we will use SET to clone a website (a Google login page, as an example), a common tactic in phishing attacks. 🐟

🛑Disclaimer: This activity is intended for educational purposes only. Misuse of this information can be illegal and unethical. Always obtain proper authorization before conducting penetration testing.🛑

Walkthrough: Cloning a Google Login Page with SET

Installation

SET isn’t preinstalled on every Linux distribution. So, first, we will clone SET from its GitHub repository.

  1. Open Terminal: Launch a Terminal window in Linux.
  2. Clone SET from GitHub: Enter the following command to clone the SET repository from GitHub:
     git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/
  3. Navigate to the SET Directory: Enter the following command:
     cd setoolkit
  4. Install SET: Run the installation script with the following command:
     sudo python3 setup.py

Using SET

  1. Launch SET: Open a new Terminal window and type sudo setoolkit to launch the Social-Engineer Toolkit.
  2. Accept the terms: You’ll be prompted to agree to the terms of service of the toolkit. This is an ethical reminder that the tools should be used responsibly. Type ‘y’ to agree.
  3. Navigate the SET Menu: You’ll be taken to the main menu of SET. Type ‘1’ to select “Social-Engineering Attacks”. This is the overarching category of attacks that SET specializes in. In the next menu, type ‘2’ to select the “Website Attack Vectors”. These are specific methods for launching attacks via websites. Finally, type ‘3’ to select “Credential Harvester Attack Method”. This method captures user credentials when they interact with the cloned website. It’s as simple as 1,2,3 😉
  4. Select Site Cloning Method: Once you’ve selected the Credential Harvester Attack Method, you’ll be asked to choose between site cloning and web templates. Site cloning involves duplicating a specific website, while web templates use a pre-made generic site. Type ‘1’ to select “Web Templates”.
  5. Choose Template: You’ll see a list of available templates. Type ‘2’ for “Google” to select it. These templates are pre-built to resemble common websites, making them effective for phishing attacks.
  6. Enter IP Address: You’ll be asked to enter the IP address for the post-back in Harvester/Tabnabbing. This is the IP where captured credentials will be sent. Since we are testing it on the same machine, enter 127.0.0.1.
  7. Start the Server: SET will create the cloned site and start the server. The server hosts the cloned site to be visited via a web browser. Note the URL it provides (It should look something like http://127.0.0.1).

Testing Your Cloned Site

  1. Open Firefox: On your Linux machine, open the Firefox browser.
  2. Enter the SET URL: Type the URL provided by SET in the address bar of Firefox. This will take you to your cloned Google login page. The goal is to see if the page convincingly resembles the real site enough to trick an unsuspecting user.
  3. Enter Test Credentials: Type any email and password combination into the fields on the cloned site. Since it’s a test, you can use fake information.
  4. Check the Terminal: Return to the terminal where SET is running and look for the credentials you just entered. SET should have captured and displayed the inputted credentials if everything works correctly.

Remember, the aim of these tests is to better understand how these attacks work so that we can develop effective defense strategies, not to misuse them for unethical purposes. Always respect privacy and consent when conducting cybersecurity tests.
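A defender-side check for the post-back behaviour seen in the walkthrough, as an added example that is not part of the original article or of SET: it parses a page, finds forms that contain a password field, and flags a post-back target that is not HTTPS, is a bare IP, or is not an expected login host. `EXPECTED_HOSTS`, `LAB_PAGE` and the function names are assumptions made for illustration, and the sample HTML is constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hosts the genuine login form may post to (illustrative allowlist).
EXPECTED_HOSTS = {"accounts.google.com"}
# Constructed sample of a harvester-style page whose form posts back to the lab IP.
LAB_PAGE = ('<form method="POST" action="http://127.0.0.1/"><input type="email" name="Email">'
            '<input type="password" name="Passwd"></form>')

class LoginFormParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self._action = None      # action of the form currently open, if any
        self.login_actions = []  # actions of forms that hold a password input
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self._action = attr.get("action") or ""
        elif tag == "input" and (attr.get("type") or "").lower() == "password":
            if self._action is not None:
                self.login_actions.append(self._action)
    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_login_page(page_url, html):
    """Return findings for each password form on the page served at page_url."""
    parser = LoginFormParser()
    parser.feed(html)
    findings = []
    for action in parser.login_actions:
        target = urlparse(urljoin(page_url, action))  # resolve relative actions
        host = target.hostname or ""
        if target.scheme != "https":
            findings.append(f"password posted without TLS to {target.geturl()}")
        if is_ip_literal(host):
            findings.append(f"post-back target is a bare IP: {host}")
        elif host not in EXPECTED_HOSTS:
            findings.append(f"post-back host {host} is not an expected login host")
    return findings

print(audit_login_page("http://127.0.0.1/", LAB_PAGE))
```

The same function can be pointed at HTML saved from a reported phishing link or used as a teaching aid in awareness training to show what separates the lab page from the real login form.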

Using Your Own Domain

If you have your own domain and would like to use it with SET, you can do this by modifying the Apache server configuration files to redirect to your IP. This way, you can make your cloned site appear even more convincing. However, remember this should only be used in authorized testing situations.
