Social Engineering Toolkit Credentials Phishing [5 Easy Steps]

Ethical hacking

Reviewer: Deepak Prasad

The social engineering toolkit also known as SET is an open source tool that is written by Dave Kennedy from TrustedSec. Social engineering toolkit has tools required for phishing in one tool. It is used by ethical hackers, blue and red teams in their day to day activities. Human weakness is targeted by the social engineering toolkit hence has techniques based on social engineering attacks.
Some of the features and advantages of using social engineering toolkit include;

  • It has support for integration of third party modules – you can add third party modules to help you carry out your attacks.
  • Has a big collection of social engineering attacks including; Mass Mailing option, penetration testing, QRCode attack vector, infectious media generator and power shell attack vectors.
  • Social engineering toolkit also has a Fast-Track penetration testing platform.
  • It is open source and has an active community hence immense support form other users worldwide.
  • You can clone existing website pages or use custom web pages for your social engineering attacks.


Attack modes found in social engineering toolkit

Infectious Media Generator – This option helps a user create an infected media storage device. Once the victim inserts the infected media file in his/her PC a payload already loaded on the storage device will automatically execute.

  • Mass Mailing attack – Mass mailing attack involves sending spam emails to your victims. The emails have phishing content compelling users to provide required information.
  • Web Application attack – you can clone the website you will use to harvest the credentials. It consists both of the server side and the client side attacks with an aim to epose vulnerabilities.
  • Phishing attacks – social engineering toolkit helps us simulate phishing attacks on our victims by spoofing emails and even attaching malicious payloads on the email. We can aslo clone the authentication pages we want to use to get credentials from the victims.



  • Python 2.7 and above installed on your operating system.
  • Knowledge of using the terminal depending on your operating system.
  • Have pip installed.
This guide has been made for education purposes only. Phishing is illegal in many countries around the world. It is recommended you use a penetration testing lab.


Installing social engineering toolkit on Linux

In some Kali Linux distributions, social engineering toolkit is already installed. To install SET, we will clone it from its official github repository as shown below.

git clone set/

After downloading, we will navigate into the social engineering toolkit folder in order to install the required dependencies for it to run.

cd set

pip install -r requirements.txt


Step 1: Running the social engineering toolkit

When we are done with installing the requirements, we can now run the social engineering toolkit with the command below.

sudo setoolkit

social engineering toolkit

We now have SET running as shown on the picture above. In this guide we will be phishing for our victim’s login credentials so we will select option 1 for a social engineering attack on the victim.


Step 2: Selecting the type of attack

social engineering toolkit

In the above image we can see a list of the attacks available on social engineering toolkit under the social engineering attacks. In our case, we need to get credentials from the victim hence we will choose the option for credential harvester attack method which is on option 3.


Step 3: Choosing the web template to use for the attack

social engineering toolkit

In the third step, we are supposed to select the website template we want to use for our attack on the social engineering toolkit. A SET user can choose from already prepared web templates, clone a web page on a live website or import a custom template from your computer. Choosing the type of template to use will depend on several factors; the target of the attack, the credentials we want to phish and other social engineering tactics we plan to use with the social engineering toolkit in our attack. In our case we will choose the already prepared template so we select option 1 and press enter.


Step 4: Add the IP address to use

social engineering toolkit

The fourth step will be to add an IP address to use with the social engineering toolkit. Since we are using the localhost, we can add ‘’ as the IP address. After adding it, we need to select the web page we want to use from the list of already available web templates as shown on the image below. For our case, we will be using the twitter login page to harvest our victim’s twitter login credentials.


social engineering toolkit

We can now be able to access our fake twitter login page created using social engineering toolkit by visiting on the same PC we are launching the attack from.


Step 5: Using Ngrok with social engineering toolkit

This is always an extra step and can be used to target anyone around the world provided they have an active internet connection when opening the phishing link. This step is to essentially make your social engineering toolkit instance accessible on the internet. To run Ngrok for use with the social engineering toolkit, we just have to tunnel the data via the port and protocol being used by SET using the below command.

./ngrok http 80

After we open the Ngrok link on a browser, a fake twitter login page is rendered as shown on the image below.

social engineering toolkit

Once the victim enters his/her login credentials on the fake login page, his or her credentials will be posted back to the terminal running social engineering toolkit as shown on the image below. On the second line we have the username or the email and on the third line the password.

social engineering toolkit

Now you have the required login credentials and you can access your victim’s account.



In the above guide we were able to launch a social engineering attack against our victim using the social engineering toolkit. SET houses many tools under one roof making it a must have tool for those aspiring to learn deep into cybersecurity and ethical hacking. SET also has more advanced functions for easy attacks such as the option to clone a website. It should be however noted that using social engineering toolkit against a victim without his/her consent is illegal and punishable by law.


Views: 535
Kennedy Muthii

Kennedy Muthii

He is an accomplished professional proficient in Python, ethical hacking, Linux, cybersecurity, and OSINT. With a track record including winning a national cybersecurity contest, launching a startup in Kenya, and holding a degree in information science, he is currently engaged in cutting-edge research in ethical hacking. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to

Thank You for your support!!

Leave a Comment