The social engineering toolkit also known as SET is an open source tool that is written by Dave Kennedy from TrustedSec. Social engineering toolkit has tools required for phishing in one tool. It is used by ethical hackers, blue and red teams in their day to day activities. Human weakness is targeted by the social engineering toolkit hence has techniques based on social engineering attacks.
Some of the features and advantages of using social engineering toolkit include;
- It has support for integration of third party modules – you can add third party modules to help you carry out your attacks.
- Has a big collection of social engineering attacks including; Mass Mailing option, penetration testing, QRCode attack vector, infectious media generator and power shell attack vectors.
- Social engineering toolkit also has a Fast-Track penetration testing platform.
- It is open source and has an active community hence immense support form other users worldwide.
- You can clone existing website pages or use custom web pages for your social engineering attacks.
Infectious Media Generator – This option helps a user create an infected media storage device. Once the victim inserts the infected media file in his/her PC a payload already loaded on the storage device will automatically execute.
- Mass Mailing attack – Mass mailing attack involves sending spam emails to your victims. The emails have phishing content compelling users to provide required information.
- Web Application attack – you can clone the website you will use to harvest the credentials. It consists both of the server side and the client side attacks with an aim to epose vulnerabilities.
- Phishing attacks – social engineering toolkit helps us simulate phishing attacks on our victims by spoofing emails and even attaching malicious payloads on the email. We can aslo clone the authentication pages we want to use to get credentials from the victims.
Pre-requisites
- Python 2.7 and above installed on your operating system.
- Knowledge of using the terminal depending on your operating system.
- Have pip installed.
In some Kali Linux distributions, social engineering toolkit is already installed. To install SET, we will clone it from its official github repository as shown below.
git clone https://github.com/trustedsec/social-engineer-toolkit/ set/
After downloading, we will navigate into the social engineering toolkit folder in order to install the required dependencies for it to run.
cd set pip install -r requirements.txt
When we are done with installing the requirements, we can now run the social engineering toolkit with the command below.
sudo setoolkit
We now have SET running as shown on the picture above. In this guide we will be phishing for our victim’s login credentials so we will select option 1 for a social engineering attack on the victim.
Step 2: Selecting the type of attack
In the above image we can see a list of the attacks available on social engineering toolkit under the social engineering attacks. In our case, we need to get credentials from the victim hence we will choose the option for credential harvester attack method which is on option 3.
Step 3: Choosing the web template to use for the attack
In the third step, we are supposed to select the website template we want to use for our attack on the social engineering toolkit. A SET user can choose from already prepared web templates, clone a web page on a live website or import a custom template from your computer. Choosing the type of template to use will depend on several factors; the target of the attack, the credentials we want to phish and other social engineering tactics we plan to use with the social engineering toolkit in our attack. In our case we will choose the already prepared template so we select option 1 and press enter.
Step 4: Add the IP address to use
The fourth step will be to add an IP address to use with the social engineering toolkit. Since we are using the localhost, we can add ‘0.0.0.0’ as the IP address. After adding it, we need to select the web page we want to use from the list of already available web templates as shown on the image below. For our case, we will be using the twitter login page to harvest our victim’s twitter login credentials.
We can now be able to access our fake twitter login page created using social engineering toolkit by visiting 0.0.0.0:80 on the same PC we are launching the attack from.
This is always an extra step and can be used to target anyone around the world provided they have an active internet connection when opening the phishing link. This step is to essentially make your social engineering toolkit instance accessible on the internet. To run Ngrok for use with the social engineering toolkit, we just have to tunnel the data via the port and protocol being used by SET using the below command.
./ngrok http 80
After we open the Ngrok link on a browser, a fake twitter login page is rendered as shown on the image below.
Once the victim enters his/her login credentials on the fake login page, his or her credentials will be posted back to the terminal running social engineering toolkit as shown on the image below. On the second line we have the username or the email and on the third line the password.
Now you have the required login credentials and you can access your victim’s account.
Conclusion
In the above guide we were able to launch a social engineering attack against our victim using the social engineering toolkit. SET houses many tools under one roof making it a must have tool for those aspiring to learn deep into cybersecurity and ethical hacking. SET also has more advanced functions for easy attacks such as the option to clone a website. It should be however noted that using social engineering toolkit against a victim without his/her consent is illegal and punishable by law.