When the words social and engineering are combined, we get social engineering, which
involves intrusion based on human interaction. It is a non-technical intrusion in
which a person is often tricked into breaking the general security guidelines already
set in an institution.
1. Web Attack
2. Mass Mailer Attack
3. Phishing Attacks
4. Create a Payload and Listener
1. Web Attack
In SET, the web attack is a module that combines various options for attacking the
victim remotely. Using this module, we can create a payload and distribute it to the
victim's browser using the Metasploit browser exploit. The web attack module also
has a Credential Harvester method that allows us to clone any website for a phishing
attack and send the link to that web page to the victim in order to get information
from the user and password fields.
2. Phishing Attacks
We can use the Social Engineering Toolkit to perform phishing attacks on our
victims. Using SET, we can create phishing pages for a variety of websites,
including Google, Facebook, Instagram, etc. SET generates a link for the option
we have selected, and we can then send that URL to the victim. Once the victim
clicks on that URL, he/she will see what looks like the legitimate web page of a
real website but is essentially a phishing page. Once he/she has entered his/her ID
and password, we will get that ID and password on our terminal screen. This is how a
phishing attack using SET works.
These are some of the attack vectors which we can use with the Social Engineering
Toolkit. When we run SET, we will enjoy it because it is quite simple to use.
1. Research Phase
2. Hook Phase
3. Play Phase
4. Exit Phase
1. Research Phase
In the research phase, the information related to the goal is collected. Whether the
objective is a firm or an individual, the first phase is the same. There are so many
ways by which attackers can get the information related to their targets. These
include obtaining documents from the public domain, visiting the website for the
institution concerned, and in some cases, constructive face-to-face interactions.
Besides, dumpster diving is also necessary at this stage of the attack.
2. Hook Phase
The Hook phase is the second phase of the attack. In this phase, the attacker initiates
a discussion with the target.
3. Play Phase
After the hook comes the play phase, which strengthens the connection between the
attacker and the target. The attacker takes advantage of this opportunity to explore
getting the information they desire.
4. Exit Phase
This is the final phase, and the attacker must be careful not to set up a situation that
would make the target suspicious in any manner. The idea is to exit without giving
the target any indication of action.
We can start these steps through various social engineering tools which are
pre-installed in Kali Linux, while other tools need to be installed manually.
Step 1: First, we have to open the Kali Linux terminal and move to the Desktop.
    cd Desktop
Step 2: Now that we are on the Desktop, use the following command to create a
new directory called SEToolkit.
    mkdir SEToolkit
Step 3: We are still in the Desktop directory, where we have created the SEToolkit
directory, so go to the SEToolkit directory using the following command.
    cd SEToolkit
Step 4: Now that we're in the SEToolkit directory, we need to clone SEToolkit from
GitHub in order to utilize it.
    git clone https://github.com/trustedsec/social-engineer-toolkit setoolkit/
Step 5: Now that the Social Engineering Toolkit has been downloaded to our directory,
we have to use the following command to navigate to the social engineering
toolkit's internal directory.
    cd setoolkit
Step 6: We have successfully downloaded the social engineering toolkit into our
SEToolkit directory. Now we can use the following command to install the
requirements.
    pip3 install -r requirements.txt
Step 7: All the requirements have been downloaded to our setoolkit. Now it's time to
install the requirements we have downloaded.
    python setup.py
Step 8: Finally, the installation process is complete, and it's time to run the Social
Engineering Toolkit. We have to type the following command to run the
SEToolkit.
    setoolkit
Step 9: At this point, setoolkit will ask us (y) or (n). When we type y, our social
engineering toolkit will start running.
    y
Step 10: Now that our SEToolkit has been downloaded on our system, it's time to use
it. We have to select one of the following options. Option 2 is the one
we've chosen.
Website Attack Vectors:
    option 2
    option 3
Step 12: Since we are making a phishing page, we'll go with option 1, which is
a web template.
    option 1
Step 13: The social engineering tool will now create a phishing page on our
localhost.
Step 14: Choose option 2 in order to create a Google phishing page, and a phishing
page will be generated on our localhost.
Step 15: A phishing page for Google is being created using the social engineering
toolkit. As we can see, SEToolkit generates a phishing page of Google on our
localhost (i.e., on our IP address). The social engineering toolset works in this manner.
The social engineering toolkit will design our phishing page. Once the victim types
the ID and password in the fields, they will be shown on our terminal where
SET is running.
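From the defender's side, the page described above has recognisable traits: a password field under a well-known brand title, served from a bare IP address without TLS. The following added example (not part of the original tutorial or of SET) checks a captured page for those traits; the allowlist, the function names and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: brand keyword -> hosts allowed to serve that brand's sign-in page.
LEGIT_LOGIN_HOSTS = {"google": {"accounts.google.com"}}

# Constructed sample: a page as a web proxy or sandbox might have captured it.
SAMPLE_URL = "http://192.0.2.10/"
SAMPLE_HTML = """<html><head><title>Sign in - Google Accounts</title></head>
<body><form method="post" action="/"><input type="email" name="Email">
<input type="password" name="Passwd"></form></body></html>"""

class LoginPageScan(HTMLParser):
    """Records the page title and whether any password input is present."""
    def __init__(self):
        super().__init__()
        self.title, self.has_password, self._in_title = "", False, False
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def assess_page(url, html, legit=LEGIT_LOGIN_HOSTS):
    """Return the reasons a captured page looks like a cloned sign-in page."""
    scan = LoginPageScan()
    scan.feed(html)
    if not scan.has_password:
        return []  # no credential field on the page
    parts, title = urlsplit(url), scan.title.lower()
    host = (parts.hostname or "").lower()
    checks = [(is_ip(host), "password form served from a bare IP address"),
              (parts.scheme != "https", "password form served without TLS")]
    checks += [(host not in hosts, f"title names {brand} but host is {host}")
               for brand, hosts in legit.items() if brand in title]
    return [reason for hit, reason in checks if hit]
```

Calling `assess_page(SAMPLE_URL, SAMPLE_HTML)` returns all three reasons, while the same markup served from `https://accounts.google.com/` returns an empty list.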
Social Engineering Toolkit Usage
The Social-Engineer Toolkit (SET) is an open-source penetration testing framework
which is designed for social engineering. SET includes several custom attack vectors
that enable us to launch a believable attack in a short amount of time. Tools of this
type rely on human behavior in order to trick people into the attack
vectors.
The first way is to let SET handle the whole thing (option 1), while the second is to
write our own FileFormat payload and utilize it in our own attack.
We have to type "99" in order to go back to the main menu and then type "2" to go
to "The web attack vectors".
The web attack module is a one-of-a-kind method of compromising the intended
victim by combining numerous web-based attacks. This module is utilized to carry out
phishing attacks against the victim if they click on the link. Clicking on a link can
trigger a variety of attacks.
We have to type "99" in order to return to the main menu and then we have to
type "3".
The payload and autorun file are burned or copied onto a USB drive. When a DVD,
USB, or CD is loaded into the victim's machine, it will trigger the autorun feature (if
autorun is enabled) and, ideally, compromise the system. We can choose the attack
vector we want to use: a file-format bug or a direct executable.
o File-format Exploits
o Standard Metasploit Executable
We can use the mass mailer attack in order to send many emails to victims and
customize the messages. The mass e-mailer has two options; the first is to send an
email to a single email address. The second option permits us to import a list of all
recipients' email addresses, and it will send our message to as many individuals on
that list as we desire.
o E-Mail Attack Single Email Address
o E-Mail Attack Mass Mailer
Type "99" to go back to the main menu and then we have to type "9" to go
to "Powershell Attack Vector".
1. Maltego
2. Social Engineering Toolkit (SET)
3. Wifiphisher
4. Metasploit MSF
5. MSFvenom Payload Creator (MSFPC)
1. Maltego
Maltego is an open-source intelligence (OSINT) investigation tool that displays how
various bits of information are connected. We can use Maltego in order to find
connections between people and several information assets, including email
addresses, screen names, social profiles, and other information which connects
a person to a service or organization.
With all of this information, we can simulate a social engineering attack in order to
help us evaluate our employees' security awareness. Maltego may be started via the
Kali whisker menu or by going to Applications > Kali Linux > Top 10 Security
Tools > and selecting Maltego five.
Maltego has a graphical user interface that makes it simple to see relationships.
Advantages of Maltego
2. Social Engineering Toolkit (SET)
SET comes with a website tool that converts our Kali Linux into a web server with a
variety of exploits which can compromise most browsers. The aim is to provide our
target a link that routes them via our site, which automatically downloads and executes
the exploit on their system.
To make the exploit look more authentic, we can use the pre-built templates in SET to
clone a legitimate website. SET contains pre-formatted phishing pages for prominent
websites such as Google, Yahoo, Facebook, and Twitter.
If we want to open SET in Kali Linux, then we have to go to Applications > Kali Linux
> Exploitation Tools > Social Engineering Toolkit | toolkit or type setoolkit at a
shell prompt.
3. Wifiphisher
Wifiphisher is a one-of-a-kind social engineering tool that automates phishing
attacks on Wi-Fi networks in order to obtain the WPA/WPA2 passwords of a target
user base. The tool can select any nearby Wi-Fi access point, jam it (de-authenticate
all users), and create a cloned access point that does not need a password to join.
Anyone who connects to the evil twin-like open network is presented with a
seemingly legitimate phishing page asking for the Wi-Fi passwords to download a
firmware update that is cited as the reason the Wi-Fi is not working.
Once the target has entered the password, Wifiphisher sends an alert, pausing for a
while. After transmitting the captured password, it will display a fake reboot timer
and a fake update screen to give us time to test the captured password. It is
a useful tool for evaluating our security defenses against Wi-Fi-based social
engineering.
Features of Wifiphisher
4. Metasploit MSF
Metasploit Framework is a penetration testing tool that may be used to find, exploit,
and evaluate security flaws. It delivers the content, tools, and infrastructure to
perform penetration testing as well as comprehensive security auditing. One of the
powerful features packed into Metasploit is the option to set up a fake SMB
server. This implies that when someone on the network tries to access the server,
their system must present their credentials in the form of their "domain password
hash". If we wait long enough, we might be able to capture domain credentials when
users try to connect to the SMB server. Sending an embedded UNC path to the target
can help us collect their domain credentials when they click on it.
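A defender can look for the embedded UNC paths described above before a message reaches a user. The following is an added example, not code from the original page or from Metasploit; the allowlist, the function name and the sample message body are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Assumption: the only hosts users are expected to reach over SMB.
ALLOWED_SMB_HOSTS = {"fileserver.corp.example"}

# Constructed sample: HTML body of an inbound message (documentation addresses).
SAMPLE_BODY = (
    '<p>Report: <a href="file://198.51.100.7/share/q3.docx">open</a></p>'
    '<img src="&#92;&#92;203.0.113.9&#92;img&#92;logo.png" width="1">'
    '<a href="\\\\fileserver.corp.example\\public\\policy.pdf">policy</a>'
)

# Matches \\host\... and file://host/... (also the 4- and 5-slash spellings).
# file:///path has an empty host and is local, so it is deliberately not matched.
UNC_RE = re.compile(
    r"(?:(?<![\w:\\])\\\\|file:(?:/{2}|/{4,5}))([A-Za-z0-9._-]+)[\\/]",
    re.IGNORECASE,
)

def find_smb_references(body, allowed=ALLOWED_SMB_HOSTS):
    """Return non-allowlisted hosts referenced by UNC or remote file:// paths."""
    # Undo HTML entities and percent-encoding so &#92;&#92; and %5C%5C are seen.
    text = unquote(html.unescape(body))
    hosts = []
    for match in UNC_RE.finditer(text):
        host = match.group(1).lower().rstrip(".")
        if host not in allowed and host not in hosts:
            hosts.append(host)
    return hosts
```

Pair a check like this with blocking outbound TCP 445 at the network edge, so that a reference the filter misses still cannot reach an external SMB server.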
MSF is updated often, and new exploits are added as soon as their creators publish
them. Metasploit can be started via the Kali Linux menu or by typing the following
command in the terminal.
    $ msfconsole -h