... | ... | @@ -39,4 +39,47 @@ There are 6 options to choose from: |
|
|
|
|
|
## Example
|
|
|
|
|
|
Now time for the fun part! Using SET to generate an attack. |
|
|
\ No newline at end of file |
|
|
Now time for the fun part! Using SET to generate an attack. Specifically, let's use SET to steal some credentials for a website.
|
|
|
|
|
|
From the main menu, let's choose option 1.
|
|
|
|
|
|

|
|
|
|
|
|
From this new list, Choose Option 2: Website Attack Vectors
|
|
|
|
|
|

|
|
|
|
|
|
Now Choose Option 3
|
|
|
|
|
|

|
|
|
|
|
|
Now Choose Option 2
|
|
|
|
|
|

|
|
|
|
|
|
Now the fun begins!
|
|
|
First, we provide an IP to broadcast our cloned website onto, since this is all done locally for demonstration, I won't be using a forward facing IP.
|
|
|
|
|
|

|
|
|
|
|
|
Now we give SET a website to copy, for this case, we will use Facebook's login page. Press enter and now the fake site should be live.
|
|
|
|
|
|

|
|
|
|
|
|
If this were forward facing and used in a real attack, now we would craft a phishing email to send out to get victims to click a link that redirects to this IP address. For now, I shall navigate to it locally.
|
|
|
|
|
|

|
|
|
|
|
|
We have now successfully cloned Facebook's login page and have it displayed on the IP we gave to SET. In a real attack, all we do now is wait for some unsuspecting person to come and fall victim to our trap. Once someone does, SET will alert us like so:
|
|
|
|
|
|

|
|
|
|
|
|
When we are satisfied, we can hit CTRL+C to generate a report of all that happened. Viewing the generated HTML and scrolling through gives us exactly what we were looking for:
|
|
|
|
|
|

|
|
|
|
|
|
The PARAMS email=victim@imamoron.biz and pass=wifeandkidsnames were given to the system through filling out the login form, and we can now hijack the victim's account.
|
|
|
|
|
|
## Conclusions
|
|
|
|
|
|
SET is a very powerful Swiss Army Knife of social engineering tools that are well documented and verbosely communicate their instructions to the user. For more information, visit their GitHub linked earlier. For more tutorials on how to use SET, simply YouTube search "social engineering toolkit tutorials" and follow any of the guides depending on the use case. |
|
|
\ No newline at end of file |
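Review bot: The sample credentials in the added line "The PARAMS email=victim@imamoron.biz and pass=wifeandkidsnames were given to the system" use a domain that may be registrable by a third party; a reserved documentation domain such as example.com (RFC 2606) with a neutral placeholder password would be safer and would not mock the person being tested. The walkthrough also clones Facebook's production login page even though the text says everything is done locally for demonstration, so consider pointing the example at a login page you host in the lab and stating that scope next to "since this is all done locally". The steps "Now Choose Option 3" and "Now Choose Option 2" are capitalized inconsistently with the rest of the text, and "forward facing" would read more clearly as "internet-facing". Finally, the new last line still ends with "\ No newline at end of file"; add a trailing newline so later diffs of the Conclusions section stay clean.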