How to install setoolkit on Kali Linux

Hacking Facebook

Social Engineering Toolkit

Humans are the weakest link in any security system

Shashwat (That’ll be me)

If you have read the previous post, then you know what I’m talking about. The Social Engineering Toolkit does not exploit a vulnerability in the mechanism of any service. It exploits the weakness in the human element of security. Some official words from the official guys before we move on to the actual hacking.

Kali Linux

Se-toolkit

# se-toolkit
[-] New set_config.py file generated on: 2014-05-26 08:26:33.526119
[-] Verifying configuration update.
[*] Update verified, config timestamp is: 2014-05-26 08:26:33.526119
[*] SET is using the new config, no need to restart

_______________________________
/ _____/\_ _____/\__ ___/
\_____ \ | __)_ | |
/ \ | \ | |
/_______ //_______ / |____|
\/ \/
[—] The Social-Engineer Toolkit (SET) [—]
[—] Created by: David Kennedy (ReL1K) [—]
[—] Version: 4.3.9 [—]
[—] Codename: ‘Turbulence’ [—]
[—] Follow us on Twitter: @trustedsec [—]
[—] Follow me on Twitter: @dave_rel1k [—]
[—] Homepage: https://www.trustedsec.com [—]
Welcome to the Social-Engineer Toolkit (SET). The one
stop shop for all of your social-engineering needs.

Join us on irc.freenode.net in channel #setoolkit
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set>

Explanation

Now you’ll be seeing something like this-

The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu

Find your IP

Back to se-toolkit

Now it’ll ask you to specify the IP to which the data is supposed to be sent. That’ll be your IP address. Since this is your internal IP address (i.e. local IP), the fake Facebook page will work only for computers connected to your LAN.

Now it’ll ask for the page to be cloned. Enter https://www.facebook.com/.

set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.154.133
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://www.facebook.com/

Now in your browser on Kali Linux, enter your IP. It will display the Facebook login page. Enter any info and press login. You will get the information in se-toolkit. If you are using VMware or VirtualBox, then you can try entering the IP in the browsers there. It will work.

Live demonstration

On the Kali Linux Machine itself

POSSIBLE USERNAME FIELD FOUND: email=hackingwithkalilinux
POSSIBLE PASSWORD FIELD FOUND: pass=password

On Windows 8 machine (host)

POSSIBLE USERNAME FIELD FOUND: email=windows8host
POSSIBLE PASSWORD FIELD FOUND: pass=password2

Source

How to Install Social Engineering Toolkit in Kali Linux?

The Social Engineering Toolkit is a free and open-source tool used for social engineering attacks such as phishing, faking phone numbers, sending SMS, etc. It is available in Kali Linux, or you can download and install it directly from GitHub. The Social Engineering Toolkit is designed and developed by a programmer named Dave Kennedy. It is used by security researchers and penetration testers all around the globe for checking cybersecurity flaws in systems. The Social Engineering Toolkit is aimed at performing attack techniques against their machines. The toolkit also offers website attack vectors and custom attack vectors, by which you can clone any website and perform phishing attacks. The Social Engineering Toolkit has various features; some of them are given below.

Features of Social Engineering toolkit:

Uses of Social Engineering Toolkit:

Installation of Social Engineering Toolkit:

Step 1: Open your Kali Linux terminal and move to the Desktop.

Step 2: You are now on the Desktop, so create a new directory named SEToolkit using the following command.

Step 3: You are in the Desktop directory and have created the SEToolkit directory, so move into the SEToolkit directory using the following command.

Step 4: Now that you are in the SEToolkit directory, clone SEToolkit from GitHub so you can use it.

Step 5: The Social Engineering Toolkit has been downloaded into your directory. Now move into the internal directory of the Social Engineering Toolkit using the following command.

Step 6: Congratulations, you have finally downloaded the Social Engineering Toolkit into your SEToolkit directory. Now it’s time to install the requirements using the following command.

Step 7: All the requirements have been downloaded in your setoolkit. Now it’s time to install the requirements that you have downloaded.

Step 9: At this step, setoolkit will ask you (y) or (n). Type y and your Social Engineering Toolkit will start running.

Website Attack Vectors:

Step 11: Now we are about to set up a phishing page, so here we will choose option 3, the credential harvester attack method.

Step 12: Since we are creating a phishing page, here we will choose option 1, web templates.

Step 13: At this time the social engineering tool will generate a phishing page at our localhost.

Step 14: To create a Google phishing page, choose option 2; a phishing page will then be generated on your localhost.

Step 15: The Social Engineering Toolkit is creating a phishing page of Google.

As you can see, setoolkit created a phishing page of Google on our localhost, that is, on our IP address. This is how the Social Engineering Toolkit works: it creates the phishing page for you. Once the victim types the ID and password into the fields, they are shown in the terminal where SET is running.

Source

Social engineering attacks are one of the top techniques used against networks today. Why spend days, weeks, or even months trying to penetrate layers of network security when we can just trick a user into running a file that allows us full access to their machine and bypass antivirus, firewalls, and many intrusion detection systems?

Kali Linux includes one of the popular social engineering attack toolkits available, David Kennedy’s Social Engineering Toolkit (SET). David’s team is very active on SET, and there are always new features and attacks being added. More recently, several non-social-engineering tools have also been added to SET, making it a very robust attack tool.

In this post we will take a look at some of the tools included with SET and two of the attack options, both PowerShell-based attacks.

We can start SET from the Kali Linux main menu:

Mass Mailer

One way a social engineer will attack a network is to send out a flood of e-mails to company addresses and see who will respond or run the malicious attachment we sent with it.

For this example let’s just send one. We press 1 and hit «Enter».

Then we enter a target e-mail address. See the following screenshot :

Now we select option 1 to use a Gmail account or another server. For this tutorial we will use a fake Gmail account. The Gmail address and password must be correct.

Then we choose a spoofed name to use for the ‘from’ line of the message. Let’s use «supporrt@google.com» so it looks like it’s from Google. Pay special attention to this field, as this is where the real social engineering takes place.

Now SET asks for the password of the Gmail account.

Next enter an e-mail subject line. What about «Important update»?

Now type in a fake message, preferably one that will entice our victim to click on a malicious link included or entice them to surf to a malicious web page. In actual defense practice this could just be a test webpage that records the IP address of those who were tricked into surfing to the page. That way, as security experts, we know who in our organization needs to be better educated on the risks of malicious e-mails.

When finished we type «END» on the last line, just like the following screenshot.

Then press «Enter» and SET will send out the e-mail to the victim.

The message in the above screenshot is obviously a silly fake, but something like this (with a much more believable message) could be used to test employees’ ability to detect, resist and report phishing attempts.

Java PYInjector Attack

So far we have just sent a fake e-mail that could redirect someone to a bogus site. But what if we could make a fake site that offered up a booby-trapped script and, if the user allows the script to run, creates a shell on the user’s system?

The Java PyInjector attack leverages the anti-virus bypassing capabilities of PowerShell-based attacks with a Java application. We will use SET to create a fictitious website that will offer up a booby-trapped Java app, and if the user allows the app to run, we get a full remote session to the system.

We will be using a Windows 8 system as the target in the example.

From the SET menu we choose number 1 for Social-Engineering Attacks. Then we choose 2 for Website Attack Vectors. Now we choose number 1 for Java Applet Attack method.
This will create a Java app that has a backdoor shell.

The Metasploit Browser Exploit attacks the client system with Metasploit browser exploits. The Credentials Harvester Attack is pretty slick as it clones an existing website (like Facebook) and then stores any credentials that are entered into it.

TabNabbing works great if the client has a lot of browser windows open: it waits a certain time, then switches one of the tabs to a page that SET creates. The Web-Jacking attack uses iFrame replacements to make a malicious link look legit, and finally the Multi-Attack combines several of the above attacks.

Next choose 1 for Web-Templates to have SET create a generic webpage to use, or use option 2 «Site Cloner» to allow SET to use an existing website as a template for the attack webpage.

Choose yes/no in NAT/port forwarding. Usually selecting no will be sufficient if using an internal testing lab.

Enter the IP address of our SET machine. We can open another terminal window and type the following command for the IP address:

The IP address is in the following screenshot:

Now select a template: choose 1 «Java Required».
Then we pick the payload we want delivered. We usually choose 14 «ShellCodeExes Alphanum Shellcode» (this one is interesting as it runs from memory, never touching the hard drive, effectively bypassing some anti-virus programs) or 15 «PYInjector Shellcode». For now let’s go ahead and use option 15, «PYInjector Shellcode Injection», with the default port 443.

Next choose a payload to inject. Let’s pick the first option, «Windows Meterpreter Reverse TCP».

Now SET is all ready to go and does several things. It creates and encrypts the PowerShell injection code, creates the website, loads Metasploit and starts a service looking for people to connect. When done, our screen will look like the following screenshot:

Now we need to trick the victim into clicking our malicious link. Here we have hosted the site on our local host, so the link will be the IP address of our Kali Linux system, and the victim should be on the same network. The victim’s browser wants to run our malicious Java applet in a popup. If he clicks «Run», our Meterpreter session will start and we can do anything on the victim’s PC.

The Social Engineering Toolkit is truly a robust and feature-rich tool for any corporate security testing team.
Spend some time with SET and check out the numerous options it offers for attacking a target system. You can use SET to create malicious CD/DVD and USB media (for creating malicious media and leaving them in corporate parking lots, etc.), a slew of Arduino-based attacks, Microsoft SQL Brute Forcer, Wireless Access Point attack, a Mass Mailer, QR code Attack and a bunch of website social engineering attacks that we did not cover yet. Comment below which tutorial should come next.

Source

Kali Linux: Social Engineering Toolkit

Humans are the best resource and end-point of security vulnerabilities ever. Social engineering is a kind of attack targeting human behavior by manipulating and playing with people’s trust, with the aim of gaining confidential information, such as banking account, social media and email details, or even access to the target computer. No system is safe, because the system is made by humans. The most common attack vector using social engineering is spreading phishing through email spamming. It targets victims who have a financial account, such as banking or credit card information.

Social engineering attacks do not break into a system directly; instead they use human social interaction, and the attacker deals with the victim directly.

Do you remember Kevin Mitnick? The Social Engineering legend of the old era. In most of his attack methods, he used to trick victims into believing that he holds the system authority. You might have seen his Social Engineering Attack demo video on YouTube. Look at it!

In this post I am going to show you a simple scenario of how a social engineering attack is carried out in daily life. It is so easy, just follow along with the tutorial carefully. I will explain the scenario clearly.

Social Engineering Attack to gain email access

Goal: Gaining email credential account information

Attacker: Me

Target: My friend. (Really? yes)

Device: Computer or laptop running Kali Linux. And my mobile phone!

Environment: Office (at work)

Tool: Social Engineering Toolkit (SET)

So, based on the scenario above you can imagine that we don’t even need the victim’s device; I used my laptop and my phone. I only need his head and trust, and stupidity too! Because, you know, human stupidity cannot be patched, seriously!

In this case we are first going to set up a phishing Gmail account login page on my Kali Linux machine, and use my phone as the trigger device. Why did I use my phone? I will explain below, later.

Fortunately we are not going to install any tools; our Kali Linux machine has SET (Social Engineering Toolkit) pre-installed. That’s all we need. Oh yeah, if you don’t know what SET is, I will give you the background on this toolkit.

The Social Engineering Toolkit is designed to perform human-side penetration tests. SET (for short) is developed by the founder of TrustedSec (https://www.trustedsec.com/social-engineer-toolkit-set/); it is written in Python and it is open source.

Alright, that was enough, let’s do the practice. Before we conduct the social engineering attack, we need to set up our phishing page first. Here I am, sitting at my desk; my computer (running Kali Linux) is connected to the internet over the same Wi-Fi network as my mobile phone (I am using Android).

STEP 1. SET UP PHISHING PAGE

Setoolkit uses a command-line interface, so don’t expect ‘clicky-clicky’ things here. Open up a terminal and type:

You will see the welcome page at the top and the attack options at the bottom; you should see something like this.

Yes, of course, we are going to perform Social Engineering Attacks, so choose number 1 and hit ENTER.

Then you will be shown the next options; choose number 2. Website Attack Vectors. Hit ENTER.

Next, we choose number 3. Credential Harvester Attack Method. Hit ENTER.

Further options are narrower. SET has pre-formatted phishing pages of popular websites, such as Google, Yahoo, Twitter and Facebook. Now choose number 1. Web Templates.

Because my Kali Linux PC and my mobile phone were on the same Wi-Fi network, just input the attacker’s (my PC’s) local IP address. And hit ENTER.

PS: To check your device IP address, type: ‘ifconfig’

Alright, so far we have set our method and the listener IP address. These options list the pre-defined web phishing templates I mentioned above. Because we are aiming at the Google account page, we choose number 2. Google. Hit ENTER.

Now SET starts my Kali Linux web server on port 80, with the fake Google account login page. Our setup is done. Now I am ready to walk into my friend’s room to log in to this phishing page using my mobile phone.

STEP 2. HUNTING VICTIMS

The reason why I am using a mobile phone (Android)? Let’s see how the page is displayed in my built-in Android browser. So, I am accessing my Kali Linux web server on 192.168.43.99 in the browser. And here is the page:

See? It looks so real, there are no security issues displayed on it. The URL bar shows the title instead of the URL itself. We know the stupid will recognize this as the original Google page.

So, I bring my mobile phone, walk over to my friend, and talk to him as if I had failed to log in to Google, acting as if I am wondering whether Google crashed or errored. I give him my phone and ask him to try to log in using his account. He doesn’t believe my words and immediately begins typing in his account information as if nothing bad will happen here. Haha.

He has already filled in all the required fields, and lets me click the Sign in button. I click the button… Now it is loading… And then we get the Google search engine main page like this.

PS: Once the victim clicks the Sign in button, it will send the authentication information to our listener machine, and it is logged.

Nothing is happening, I tell him, the Sign In button is still there, you failed to log in though. And then I open the phishing page again, while another friend of this stupid one comes over to us. Nah, we got another victim.

Then I cut the talk, go back to my desk and check the log of my SET. And here we got,

In conclusion

I am not good at storytelling (that’s the point); to sum up the attack so far, the steps are:

Source

Using the Social Engineering Toolkit In Kali Linux

Here’s a little known fact: It’s a lot easier to trick a credulous user into dishing over his password than it is to crack it. People are getting smarter with passwords. It seems like hacked accounts are always in the news so people are wising up by adding numbers, symbols and mixed case. Sure you could still try a dictionary attack or even brute force; however, sometimes it can be as easy as sending one cunning email to the perfect target.

If you could launch an email and craft it so that it appears to originate from a trusted source such as Microsoft or a co-worker that would instantly boost the credibility and consequently the effectiveness of your attack. A better option is to compromise a trusted computer and then send your target an email from his inbox. When the email shows up in his inbox it’ll look legitimate because it’s actually coming from a valid source: there’s no forgery with this technique and it can be very very effective.

Tricking someone into giving up sensitive information is called phishing. Think about tricking a fish with the bait. In the same way, a phisherman treats his victims like gullible fish. And if they take the bait he takes off with valuable information such as passwords and credit card numbers.

But how hard would it be to pull something like this off?

With Kali Linux it’s a little too easy. In fact, with the Social Engineering Toolkit (SET) it’s just a matter of pointing and clicking.

Kali Linux makes executing a social engineering attack as easy as ordering take-out Chinese.

But phishing isn’t the only tool we have in our arsenal.

The Social Engineering Toolkit also includes a website tool that turns your Kali box into a webserver with a bunch of exploits that can compromise almost any browser. The idea is that we would send our target a link which routes them through to our website, which automatically downloads and executes the exploit on the target system. You can even clone a valid website so the target is less suspicious. This becomes even more effective if you study your victim’s browser habits and clone one of their most frequently accessed sites.

The SET lets you do all this and more. Let’s take a look at this powerful toolkit.

Click Applications in the upper left corner of Kali Linux, browse down to Exploitation Tools, choose Social Engineering Toolkit and hit setoolkit.

Now this next part is pretty important and it’s something I need to underscore here. I have a moral question for you:

The knife itself is morally neutral. It has no ability to choose. It’s an inanimate object. Knives are neither good nor bad but people are different. In the hands of a serial killer a knife is bad; conversely, in the hands of an expert surgeon a knife is good.

The knife is merely the tool. It can be used for good or evil. And in the same way the Social Engineer Toolkit is just a tool. In fact, it was designed for the purposes of penetration testing. This is when a company hires an objective security firm to test the security posture of an organization. It’s a way to validate the security controls in place. Usually the pentesting firm gets approval from management to launch attacks in a very particular way. The scope of work is narrow, precise and deliberate. In other words, penetration testers are trusted security professionals who help computers stay secure by trying to break into various systems.

SET is designed for penetration testing or for learning how it works in a lab environment. I strongly dissuade you from trying to use this for evil. It’s not worth it.

So go ahead and read the terms and make your decision. I pray it’s the right one.

And now we are at the gateway to exploitation.

Let’s get things started by pressing 1 and enter.

There are a lot of options such as Powershell Attack Vectors, creating infected USB drives (Infectious Media Creator) but let’s go with the Website Attack Vectors so you can get a feel for how this works.

Let’s use the Metasploit Browser Exploit; option 2. Do you see how this works so far? It’s as easy as picking numbers in a phone tree.

We’ll use a generic web template but as you can see you could also clone a website if you wanted to.

Pick option 1, Web Templates, and keep going.

The next prompt asks you if you want to use NAT/Port Forwarding. In this attack example, I’m going to assume both the attacker and the victim are sitting on the same subnet; thus, there’s no need to use NAT here.

The next question will ask you for the IP address of your Kali box.

Mine is at 10.255.70.41.

A quick way to figure that out is to type:

Once we have this we can start the fun.

The next part asks us about the web template. This is the thing that loads to distract the user while the exploit runs in the background. I’m going to pick Java so that it looks like a Java applet is loading. But in reality Java isn’t doing anything. It’s just a facade to keep the user from getting suspicious while the exploit opens a remote connection to his computer.

Now we need to pick our exploit.

Let’s go with Metasploit Browser Autopwn.

Okay, then pick the exploit details. I’m going to pick the Windows Reverse_TCP Meterpreter.

Choose the default port of 443 and then sit back and watch as your new attack site is created.

After a few minutes the server will start and you hit enter to begin.

Alright, so we have 21 exploits in the bag. The last step is to trick the user into clicking the Local IP http://10.255.70.41:8080 listed in the above screenshot.

This actually isn’t as difficult as it sounds.

In basic HTML, there’s a tag called <a> and it stands for anchor text. Furthermore, there’s an attribute called href=””. If you opened an email client in HTML mode you could easily paste in the Local IP address and then between the <a> and </a> tags insert some benign text such as “Click here to Update” or “Your email password has expired, click here to reset”.

Here’s what happened when I clicked the link on my Windows 8.1 box running IE11.

How many users are going to think something is wrong with this error? It looks perfectly innocuous. But we know it isn’t.

Every time the user clicks OK the Java popup reappears but behind the scenes Kali Linux is covertly opening additional TCP sessions to the victim.

Check out the output on my Kali box.

My poor Windows 8.1 machine is responding with 15 exploits.

It’s even worse on a Windows XP machine. This is proof why no one should ever run Windows XP. Microsoft cut the cord on Windows XP a while ago for good reason. Anyone still running Windows XP is setting themselves up for disaster.

If you typed sessions you would see the active connections to the victim then you could use any of the dozens of tools in the Metasploit toolkit to compromise the PC. For example, now that the session is active, with a few commands you can log every keystroke of the user and covertly steal files without the user having a clue.

Bottom Line

The Social Engineering Toolkit by Kali Linux makes taking over a PC as easy as selecting a few options through a menu. It takes zero skill to implement and this is why it’s critical for managers to arm their staff with the knowledge they need to sidestep these threats. Security Awareness Training could help but the bottom line is that managers need to talk to their employees so they can quickly identify phishing attempts.
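
The link trick described earlier (benign anchor text over an href that points at a raw IP address and port) leaves marks that a mail filter or an analyst can check for. The following is an added example, not part of the original article or of SET: the function name audit_links, the reason labels and the sample e-mail are assumptions made for illustration, and the sample body is constructed from the lab addresses quoted on this page.

```python
# Added example, not from the original article: audit the links in an HTML e-mail body.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body. The IPs and anchor texts echo the article's lab values.
SAMPLE_EMAIL = """
<p>Your email password has expired,
<a href="http://10.255.70.41:8080">click here to reset</a>.</p>
<p><a href="http://192.168.43.99/">accounts.google.com</a></p>
<p><a href="https://www.trustedsec.com">https://www.trustedsec.com</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def host_named_in_text(text):
    """Return the host the visible text claims to be, or None for plain wording."""
    tokens = text.split()
    if len(tokens) != 1:
        return None
    token = tokens[0].rstrip(".,;:!?")
    if "." not in token:
        return None
    try:
        return urlsplit(token if "://" in token else "//" + token).hostname
    except ValueError:
        return None


def audit_links(html_body):
    """Return one finding per link that shows at least one suspicious trait."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        try:
            parts = urlsplit(href)
            port = parts.port
        except ValueError:
            findings.append({"href": href, "text": text, "reasons": ["malformed-url"]})
            continue
        if parts.scheme not in ("http", "https"):
            continue
        host = parts.hostname or ""
        reasons = []
        try:
            ip = ipaddress.ip_address(host)
            reasons.append("ip-literal-host")  # real services are linked by name
            if ip.is_private:
                reasons.append("private-address")  # sender sits on the reader's LAN
        except ValueError:
            pass
        if parts.scheme == "http":
            reasons.append("no-tls")
        if port not in (None, 80, 443):
            reasons.append("non-standard-port")
        shown = host_named_in_text(text)
        if shown and shown != host:
            reasons.append("text-host-mismatch")  # text names one host, href another
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings
```

Running audit_links(SAMPLE_EMAIL) reports the first two links and passes the third, whose visible text and destination agree.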

Source
