Tools: Social Engineering Toolkit (SET) (en)
Explanation of Social Engineering Toolkit (SET) in Kali Linux 24.03 for ethical hacking course purposes.
What is Social Engineering Toolkit (SET)?
SET is an open-source software specifically designed to perform penetration testing by utilizing social engineering techniques. Simply put, SET allows a pentester to simulate attacks that exploit human weaknesses in security systems.
Social Engineering Toolkit (SET) is an open-source tool in Kali Linux specifically designed to test system vulnerabilities through social engineering techniques. SET is often used in ethical hacking to simulate human-based attacks, such as phishing, spear phishing, or client-based attacks.
Why is SET Important for Ethical Hacking?
- Real World Reality: The most successful cyber attacks often exploit the human factor. With SET, you can understand how these attacks work and how to prevent them.
- Multiple Attack Vectors: SET provides various modules to simulate various types of attacks, from email phishing to SMS-based attacks.
- Easy to Use: Despite its powerful capabilities, SET is designed with a user-friendly interface, making it easy to use for both beginners and professionals.
SET Key Features:
- Phishing: Create fake login pages that look like real websites to steal user credentials.
- Spear Phishing: Create more personalized phishing attacks by targeting specific individuals.
- SMS Spoofing: Send fake SMS messages that appear to come from a known phone number.
- Credential Harvesting: Collect user credentials through various methods, such as keyloggers and fake login forms.
- Artifacts: Create fake artifacts to support attacks, such as Word documents or PDFs containing malware.
Example of Using SET in Kali Linux 24.03:
Installation:
- SET is already available by default in Kali Linux. However, if you need to install or update SET, use the following command in the terminal:
sudo apt update sudo apt install set
Starting SET:
- Once finished, run SET by typing:
sudo setoolkit ```
- You will see the main interface of SET.
Selecting a Module:
- Select the module you want to use, for example "Social Engineering Attacks".
- Next, select the appropriate submodule, such as "Website Attack Vectors".
Customize the Attack: Configure the attack according to your target. For example, specify the target URL, type of phishing, and the message to be displayed.
Launching the Attack: Run the attack. SET will create a phishing page or send a fake SMS message.
Phishing Attack with SET
One common scenario is a simulated phishing attack. We will create a fake login page to capture user credentials.
Example: Simulated Phishing Attack
- After opening SET, select the option 1) Social-Engineering Attacks.
- Select 2) Website Attack Vectors to create a website-based attack.
- Select 3) Credential Harvester Attack Method. This method allows you to capture credentials entered by users on a fake web page.
- Select 2) Site Cloner. This feature allows you to clone the website you want to use as bait.
- Enter the local or public IP address of your server (for example, for local testing on your network):
Enter the IP address for the POST back in Harvester/Tabnabbing: [IP Address]
- Enter the URL of the website you want to clone, for example the Facebook login page:
Enter the URL to clone: https://www.facebook.com
- SET will clone the site, create a fake login page, and start listening for activity on the IP address you entered. When the victim visits the URL and attempts to log in, their credentials will be recorded in the SET terminal.
- To view the credentials you have successfully obtained, simply return to the running SET terminal. Each login performed by the victim will be displayed with the username and password details.
Spear Phishing Attack
Another example is a spear phishing attack. With this method, you can send emails containing malicious links or files to specific targets.
Example: Spear Phishing Email Attack
- Select the option 1) Social-Engineering Attacks.
- Select 5) Mass Mailer Attack.
- Select 1) E-Mail Attack Single Email if you want to send to one target, or 2) E-Mail Attack Mass Email to send to multiple targets.
- SET will ask for SMTP configuration. If you have an SMTP server, enter its details. Alternatively, you can use a free SMTP service such as Gmail (be careful as some services may block this from being used to send malicious emails).
- Enter the sender's email address, subject, and message body containing the phishing link or malicious attachment you want to send.
- If using an attachment file, SET also provides the option to include a payload or exploit that can be executed when the victim opens the file.
Testing and Results
- After setting up a phishing or spear phishing attack, you can test it in a lab environment to see how the target reacts to the attack.
- Log analysis: Logs will be recorded in the terminal and a designated folder to record the details of the attack, including the credentials that were successfully obtained.
Practical Example:
For a classroom scenario, you can have students implement a simple fake login page to simulate a phishing attack. They can observe how the target's interactions can be simulated and how the credentials are collected in the logs.
The SET tool is very powerful in simulating social engineering attacks. In ethical hacking, this practice aims to understand attacker techniques and harden the system from human-based attacks.
Sample Attack Scenario:
You want to simulate a phishing attack on employees in your company. With SET, you can:
- Create a fake login page that looks like your company email login page.
- Send phishing emails to employees with a link to the fake login page.
- When employees enter their credentials, SET will capture the data.
Important Things to Remember:
- Use SET Wisely: SET is a powerful tool. Use it only for educational purposes and authorized penetration testing.
- Ethics: Always follow the law and ethics when conducting penetration testing. Never target systems or data that you do not have permission to access.
- Learn More: SET has many complex features and modules. Take the time to study the official SET documentation to maximize the potential of this tool.
Conclusion:
SET is an invaluable tool for cybersecurity practitioners. By understanding how SET works, you can improve your ability to identify and prevent social engineering attacks.
Interesting Links
- Ethical Hacking
- Continuous Practice: Practice using SET regularly to improve your skills.
- Keep Up with SET: SET is constantly being developed with new features. Always update your knowledge on the latest version of SET.
- Join the Community: Join the ethical hacking community to share your knowledge and experiences with others.