SET is a powerful tool for conducting various social engineering attacks, including phishing, spear-phishing, and other social engineering attacks. Comment below which tutorial should comes next.The Social Engineering Toolkit (SET) is a Kali Linux operating system software program. You can use SET to create malicious CD/DVD and USB media (for creating malicious media and leaving them in corporate parking lots, etc), a slew of arduino based attacks, Microsoft SQL Brute Forcer, Wireless Access Point attack, a Mass Mailer, QR code Attack and a bunch of website social engineering attacks that we did not cover yet. Spend some time with SET and check out numerous options it offers for attacking a target system. The Social Engineering Toolkit is truly a robust and feature rich tool for any corporate security testing team. To do this on WAN (on Internet, not only in local network) Read this tutorial Easy Port Forwarding using SSH. If he click on "Run", our meterpreter session will started and we can do anything on victim's PC. Victim's browser want's to run our malicious Java applet in popup. Here we have hosted the site in our local host so the link will be the IP address of our Kali Linux system and victim should be in our same network. Now we need to trick victim that he clicks on our malicious link. The IP address is in the following screenshot: We can open another terminal window and type following command for the IP address: Usually selecting no will be sufficient if using an internal testing lab.Įnter the IP address of our SET machine. Next choose 1 for Web-Templates to have SET create a generic webpage to use, or use option 2 " Site Cloner " to allow SET to use an existing website as a template for the attack webpage.Ĭhoose yes/no in NAT/port forwarding. The Web-Jacking attacks uses iFrame replacements to make a malicious link look legit, and finally the Multi-Attack combines several of the above attacks. TabNabbing works great if the client has a lot of browser window open, it waits a certain time then switches one of the tabs to a page that SET creates. The Credentials Harvester Attack is pretty slick as it clones an existing website (like Facebook) and then stores any credentials that are entered into it. The Metasploit Browser Exploit attacks the client system with Metasploit browser exploits. This will create a Java app that has a backdoor shell. Now we choose number 1 for Java Applet Attack method. Then we choose 2 for Website Attack Vectors. We will be using a Windows 8 system as the target in the example.įrom the SET menu we choose number 1 for Social-Engineering Attacks. We will use SET to create a fictitious website that will offer up a booby-trapped Java app, and if user allows the app to run, we get a full remote session to the system. The Java PyInjector attack leverages the anti-virus bypassing capabilities of PowerShell based attacks with a Java application. But if we could make a fake site that offered up a booby script, and if the user allows the script to create shell with the user. So far we have just sent a fake e-mail that could redirect someone to a bogus site. The message in above screenshot is obviously a silly fake, but something like this (With a much more believable message ) could be used to test employee's ability to detect, resist and report phishing attempts. Then press " Enter" and SET will send out the e-mail to victim.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |