Alfreda Burke

The document discusses the Social Engineering Toolkit (SEToolkit), which is an open source Python framework for social engineering attacks. It describes how SEToolkit can be used to launch spear phishing, credential harvesting, tabnabbing, and other attacks. Modifications can be made to the SEToolkit configuration file to customize attacks. The main menu and social engineering attack options of SEToolkit are also outlined.

Uploaded by

eva agustina

Physical Attacks and Social Engineering

In this chapter, we'll focus on the Social Engineering Toolkit, or SEToolkit. The
techniques used in employing these tools will serve as the model for using
social engineering to deploy attacks from other tools.

By the end of this chapter, you will learn how to use the SEToolkit to do
the following:

• Obtain a remote shell using spear phishing and Java applet attacks
• Harvest or collect usernames and passwords using the credential
harvester attack
• Launch the tabnabbing and webjacking attacks
• Employ the multi-attack web method
• Use PowerShell's alphanumeric shellcode injection attack

To support SET's social engineering attacks, the following general implementation
practices will be described:

• Hiding malicious executables and obfuscating the attacker's URL
• Escalating an attack using DNS redirection

You will also learn how to create and implement hostile physical devices based on
the Raspberry Pi microcomputer.

Social Engineering Toolkit


The Social-Engineer Toolkit (SEToolkit) was created and written by David
Kennedy (ReL1K), and it is maintained by an active group of collaborators
(www.social-engineer.org). It is an open source Python-driven framework
that is specifically designed to facilitate social engineering attacks.

A significant advantage of SEToolkit is its interconnectivity with the Metasploit
Framework, which provides the payloads needed for exploitation, the encryption
to bypass anti-virus, and the listener module that connects to the compromised
system when it sends a shell back to the attacker.

Before launching SEToolkit, you may wish to make some modifications to the
configuration file.


The Social Engineering Toolkit is preconfigured with common default settings;
however, these settings can be altered to adapt the kit to specific attack scenarios. In
Kali, the configuration file is /usr/share/set/config/set_config. Modifying this
file allows you to control the following:

• Metasploit variables, including the location, the database to use, how many
times a payload should be encoded, and commands to automatically run
once a meterpreter session has been established.
• Ettercap and dsniff switches to facilitate DNS redirection attacks and
capture of authentication credentials. By controlling the DNS, an attacker
can automatically direct groups of people to false sites created using the
setoolkit.
• Configuration of sendmail or other mail programs for use in attacks
requiring spoofed e-mail addresses; this allows the social engineer to enhance
the credibility of attacks by using an e-mail address that appears to come
from a trusted source, such as a senior manager in the same company.
• The e-mail provider to be used, including Gmail, Hotmail, and Yahoo.
• Creating self-signed Java applets with a spoofed publisher, activating SSL
certificates, and stealing digital signatures.
• Other variables such as the IP address, port assignments, and encoding
parameters.

To open the Social Engineering Toolkit (SET) in the Kali distribution, go to Applications |
Kali Linux | Exploitation Tools | Social Engineering Toolkit | setoolkit, or enter
setoolkit at a shell prompt. You will be presented with the main menu, as shown
in the following screenshot:


If you select 1) Social-Engineering Attacks, you will be presented with the
following submenu:

The following is a brief explanation of the social engineering attacks:

• Spear-Phishing Attack Vector allows an attacker to create e-mail
messages and send them to targeted victims with attached exploits.
• Website Attack Vectors utilize multiple web-based attacks, including
the following:
  ◦ Java Applet Attack Method spoofs a Java certificate and delivers a
  Metasploit-based payload. This is one of the most successful attacks,
  and it is effective against Windows, Linux, or OSX targets.
  ◦ Metasploit Browser Exploit Method delivers a Metasploit
  payload using an iFrame attack.
  ◦ Credential Harvester Attack Method clones a website and
  automatically rewrites the POST parameters to allow an attacker to
  intercept and harvest user credentials; it then redirects the victim
  back to the original site when harvesting is completed.
  ◦ Tabnabbing Attack Method replaces information on an inactive
  browser tab with a cloned page that links back to the attacker. When
  the victim logs in, the credentials are sent to the attacker.
  ◦ Web Jacking Attack Method utilizes iFrame replacements to make
  the highlighted URL link appear legitimate; however, when it is
  clicked, a window pops up, and is then replaced with a malicious link.
