Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.


Using the Social Engineering Toolkit In Kali Linux

Here’s a little known fact: it’s a lot easier to trick a credulous user into handing over his password than it is to crack it.  People are getting smarter with passwords.  It seems like hacked accounts are always in the news, so people are wising up by adding numbers, symbols and mixed case.  Sure, you could still try a dictionary attack or even brute force; however, sometimes it can be as easy as sending one cunning email to the perfect target.

If you could craft an email so that it appears to originate from a trusted source such as Microsoft or a co-worker, that would instantly boost the credibility, and consequently the effectiveness, of your attack.  A better option is to compromise a trusted computer and then send your target an email from that user’s inbox.  When the email shows up in the target’s inbox it’ll look legitimate because it’s actually coming from a valid source: there’s no forgery with this technique and it can be very effective.

Tricking someone into giving up sensitive information is called phishing.  Think about tricking a fish with bait.  In the same way, a phisherman treats his victims like gullible fish, and if they take the bait he takes off with valuable information such as passwords and credit card numbers.

Insidious I know.

But how hard would it be to pull something like this off?

With Kali Linux it’s a little too easy.  In fact, with the Social Engineering Toolkit (SET) it’s just a matter of pointing and clicking.

Kali Linux makes executing a social engineering attack as easy as ordering take-out Chinese.

But phishing isn’t the only tool we have in our arsenal.

The Social Engineering Toolkit also includes a website tool that turns your Kali box into a web server hosting a bunch of exploits that can compromise almost any browser.  The idea is that we would send our target a link which routes them to our website, which automatically downloads and executes the exploit on the target system.  You can even clone a valid website so the target is less suspicious.  This becomes even more effective if you study your victim’s browser habits and clone one of their most frequently accessed sites.

SET lets you do all this and more.  Let’s take a look at this powerful toolkit.

Click Applications in the upper left corner of Kali Linux, browse down to Exploitation Tools, choose Social Engineering Toolkit and hit setoolkit.

[Screenshot: Kali Linux Social Engineering Toolkit]

Now this next part is pretty important and it’s something I need to underscore here.  I have a moral question for you:

Is a knife good or bad?

Think about that.

The knife itself is morally neutral.  It has no ability to choose.  It’s an inanimate object.  Knives are neither good nor bad, but people are different.  In the hands of a serial killer a knife is bad; conversely, in the hands of an expert surgeon a knife is good.

The knife is merely the tool.  It can be used for good or evil.  And in the same way the Social Engineer Toolkit is just a tool.  In fact, it was designed for the purposes of penetration testing.  This is when a company hires an objective security firm to test the security posture of its organization.  It’s a way to validate the security controls in place.  Usually the pentesting firm gets approval from management to launch attacks in a very particular way.  The scope of work is narrow, precise and deliberate.  In other words, penetration testers are trusted security professionals who help computers stay secure by trying to break into various systems.

SET is designed for penetration testing or for learning how it works in a lab environment.  I strongly dissuade you from trying to use this for evil.  It’s not worth it.

So go ahead and read the terms and make your decision.  I pray it’s the right one.

[Screenshot: Run Kali Linux Social Engineering Toolkit]

And now we are at the gateway to exploitation.

[Screenshot: Kali SET menu]

Let’s get things started by pressing 1 and enter.

[Screenshot: Kali attack menu]

There are a lot of options, such as Powershell Attack Vectors and creating infected USB drives (Infectious Media Creator), but let’s go with Website Attack Vectors so you can get a feel for how this works.

[Screenshot: Kali social engineering web attacks]

Let’s use the Metasploit Browser Exploit, option 2.  Do you see how this works so far?  It’s as easy as picking numbers in a phone tree.

We’ll use a generic web template, but as you can see you could also clone a website if you wanted to.

[Screenshot: SET web attack]

Pick option 1, Web Templates, and keep going.

The next prompt asks you if you want to use NAT/Port Forwarding.  In this attack example, I’m going to assume both the attacker and the victim are sitting on the same subnet; thus, there’s no need to use NAT here.

[Screenshot: NAT forwarding prompt]

The next question will ask you for the IP address of your Kali box.

[Screenshot: SET reverse IP prompt]

Mine is at 10.255.70.41.

A quick way to figure that out is to type:

ifconfig eth0

[Screenshot: Kali IP address shown by ifconfig]

Once we have this we can start the fun.

The next part asks us about the web template.  This is the page that loads to distract the user while the exploit runs in the background.  I’m going to pick Java so that it looks like a Java applet is loading, but in reality Java isn’t doing anything.  It’s just a facade to keep the user from getting suspicious while the exploit opens a remote connection to his computer.

[Screenshot: Kali Linux web templates]

Now we need to pick our exploit.

Let’s go with Metasploit Browser Autopwn.

[Screenshot: Kali Linux SET exploits]

Okay, then pick the exploit details.  I’m going to pick the Windows Reverse_TCP Meterpreter.

[Screenshot: Kali SET exploit details]

Choose the default port of 443,

[Screenshot: SET Kali default port]

and then sit back and watch as your new attack site is created.

[Screenshot: Create Kali server]

After a few minutes the server will start; hit enter to begin.

[Screenshot: Kali and Metasploit]

Alright, so we have 21 exploits in the bag.  The last step is to trick the user into clicking the Local IP http://10.255.70.41:8080 listed in the above screenshot.

This actually isn’t as difficult as it sounds.

In basic HTML, there’s a tag called <a> and it stands for anchor.  Furthermore, there’s an attribute called href="".  If you opened an email client in HTML mode you could easily paste in the Local IP address as the href and then between the <a> and </a> tags insert some benign text such as “Click here to Update” or “Your email password has expired, click here to reset”.
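Those same anchor mechanics are what a mail gateway or a security team looks at from the other side: a link whose href points at a bare IP address, uses an unusual port, or shows one URL as its visible text while sending the reader somewhere else.  The Python check below is an added example and is not code from this post, from SET or from Kali; it pulls every <a> out of an HTML email body and flags those tells.  The sample message and the example-corp.com hostnames are constructed for the demonstration; the 10.255.70.41:8080 address is the one used in this walkthrough.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the post). The first two anchors reuse the
# walkthrough's Local IP; example-corp.com is an assumed, made-up corporate domain.
SAMPLE_EMAIL = """
<p>Your email password has expired, <a href="http://10.255.70.41:8080">click here to reset</a>.</p>
<p>Or visit <a href="http://10.255.70.41:8080">https://login.example-corp.com/reset</a></p>
<p>Questions? See <a href="https://intranet.example-corp.com/help">the help desk</a>.</p>
"""

URL_IN_TEXT = re.compile(r"https?://\S+", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html_body):
    """Return a list of (href, reason) for anchors showing common phishing tells."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        # Tell 1: a web link whose host is a raw IP instead of a hostname.
        if parsed.scheme in ("http", "https") and _is_ip_literal(host):
            findings.append((href, "href targets a raw IP address"))
        # Tell 2: a port that is neither the default nor omitted (8080 in the walkthrough).
        if parsed.port not in (None, 80, 443):
            findings.append((href, f"href uses non-standard port {parsed.port}"))
        # Tell 3: the visible text is itself a URL but its host differs from the real target.
        match = URL_IN_TEXT.search(text)
        if match:
            shown = (urlparse(match.group(0)).hostname or "").lower()
            if shown != host.lower():
                findings.append((href, f"link text shows {shown} but href goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

Run stand-alone, the script lists five findings for the constructed message: both IP-address anchors are flagged twice (raw IP, port 8080) and the second one a third time because its visible text advertises login.example-corp.com.  The help-desk link to a real hostname on the default port produces nothing, which is the behaviour you want from a gateway rule so that ordinary corporate mail is not drowned in alerts.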

Here’s what happened when I clicked the link on my Windows 8.1 box running IE11.

[Screenshot: Kali exploit as seen by the victim]

How many users are going to think something is wrong with this error?  It looks perfectly innocuous.  But we know it isn’t.

Every time the user clicks OK the Java popup reappears but behind the scenes Kali Linux is covertly opening additional TCP sessions to the victim.

Check out the output on my Kali box.

[Screenshot: Kali pwned my Windows box]

My poor Windows 8.1 machine is responding with 15 exploits.

I’m owned.

It’s even worse on a Windows XP machine.  This is proof of why no one should ever run Windows XP.  Microsoft cut the cord on Windows XP a while ago for good reason.  Anyone still running Windows XP is setting themselves up for disaster.

If you typed sessions you would see the active connections to the victim; then you could use any of the dozens of tools in the Metasploit toolkit to compromise the PC further.  For example, now that the session is active, with a few commands you can log every keystroke of the user and covertly steal files without the user having a clue.
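From the network side, what this walkthrough produces is a recognizable two-step pattern: a workstation fetches a page from a bare IP on an unusual port (8080 here), and within seconds the same workstation opens fresh outbound connections to that same IP on a different port (the 443 listener chosen above).  The Python below is an added example and is not from this post, SET or Metasploit; it correlates constructed web-proxy and firewall log lines (the line formats, timestamps and workstation addresses are assumed for the demonstration, and the 10.255.70.41 address is the Kali box from the walkthrough) and reports that sequence, while ignoring a host whose visit went to a real hostname.

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample logs (not from the post). Both formats are assumed for the demo:
#   proxy:    <iso-time> src=<ip> GET <url> <status>
#   firewall: <iso-time> src=<ip> dst=<ip> dport=<port> proto=<p> action=<allow|deny>
PROXY_LOG = [
    "2014-05-02T10:15:01 src=10.255.70.23 GET http://10.255.70.41:8080/ 200",
    "2014-05-02T10:15:03 src=10.255.70.23 GET http://10.255.70.41:8080/favicon.ico 404",
    "2014-05-02T10:20:00 src=10.255.70.55 GET https://intranet.example-corp.com/ 200",
]
FIREWALL_LOG = [
    "2014-05-02T10:15:01 src=10.255.70.23 dst=10.255.70.41 dport=8080 proto=tcp action=allow",
    "2014-05-02T10:15:05 src=10.255.70.23 dst=10.255.70.41 dport=443 proto=tcp action=allow",
    "2014-05-02T10:15:09 src=10.255.70.23 dst=10.255.70.41 dport=443 proto=tcp action=allow",
    "2014-05-02T10:20:02 src=10.255.70.55 dst=10.255.70.41 dport=443 proto=tcp action=allow",
]

PROXY_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) GET (?P<url>\S+) (?P<status>\d+)$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=\S+ action=(?P<action>\S+)$"
)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def raw_ip_fetches(proxy_lines):
    """Return (time, src, server_ip, port) for each web request whose URL host is a bare IP."""
    fetches = []
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        url = urlparse(m["url"])
        host = url.hostname or ""
        if _is_ip(host):
            port = url.port or (443 if url.scheme == "https" else 80)
            fetches.append((datetime.fromisoformat(m["ts"]), m["src"], host, port))
    return fetches


def callback_alerts(proxy_lines, fw_lines, window_s=300):
    """Flag allowed outbound connections that follow a raw-IP web fetch by the same
    workstation to the same server on a *different* port within window_s seconds."""
    fetches = raw_ip_fetches(proxy_lines)
    alerts = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m or m["action"] != "allow":
            continue
        t = datetime.fromisoformat(m["ts"])
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        # Candidate fetches: same client, same server, other port, shortly before this flow.
        prior = [
            f for f in fetches
            if f[1] == src and f[2] == dst and f[3] != dport
            and 0 <= (t - f[0]).total_seconds() <= window_s
        ]
        if prior:
            first = min(prior, key=lambda f: f[0])
            alerts.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "seconds_after_fetch": int((t - first[0]).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in callback_alerts(PROXY_LOG, FIREWALL_LOG):
        print(alert)
```

On the constructed data the rule fires twice, both for 10.255.70.23: its fetch of http://10.255.70.41:8080/ is followed 4 and 8 seconds later by new connections to 10.255.70.41 on port 443.  The firewall entry for the page fetch itself is skipped because its port matches the fetch, and 10.255.70.55 stays quiet because its only web request went to a hostname, not a bare address.  In a real deployment the window and the raw-IP test are the knobs to tune; the point is that a listener on 443 does not blend in once you correlate it with the page load that preceded it.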

Crazy stuff.

Bottom Line

The Social Engineering Toolkit by Kali Linux makes taking over a PC as easy as selecting a few options through a menu.  It takes zero skill to implement, and this is why it’s critical for managers to arm their staff with the knowledge they need to sidestep these threats.  Security Awareness Training could help, but the bottom line is that managers need to talk to their employees so they can quickly identify phishing attempts.

  • weltone

    Can you please provide a link to download the Kali linux operating system?

  • Tech Recruit

    I get No exploits, check your MATCH and EXCLUDE settings

  • BlackJack

    Hi,
    Can you please give me a little help.
    Mine is stuck in this screen, what should I do?
    When I ping from my host to the fake page I have the virtual machine IP, so I assume that part is OK. But when I type something in the username and password, nothing comes out on the SEtoolkit nor in the harvest*.txt file at /var/www.

    Can you give me a hand?

  • Sufyan Arif

    How can I clone the Apple website? When I clone this site: https://appleid.apple.com/
    it says: Error. Unable to clone this specfic site. How can I clone the Apple site? Please do tell if you can.

  • mayur lohar

    How to fix this?

    While opening the Social Engineering Toolkit:
    Traceback (most recent call last):
    File "./setoolkit", line 34, in
    os.makedirs("/etc/setoolkit/")
    File "/usr/lib/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
    OSError: [Errno 13] Permission denied: '/etc/setoolkit/'