Social Engineering is basically what I believe is the future of hacking. The biggest weakness is people themselves. Why? Imagine that you’ve put in the best security possible cyber wise, but haven’t trained your employees to well, not give out sensitive information even when the request is genuine. Hackers can exploit this weakness very easily if the hacker does it right. Social Engineering I’ve learned is a lot of taking advantage of the trust aspect of the human nature and human idiocity, but people aren’t completely idiots. From my experience, you only ask what you know you would get and make it as innocent as possible or as genuine as possible. In this tutorial, I am gonna explain how to use both SE and Phishing using Setoolkit.
##Phishing and Social Engineering
What is Phishing? Simply put it, Phishing is most of the time where one sends a fake login page of a legitimate website to gain credentials of the victim. Phishing can be other things, but sadly it is mainly this definition. Social Engineering is needed most of the time to be successful with Phishing. Setoolkit or just simply SET, is a tool that makes certain SE attacks “easier”. There’s many different attacks but for this tutorial we are only gonna focus on Credential Harvesting using a fake login page that we will clone. The Setoolkit can be founded here and read the README file in order to know how to install SET onto your system because it is pretty straight forward. Once installed or already installed, in a terminal type in:
Agree to the message that first shows up when first launching SET and than a menu is suppose to show up. Your terminal should look a lot like my screenshot,
Type 1, for Social Engineering Attacks. Than another menu should show up,
for that menu type in 2, for Website attack Vectors. Than type in 3, for the Credential Harvester.
The final menu should show up and type in 2, for Site Cloner.
Now, type in your external IP which you can find here, but make sure you port forward at port 80 for the internal IP that you will use during the attack (your system). To figure out your internal IP, type in ifconfig in a terminal and take note of either wlan0 or whatever your wireless interface maybe. The last and final part before the magic, is the site itself. Type full url of the site that you wish to clone, e.g. facebook. @pry0cc has mentioned that some sites will not work with this method or with anyother method. Once you hit enter the harvester will begin, but if it ask to stop apache2, type in ‘y’ for the harvester to work.
Now the real magic with this is Social Engineering for your victim to click on the link and type in their credentials. This is simpler said than actually done. I usually either use Email or a Text, if I can manage to get their phone number, but you would have to be logical. If you create a Facebook Phishing page, but they don’t have Facebook your Phishing attack will fail. This is where doxing comes in handy, but more on that later.
So that’s that… I gotta say that this is my first time experimenting with screenshots, but please comment down below and offer any suggestions.