i Penetration Testing – Social Engineering ToolKit – All things in moderation

Penetration Testing – Social Engineering ToolKit

After two previous posts, I think you guys familiar with ARP Posioning and how we make it works. But there was a small detail which I forgot to mention. When the victim visit this link: http://www.nature.com/naturejobs/science/login ( the below photo ), that was a fake website.

pentest ettercap

I have used a python framework for this task, its name is Social Engineering Toolkit. You guys could download it from here. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering that was created by TrustedSec. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. This is the standard tool for social-engineering penetration tests and supported heavily within the security community.

So in this post, I will show you guys how to do that.
– First, here is a quick look about this framework. On Kali, you just run this command:

setoolkit

pentest social engineering toolkit

And you will see its features.

  • We are going to use Social Enginnering Attacks. Chooses 1. Then we could see many options that we can use.

pentest social engineering toolkit

  • Chooses 2. They will give us some details about this attacks. And we chooses the number 3 – Credential Harvester Attack Method.

pentest social engineering toolkit

  • Chooses 2. We will clone the real website.

pentest social engineering toolkit

But you need to fill in your local ip address and the link to a website that you want to clone. And everything is done. You could check that HTML file in directory: /var/www/html/index.html.

It looks cool, right? 😀

pentest social engineering toolkit

When victims type their username and password, you can see it via Wireshark like our previous post.

If you guys haven’t forgot that this framework has many options yet, so you could give it a try today. But always remember, with education purpose. 😀

Leave a Reply