Social Engineering Toolkit (SET)

According to Offensive Security, SET is:

“The Social-Engineer Toolkit is an open-source penetration testing framework designed for Social-Engineering. SET has a number of custom attack vectors that allow you to make a believable attack in a fraction of the time.”

Taken from this site.

These are the steps I took after some Google-fu:

set> 2 Fast-Track Penetration Testing

set> 3 Credential Harvester Attack Methodset>

2 Site Cloner

From there I input my IP and then input the target to be cloned.  Which is what led to what I’ve been talking about below.

I decided that this would be the first thing that I test within the Kali OS, since I’ve gone “native” and installed it as my production OS.  I got it running, and got it setup to clone Facebook – which was awesome.  I decided to test it using the two accounts that I have access to, and sure enough it did return everything that I thought it would – which is email and password.  Now if I could get it up and running on a server, so that I could harvest login information for a few sites – that would be spectacular.  However, I’ve come to learn that there can’t be any outside access to the cloned website – if I was to give the short link to somebody, they’re unable to use it.  I gave it to two friends of mine and said that it was some code that I was testing.  Both of them returned to me with errors, which I think were 404’s on both of them.

I guess this means that doesn’t allow outside connections; which unless I’m having a brain fart of epic proportions, SHOULD allow outside connections – I mean it’s the front door to your physical box.  So why wouldn’t a tool like SET allow you to give that IP to a target, so that you can get their information.  To be honest, I’m probably going to just Google the hell out of this and see what happens, because worst case scenario you DO need a dedicated server.  Best case scenario, I’m just an idiot trying to do things that are above my head – which is the best way to learn right?

I just read another link that said it doesn’t matter where in the world the victim is located, as long as they can access the web, they’re able to be attacked by your malicious link – as long as you leave the terminal with SET running inside it – that’s how you harvest the information that you’re even going after.  So what could I be doing wrong if I’m not able to have someone from the outside go through the link?

Everything in the block quote is what I did to get SET running.  Now I play the waiting game and see what happens.

Select from the menu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules

99) Return back to the main menu.

set> 2

The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

The Java Applet Attack method will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

The Credential Harvester method will utilize web cloning of a web- site that has a username and password field and harvest all the information posted to the website.

The TabNabbing method will wait for a user to move to a different tab, then refresh the page to something different.

The Web-Jacking Attack method was introduced by white_sheep, emgent. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.

The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing all at once to see which is successful.

The HTA Attack method will allow you to clone a site and perform powershell injection through HTA files which can be used for Windows-based powershell exploitation through the browser.

1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method

99) Return to Main Menu


The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website

1) Web Templates
2) Site Cloner
3) Custom Import

99) Return to Webattack Menu

[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you’re using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing []:
[-] SET supports both HTTP and HTTPS
[-] Example:
set:webattack> Enter the url to

[*] Cloning the website:
[*] This could take a little bit…

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s