What is Social Engineering Toolkit?
The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be relsed with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an ation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.
Step (1)Change yourwork directory into/pentest/s/set/
Or Goto:
Step (2)Open Social Engineering Toolkit(SET)./setand then choose "Website Attack Vectors" because we will attack victim viainternet browser. Also in this attack we will attack via website erated by Social Engineering Toolkit to open by victim, so choose "Website Attack Vectors" for this options.
Step (3)Usually when user open a website, sometimes they don't think that they are opening suspicious website that including malicious script to harm their computer. In this option we will choose "The Metasploit BrowserMethod" because we will attack via victim browser.
Step (4)The next step just choose "Web Templates", because we will use the most famous website around the world that alrdy provided by this Social Engineering Toolkit tools.
Step (5)There are 4 website templates Rdy To Use for this attack methods, such as GMail, Google, Facebook, and Twitter. In this tutorial I will use Google, but if you think Facebook or Twitter more better because it's the most accessed website, just change into what do you want.
Step (6)For the next step…because we didn't know what kind of vulnerability that successfully attack the victim and what type of browser, etc, in this option we just choose "Metasploit Browser Autopwn" to load all vulnerability Social Engineering Toolkit known. This tools will launch all in Social Engineering Toolkit database.
Step (7)For payload options selection I prefer the most use Shell Reverse_TCP Meterpreter, but you also can choose the other payload that most comfortable for you.
Step (8)The next step is set up the Connect back port to attacker computer. In this example I use port 4444, but you can change to 1234, 4321, etc
Step (9)The next step just wait until all process completed and also wait until the server running.
Step (10)When the link given to user, the victim will see looks-a-like Google(fake website). When the page loads it also load all malicious script to attack victim computer.
Step (11)In attacker computer if there's any vulnerability in victim computer browser it will return sessions value that mn the successfully attacking victim computer. In this case the crte new fake process named"Notepad.exe".
Step (12)To view active sessions that alrdy opened by the type"sessions -l"for listing an active sessions. Take a look to the ID…we will use that ID to connect to victim computer.
Step (13)To interract and connect to victim computer use command"sessions -i ID". ID is numerical value that given when you dosessions -l. For example you can see example in picture below.
Step (14)Victim computerowned (). :)
Step (15)Now you can do lots of stuffs with victim machine if u know the power of meterpreter.
No comments:
Post a Comment