ing
: getting a user inside your target network to click a link they shouldn’t click, or
maybe open an infected attachment. We can use the social engineer’s toolkit (
setool‐
kit
) to help us automate these social engineering attacks.
setoolkit
takes most of the
work out of this. It will create emails with attachments or clone a known website,
adding in infected content that will provide you access to the system of a targeted
user.
setoolkit
is menu driven, rather than having to type commands and load modules as
you have to in
msfconsole
. It also has a lot of attack functionality built into it. We’re
going to focus on just the social engineering menu.
Example 5-19
is the social engi‐
neering menu, and from this, we can select phishing attacks, website generation
attacks, and even creation of a rogue access point.
Example 5-19. Social engineer toolkit
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
It
'
s easy to update using the PenTesters Framework!
(
PTF
)
Visit https://github.com/trustedsec/ptf to update all your tools!
Select from the menu:
1
)
Spear-Phishing Attack Vectors
2
)
Website Attack Vectors
3
)
Infectious Media Generator
4
)
Create a Payload and Listener
5
)
Mass Mailer Attack
6
)
Arduino-Based Attack Vector
7
)
Wireless Access Point Attack Vector
8
)
QRCode Generator Attack Vector
9
)
Powershell Attack Vectors
10
)
SMS Spoofing Attack Vector
11
)
Third Party Modules
99
)
Return back to the main menu.
set
>
setoolkit
walks you through the entire process, asking questions along the way to help
you craft a successful attack. Because of the number of modules that are available
from Metasploit, creating attacks can be overwhelming because you will have many
options.
Example 5-20
shows the list of file formats that are possible from selecting a
spear-phishing attack and then selecting a mass mailing.