The Web-Jacking attacks uses iFrame replacements to make a malicious link look legit, and finally the Multi-Attack combines several of the above attacks. TabNabbing works great if the client has a lot of browser window open, it waits a certain time then switches one of the tabs to a page that SET creates. The Credentials Harvester Attack is pretty slick as it clones an existing website (like Facebook) and then stores any credentials that are entered into it.
The Metasploit Browser Exploit attacks the client system with Metasploit browser exploits. This will create a Java app that has a backdoor shell. Now we choose number 1 for Java Applet Attack method.
Then we choose 2 for Website Attack Vectors. We will be using a Windows 8 system as the target in the example.įrom the SET menu we choose number 1 for Social-Engineering Attacks.
#How to use social engineering toolkit kali usb full
We will use SET to create a fictitious website that will offer up a booby-trapped Java app, and if user allows the app to run, we get a full remote session to the system. The Java PyInjector attack leverages the anti-virus bypassing capabilities of PowerShell based attacks with a Java application. But if we could make a fake site that offered up a booby script, and if the user allows the script to create shell with the user. So far we have just sent a fake e-mail that could redirect someone to a bogus site. The message in above screenshot is obviously a silly fake, but something like this (With a much more believable message ) could be used to test employee's ability to detect, resist and report phishing attempts.
Then press " Enter" and SET will send out the e-mail to victim.