[Pentesting] SET: scams, spoofing, fake login, and much more ...


We have arrived at the third installment of the "Pentesting" series. Today we look at a topic that is very common nowadays: phishing. What is phishing? In computing, phishing is a scam. An example makes it clearer: you open your e-mail inbox and find an e-mail from your "bank" stating that your account has been blocked, inviting you to click on a link and log in on the web page you are redirected to. That web page does not belong to the bank but to a hacker who has cloned the real page so that the data you enter in the form ends up on their PC.

Today we talk about the Social-Engineer Toolkit (SET), developed by TrustedSec in Python and released under an open source license. As the title suggests, this program is accessible to everyone and lets you build fake logins for various social networks [Facebook, Twitter, etc.] (but also for banking sites), so it is first and foremost a way to steal important access credentials. It also lets you send anonymous text messages, build infected files, and in some cases interact with Metasploit Framework, the most powerful framework, containing exploits, payloads, auxiliary modules, encoders, etc.; we will explain this in more detail later. Today we see how to do fake logins correctly with SET and social engineering, that is, how login credentials are stolen, which is the main function of SET. In subsequent articles we will also look at the integration with Metasploit, but, I repeat, we will see that soon.

1) Open SET from the file setoolkit.py in the set/ folder (~/set/setoolkit.py) [root]

Open the terminal and type:

cd set/
sudo -s
chmod +x setoolkit (*)
./setoolkit

* The chmod command only needs to be run if the file does not have execute permission (check with ls: if setoolkit is shown in red, run chmod; if setoolkit is shown in green, continue).


SET: Main selection menu

2) Attack based on Social Engineering

The next step in creating a fake login is to select the social engineering attacks, then select 2 in the next menu, i.e. "Website Attack Vectors", as in the image.


SET: Social-Engineering Attacks subMenu> Website Attack Vectors

We then find ourselves in a menu that lists the various types of attack; let's go through it together:


SET: WEB based attack methods

We can see that the web-based attack menu offers various choices. The first is a Java applet, that is, a small application written in Java (called an applet) that runs in the browser. It is very convenient and one of the best choices for owning someone's computer, but be careful with the encoder: Java has medium security by default, so the source code will be scanned and 97% of the time the applet will be rejected by the system. It contains a payload generated by Metasploit that connects to the Metasploit Framework listener; all this happens through a simple web page, which then asks to run the Java plugin [Metasploit required].

The second choice is an exploit that targets vulnerabilities in the various browsers (Internet Explorer recommended as the choice 😀). The exploit is generated automatically by Metasploit Framework through a web page (HTML, if I'm not mistaken); an HTML tag will "deliver" the package (payload) to the recipient [Metasploit required].

The third, the one that interests us, is the Credential Harvester Attack Method, which consists in cloning a web page of your choice that contains forms. This function requires Apache, but we'll see how to disable that, since it does not let us see what happens on the server in real time... the procedure is described shortly. (P.S. It is not visible to any antivirus.)

The others are less important, we skip them for the moment.

So we choose the third option


SET: choice for harvest attack

After choosing the harvester attack method we must choose how to supply the pages to be cloned. There are 3 choices:

  • Predefined SET templates
  • "Cloner" of websites (via URL)
  • Import via html file (index.html) from local

We choose option 2:


SET: IP choice (server address)

In this phase we have two choices:

  • run the server locally
  • run the server in a network

If we want to run the server locally, we open the terminal and type ifconfig, look on the left for the network card the computer is using at the time of the attack, and enter the IPv4 address shown in that terminal. To run it remotely you have to open port 80/TCP on your router for your IP address (you are vulnerable to DoS attacks even if you don't have a site, since we have an open port) and type your public IP address in the choice menu.

Then it asks us which site we need to clone (remember: two login forms, not one more); type the target site and press Enter.

[I will use: http://www.facebook.com/login.php]


SET: fail

Most likely, if you do not have an active Apache server, the output will be like the one in the picture and SET will automatically return to the selection menu. So we open another terminal (you will probably already be in the set/ directory) and type the following commands:

cd config/
gedit set_config.py

There you will find a configuration file. With CTRL+F we search for Apache, and gedit will highlight the two occurrences of APACHE: the first says whether the Apache server is enabled, via True or False (True = yes, False = no) [True = 1, False = 0]; the second indicates the Apache server root directory (relative to APACHE_SERVER).

Once the file is open we will find the values set in this way; we change the value of APACHE_SERVER from "True" to "False".


We also modify the setoolkit file: look for apache and change the value of *_SERVER from ON to OFF.


Then restart SEToolkit and repeat the procedure above.

Now ... surprise!


The server is waiting for the user to open the link, fill in the login form and press the "Login" button.

To make the fake login work, just send your IP address to a person to insert in the URL bar; he will enter his data and will not notice anything, as he is redirected to his Facebook profile even if he enters incorrect data (cached offline page) [I'm not showing you the login].

Here is the output, let's analyze it:


It starts with the IP address of the person who opened the link, the date of opening, the method (GET) and the reply code [200 is positive].

Consider the second block of the output:

There are all the parameters of the page, followed by the results of the forms, highlighted in red:

The first form is called email and corresponds to hello.

The second is called pass and corresponds to inthebit.

The server will listen until it is stopped via CTRL+C or by closing the terminal. For those using a public IP: hide the IP address with TinyURL.
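Seen from the defender's side, the link this guide produces has recognisable traits: the host is a bare IP address, the page is served over plain HTTP on port 80, and the address may be wrapped in a URL shortener. The following is an added example, not part of the original article or of SET, that scores a link on those traits the way a mail gateway or proxy rule might; the function name, the shortener list, the path hints and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive shortener list (the article names TinyURL).
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
# Path fragments typical of a login page (constructed for this example).
LOGIN_HINTS = ("login", "signin", "account", "verify")
# RFC 1918 ranges: a harvester run "locally" sits on one of these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def triage_link(url, expected_domains=()):
    """Return a sorted list of reasons a link looks like a cloned-login lure."""
    # A bare address typed into the URL bar is treated as plain HTTP.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = set()

    if parts.scheme != "https":
        reasons.add("no-tls")                    # credentials travel in clear text
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        reasons.add("ip-literal-host")           # real services are reached by name
        if ip.is_loopback or any(ip in net for net in RFC1918):
            reasons.add("internal-address")
        if any(h in parts.path.lower() for h in LOGIN_HINTS):
            reasons.add("login-path-on-ip")
    else:
        bare = host[4:] if host.startswith("www.") else host
        if bare in SHORTENERS:
            reasons.add("url-shortener")         # real destination is hidden
        elif expected_domains and not any(
                host == d or host.endswith("." + d) for d in expected_domains):
            reasons.add("unexpected-domain")     # look-alike or unrelated host
    return sorted(reasons)


if __name__ == "__main__":
    for sample in ("192.168.1.10", "http://203.0.113.7/login.php",
                   "https://tinyurl.com/example"):
        print(sample, "->", triage_link(sample))
```

A shortener hit only says the destination is hidden; the link has to be expanded and triaged again before it can be cleared.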


Thank you for following the guide!
