Simulate Phishing in SET

Introduction

In this lab, you will learn how to simulate a phishing attack using the Social Engineer Toolkit (SET) to understand credential harvesting techniques. You'll practice installing SET, creating fake login pages, and capturing credentials to analyze how attackers exploit human vulnerabilities.

The exercise demonstrates real-world social engineering methods through hands-on experience with phishing page cloning and credential monitoring. You'll observe how easily users can be deceived into revealing sensitive information on spoofed websites.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/export_packets("Exporting Packets") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") subgraph Lab Skills wireshark/export_packets -.-> lab-549949{{"Simulate Phishing in SET"}} wireshark/packet_analysis -.-> lab-549949{{"Simulate Phishing in SET"}} end

Install SocialEngineer Toolkit

In this step, you will install the SocialEngineer Toolkit (SET), a powerful open-source penetration testing framework designed for social engineering attacks. SET provides various attack vectors like credential harvesting, phishing campaigns, and more. For beginners, it's important to understand that SET is a legitimate security tool used by professionals to test system vulnerabilities, not for malicious purposes.

First, ensure you're in the default working directory. This is where we'll download and install SET to keep your files organized:
```
cd ~/project
```
Clone the SET repository from GitHub. This command downloads the latest version of SET from its official source:
```
git clone https://github.com/trustedsec/social-engineer-toolkit.git
```
Navigate into the SET directory. After downloading, we need to enter the folder where SET was installed:
```
cd social-engineer-toolkit
```
Install SET using the Python installer. The 'sudo' command gives us administrative privileges needed for installation, while 'python3' ensures we're using the correct Python version:
```
sudo python3 setup.py install
```
Wait for the installation to complete. This process may take a few minutes as it installs all necessary components. You should see output similar to:
```
[*] Social Engineer Toolkit (SET) has been installed.
[*] You can now launch setoolkit by typing 'setoolkit' in your terminal.
```
Verify the installation by checking the SET version. This confirms that SET was installed correctly and shows which version you're running:
```
setoolkit --version
```
You should see output showing the installed version number, which means SET is ready to use.

Configure a Phishing Page

In this step, you will configure a phishing page using the Social Engineer Toolkit (SET) to simulate a credential harvesting attack. Phishing is a common cyber attack where attackers create fake login pages to steal user credentials. SET makes it easy to demonstrate how this works in a controlled environment.

We'll create a fake login page that mimics a popular service. This cloned page will look identical to the real website, but any credentials entered will be captured by our system instead of going to the legitimate service.

First, ensure you're in the SET directory. This is where the toolkit is installed on your system:
```
cd ~/project/social-engineer-toolkit
```
Launch the SET toolkit with root privileges. SET requires administrative access to configure network settings and web services:
```
sudo setoolkit
```
In the SET menu, we'll navigate through the attack options:
- Select 1) Social-Engineering Attacks - This is the main category for phishing attacks
- Then choose 2) Website Attack Vectors - We're creating a fake website
- Select 3) Credential Harvester Attack Method - Specifically targeting login credentials
- Choose 2) Site Cloner - We'll copy an existing website's design
When prompted for the IP address for POST back, press Enter to use the default (your VM's IP). This is where the stolen credentials will be sent.
Enter the URL to clone (we'll use a demo site). In a real engagement, this would be the target website you're mimicking:
```
https://example.com
```
SET will clone the page and configure the phishing attack. The cloning process copies the website's HTML, CSS, and images to make it look authentic. You should see output similar to:
```
[*] Cloning the website: https://example.com
[*] This could take a little bit...
[*] Files have been imported to the Apache web root.
```
The phishing page is now configured and ready to be hosted (which we'll do in the next step). At this point, SET has created a perfect replica of the target site that will capture any credentials entered into its login form.

Host the Fake Page

In this step, we'll make your phishing page available on the network by hosting it with Apache web server. Apache is a popular web server that will deliver your fake login page to anyone who visits your VM's IP address. This is how real phishing attacks work - by mimicking legitimate websites on attacker-controlled servers.

First, we need to install Apache if it's not already present on your system. Run this command to update your package list and install Apache:
```
sudo apt-get update && sudo apt-get install -y apache2
```
The -y flag automatically confirms the installation so you don't need to manually approve it.
After installation, check if Apache is running with:
```
sudo service apache2 status
```
If the service isn't running (which is common after fresh installation), start it with:
```
sudo service apache2 start
```
The Social Engineer Toolkit (SET) automatically saves your phishing page files in Apache's default web directory. Let's verify these files exist:
```
ls /var/www/html
```
You should see index.html (the main phishing page) along with other files that make the page look authentic, like images and stylesheets from the cloned website.
To let others access your phishing page, you need to know your VM's IP address. Find it with:
```
hostname -I
```
Write down this IP address (we'll refer to it as YOUR_VM_IP) as you'll need it to test and share the phishing link.
Before sharing the page, test it locally to ensure it loads correctly:
```
curl http://localhost
```
This command fetches the page content. You should see HTML output matching your cloned site. If you get an error, Apache might not be running properly.
Your phishing page is now live and accessible at:
```
http://YOUR_VM_IP
```
Anyone on your network who visits this address will see your fake login page.
Keep Apache running - don't close the terminal or stop the service. In the next steps, we'll use this hosted page to capture credentials when victims enter their information.

Capture Credentials

In this step, you'll learn how phishing attacks capture login credentials by simulating both the attacker's and victim's perspectives. When victims unknowingly enter their details on fake login pages (like the one we created earlier), SET saves that sensitive information for the attacker.

First, let's verify SET is still running from our previous setup. If you've closed it or the session expired, we need to restart the tool. This ensures our phishing server is active and waiting for victim connections:
```
cd ~/project/social-engineer-toolkit
sudo setoolkit
```
Now we'll configure SET to capture credentials. In the SET main menu, carefully select these options in order:
- 4) Create a Payload and Listener - This prepares SET to receive data
- 2) Website Attack Vectors - We're focusing on web-based attacks
- 3) Credential Harvester Attack Method - Specifically targets login credentials
- 1) Web Templates - Uses pre-made phishing page templates
Keep this terminal window open - SET is now actively monitoring network traffic and waiting for victims to submit their credentials through our fake login page.
Let's simulate a victim's action. Open a new terminal tab (Ctrl+Shift+T in most Linux environments) and use curl to send test credentials to our local phishing server. This mimics what happens when someone fills out and submits a login form:
```
curl -X POST -d "username=testuser&password=Test123!" http://localhost
```
Immediately check your SET terminal. You should see confirmation that credentials were captured, displayed in this clear format:
```
[*] WE GOT A HIT!
Username: testuser
Password: Test123!
```
SET automatically logs all captured credentials for later review. To see the complete attack log including our test entry, run:
```
sudo cat /var/lib/set/logs/set.log
```
The log file will show your test credentials along with the exact time they were captured. In real attacks, this file would contain all successfully phished credentials over time.

Review Captured Data

Now that you've completed the phishing simulation, let's examine the results. This final step will show you how to access and interpret the data collected by the Social Engineer Toolkit (SET), as well as properly clean up your testing environment to maintain security best practices.

First, we'll view the complete SET log file which contains all captured credentials in their raw format. This file is stored in a protected system location, so we need to use sudo:
```
sudo cat /var/lib/set/logs/set.log
```
This command displays the contents of SET's main log file, where all captured credentials are automatically stored during the phishing simulation.
For better organization and future reference, let's create a working copy of this data in your project directory. We'll also change the file ownership to your lab user account:
```
cd ~/project
sudo cp /var/lib/set/logs/set.log captured_credentials.txt
sudo chown labex:labex captured_credentials.txt
```
The chown command ensures you have proper permissions to work with this file without needing sudo for subsequent operations.
Now let's view the formatted report we just created:
```
cat captured_credentials.txt
```
You should see structured output similar to this example, showing the captured credentials along with timestamps and source information:
```
[*] 2023-11-15 14:30:22 - Credentials captured:
Username: testuser
Password: Test123!
IP Address: 127.0.0.1
```
It's important to clean up your testing environment after completing the exercise. This removes the phishing page we created and stops the web server:
```
sudo rm /var/www/html/index.html
sudo service apache2 stop
```
These commands ensure no residual testing materials remain that could pose security risks.
Finally, let's document our findings by creating a summary report that counts how many credentials were captured:
```
echo "Phishing Test Results" > test_summary.txt
echo "Total credentials captured: $(grep -c 'Username' captured_credentials.txt)" >> test_summary.txt
cat test_summary.txt
```
This creates a simple report showing the total number of credential pairs captured during your test. The grep -c command counts how many times 'Username' appears in your captured data file.

Summary

In this lab, you have learned how to simulate phishing attacks using the Social Engineer Toolkit (SET). The process included installing SET, configuring phishing pages through credential harvesting, and cloning target websites to create deceptive login interfaces.

The exercise provided hands-on experience with penetration testing tools and social engineering techniques. You explored how attackers capture credentials and gained awareness about defensive strategies against such security threats.