Copy of Lab 2.1.1 - Social Engineering Toolkit
Instructions:
• Go to CYBER.ORG Range (https://apps.cyber.org)
• Click on the Range tab, then click on Launch Kali.
• Once the status changes to booted, click Open.
• Open a terminal by clicking the black square with the white border in the top left toolbar.
• The Social-Engineering Toolkit will start, and you will see a menu.
Copyright © 2023 Cyber Innovation Center All Rights Reserved. Not for Distribution.
• From the SET menu, follow these selections:
• #1 Social Engineering Attacks
• #2 Website Attack Vectors
• #3 Credential Harvester Method
• #1 Web Templates
• You’ll see something like the following; just press the Enter key.
• Select the Twitter web template. You will get a series of messages that ends with “Information will be displayed to you as it arrives below”.
• Open a web browser (globe button to the left of the terminal in the toolbar) and type 127.0.0.1 in the address bar. You will see a fake version of Twitter.
• Enter a name and password (NOT your real one!) and click to log in.
• It will look as though the login and webpage failed. This is because the fake webpage harvested your login information and then redirected you to the real Twitter website.
• Return to SET (in the terminal window that should still be open) and you should see that your name and password were captured.
Let’s review how a threat actor would use this type of attack:
• Attacker uses SET to set up a fake version of a popular website login page.
• Attacker takes the URL of the fake page and sends it in a phishing email to lots of victims OR puts the link in a social media post.
• The victim clicks the link to login to the website, not realizing this is not the real login page.
• The victim enters their username and password and presses Enter. The fake website redirects the user’s browser to the real website. The user thinks they typed their password incorrectly and logs in again, successfully this time because it is the real website.
• Every time a victim logs into the fake website, the attacker receives their username and password.
• Press CTRL-C and then Enter to return to the SET menu. If desired, try this again with Google.
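The review above describes the victim-side sequence a credential harvester produces: a login form is POSTed to a host that is not the real site, and a moment later the same browser lands on the real site. That sequence is visible in an organization's web-proxy logs. The following Python script is an added example written for this page, not part of the CYBER.ORG lab or of SET; it scans a few constructed proxy log lines for that POST-then-bounce pattern. The log line format, the map of brand login hosts, and the 30-second window are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed map of brand -> hosts that serve that brand's real login page.
# A production detector would load this from a maintained allow-list.
LEGIT_LOGIN_HOSTS = {
    "twitter": {"twitter.com", "mobile.twitter.com", "x.com"},
    "google": {"accounts.google.com"},
}

# Constructed proxy log lines: "<ISO timestamp> <client IP> <METHOD> <URL> <status>".
# Client 10.0.0.5 reproduces the lab: it submits to 127.0.0.1 and is bounced to twitter.com.
SAMPLE_LOG = [
    "2023-09-14T10:00:01 10.0.0.5 GET http://127.0.0.1/ 200",
    "2023-09-14T10:00:09 10.0.0.5 POST http://127.0.0.1/ 302",
    "2023-09-14T10:00:10 10.0.0.5 GET https://twitter.com/login 200",
    "2023-09-14T10:05:00 10.0.0.7 POST https://twitter.com/sessions 302",
    "2023-09-14T10:05:01 10.0.0.7 GET https://twitter.com/home 200",
    "2023-09-14T10:09:00 10.0.0.9 POST http://198.51.100.20/index.html 200",
    "2023-09-14T10:15:00 10.0.0.9 GET https://twitter.com/ 200",
]


@dataclass
class LogEntry:
    ts: datetime
    client: str
    method: str
    url: str
    status: int


def parse_line(line: str) -> LogEntry:
    """Parse one space-separated line in the constructed log format above."""
    ts, client, method, url, status = line.split()
    return LogEntry(datetime.fromisoformat(ts), client, method, url, int(status))


def brand_for_host(host: str):
    """Return the brand whose real login host this is, or None for any other host."""
    for brand, hosts in LEGIT_LOGIN_HOSTS.items():
        if host in hosts:
            return brand
    return None


def find_harvester_candidates(lines, window=timedelta(seconds=30)):
    """Flag POST-then-bounce sequences in the log.

    A candidate is a POST from a client to a host that is NOT a known brand
    login host, followed within `window` by the same client fetching a known
    brand login host: the victim submitted credentials somewhere else and was
    then sent to the real site to "try again".
    """
    entries = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    findings = []
    for i, post in enumerate(entries):
        if post.method != "POST":
            continue
        post_host = urlparse(post.url).hostname or ""
        if brand_for_host(post_host) is not None:
            continue  # credentials went to the brand's own site; nothing to flag
        for later in entries[i + 1:]:
            if later.ts - post.ts > window:
                break  # entries are time-sorted, so nothing further can match
            if later.client != post.client or later.method != "GET":
                continue
            brand = brand_for_host(urlparse(later.url).hostname or "")
            if brand is not None:
                findings.append({
                    "client": post.client,
                    "suspect_host": post_host,
                    "brand": brand,
                    "seconds_to_bounce": (later.ts - post.ts).total_seconds(),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_harvester_candidates(SAMPLE_LOG):
        print(f"possible credential harvester: {f['client']} POSTed to "
              f"{f['suspect_host']} then reached {f['brand']} "
              f"{f['seconds_to_bounce']:.0f}s later")
```

Run against the sample, only client 10.0.0.5 is flagged: 10.0.0.7 posted to the brand's real host, and 10.0.0.9 reached twitter.com six minutes after its POST, outside the window. The window and the host list are the tuning knobs; the address bar showing an IP address such as 127.0.0.1 instead of the brand's domain is the same mismatch the script keys on, and it is what a user should check before typing a password.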
Closure discussion:
1. What kind of malicious attack is this that we talked about (social engineering is not the answer)?
3. Paste screenshots of each step of your Twitter page and the username and password that it captured.