How to Use the Social Engineering Toolkit (SET) for Mock Phishing Tests
The Social Engineering Toolkit (SET, officially the Social-Engineer Toolkit) is an open-source framework, written and maintained by TrustedSec, that lets security professionals simulate social engineering attacks, phishing campaigns in particular, during authorised assessments. It comes bundled with Kali Linux, the widely used penetration testing distribution developed and maintained by Offensive Security (OffSec).

Getting Started with SET
To launch SET, follow these steps:
Open the Kali Linux applications menu and navigate to Social Engineering Tools (category #13), or open a terminal and run setoolkit with root privileges (SET needs root so that the harvester can listen on TCP port 80).
Launch SET and accept the disclaimer (which is worth reading: it limits use to authorised testing).
Important: SET is explicitly designed as a security testing tool, not for malicious hacking. It is open-source, and its intended purpose is to promote cybersecurity awareness and defence. Use it only against systems and people covered by written authorisation for the test.
Overview of SET’s Phishing Capabilities
SET offers a variety of phishing attack vectors and integrates seamlessly with Metasploit, allowing users to execute exploits in conjunction with SET. In this guide, we will clone a website and test the Credential Harvester feature to simulate a phishing attack.
Step-by-Step: Cloning a Website & Capturing Credentials
1. Selecting the Phishing Attack Method
From the SET main menu, select option #1 (Social-Engineering Attacks), then option #2 (Website Attack Vectors).
In the Website Attack Vectors menu, choose option #3 (Credential Harvester Attack Method).
2. Cloning a Target Website
SET can serve one of its built-in web templates or a page you import yourself, but for this example we will clone an existing website.
Select Site Cloner (option #2 in current SET releases) and enter the full URL of the site you wish to mimic (e.g., https://www.facebook.com). Cloning works best for pages whose login is a plain HTML form; pages that build the form with JavaScript, or that check a one-time token on every submission, often will not post back to SET, so submit a dummy credential to the clone yourself and confirm it appears on the SET console before any email goes out.
3. Configuring the Attack
When SET asks for the IP address for the POST back in Harvester/Tabnabbing, enter the address the cloned form should submit to, i.e. the Kali host that will listen on TCP port 80:
If performing the test over the internet, use your public/WAN IP address and forward TCP port 80 on the firewall or router to the Kali host.
If testing within a local network (LAN), use the Kali host's internal IP address.
After entering the IP address, SET downloads the target page, rewrites its login form so that the submitted fields are posted back to SET, and starts serving the result. The page looks like the original, but the link you send is a bare IP address over plain HTTP, which is an obvious tell; a realistic test points a registered look-alike domain at the host instead.
4. Capturing Credentials
Once a user submits the form on the spoofed site, SET prints the POST parameters to its console, flagging the likely username and password fields, and then redirects the user to the genuine site so that the failed login looks like a mistyped password.
When the test is finished, press Ctrl-C: SET then reports that an XML report (and an HTML one) has been generated in the reports subdirectory of the .set folder in the root user's home directory (SET runs as root, so this is /root/.set/reports/).
5. Viewing the Captured Credentials
Open the XML report in any text editor (e.g., Mousepad) and verify that the credentials entered on the cloned site were recorded.
These reports contain employees' real passwords in clear text. Keep them on an encrypted volume accessible only to the test team, delete them once the engagement report is signed off, and put only who responded, not what they typed, into the awareness report. Anyone who submitted a real password should be told to change it.
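Once the reports exist, the remaining job is turning them into findings without spreading the captured passwords any further. The script below is an added example for this guide, not code from SET or from the original article. It parses harvester output in the shape SET prints to its console (the wording of the marker lines and the ~/.set/reports/ location are assumptions modelled on typical SET output), records only whether a password was submitted and how long it was, checks each submission against the authorised target list so that out-of-scope submissions are flagged, and produces masked report lines. The sample log and the target list are constructed for the example.

```python
"""Post-process a SET credential-harvester log for a mock phishing report.

Added example for this guide, not part of SET itself. It assumes the
harvester output has the shape SET prints to the console ("WE GOT A HIT!",
"POSSIBLE USERNAME FIELD FOUND: ..."), which SET also records under
~/.set/reports/; both the wording and that path are assumptions here.
"""
import re

# Constructed sample log (not real captures) in the assumed SET output shape:
# three submissions, one with an empty password, one from an address that
# is not on the authorised target list.
SAMPLE_LOG = """\
[*] WE GOT A HIT! Printing the output:
PARAM: lsd=AVqf1x8
PARAM: display=
POSSIBLE USERNAME FIELD FOUND: email=alice@example.com
POSSIBLE PASSWORD FIELD FOUND: pass=Winter2024!
PARAM: login=Log In
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
[*] WE GOT A HIT! Printing the output:
PARAM: lsd=AVq9zz1
POSSIBLE USERNAME FIELD FOUND: email=bob@example.com
POSSIBLE PASSWORD FIELD FOUND: pass=
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: email=mallory@other.test
POSSIBLE PASSWORD FIELD FOUND: pass=hunter2
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
"""

# Authorised targets of the mock campaign (constructed for the example).
TARGETS = ["alice@example.com", "bob@example.com", "carol@example.com"]

HIT_MARKER = "WE GOT A HIT!"
USER_RE = re.compile(r"^POSSIBLE USERNAME FIELD FOUND: [^=]+=(.*)$")
PASS_RE = re.compile(r"^POSSIBLE PASSWORD FIELD FOUND: [^=]+=(.*)$")


def parse_harvester_log(text):
    """Split the log into one dict per submission.

    The plaintext password is never kept: only whether one was typed and how
    long it was, which is all an awareness report needs.
    """
    hits, current = [], None
    for line in text.splitlines():
        if HIT_MARKER in line:
            current = {"username": None, "password_submitted": False, "password_len": 0}
            hits.append(current)
            continue
        if current is None:
            continue
        user = USER_RE.match(line)
        if user:
            current["username"] = user.group(1).strip().lower()
        pw = PASS_RE.match(line)
        if pw:
            secret = pw.group(1)
            current["password_submitted"] = bool(secret)
            current["password_len"] = len(secret)
    return hits


def summarise(hits, targets):
    """Campaign metrics plus any submission that falls outside the test scope."""
    scope = {t.lower() for t in targets}
    responded = {h["username"] for h in hits if h["username"] in scope}
    submitted = {h["username"] for h in hits
                 if h["username"] in scope and h["password_submitted"]}
    out_of_scope = sorted({h["username"] for h in hits
                           if h["username"] and h["username"] not in scope})
    return {
        "targets": len(scope),
        "responded": len(responded),
        "submitted_password": len(submitted),
        "out_of_scope": out_of_scope,
    }


def report_lines(hits):
    """Human-readable lines with the password masked to its length only."""
    lines = []
    for h in hits:
        if h["password_submitted"]:
            detail = f"password submitted ({'*' * h['password_len']})"
        else:
            detail = "no password submitted"
        lines.append(f"{h['username'] or '<no username field>'}: {detail}")
    return lines


if __name__ == "__main__":
    # On a real engagement, read the harvester file from /root/.set/reports/
    # instead of SAMPLE_LOG (path assumed; see the module docstring).
    hits = parse_harvester_log(SAMPLE_LOG)
    print("\n".join(report_lines(hits)))
    print(summarise(hits, TARGETS))
```

An out-of-scope address in the output is a signal to stop and investigate: it usually means the link was forwarded beyond the test group or the clone was reachable by people the authorisation does not cover, and any such credential must be handled as an incident rather than a finding.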
Final Thoughts & Ethical Considerations
This exercise demonstrates how quickly a convincing phishing page can be built, which is why security awareness matters. Authorised penetration testing and red team exercises using SET, run under a written scope that names the people and systems involved, help organisations train employees, identify weaknesses, and improve security controls.