This article is about Kali Linux Tools for Social Media. In this post, we will discuss how to use the Social Engineering Toolkit in Kali Linux 2020, the Kali Linux tools list and Kali Linux Social Engineering Toolkit commands.
This is a presentation of how to use the social engineering tools in Kali Linux 2020, with keyboard shortcut keys, and how passwords on a computer can be cracked with Kali Linux 2020. It will give you a good understanding of the capabilities of the social engineering tools in Kali Linux 2020.
We’re taking a look at some of the best Kali Linux penetration testing tools accessible to ethical hackers and penetration testers today. Let’s take a moment to review a few key terms before moving on to the list.
Kali Linux: Top 5 Tools for Social Engineering
#1. Kali Linux Social Engineering Tool: Maltego
Maltego is an OSINT (open-source intelligence) investigation tool that shows how different pieces of information are interlinked. With Maltego, you can find relationships between people and various information assets, including email addresses, social profiles, screen names and other pieces of information that link a person to a service or organization.
Having all of this information can help you simulate a social engineering attack to help you evaluate your employees’ security awareness. You can launch Maltego from the Kali Whisker Menu or by going to Applications > Kali Linux > Top 10 Security Tools > and selecting Maltego at number five.
Maltego uses a graphic user interface, making it easy to visualize relationships.
#2. Kali Linux Social Engineering Tool: Social Engineering Toolkit (SET)
Social Engineering Toolkit (or SET) is an open-source, Python-driven toolkit aimed at penetration testing around social engineering. SET has various custom attack vectors that enable you to set up a believable attack in no time.
SET includes a website tool that converts your Kali box into a web server with a range of exploits that can compromise most browsers. The idea is to send your target a link that routes them through your site, which automatically downloads and executes the exploit on their system.
You can even use the pre-built templates in SET to clone a legitimate website so that the exploit looks more realistic. SET has pre-formatted phishing pages of popular sites, including Facebook, Twitter, Google and Yahoo.
You can open SET in Kali Linux by going to Applications > Kali Linux > Exploitation Tools > Social Engineering Toolkit, or by entering setoolkit at a shell prompt.
#3. Kali Linux Social Engineering Tool: Wifiphisher
Wifiphisher is a unique social engineering tool that automates phishing attacks on Wi-Fi networks to get the WPA/WPA2 passwords of a target user base. The tool can choose any nearby Wi-Fi access point, jam it (de-authenticate all users) and create a clone access point that doesn’t require a password to join.
Any person who connects to the evil twin-like open network is presented with a seemingly legitimate phishing page asking for the Wi-Fi password to download a firmware update, which is cited as the reason the Wi-Fi isn’t working.
Once the targets enter a password, Wifiphisher sends an alert while stalling for time. After transmitting the captured password, it will display both a fake reboot timer and a fake update screen to buy you time for testing the captured password. It’s a handy tool for evaluating your security defenses against Wi-Fi-based social engineering.
You can launch the python script by entering this command:
$ sudo python wifiphisher.py
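From the defender's side, the evil-twin pattern described above (a flood of de-authentication frames against a real access point, followed by an open clone of its SSID) can be detected by a wireless sensor. The following is an added example, not part of the original article or of Wifiphisher; the AP inventory, beacon records and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory of the organisation's own access points (assumption).
KNOWN_APS = {"CorpWiFi": {"security": "WPA2",
                          "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}}
# Constructed sensor data: beacons as (time_s, ssid, bssid, security).
BEACONS = [(0, "CorpWiFi", "aa:bb:cc:00:00:01", "WPA2"),
           (62, "CorpWiFi", "de:ad:be:ef:00:99", "OPEN"),
           (70, "CoffeeShop", "11:22:33:44:55:66", "OPEN")]
# Constructed deauthentication frames as (time_s, bssid named in the frame).
DEAUTHS = [(60 + i * 0.1, "aa:bb:cc:00:00:01") for i in range(40)] + [(300, "aa:bb:cc:00:00:02")]

def rogue_beacons(beacons, known=KNOWN_APS):
    """Beacons reusing a known SSID from an unknown BSSID or with different security."""
    findings = []
    for t, ssid, bssid, sec in beacons:
        ap = known.get(ssid)
        if ap is None:
            continue  # not one of our SSIDs, nothing to compare against
        reasons = [r for r, bad in (("unknown-bssid", bssid.lower() not in ap["bssids"]),
                                    ("security-mismatch", sec != ap["security"])) if bad]
        if reasons:
            findings.append({"time": t, "ssid": ssid, "bssid": bssid, "reasons": reasons})
    return findings

def deauth_bursts(deauths, window=10.0, threshold=20):
    """Map bssid -> start time of the first window holding >= threshold deauth frames."""
    by_bssid = defaultdict(list)
    for t, bssid in sorted(deauths):  # sorted, so each per-BSSID list is in time order
        by_bssid[bssid.lower()].append(t)
    bursts = {}
    for bssid, times in by_bssid.items():
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[bssid] = times[lo]
                break
    return bursts

def evil_twin_alerts(beacons, deauths, known=KNOWN_APS, correlate=120.0):
    """Rogue beacons, rated high when a real AP of that SSID was deauth-flooded near that time."""
    bursts = deauth_bursts(deauths)
    alerts = []
    for f in rogue_beacons(beacons, known):
        jammed = sorted(b for b, start in bursts.items()
                        if b in known[f["ssid"]]["bssids"] and abs(start - f["time"]) <= correlate)
        alerts.append({**f, "jammed_bssids": jammed, "severity": "high" if jammed else "medium"})
    return alerts
```

A single stray deauthentication frame (as at t=300 in the sample) does not raise the severity; only a burst correlated in time with the rogue beacon does.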
#4. Kali Linux Social Engineering Tool: Metasploit MSF
Metasploit Framework is a penetration testing tool that can help you identify, exploit and validate vulnerabilities. It delivers the content, tools and infrastructure to conduct extensive security auditing along with penetration testing.
One of the most powerful features packaged into Metasploit is the option to set up a fake SMB server. This means that when a person on the network tries to access the server, their system will present their credentials in the form of their “domain password hash.”
If you are patient, you may be able to capture domain credentials as users attempt to authenticate against the SMB server. Sending an embedded UNC path to the target can help you collect their domain credentials when they click on it.
MSF is updated frequently, and new exploits are added as soon as their creators publish them. You can launch Metasploit through the Kali Linux menu or by entering the following command in the terminal.
$ msfconsole -h
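Because the credential capture described above depends on a client following a UNC path to a server outside the organisation, a mail or web gateway can flag such links before a user clicks them. The following is an added example, not from the original article or from Metasploit; the internal DNS suffix, address ranges and sample messages are constructed assumptions.

```python
import ipaddress
import re
from html import unescape
from urllib.parse import unquote

# Hypothetical internal naming and addressing (assumptions for this example).
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# \\host\share, file://host/share and file:////host/share (file:///path is a local file, not UNC).
UNC_RE = re.compile(r'(?:\\\\|file:(?://|/{4,}))([A-Za-z0-9._-]+)[\\/]+([^\s"\'<>\\/]+)', re.I)

def is_internal(host):
    """True for internal IPs, dot-less NetBIOS names and hosts under an internal suffix."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        return "." not in host or host.endswith(INTERNAL_SUFFIXES)

def find_external_unc(body):
    """Return sorted (host, share) pairs for UNC/file: links that point outside the organisation."""
    text = unquote(unescape(body))  # undo HTML-entity and percent-encoding before matching
    return sorted({(h.lower(), s) for h, s in UNC_RE.findall(text) if not is_internal(h)})

# Constructed message bodies.
SAMPLES = {
    "plain": r"Quarterly report is here: \\203.0.113.7\finance\Q3.xlsx",
    "html-img": '<img src="file://files.external.example/pix/logo.png" width=1>',
    "encoded": "<a href='%5C%5Cupdates.external.example%5Ctools'>patch</a>",
    "entity": "see &#92;&#92;share.external.example&#92;docs",
    "internal": r"Team drive: \\fs01.corp.example\team and \\PRINTSRV\queue",
    "local": "file:///C:/Users/alice/notes.txt",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, find_external_unc(body))
```

Blocking outbound SMB (TCP 445 and 139) at the network egress complements this check, since the hash then cannot reach an external server even if a link is followed.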
#5. Kali Linux Social Engineering Tool: MSFvenom Payload Creator (MSFPC)
MSFPC is a user-friendly tool that makes it easy to create basic payloads. It helps users avoid the need to write long msfvenom commands to generate payloads. With this generator, you can create payloads with a minimum of one argument.
MSFPC can be used to create Windows, Linux and even Android payloads. Its script is a real timesaver when you want to create simple payloads quickly. Although this doesn’t involve encoding to help bypass antivirus, it can still be useful to learn.
Sometimes, you just want to make a quick payload, deliver it somewhere, and carry on with your routine. In scenarios like these, msfpc.sh can come in handy.
To use MSFPC, you only need to define the payload you want, either by the file extension you want it to have or by the platform you are going to drop it on. Typing msfpc in the terminal will allow you to run the tool.
What is Social Engineering and who are the attackers’ main targets?
Social engineering is the art of manipulating people in order to gain crucial information that can be used to perform malicious actions. In social engineering, instead of targeting the weaknesses of a network or a machine, we target the weaknesses of people.
- Receptionists and Help-Desk Personnel: An attacker can extract phone numbers and email IDs from them.
- Technical Support Executives: An attacker can pretend to be a senior manager, a customer or a vendor to gain information from them.
- System Administrators: They are the ones who maintain the systems of all the employees.
- Users and Clients: An attacker can pretend to be technical support and gain information from them.
- Senior Executives: Attackers can target HR, Finance and CxOs of a company to gain critical information.
What are the 4 phases of social engineering?
- Research the Target Company: Before attacking the target organization’s network, an attacker gathers as much information as he/she can in order to infiltrate the system. Social engineering is a technique which helps in extracting information. While researching, the attacker engages in activities like dumpster diving (searching the waste coming out of the organization in order to get some crucial information), browsing the company’s website and finding employee details.
- Select a Target: After an attacker has performed enough research on the target company, he selects targets for extracting sensitive information. Preferably, he targets an employee who is frustrated with his job, as such employees are easier to manipulate.
- Develop Relationship: Once the attacker has found the target on which he will perform social engineering, he tries to build a relationship with that employee to gain his/her trust.
- Exploit the Relationship: After an attacker is successful in developing a relationship, he exploits the relationship to gain crucial information about the organization’s accounts, finance information, etc.
What Is Credential Grabbing?
We will be learning about how a malicious link is created for credential grabbing. Credential grabbing is one of the most common phishing attacks; it tricks users into providing their credentials on a fake or malicious website.
Pre Requisites
Web Browser = Victim System (compromised)
Kali Linux = Attacker (Metasploit Framework)
Top Kali Linux Tools for Hacking and Penetration Testing
There are several types of tools that come pre-installed. If you do not find a tool installed, simply download it and set it up. It’s easy.
1. Nmap
Nmap or “Network Mapper” is one of the most popular tools on Kali Linux for information gathering. In other words, it is used to get insights about a host: its IP address, OS detection, and similar network security details (like the number of open ports and what they are).
It also offers features for firewall evasion and spoofing.
2. Lynis
Lynis is a powerful tool for security auditing, compliance testing, and system hardening. Of course, you can also utilize this for vulnerability detection and penetration testing as well.
It will scan the system according to the components it detects. For example, if it detects Apache, it will run Apache-related tests to pinpoint information.
3. WPScan
WordPress is one of the best open source CMSs, and WPScan would be the best free WordPress security auditing tool. It’s free but not open source.
If you want to know whether a WordPress blog is vulnerable in some way, WPScan is your friend.
In addition, it also gives you details of the plugins active. Of course, a well-secured blog may not give you a lot of details, but it is still the best tool for WordPress security scans to find potential vulnerabilities.
4. Aircrack-ng
Aircrack-ng is a collection of tools to assess WiFi network security. It isn’t limited to monitoring and gaining insights; it also includes the ability to compromise a network (WEP, WPA 1, and WPA 2).
5. John the Ripper
John the Ripper gets points for a creative name. This hacker’s resource is a multi-platform cryptography testing tool that works equally well on Linux, Windows, macOS, and Unix. It enables system administrators and security penetration testers to test the strength of any system password by launching brute force attacks. Additionally, John the Ripper can be used to test encryptions like DES, SHA-1, and many others.
It changes its password decryption method automatically, depending on the detected algorithms.
John the Ripper is a free tool, licensed and distributed under the GPL license, and ideal for anyone who wants to test their organization’s password security.
John the Ripper’s chief advantages include:
- Brute force testing and dictionary attacks
- Compatibility with most operating systems and CPU architectures
- Running automatically by using cron jobs
- Allowing Pause and Resume options for any scan
- It lets hackers define custom letters while building dictionary attack lists
- It allows brute force customisation rules
6. Metasploit Framework
Remote computing is on the rise thanks to more people working from home. Metasploit Framework, or MSF for short, is a Ruby-based platform used by ethical hackers to develop, test, and execute exploits against remote hosts. Metasploit includes a complete collection of security tools intended for penetration testing, plus a powerful terminal-based console known as msfconsole, which lets you find targets, exploit security flaws, launch scans, and collect all relevant available data.
Available for Windows and Linux, MSF is most likely one of the most potent security auditing Kali Linux tools freely available for cybersecurity professionals.
Metasploit Framework’s features include:
- Network enumeration and discovery
- Evading detection on remote hosts
- Exploit development and execution
- Scanning remote targets
- Exploiting vulnerabilities and collecting valuable data
7. Skipfish
Skipfish is a Kali Linux tool like WPScan, but instead of only focusing on WordPress, Skipfish scans many web applications. Skipfish acts as an effective auditing tool for crawling web-based data, giving pen testers a quick insight into how insecure any app is.
Skipfish performs recursive crawl and dictionary-based tests over all URLs, using its recon capabilities. The crawl creates a digital map of security checks and their results.
Noteworthy Skipfish features include:
- Automated learning capabilities.
- Differential security checks.
- Easy to use.
- A low false positive ratio.
- The ability to run high-speed security checks, with over 200 requests per second.
8. Social Engineering Toolkit
If you are ever interested in hacking social network accounts, we have just the tool for you! The Social Engineering Toolkit, also known as SET, is an open-source Python-based penetration testing framework that helps you quickly and easily launch social-engineering attacks. It runs on Linux and Mac OS X.
SET is an indispensable Kali Linux tool for hackers and pen testers interested in working with social engineering.
Here are the kinds of attacks you can launch with the Social Engineering Toolkit:
- Wi-Fi AP-based attacks, which redirect or intercept packets from Wi-Fi network users
- SMS and email attacks, which generate fake messages that attempt to trick users and harvest social credentials
- Web-based attacks, which let hackers clone a web page and drive real users to it through DNS spoofing and phishing attacks
- Creation of payloads (.exe), which creates a malicious .exe file that, once executed, compromises the system of any user who clicks on it.
Conclusion
Kali Linux, known by many as the “hacker’s” Linux distro, is an open source platform similar to BackTrack that allows security researchers and white hat hackers to test their skills in a controlled environment. Kali Linux Tools for Social Media is a collection of scripts designed to help those who perform social engineering / human based attacks against companies, government agencies or any other entity. This GitHub begins with Kali’s most popular “social engineering toolkit”, which offers numerous options to carry out different attacks. The project is also compatible with Python 2.x and 3.x.