Kali Tools for Social Media

Kali Tools for Social Media is a collection of the best and most common tools used in social engineering. Using these tools you can perform physical, phishing and other social engineering attacks, which include the following commands:

Kali Linux also includes hundreds of free Kali commands for social engineering. Use Kali Linux to manipulate the media and to gain control over your target. These tools can be used in nearly any situation online or off. Use social engineering attacks to gain information, spread confusion, and get access to places most people aren’t even aware exist.

What is Social Engineering and who are the attackers' main targets?

Social engineering is the art of manipulating people in order to gain crucial information that can be used to perform malicious actions. In social engineering, instead of targeting the weaknesses of a network or a machine, we target the weaknesses of people.

  • Receptionists and Help-Desk Personnel: An attacker can extract phone numbers and email IDs from them.
  • Technical Support Executives: An attacker can pretend to be a senior manager, a customer or a vendor to gain information from them.
  • System Administrators: They are the ones who maintain the systems of all the employees.
  • Users and Clients: An attacker can pretend to be technical support and gain information from them.
  • Senior Executives: Attackers can target HR, finance and CxOs of the company to gain critical information.

What are the 4 phases of social engineering?

  • Research the Target Company: Before attacking the target organization’s network, an attacker gathers as much information as he/she can in order to infiltrate the system. Social engineering is a technique that helps in extracting information. While researching, the attacker engages in activities like dumpster diving (searching the waste coming out of the organization in order to get some crucial information), browsing the company’s website and finding employee details.
  • Select a Target: After an attacker has performed enough research on the target company, he selects targets for extracting sensitive information. Most preferably he targets employees who are frustrated with their jobs, as they are easier to manipulate.
  • Develop Relationship: Once the attacker has found the target on whom he will perform social engineering, he tries to build a relationship with that employee to gain his/her trust.
  • Exploit the Relationship: After an attacker has succeeded in developing a relationship, he exploits it to gain crucial information about the organization’s accounts, finance information, etc.

What is credential grabbing?

We will be learning about how to create a malicious link for credential grabbing. Credential grabbing is one of the most common phishing attacks; it tricks users into providing their credentials on a fake or malicious website.

Prerequisites

Web Browser = Victim System (compromised)

Kali Linux = Attacker (Metasploit Framework)

Top Kali Linux Tools for Hacking and Penetration Testing

There are several types of tools that come pre-installed. If you do not find a tool installed, simply download it and set it up. It’s easy.

Hydra

If you are looking for an interesting tool to crack login/password pairs, Hydra is one of the best Kali Linux tools that come pre-installed.

It may not be actively maintained anymore, but it is now on GitHub, so you can contribute to it as well.

Wireshark

Wireshark is the most popular network analyzer that comes baked in with Kali Linux. It can be categorized as one of the best Kali Linux tools for network sniffing as well.

It is being actively maintained, so I would definitely recommend trying this out. And it’s really easy to install Wireshark on Linux.

Metasploit Framework

Metasploit Framework is the most used penetration testing framework. It comes in two editions: an open-source edition and a pro version. With this tool, you can verify vulnerabilities, test known exploits, and perform a complete security assessment.

Of course, the free version won’t have all the features, so if you are into serious stuff, you should compare the editions here.

Skipfish

Similar to WPScan, but not focused only on WordPress. Skipfish is a web application scanner that gives you insights into almost every type of web application. It’s fast and easy to use. In addition, its recursive crawl method makes it even better.

For professional web application security assessments, the report generated by Skipfish will come in handy.

Social engineering pentesting with Kali Linux

Kali Linux social engineering tool: Maltego

Maltego is an OSINT (open-source intelligence) investigation tool that shows how different pieces of information are interlinked. With Maltego, you can find relationships between people and various information assets, including email addresses, social profiles, screen names and other pieces of information that link a person to a service or organization.

Having all of this information can help you simulate a social engineering attack to help you evaluate your employees’ security awareness. You can launch Maltego from the Kali Whisker Menu or by going to Applications > Kali Linux > Top 10 Security Tools > and selecting Maltego at number five.

Maltego uses a graphic user interface, making it easy to visualize relationships.

Kali Linux social engineering tool: Social Engineering Toolkit (SET)

Social Engineering Toolkit (or SET) is an open-source, Python-driven toolkit aimed at penetration testing around social engineering. SET has various custom attack vectors that enable you to set up a believable attack in no time. 

SET includes a website tool that converts your Kali box into a web server with a range of exploits that can compromise most browsers. The idea is to send your target a link that routes them through your site, which automatically downloads and executes the exploit on their system.

You can even use the pre-built templates in SET to clone a legitimate website so that the exploit looks more realistic. SET has pre-formatted phishing pages of popular sites, including Facebook, Twitter, Google and Yahoo. 

You can open SET in Kali Linux by going to Applications > Kali Linux > Exploitation Tools > Social Engineering Toolkit | toolkit or by entering setoolkit at a shell prompt.

Kali Linux social engineering tool: Wifiphisher

Wifiphisher is a unique social engineering tool that automates phishing attacks on Wi-Fi networks to get the WPA/WPA2 passwords of a target user base. The tool can choose any nearby Wi-Fi access point, jam it (de-authenticate all users) and create a clone access point that doesn’t require a password to join.

Any person who connects to the evil twin-like open network is presented with a seemingly legitimate phishing page asking for the Wi-Fi password to download a firmware update, which is cited as the reason the Wi-Fi isn’t working.

Once the targets enter a password, Wifiphisher sends an alert while stalling for time. After transmitting the captured password, it will display both a fake reboot timer and a fake update screen to buy you time for testing the captured password. It’s a handy tool for evaluating your security defenses against Wi-Fi-based social engineering.

You can launch the Python script by entering this command:

$ sudo python wifiphisher.py
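From the defender's side, the evil-twin pattern described above (a passwordless clone of a protected SSID) can be spotted in wireless scan data. The following is an added example, not part of the original article or of Wifiphisher; the scan records and the access point inventory are constructed, and `find_evil_twin_candidates` is a hypothetical helper name.

```python
from collections import defaultdict

# Constructed sample scan results (not real networks).
SAMPLE_SCAN = [
    {"ssid": "CorpWiFi", "bssid": "02:00:00:aa:bb:01", "security": "WPA2", "channel": 6},
    {"ssid": "CorpWiFi", "bssid": "02:00:00:aa:bb:02", "security": "WPA2", "channel": 11},
    {"ssid": "CorpWiFi", "bssid": "02:00:00:ee:ff:99", "security": "OPEN", "channel": 6},
    {"ssid": "GuestNet", "bssid": "02:00:00:aa:cc:01", "security": "OPEN", "channel": 1},
]

# Assumption: the organisation keeps an inventory of its own access points.
KNOWN_APS = {
    "CorpWiFi": {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"},
    "GuestNet": {"02:00:00:aa:cc:01"},
}


def find_evil_twin_candidates(scan, known_aps):
    """Flag BSSIDs that look like a clone of one of our SSIDs."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = []
    for ssid, aps in by_ssid.items():
        # Is this SSID advertised with encryption by at least one BSSID?
        protected = any(ap["security"].upper() != "OPEN" for ap in aps)
        inventory = {b.lower() for b in known_aps.get(ssid, set())}
        for ap in aps:
            reasons = []
            if protected and ap["security"].upper() == "OPEN":
                reasons.append("open clone of a protected SSID")
            if ssid in known_aps and ap["bssid"].lower() not in inventory:
                reasons.append("BSSID not in AP inventory")
            if reasons:
                findings.append(
                    {"ssid": ssid, "bssid": ap["bssid"], "reasons": reasons}
                )
    return findings


if __name__ == "__main__":
    for finding in find_evil_twin_candidates(SAMPLE_SCAN, KNOWN_APS):
        print(finding)
```

A legitimately open guest network is not flagged, because no protected BSSID advertises the same SSID and its BSSID is in the inventory.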

Kali Linux social engineering tool: Metasploit MSF

Metasploit Framework is a penetration testing tool that can help you identify, exploit and validate vulnerabilities. It delivers the content, tools and infrastructure to conduct extensive security auditing along with penetration testing. 

One of the most powerful features packaged into Metasploit is the option to set up a fake SMB server. This means that when a person on the network tries to access the server, their system will present their credentials in the form of their “domain password hash.”

If you are patient, you may be able to capture domain credentials as users attempt to authenticate against the SMB server. Sending an embedded UNC path to the target can help you collect their domain credentials when they click on it.
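Because the credential capture described above depends on a client following an embedded UNC path, a mail or document filter can flag such references before a user clicks them. This is an added example, not code from the article or from Metasploit; the allowlist of sanctioned file servers, the sample messages and the function names are constructed for illustration.

```python
import re

# Assumption: the organisation maintains a list of sanctioned file servers.
ALLOWED_SERVERS = {"files01.corp.example", "files01"}

# \\host\share\...  (UNC path as it appears in text or HTML attributes)
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\[^\s\"'<>]+")
# file://host/share or file:////host/share; file:///local/path is not matched
FILE_URL_RE = re.compile(
    r"file://(?:/{2})?([A-Za-z0-9._-]+)/[^\s\"'<>]*", re.IGNORECASE
)

# Constructed sample message bodies (documentation-range IP addresses).
SAMPLE_MESSAGES = [
    ("msg-1", r"Quarterly report is at \\files01.corp.example\finance\q3.xlsx"),
    ("msg-2", r'<img src="\\198.51.100.7\pix\logo.png" width="1">'),
    ("msg-3", "Please review file://203.0.113.20/share/invoice.docx today"),
    ("msg-4", "Local docs: file:///usr/share/doc/readme.txt"),
]


def find_unc_references(text):
    """Return (host, matched_reference) pairs for every SMB-style reference."""
    hits = []
    for regex in (UNC_RE, FILE_URL_RE):
        for match in regex.finditer(text):
            host = match.group(1).lower().rstrip(".")
            hits.append((host, match.group(0)))
    return hits


def flag_messages(messages, allowed=ALLOWED_SERVERS):
    """Alert on references to any SMB host that is not a sanctioned server."""
    alerts = []
    for msg_id, body in messages:
        for host, reference in find_unc_references(body):
            if host not in allowed:
                alerts.append({"id": msg_id, "host": host, "reference": reference})
    return alerts


if __name__ == "__main__":
    for alert in flag_messages(SAMPLE_MESSAGES):
        print(alert)
```

Blocking outbound SMB at the network perimeter complements this check, since it stops the authentication attempt even when a reference slips through.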

MSF is updated frequently, and new exploits are added as soon as their creators publish them. You can launch Metasploit through the Kali Linux menu or by entering the following command in the terminal.

$ msfconsole -h

Kali Linux social engineering tool: MSFvenom Payload Creator (MSFPC)

MSFPC is a user-friendly tool that makes it easy to create basic payloads. It helps users avoid the need to write long msfvenom commands to generate payloads. With this generator, you can create payloads with a minimum of one argument.

MSFPC can be used to create Windows, Linux and even Android payloads. Its script is a real timesaver when you want to create simple payloads quickly. Although this doesn’t involve encoding to help bypass antivirus, it can still be useful to learn.

Sometimes, you just want to make a quick payload, deliver it somewhere, and carry on with your routine. In scenarios like these, msfpc.sh can come in handy.

To use MSFPC, you only need to define the payload you want, either by the file extension you want it to have or by the platform you are going to drop it on. Typing msfpc in the terminal will allow you to run the tool.

Conclusion

The Kali Linux Social Engineering Toolkit allows us to research, phish, and gather information from our target. So what does a Social Engineering tool look like? Let’s find out! Classes are broken down into tabs so we can see what commands are available. Essentially this is a place where we can learn various commands and get some practice in when it comes time to actually use them. We have the ability to edit our search query strings used inside of many of the commands by typing out a new one on the fly. This style will make it easier for people who are familiar with SEDE or another command line style program that offers similar functionality.
