Social Engineering: How to Be a Craftsman of the Dark Arts


@the_crew_cut Srinjoy Chakravarty

we win by creating a democratic, decentralized internet of the people, by the people, for the people

So you've been forced by your program director to take a course you didn't want to do. Let's say said course starts with 'A' and ends with 'ED'. Well you think, consoling yourself, at least I will make some new friends...
Three months later. Having sat through hours of endless lectures, you realize this hasn't worked out as you'd hoped. You've made acquaintances, got their email addresses, and at times even supposedly worked together in so-called 'teams'... but you wouldn't go so far as to say they're your friends.
So, what do you do? You have a thought... to create some mischief and liven up the last few weeks of class.
You've heard about hacking, know that everyone probably still uses Facebook, and stumble upon this guide...
So you have your shiny new Kali 2019.4 installed and running. If not, that's the first step... please go ahead and do so by 'legally' torrenting it from:
(Kali's earliest appearance in Hindu mythology is as a destroyer of evil)
Plan of Attack
So we want to know the usernames and passwords of all our peers in a certain class. Let's just say the class is huge, and owning all their credentials would give you cult status. Of course you don't intend to do anything other than getting some fame and then telling them to use 2FA and change their passwords. So how do we do it....
  1. Clone the Facebook login web page
  2. Spin up a web server that hosts the cloned web page on your Kali box
  3. Create a pathway for others to reach back to your box over the internet
  4. Compose a phishing email that appeals to the students' greed / fear / sympathy and makes them click on a link that connects to the fake FB login
Let's work backwards...

Step 1: Set up Ngrok

So Ngrok allows you, with just one command, to give an instant, secure URL to your localhost server, through any NAT or firewall. This means when you host your evil cloned FB login page on localhost:80 (port 80), Ngrok will give you a link that you can email your victims to click on and reach. So go ahead and sign up to Ngrok:
Once logged in...go ahead and download ngrok as showcased in step 1.
Then follow the setup instructions as follows (remember to do step 3 with your own ngrok auth token).
Here I am doing it on my machine:
Keep ngrok running and make a note of the random url it generates for you:
Remember: Ngrok assigns a new random URL every time you stop/start it in its free tier, so make sure you are using the right URL for the following steps.

Step 2: Cloning Facebook Login with Social Engineering Toolkit (SET)

So now let's unleash the power of Kali Linux! Kali is the offensive hacker's dream armory. It has ready-made tools for you to create mischief. Let's fire up the social engineering toolkit by first opening up a new terminal with Ctrl + Alt + T.
Next type in sudo setoolkit (we want to run social engineering toolkit as root user) and type in your root password.
Next type in 1 to select 1) Social-Engineering Attacks from the opening menu.
Then type in 2 to select 2) Website Attack Vectors from the second menu.
Now type in 3 to select 3) Credential Harvester Attack Method from the third menu (credential harvesting is a posh way of saying you want to steal your mate's passwords...'elizabeth may i possibly harvest your banking credentials')
Finally type in 2 to select 2) Site Cloner from the fourth menu to start the process of cloning the FB login page.
Now carefully copy the bit after the http:// from your running ngrok terminal (the random hostname it generated for you), paste that into the terminal prompt on the Social Engineering Toolkit, and then hit enter.
For the next SET prompt, copy the URL of your target Facebook login page and paste it in, then hit enter.
Ignore the next message that comes up and hit enter again.
Now your fake server is up and running on Kali, serving a FB login lookalike page and actively listening for any input data (usernames and passwords) that are entered. Once you successfully email out the link to your target victims / pseudo-friends and trick them into clicking it, they will be redirected to your fake FB login page where they will unwittingly enter their usernames and passwords.
Here I am doing it on my machine:

Step 3: Create a Phishing email with Emkei's Fake Mailer

So now for the creative part. Since this was originally an academic assignment for INFO 7300 at Northeastern, I'd like the students to get creative...
Make up your most convincing argument to your intended classmates, in the text body of an email, to try and get them to click on the link.
Note: Send the phishing email to yourself so that you can take a screenshot that the attack works and submit on Blackboard. For bonus points, also send the email to me so I can judge your creativity. Do not send it to any other classmates! Most convincing email will get a prize!
Let's head over to Emkei:
In the section labelled Content-Type: select the text/html radio button and check the Editor box.
Now, write a convincing email pretending to be a person in a position of influence in the Text: section. The criteria you will be graded on include:
  1. The tone of voice in the email replicates the person you are mimicking.
  2. The mail is addressed to the victim in a realistic manner.
  3. The signature of the sender is believable.
  4. The from address accurately mimics the person of influence.
  5. You incorporate a relevant attachment to legitimize the email further.
  6. You email out at a time akin to when the person usually emails.
  7. You covertly implant the ngrok URL into an innocuous-looking hyperlink.
  8. From advanced settings, you take appropriate safeguards with Reply-To: and Errors-To: to ensure the actual person you are mimicking is never alerted.
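Every item on that checklist is also a signal that a mail gateway, or a classmate reading carefully, can check for. The following is an added example (mine, not the author's, and not part of SET, ngrok or Emkei) that parses a message with Python's standard library and flags the three mismatches the checklist relies on: visible link text naming a different host than the href behind it (item 7), a link pointing at a tunnel host such as ngrok (step 1), and Reply-To / Errors-To headers routing replies away from the From domain (item 8). The sample messages, addresses and the abc123.ngrok.io hostname are constructed for the example; the list of tunnel suffixes is an assumption.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname suffixes treated as tunnel services. ngrok.io is the one the
# walkthrough uses; the rest of the tuple is an assumption (constructed).
TUNNEL_SUFFIXES = ("ngrok.io", "ngrok-free.app")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, tolerating a bare 'www.example' string."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _addr_domain(header_value):
    """Domain part of the first address in a header, or '' if none."""
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Item 8: replies steered to a domain other than the apparent sender's.
    from_domain = _addr_domain(msg["From"])
    for hdr in ("Reply-To", "Errors-To"):
        domain = _addr_domain(msg[hdr])
        if domain and domain != from_domain:
            findings.append(f"{hdr} domain {domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())

    for href, text in collector.links:
        href_host = _host(href)
        # Step 1 of the walkthrough: the landing page lives behind a tunnel host.
        if any(href_host == s or href_host.endswith("." + s) for s in TUNNEL_SUFFIXES):
            findings.append(f"link to tunnel host {href_host}")
        # Item 7: the visible text looks like a domain but the href goes elsewhere.
        if "." in text and " " not in text:
            text_host = _host(text)
            if text_host and text_host != href_host:
                findings.append(f"link text {text_host} hides href host {href_host}")
    return findings


# Constructed sample: a lure in the style the assignment describes.
SAMPLE_PHISH = """\
From: Program Director <director@university.example>
To: student@university.example
Reply-To: director.office@mailer.example
Subject: Action required: confirm your course group
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your group membership at
<a href="http://abc123.ngrok.io/login">www.facebook.com</a> before Friday.</p></body></html>
"""

# Constructed sample: same text, but the link really goes where it says.
SAMPLE_CLEAN = """\
From: Program Director <director@university.example>
To: student@university.example
Subject: Course group reminder
Content-Type: text/html; charset="utf-8"

<html><body><p>Group pages are at
<a href="https://www.facebook.com/login">www.facebook.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, find_phishing_indicators(raw))
```

Running the block prints three indicators for the lure and none for the clean message. The visible-text check is deliberately narrow (text containing a dot and no spaces), which catches the "www.facebook.com" pattern the assignment calls for while leaving ordinary "click here" links to other controls.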

Step 4: Capture victim's credentials on disk for perusal

Having sent out the phishing email in the previous step, let's assume you have had your Kali server/listener running for days. Victims have been entering their credentials and you have been capturing them.
Now hit Ctrl + C at which point the SET prompt will print the following message:
[*] File in XML format exported to /root/.set/reports/2020-01-17 16:07:35.782953.xml for your reading pleasure...
Hit enter again to save the report. Hit Ctrl + C two more times to exit out of the Social Engineering Toolkit.
Now you can head on over to the saved location and then open up the report with atom-nightly or your favorite IDE so that you can Ctrl + F within the file and look for usernames and passwords captured.
eos@kali:~$ cd /root/.set/reports/
eos@kali:/root/.set/reports$ ls -al
total 16
drwxr-xr-x 3 root root 4096 Jan 17 16:07  .
drwxr-xr-x 4 root root 4096 Jan 17 16:10  ..
-rw-r--r-- 1 root root   96 Jan 17 16:07 '2020-01-17 16:07:35.782953.xml'
drwxr-xr-x 2 root root 4096 Jan 17 16:07  files
eos@kali:/root/.set/reports$ cat 2020-01-17\ 16\:07\:35.782953.xml 
Stay Tuned!