№6. Ethical Hacking Labs. Social engineering

13 April 2023 7 minutes Author: Endpool

Mastering the Art of Social Engineering: Prevention Methods and Strategies

Social engineering is a technique used to manipulate individuals into divulging sensitive information, performing actions, or granting access to restricted areas or systems. This technique uses human behavior, psychology and trust to trick victims into believing they are communicating with a legitimate source. Common social engineering attacks include phishing, spamming, stalking, and stalking. These attacks can be carried out in person, by phone, email or other communication channels. Social engineering is a significant threat to individuals and organizations, so security training is critical to preventing these types of attacks. Social engineering is the art of manipulating people to gain unauthorized access to information or systems or to perform actions that may not be in their best interest. It is often used in cyber attacks to trick people into revealing sensitive information, clicking on a malicious link, or opening a file. Social engineering can take many forms, including phishing, pretexting, stalking, and quid pro quo. This is a common tactic used by attackers to bypass technical controls and gain access to systems or data.

To protect against social engineering, it is important to familiarize yourself with the risks and tactics used in these attacks and implement security measures such as strong passwords and multi-factor authentication. Vishing is phishing during phone calls. Since voice is used for this type of phishing, it is called vishing → voice + phishing = vishing. Given the ease and vastness of data available on social media, it’s no surprise that phishers confidently communicate on behalf of friends, relatives or any associated brand without arousing suspicion.

Types of phishing


SMiShing is a form of social engineering attack that uses text messages (SMS) to trick people into clicking a malicious link or providing sensitive information. SMiShing attacks aim to obtain personal information, such as passwords or credit card numbers, or to install malware on the victim’s device. SMiShing attacks often originate from a legitimate source, such as a bank or other trusted organization, and are difficult to detect. It is important to be cautious when receiving unsolicited text messages and avoid clicking on links or providing sensitive information without verifying the authenticity of the sender.

Search engine phishing

Search engine phishing refers to the practice of attackers using search engine optimization (SEO) tactics to lure users to fraudulent websites that mimic legitimate sites, such as online banking or e-commerce sites. Phishing sites attempt to trick users into providing personal or confidential information, which can then be used by attackers for fraudulent purposes. Users may be directed to these sites through malicious links or paid search results that have been manipulated by attackers. Search engine phishing is difficult to detect, making it a significant threat to Internet security.


Phishing is not very different from phishing, but the target group becomes more specific and limited in this type of phishing attack. This technique targets executive positions such as CEO, CFO, COO, or any other senior management position who are considered to be major players in any organization’s information chain, commonly known as “whales” in phishing terms. Technology, banking and healthcare are the biggest target sectors for phishing attacks. This is due to two main factors: a huge number of users and a greater reliance on data.

Using the Social Engineering Toolkit (SET)

The Social Engineering Toolkit (SET) is an open source Python-based tool for pentesting. SET is specifically designed to perform sophisticated attacks on humans using their behavior. The attacks built into the toolkit are designed as targeted and targeted attacks against an individual or organization that are used during a penetration test.


Clone a website. Get username and password. Creation of reports for conducted pentesting.


Kali Linux virtual machine. Any Windows virtual machine.


Log in to Kali Linux; Remember that every version of Kali comes with SET pre-installed, to run (on Kali 2019.4) go to Kali menu > 13 – Social Engineering Tools > SET (Social Engineering Toolkit). Accept the Terms of Service by typing y.

Clone a website

1) From the SET main menu, select the first Social-Engineering Attacks option by entering the number:

2) Next, select Website Attack Vectors:

A web attack vector is a unique way of using multiple web attacks to compromise an intended target.

3) In the next menu, select Credential Harvester Attack Method .

The Credential Harvester method will use a web clone of a website that has a login login and collect all the information posted on the website.

4) Next, select Site Cloner:

Site cloner is used to clone a website of your choice. Next, enter the Kali Linux IP address and the URL to clone, in this example we will use facebook.com as shown below:

Send the generated email

Now you have to send the IP address of your Kali computer to the object and make it click. For this demo, we’ll be using Gmail. Launch a web browser on Kali and sign in to your Gmail account to create an email.

To create a valid link, click Edit Link and first enter the actual address in the Link To field, then enter a fake URL in the Display Text field.

You can check the fake URL, one click will display the real URL.

Log in to the cloned website

Log in to Windows as the victim, open a web browser, and log in to your email (the account you sent the phishing email from).

When the victim clicks on the URL, they get a copy of facebook.com. The victim will be asked to enter his login and password in the fields of the form. After the victim enters the username and passwords and clicks “Login”, they are not allowed to log in; instead it redirects to a legitimate Facebook login page, see URL.

Get your credentials

SET on Kali Linux receives the entered username and password, which can be used by an attacker to gain unauthorized access to the victim’s account.


Detect phishing sites with the NetCraft extension

Netcraft — is an online security services company that provides anti-fraud and anti-phishing, application testing, and automated penetration testing services. The company also offers a free web tool that allows users to check hosting locations, DNS records, and other website details. Netcraft services help individuals, businesses and organizations protect their online presence from potential threats and vulnerabilities. considered harmful.


Detect phishing with PhishTank

PhishTank — is a free community website that allows users to submit, track and share phishing URLs. It is operated by OpenDNS, a subsidiary of Cisco Systems, and is one of the largest repositories of phishing data in the world. Users can submit suspicious URLs to PhishTank, and then a team of volunteers review them to determine if they are actually phishing sites. The collected data is used by various organizations to improve anti-phishing protection, including web browsers, security software, and financial institutions.



Wifiphisher — is a security tool that performs automated phishing attacks on Wi-Fi networks to obtain credentials or infect victims with “malware.” This is a social engineering attack that can be used to obtain WPA/WPA2 passphrases, and unlike other methods, it does not require brute force. After achieving a man-in-the-middle position with the Evil Twin Wifiphisher attack, it redirects all HTTP requests to a phishing page controlled by the attacker.


SPF is a SpeedPhish framework

SPF (SpeedPhish Framework) — is an open source phishing toolkit designed to simplify the process of creating and deploying phishing campaigns. The framework includes pre-built templates, email content customization, and email scheduling features to create realistic phishing emails. SPF also supports multi-phishing campaigns, allowing security professionals to monitor and track the success rates of their phishing campaigns. The framework can be used for educational and outreach purposes, as well as for red teaming and penetration testing.


Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.