As a security expert, how can you test social engineering against the human element within your organization? One solution is pentesting via Kali Linux. You can utilize the various tools within the Kali Linux OS to identify weaknesses in your security training, group of employees or processes. This article will break down some of the best Kali Linux tools available for social engineering pentesting.
Social engineering pentesting with Kali Linux
If you’re looking to evaluate your staff’s susceptibility to social engineering attacks, you might need to use different types of tools. Kali has several tools that will help you with this task. Here is the list of some of the best ones and what they’re specifically used for:
Kali Linux social engineering tool: Maltego
Maltego is an OSINT (open-source intelligence) investigation tool that shows how different pieces of information are interlinked. With Maltego, you can find relationships between people and various information assets, including email addresses, social profiles, screen names and other pieces of information that link a person to a service or organization. Having all of this information can help you simulate a social engineering attack to help you evaluate your employees’ security awareness. You can launch Maltego from the Kali Whisker Menu or by going to Applications > Kali Linux > Top 10 Security Tools > and selecting Maltego at number five. Maltego uses a graphic user interface, making it easy to visualize relationships.
Kali Linux social engineering tool: Social Engineering Toolkit (SET)
Social Engineering Toolkit (or SET) is an open-source, Python-driven toolkit aimed at penetration testing around social engineering. SET has various custom attack vectors that enable you to set up a believable attack in no time. SET includes a website tool that converts your Kali box into a web server with a range of exploits that can compromise most browsers. The idea is to send your target a link that routes them through your site, which automatically downloads and executes the exploit on their system. You can even use the pre-built templates in SET to clone a legitimate website so that the exploit looks more realistic. SET has pre-formatted phishing pages of popular sites, including Facebook, Twitter, Google and Yahoo. You can open SET in Kali Linux by going to Applications > KaliLinux > Exploitation Tools > Social Engineering Toolkit | toolkit or by entering setoolkit as a shell prompt.
Kali Linux social engineering tool: Wifiphisher
Wifiphisher is a unique social engineering tool that automates phishing attacks on Wi-Fi networks to get the WPA/WPA2 passwords of a target user base. The tool can choose any nearby Wi-Fi access point, jam it (de-authenticate all users) and create a clone access point that doesn’t require a password to join. Any person who connects to the evil twin-like open network is presented with a seemingly legitimate phishing page asking for the Wi-Fi password to download a firmware update, which is cited as the reason the Wi-Fi isn’t working. Once the targets enter a password, Wifiphisher sends an alert while stalling for time. After transmitting the captured password, it will display both a fake reboot timer and a fake update screen to buy you time for testing the captured password. It’s a handy tool for evaluating your security defenses against Wi-Fi-based social engineering. You can launch the python script by entering this command: $ sudo python wifiphisher.py
Kali Linux social engineering tool: Metasploit MSF
Metasploit Framework is a penetration testing tool that can help you identify, exploit and validate vulnerabilities. It delivers the content, tools and infrastructure to conduct extensive security auditing along with penetration testing. One of the most powerful features packaged into Metasploit is the option to set up a fake SMB server. This implies that when a person on the network tries to access the server, their system will have to show their credentials in terms of their “domain password hash.” If you are patient, you may be able to capture domain credentials as users attempt to authenticate against the SMB server. Sending an embedded UNC path to the target can help you collect their domain credentials when they click on it. MSF is updated frequently, and new exploits are updated as soon as their creators publish them. You can launch Metasploit through the Kali Linux menu or by entering the following command in the terminal. $ msfconsole -h
Kali Linux social engineering tool: MSFvenom Payload Creator (MSFPC)
MSFPC is a user-friendly tool that makes it easy to create basic payloads. It helps users avoid the need to write long msfvenom commands to generate payloads. With this generator, you can create payloads with a minimum of one argument. MSFPC can be used to create Windows, Linux and even Android payloads. Its script is a real timesaver when you want to create simple payloads quickly. Although this doesn’t involve encoding to help bypass antivirus virus, it can still be useful to learn. Sometimes, you just want to make a quick payload, deliver it somewhere, and carry on with your routine. In scenarios like these, msfpc.sh can come in handy. To use MSFPC, you must only define the payload you want by either the file extension you want it to have or the platform you are going to drop it on. Typing msfpc in the terminal will allow you to run the tool.
Utilize Kali Linux tools for social engineering defense
As you can see, Kali Linux is stocked with tools that can help you conduct social engineering penetration testing. With the help of these offerings, you can evaluate your firm’s security posture and arm personnel with the knowledge they need to avoid these threats. It’s time to close security gaps and improve your defenses against social engineering.
Sources
Maltego Teeth Package Description, Kali Tools Directory Kali Linux – Social Engineering, Tutorialspoint