Open SEToolkit by opening a terminal and typing setoolkit.
Open up the Website Attack Vectors menu by pressing 2:
For this tutorial, we will be using the Metasploit Browser Exploit Method. Once you open that menu, you will be prompted to choose a template for your malicious website. For this purpose, I’m going to choose the Web Templates by pressing 1.
You will then be prompted to choose a browser exploit. I find the Metasploit Browser Autopwn to be the most successful. This auxiliary module loads many exploits and payload handlers at once to to grab a wildcard target. This is the best method of attack if you are phishing. However, this can red flag many security systems, so just be careful! Type 43 to choose this option.
Next, SEToolkit will ask you for the payload to use. I find that using your own custom payload will work the best. I will use my own custom executable in this tutorial.
You will then be prompted to insert the port and IP address. I’m going to hide mine in this picture, sorry. (I recommend port 443.) The rest is pretty self explanatory.
If you are using the custom payload, you must upload it to your Apache server, and give SEToolkit the download link. For example, when you put the payload into the root directory of your Apache server, your URL should look similar tohttp://192.168.1.16/malicious.exe . Just make sure you use your own IP address!
Now that we have told SEToolkit where our payload lies, it should give you this screen, and then load Metasploit to listen.
Once Metasploit has started, it will automatically start loading its Autopwn auxiliary tool, and listen for incoming connections on port 443. Do not stop Metasploit from loading! It may take a minute. The first thing you should see is something similar to this:
Once Metasploit has finished loading the modules, it should display the amount of modules loaded, and one URL to send to a victim. In this case, Metasploit found 20 exploit modules that would work.
Make sure you port forward if you’re doing this over the Internet!
Send this link out on social media, or by email to a friend. While they check out your fake website, Metasploit will try to automatically exploit them. Just make sure you set up persistence before it’s too late!
SEToolkit and Metasploit combined are just unstoppable! The exploits of Metasploit and the phishing methods of Social Engineering Toolkit are the way to get the job done.