Since Telegram is getting popular and most usabale instant message communication platform new attack vectors are appearing. This tool is dedicated to enchance and test information security mostly of first grade company employees.
This work is merely a demonstration of what adept attackers can do. It is the defender's responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks. TSET should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.
- Python >3.5
- MongoDB
- Tor
- Nginx
For python modules see requirements.txt file
- Install python3, nginx, supervisor, mongodb, tor
- Install python modules from requirements
- Create app and get Telegram API key and hash from https://my.telegram.org/auth
- Setup /config/main.txt
- Setup /extensions/hello.py for penetration tester Telegram account
- Setup /templates/oauth for link to mimic
- Gather scope of phones to test
- Run webserver with python script start.py at your domain.tld. You need at least 2 workers.
- Generate and spread testing link: domain.tld?phone=XXXXXXXXXXX (only digits)
- Read logs and receive notifications from /extensions/hello.py to find social weak points.