Exploit the User with SET – The Social Engineering Toolkit


I have to say… SET is just plain awesome. The Social Engineering Toolkit (SET) is a set of Python scripts created by David Kennedy (aka rel1k) to automate many client-side penetration testing vectors. In conjunction with Social-Engineer.org, which is also a top-notch resource, it provides some of the best extensibility in this type of testing. A couple of weekends ago Dave released 0.4 of SET at Shmoocon. I’ll be honest, I hadn’t used it much until now, but after a good bit of research I now appreciate its full glory.

SET’s Python scripts allow you to easily create phishing email attacks, clone any URL you provide for a web-based attack, and then exploit the user’s machine from that page using a Java applet or browser exploits. It can create malicious PDFs as well. In 0.4 there are many improvements:

- An improved Java applet that is multi-platform and deals well with any permission type
- 0.4 adds Metasploit browser exploits in addition to the Java applet
- Can launch the “Aurora” style attacks with Metasploit
- Improved cloned sites and redirect to the legit site
- Integrates with Backtrack’s sendmail or Gmail addresses
- Improved spear phishing with input of email lists

SET is closely tied to the Backtrack and Social-Engineer.org communities. Training authors and contributors to these sites are well-recognized penetration testers with a high level of interest in client-side and social-engineering-based attack vectors. You’ll recognize names like Paul Hand, Chris Nickerson, Mati Aharoni, Chris Hadnagy, of course Dave Kennedy, etc., all working on these projects. In addition, a whole section of the free Metasploit Unleashed training is dedicated to SET and they have an excellent setup and usage article here. Social-Engineer.org has an excellent writeup as well.

SET has a large fanbase with many useful videos on usage and customized scopes. The first video is actually the new SET 0.4 updates presentation and a recording of all the Firetalks (shorter than regular presentations) at Shmoocon, recorded by Adrian Crenshaw (Irongeek).

The Shmoocon Firetalks are very interesting as well. Adrian’s presentation on trapping script kiddies, and BruCon organizer Benny’s Sleephacking 101 – How to Stay Awake for 20 Hours a Day without Turning into a Zombie are both very interesting. In addition, it was good to hear more about the Pentoo penetration testing distribution.

Check it out and some of the other vids below =)

Shmoocon FireTalks: Both Nights from Adrian Crenshaw

Social-Engineering Toolkit v0.3 from David Kennedy

SET v0.4 Web Attack Vector from David Kennedy

Social-Engineer Toolkit v0.4 Aurora Attack from David Kennedy

  1. #1 by rAWjAW - February 22nd, 2010 at 09:03

    Great write-up on SET! We are glad that people are loving this tool as much as we are!

    “You’ll recognize names like Chris Nickerson, Mati Aharoni, Chris Hadnagy, of course Dave Dennedy, etc, all working on these projects.”

    Also, minor typo in the sentence above, “Dave Dennedy” ;)

  2. #2 by admin - February 22nd, 2010 at 10:07

    Thanks rAWjAW, fixed =)

  3. #3 by David Kennedy - February 22nd, 2010 at 14:27

    Hey thanks for the write-up bro, it has been a fun project in writing and couldn’t have done it without major contributions from everyone.

    Thanks again, will keep the ball rolling on releases and blowing away each individual prior release ;-)

    -Dave Kennedy (ReL1K)

  4. #4 by admin - February 22nd, 2010 at 14:31

    Thanks Dave =)

  5. #5 by CoderW3x - February 22nd, 2010 at 14:50

    awesome post for a very awesome stuff for a very very cool guy (Dave) thx a lot :)

  6. #6 by Bobby Jones - February 22nd, 2010 at 15:11

    Great work by the sackman! We love the Set!

  7. #7 by fraktil - March 3rd, 2010 at 11:32

    Great blog! Here’s an article you may be interested in –

    Top 10 Best Security Plugins for WordPress: http://graphicalerts.com/top-10-best-security-plugins-for-wordpress/

  8. #8 by Kelvin - March 21st, 2010 at 21:50

    Thanks for the hard work!
    I just tried testing the SET 0.4 web attack. I followed exactly the steps in the video, but somehow it does not work at all. I don’t get any sessions, and the client box opens the website from email (Gmail) with no security msg pop-up. Did I do something wrong? Has anybody else tested yet?
    Plus, firewalls are disabled on the client computers (XP and Win7).
