Posts Tagged Social Engineering Toolkit

I have to say… SET is just plain awesome. The Social Engineering Toolkit (SET) is a set of python scripts created by David Kennedy (aka rel1k) to automate many client side penetration testing vectors. In conjunction with Social-Engineer.org, which is also a top-notch resource, it provides for some of best extensibility in this type testing. A couple of weekends ago Dave released 0.4 of SET at Shmoocon. I’ll be honest, i hadn’t used it much until now but, after a good bit of research I now appreciate its full glory.

SET’s Python scripts allow you to easily create phishing email attacks, create clones of any given URLs you provide it in a web based attack, and then on that page exploit the users machine using a java applet or browser exploits. It can create Malicious PDFs as well. In 0.4 there are many improvements:

- An improved java applet that is multi-platform and deals well with any permission type
- 0.4 adds Metasploit browser exploits in addition to the java applet
- Can launch the “Aurora” style attacks with Metasploit
- Improved cloned sites and redirect to legit site.
- Integrates with Backtrack’s sendmail or gmail addresses
- Spear phishing with input of email lists improved

The SET is highly tied to the Backtrack and Social-Engineer.org communities. Training authors and contributors to these sites are well recognized penetration testers with a high level of interest on client-side and social engineering based attack vectors. You’ll recognize names like Paul Hand, Chris Nickerson, Mati Aharoni, Chris Hadnagy, of course Dave Kennedy, etc, all working on these projects. In addition a whole section of the free Metasploit Unleashed training is dedicated to SET and they have an excellent setup and usage article here. Also Social-Engineer.org has an excellent writeup as well.

SET has a large fanbase with many useful videos on usage and customized scopes. The First video is actually the new SET 0.4 updates presentation and a recording of all the Firetalks (shorter than regular presentations) at Shmoocon, recorded by Adrian Crenshaw (Irongeek).

The Shmoocon firetalks are very interesting as well.  Adrian’s presentation on trapping script kiddies, and BruCon Organizer Benny’s Sleephacking 101 – How to Stay Awake for 20 Hours a Day without Turning into a Zombie are both very interesting. In addition it was good to hear more about the Pentoo Penetration Testing distribution.

Check it and some of the other vids below =)

Read the rest of this entry »