Unless you don’t follow the Infosec/Social engineering scene, you should know what the Social-Engineer Toolkit is, and that a new version was released today: version 0.7, aka “Swagger Wagon”. Since I am really happy to have a new version to play with, I will try to assist anyone who is new to SET by pointing you in the right direction to get started and by sharing a bit of information on how the project got started.
I did a post a few weeks back on using version 0.6.1 to exploit the Microsoft Windows OS DLL flaw, which you can view here. Today’s post, however, is all about the new features you are getting with version 0.7, what has been fixed, and a mini interview with the creator of SET, none other than Mr David Kennedy aka ReL1k.
For a quick recap:
What is SET?
The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester’s arsenal. SET was written by David Kennedy (ReL1K) and, with a lot of help from the community, it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization, used during a penetration test.
New features and bug fixes:
* Fixed the NAT/Port FWD descriptions to be a little bit more descriptive
* Bug fixes on payload gen with x64 bit payloads in Metasploit
* Added new Multi-Attack Payload option to utilize multiple attack vectors
* Incorporated Multi-Attack into each web attack vector
* Added a PID management system in SET for stray processes
* Cleaned up payloadgen code and SET code to reflect new multiattack changes
* Added the web jacking attack vector by white_sheep, emgent, and the Back|Track team
* Fixed an issue with ARP Cache defaulting, it should now poison everyone
* Added better error handling within the SET menus, still needs a bit more work
* Cleaned up color schema and removed old code
* Added the Adobe CoolType SING Table ‘uniqueName’ Overflow zero day from Metasploit in spear phishing
* Added two more Teensy based payloads, thanks Garland!
* Added HTML support for Spear-Phishing Attack Vector
* Added HTML support when WEBATTACK_EMAIL=ON for web attack vector
* Added the Adobe Cooltype SING Table Overflow zero day for browser exploit
* Added the new SET User Manual to readme/. This is a big update and has updated content for 0.7
* Fixed a simple yes or no answer when requirements for SET were not met
If you are new to SET you should start here:
- IRC.freenode.net #social-engineer
Mini interview with SET’s creator David Kennedy aka “ReL1k”:
Question: Do you think social engineering is a growing threat, or would you say it’s something of the past?
Answer: Social-Engineering has always been problematic; however, it is ever increasing because of the controls put in place on the external perimeter. You’re typically not seeing the same types of attacks externally facing as you once were. This is a good thing and a testament that security is starting to work in the industry; however, with social-engineering you face a whole new slew of problems.
Q: Where did the name SET come from?
A: Me and Chris from social-engineer.org were sitting on skype talking about making a tool, kind of just came to mind and stuck with it.. We never had any idea it would get this big.
Q: What made you start this project?
A: When Chris Hadnagy (loganWHD) was starting up social-engineer.org, we were sitting there talking and came to the conclusion that there really were no penetration testing tools out there dedicated to social-engineering. We knew the effects of social-engineering and how easy it was, but there was nothing out there to help aid in testing social-engineering.
Q: Who was your intended audience for this framework?
A: I try to keep SET as easy as possible; you have the basic setup, but then you can customize and do more advanced setup based on your needs. It’s really intended for super technical folks as well as hobbyists.
Q: What other frameworks like this can SET be compared to?
A: I’m not sure there are other frameworks out there that can be compared to SET; it’s specially designed for Social-Engineering, not something that’s really out there. SET can’t be compared to something like an exploitation framework like Metasploit, which has full-time commitment and years of maturity with some of the most brilliant minds in the industry. But someday I hope SET will reach that level on the social-engineer side.
Q: Do you plan on commercialising this project at any point in time and start charging for its use?
A: Never, SET will always remain free and open source. That has always and will always be my goal. *Awesome answer :)*
Q: What was the total number of downloads for version 0.6.1?
A: SET v0.6.1 has over 1.3 million downloads last time I checked. These are unique IP addresses, not downloads over and over again. I think that’s awesome in some fashions, but scary in another…
Q: What are a few of your favorite features in this new version?
A: The multi-attack is awesome, the ability to load multiple attack vectors in one, then have multiple attacks targeted at a victim. The webjacking is really awesome too, it’s a really convincing attack.
Q: What inspired your new code name for this version?
A: Well, 0.6 was inspired by my favorite drink, Arnold Palmers. This drink for some reason gets me to spit out thousands of lines of code effortlessly. Now in 0.7 (swagger wagon), my wife and I recently added twins to our household and bought a mini-van, so the family was the influence for this version’s code name 🙂. *I think they should give you a free case for saying that :)*
Q: What’s the best way someone can contribute to this project if they have ideas and suggestions?
A: Email is the best route; I really try to take everyone’s recommendations and, if it fits, incorporate it into SET. You can always find me on IRC as well on #social-engineer.org. Or like Kos did: he sent me his python code and I worked it into the 0.6 version of SET. I’m always looking at improving SET and making it better; it wouldn’t be anywhere near where it is now without the help of everyone contributing with bug fixes, ideas, and additions.
So there you have it: a new version is out, and if you haven’t had a chance to play with older versions, now is your chance to try the new and improved version. I am sure in a few months I will be doing another blog post if ReL1k keeps drinking those “Arnold Palmers”. Go get your copy, send in your sample code, report your bugs, and let’s make this version hit over 2M downloads.