Social Engineering Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET has quickly became a standard tool in a penetration testers arsenal. SET is written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be focused attacks against a person or organization used during a penetration test.
SET is a menu driven based attack system, which is fairly unique when it comes to hacker tools. The decision not to make it command line was made because of how social-engineer attacks occur; it requires multiple scenarios, options, and customizations. If the tool had been command line based it would have really limited the effectiveness of the attacks and the inability to fully customize it based on your target.
The Social Engineering Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.
The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, “ Metasploit: The Penetrations Tester’s Guide ” written by TrustedSec’s founder as well as Devon Kearns, Jim O’Gorman, and Mati Aharoni.
- Multi-platform: It can run on Linux, Unix and Windows.
- Supports integration with third party modules.
- Allows multiple tweaks from the configuration menu.
- Includes access to the Fast-Track Penetration Testing platform
- Social engineering attack options such as Spear-Phishing Attacks, Website Attacks, Infection Media Generator, Mass Mailing, Arduino-Based Attack, QRCode Attacks, Powershell Attack Vectors, and much more.
SET offers multiple attack vectors and techniques, and it’s almost impossible to cover them all in one article. However, we can highlight the main attacks here:
Phishing Attacks: This option allows you to choose from several phishing attack options to help you decide how to approach your victim. You can craft email messages with malicious payloads attached, and send them to a small or large number of recipients.
It also lets you spoof your email address by changing simple variables, which makes it really easy to use.
Web Attack: This module combines different options for attacking your victim to compromise the remote victim. It includes attack techniques such as Java Applet Attack and Metasploit Browser Exploit to deliver malicious payloads. Also handy is the Credential Harvester method, which lets you clone a website and harvest the information from user and password fields, as well as the TabNabbing, HTA Attack, Web-Jacking and Multi-Attack techniques, all with the same goal of tricking end users into revealing their credentials.
Infectious Media Generator: This interesting option enables you to create an infected media device (USB/CD/DVD) with an autorun.inf file, that can be later inserted into any PC and will automatically run a Metasploit payload if autorun is enabled.
Create a Payload and Listener: By using the fourth option from the main menu, you’ll be able to create malicious payloads for Windows, including Shell Reverse_TCP, Reverse_TCP Meterpreter, Shell Reverse_TCP X64 and Meterpreter Reverse HTTPS. As you can see by the names, you’ll be able to spawn command shells, create reverse connections, tunnels, and more.
Mass Mailer Attack: This type of attack can be performed against one or multiple individuals, even letting you import users lists to send to any people you wish. It also lets you use a Gmail account for your email attack, or use your own server or open relay for mass delivery.
Apart from these main options, you’ll also find other useful attack choices such as Arduino-Based, Wireless Access Point, QR Code Generator and Powershell Attack Vectors.
Now that you have a general overview of the Social Engineering Toolkit, let’s jump into the fun part, installing and testing this software.
Social Engineering Toolkit – Download & Install on Windows or Linux
Method 1 – Setoolkit on Windows
- Download and install Python.
- Download and install PyCrypto library.
- Clone SET git repository from https://github.com/trustedsec/social-engineer-toolkit/
- Open your cmd and run Social-Engineer Toolkit:
NOTE: You need to install Metasploit for attacking your target.
Method 2 – Social Engineering Toolkit on Windows
I use windows subsystem.
- Enable Windows subsystem
- Open PowerShell as Administrator and run:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
- Restart your computer when prompted.
- Open PowerShell as Administrator and run:
- Install any Linux distro from Windows Store
Here are links directly to the store installers:
- Open Ubuntu
- Run command
apt-get –force-yes -y install git apache2 python-requests libapache2-mod-php python-pymssql build-essential python-pexpect python-pefile python-crypto python-openssl
- Install SET
$ git clone https://github.com/trustedsec/social-engineer-toolkit/ set/
$ cd set
$ python setup.py install
Social Engineering Toolkit on Linux
pip3 install -r requirements.txt python setup.py
git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/ cd setoolkit pip3 install -r requirements.txt python setup.py
SET Documentation can be found here.