Regardless of whether you’re a single individual working on your own, or an employee of a mid- or large-sized company, you can never be safe from social engineering attacks. It’s one of the most popular methods used by crackers to capture your sensitive data.
When a social engineering attack is performed, the weakest link in the chain is not the computer system, the firewall, services or apps. It’s us, the humans behind those technologies.
Fortunately, social engineering techniques and attacks aren’t only used by bad guys, but also by blue teams as a way to educate employees and general staff about avoiding these malicious traps.
That’s why today we’re going to review one of the most popular social engineering tools around: The Social Engineering Toolkit.
What is the Social Engineering Toolkit? (SET)
Known as SET, the Social Engineering Toolkit has been in wide use since its creation.
Written by Dave Kennedy from TrustedSec, it’s an open source, free Python cybersecurity tool used by security researchers, penetration testers, blue and purple teams from around the world. Instead of targeting apps, SET uses humans as the main target of its attack techniques.
It offers many brilliant features, including faking phone numbers, sending SMS, or helping to create a phishing page by instantly cloning the original. Let’s explore the full powers of this toolkit:
- Multi-platform: It can run on Linux, Unix and Windows.
- Supports integration with third party modules.
- Allows multiple tweaks from the configuration menu.
- Includes access to the Fast-Track Penetration Testing platform.
- Social engineering attack options such as Spear-Phishing Attacks, Website Attacks, Infection Media Generator, Mass Mailing, Arduino-Based Attack, QRCode Attacks, Powershell Attack Vectors, and much more.
SET offers multiple attack vectors and techniques, and it’s almost impossible to cover them all in one article. However, we can highlight the main attacks here:
Phishing Attacks: This option allows you to choose from several phishing attack options to help you decide how to approach your victim. You can craft email messages with malicious payloads attached, and send them to a small or large number of recipients.
It also lets you spoof your email address by changing simple variables, which makes it really easy to use.
Web Attack: This module combines several options for compromising a remote victim. It includes attack techniques such as Java Applet Attack and Metasploit Browser Exploit to deliver malicious payloads. Also handy is the Credential Harvester method, which lets you clone a website and harvest the information from user and password fields, as well as the TabNabbing, HTA Attack, Web-Jacking and Multi-Attack techniques, all with the same goal of tricking end users into revealing their credentials.
Infectious Media Generator: This interesting option enables you to create an infected media device (USB/CD/DVD) with an autorun.inf file, that can be later inserted into any PC and will automatically run a Metasploit payload if autorun is enabled.
Create a Payload and Listener: By using the fourth option from the main menu, you’ll be able to create malicious payloads for Windows, including Shell Reverse_TCP, Reverse_TCP Meterpreter, Shell Reverse_TCP X64 and Meterpreter Reverse HTTPS. As you can see by the names, you’ll be able to spawn command shells, create reverse connections, tunnels, and more.
Mass Mailer Attack: This type of attack can be performed against one or multiple individuals, even letting you import user lists to send to anyone you wish. It also lets you use a Gmail account for your email attack, or use your own server or open relay for mass delivery.
Apart from these main options, you’ll also find other useful attack choices such as Arduino-Based, Wireless Access Point, QR Code Generator and Powershell Attack Vectors.
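On the defensive side, the Infectious Media Generator technique described above depends on an autorun.inf file that launches a program, which can be checked for before media is trusted. The following is an added example, not part of the original article or of SET; the sample file contents, the function names and the UTF-8 read are assumptions made for illustration:

```python
import configparser
from pathlib import Path

# Constructed sample; the file names are placeholders, not SET output.
SAMPLE_AUTORUN = """\
[AutoRun]
open=program.exe
icon=autorun.ico
shell\\open\\command=program.exe
label=Quarterly Reports
"""

def audit_autorun(text):
    """Return (key, target) pairs from [autorun] that launch a program."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return [("unparseable", "")]  # malformed file: flag for manual review
    hits = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):  # keys arrive lowercased
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in ("open", "shellexecute") or is_verb:
                hits.append((key, value.strip()))
    return hits

def scan_media(root):
    """Audit any autorun.inf at the top level of a mounted volume."""
    report = {}
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            # Assumption: UTF-8 text; undecodable bytes are replaced, not fatal.
            text = entry.read_text(encoding="utf-8", errors="replace")
            report[entry.name] = audit_autorun(text)
    return report
```

A non-empty result for a volume means the media asks the operating system to start a program on insertion and should be quarantined for review.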
Now that you have a general overview of the Social Engineering Toolkit, let’s jump into the fun part, installing and testing this software.
Installing the Social Engineering Toolkit is pretty easy with most operating systems. On most Linux distros the manual installation can be performed by using the following commands:
    git clone https://github.com/trustedsec/social-engineer-toolkit/ set/
    cd set
    pip install -r requirements.txt
Just make sure you have pip installed.
How can I use it?
Once you have SET installed, you can easily invoke it from the command line by typing:
First you’ll see an agreement message. Read it, accept it and that’s it, you’re ready to use this tool. Then you’ll probably see the following welcome message:
After that, you’ll notice a menu, showing you the most common options:
If you click one of them, you’ll get the full list of available attacks. For example, we chose number 1 and this was the full available menu for that option:
The same goes for the rest of the options offered. Simply choose the type of attack you wish to perform, then configure the way to perform it.
When talking about social engineering, one of the most common methods that comes to mind is the use of phishing emails. Let’s see how good SET is in this particular area.
We went back to the main menu, chose option 5, and this was what we got:
As you can see, it lets you choose from two different options: either email a single address, or multiple ones. We’ll go for the single email address. Once we’ve chosen that, it shows us the following screen, where we can actually start the phishing email attack:
We used a phishing email example, taken from a real-world Paypal phishing attack, to see it live in our email test box. Of course, a bit of formatting was missing from our example, but it was just that, a live test playing with this tool. A real attacker would put greater effort into both email style and text, of course.
As you can see, the email arrived perfectly—but thanks to the Gmail filter, it was flagged as spam and potentially ‘dangerous’, as well as labeled as ‘phishing scam’.
There are many options to explore when it comes to working with the Social Engineering Toolkit. For this tutorial we merely covered installation and main options, and showed how easy it can be to use one of the most traditional phishing methods available: a fake email, which could potentially include a call-to-action to a malicious website.
There are, however, many other things to explore, such as how to create templates, malicious payloads, spoof data, network traffic, and more.
With tools like this at your fingertips, you don’t need to be a very advanced user to perform a malicious attack against organizations or individuals.
One thing we must always remember is the fact that social engineering attacks rely not only on human psychology, but also on information gathering focused on the victim.
Knowing how much information you’re exposing about your infrastructure, apps and company is crucial for reducing your attack surface—to prevent social engineering attacks as well as any other type of digital attack.