Computer Based Social Engineering Tools: Social Engineer Toolkit (SET)

From Learn to be a true Social Engineer


The Social-Engineering Toolkit (SET) is a Python-driven suite of custom tools that focuses solely on attacking the human element of penetration testing. Its main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed. Currently SET has two main methods of attack: the first utilizes Metasploit[1] payloads and Java-based attacks by setting up a malicious website that ultimately delivers your payload; the second works through file-format bugs and e-mail phishing. The second method supports your own open-mail relay, a customized sendmail open relay, or Gmail integration to deliver your payloads through e-mail. The goal of SET is to bring awareness to the often forgotten attack vector of social engineering.

How to Obtain SET

Obtaining a copy of SET is simple; check it out from the Subversion repository:

    svn co http://svn.thepentest.com/social_engineering_toolkit

Information

The beauty of the current version of SET is that it does not require any external Python modules. If you notice, the overall format of SET is very similar to Fast-Track's interactive menu. This was intentional, as it will probably become a module in Fast-Track eventually. The soon-to-be-released Metasploit Framework Unleashed course[2] by Offensive Security will contain a whole module on how to use this tool, covering both the e-mail and web attack how-tos.

In the mail attack vector, the mass e-mailer offers two options: the first sends an e-mail to one individual person; the second lets you import a list and send to as many people as you want within that list. The list format is simple: the mass e-mailer sends one e-mail per line of the list.

Here are some screenshots:

[Screenshot: SET-Screen1.JPG]

Now the user opens the PDF and is presented with a working PDF. See below:

[Screenshot: SET-Screen2.JPG]

Recently added to the toolkit is the ability to spoof source IP addresses utilizing your own open-relay server or utilizing sendmail. Mail relays allow you to originate e-mails appearing to come from any domain name. Most organizations protect against mail relays by utilizing reverse lookups to determine whether the domain name matches the original sender. Some organizations don't, and that is when the sendmail attack is a perfect opportunity for us to attack our victims.

Lastly, you can configure your own open-relay server: say, for example, you're on a pentest and your customer has an open-relay SMTP server, and you are allowed to send e-mails to internal addresses from any user account.
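The reverse-lookup defence mentioned above, as an added example that is not SET's code and not part of the original page: a mail gateway takes the IP of the host that handed it the message (the topmost Received: header, the one our own server wrote), resolves its PTR name, and compares that with the domain in the From: header. The PTR answers here come from a constructed in-memory table (PTR_TABLE), and the three messages are constructed samples, so the script runs offline; a real gateway would query its resolver.

```python
"""Reverse-lookup consistency check for inbound mail.

Added example; this is not SET's code and not from the original page. The
PTR answers come from a constructed in-memory table so the script runs
offline; a real gateway would query its resolver instead.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for PTR lookups (assumption: IP -> reverse DNS name).
PTR_TABLE = {
    "203.0.113.10": "mail.example.com",     # legitimate relay for example.com
    "198.51.100.7": "mx1.partner.example",  # some other organisation's host
    "192.0.2.55": None,                     # host with no PTR record at all
}

# Pulls the bracketed IPv4 address out of a Received: header.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def connecting_ip(msg):
    """IP of the host that delivered the message to our gateway.

    The topmost Received: header is the one our own server wrote, so it is
    the only one we can trust; earlier hops are whatever the sender claims.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP_RE.search(received[0])
    return m.group(1) if m else None


def classify(raw_message, ptr_table=PTR_TABLE):
    """Return 'match', 'mismatch', 'no-ptr' or 'no-ip' for a raw message."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    ip = connecting_ip(msg)
    if ip is None:
        return "no-ip"
    ptr = ptr_table.get(ip)
    if not ptr:
        return "no-ptr"
    ptr = ptr.lower().rstrip(".")
    # The relay is either the claimed domain itself or a host inside it.
    if domain and (ptr == domain or ptr.endswith("." + domain)):
        return "match"
    return "mismatch"


# Constructed sample messages (headers trimmed to what the check needs).
LEGIT = """\
Received: from mail.example.com ([203.0.113.10]) by gw.corp.example
From: Alice <alice@example.com>
To: bob@corp.example
Subject: Q3 figures

See attached.
"""

SPOOFED = """\
Received: from mail.example.com ([198.51.100.7]) by gw.corp.example
From: IT Helpdesk <helpdesk@example.com>
To: bob@corp.example
Subject: Password reset required

Open the attached PDF.
"""

NO_PTR = """\
Received: from unknown ([192.0.2.55]) by gw.corp.example
From: news@example.com
To: bob@corp.example
Subject: Newsletter

Hello.
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED), ("NO_PTR", NO_PTR)):
        print(f"{name}: {classify(raw)}")
```

Only the topmost Received: header is consulted because every header below it was written by hosts the sender controls; the spoofed sample even claims "from mail.example.com" in that line, and the check still flags it because the bracketed IP belongs to someone else's relay. A missing PTR is reported separately from a mismatch, since many sites treat the two differently (quarantine versus reject).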

Web Attack Vector

Another exploitation option besides e-mail is creating a fake web site that serves up a Metasploit payload: once the victim visits, we serve a Java applet "signed" by the Microsoft Corporation, and if they accept it, our payload is delivered.

Another option, if we are on the inside of the network, is automatic ARP cache poisoning, where SET poisons a victim on the subnet and replaces all the HREFs the victim sees with our website.
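What the ARP cache poisoning above looks like from the victim's side, as an added detection example that is not SET's code and not part of the original page: two snapshots of the kernel ARP table in the /proc/net/arp format used by Linux are compared, and the two symptoms a defender watches for are reported, namely the gateway's MAC address changing and one MAC answering for several IPs. The snapshots here are constructed; on a live host you would read /proc/net/arp (or `ip neigh`) at intervals and feed the text in.

```python
"""ARP-table change detector.

Added example; not SET's code and not from the original page. The two
snapshots below are constructed text in /proc/net/arp format.
"""

INCOMPLETE_MAC = "00:00:00:00:00:00"  # kernel marker for an unresolved entry


def parse_proc_net_arp(text):
    """Return {ip: mac} from /proc/net/arp text, skipping the header line
    and entries the kernel has not resolved yet."""
    table = {}
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, mac = fields[0], fields[3].lower()
        if mac == INCOMPLETE_MAC:
            continue
        table[ip] = mac
    return table


def changed_mappings(before, after):
    """IPs whose MAC differs between the snapshots -> (old_mac, new_mac)."""
    return {
        ip: (before[ip], after[ip])
        for ip in before
        if ip in after and before[ip] != after[ip]
    }


def duplicate_macs(table):
    """MACs that appear for more than one IP -> sorted list of those IPs."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def analyse(before_text, after_text, gateway_ip):
    """Summarise what changed between two snapshots of the ARP table."""
    before = parse_proc_net_arp(before_text)
    after = parse_proc_net_arp(after_text)
    changed = changed_mappings(before, after)
    return {
        "changed": changed,
        "duplicates": duplicate_macs(after),
        "gateway_changed": gateway_ip in changed,
    }


# Constructed snapshots. In the second one the gateway (192.0.2.1) suddenly
# resolves to the MAC of the host at 192.0.2.31, which is what a poisoned
# cache looks like on the victim.
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:11:22:33:44:01     *        eth0
192.0.2.20       0x1         0x2         00:11:22:33:44:20     *        eth0
192.0.2.31       0x1         0x2         00:11:22:33:44:31     *        eth0
"""

AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:11:22:33:44:31     *        eth0
192.0.2.20       0x1         0x2         00:11:22:33:44:20     *        eth0
192.0.2.31       0x1         0x2         00:11:22:33:44:31     *        eth0
192.0.2.40       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

if __name__ == "__main__":
    report = analyse(BEFORE, AFTER, gateway_ip="192.0.2.1")
    for ip, (old, new) in report["changed"].items():
        print(f"{ip}: {old} -> {new}")
    for mac, ips in report["duplicates"].items():
        print(f"{mac} answers for {', '.join(ips)}")
    print("gateway changed:", report["gateway_changed"])
```

A gateway MAC that changes without a maintenance window, or one MAC claiming both the gateway and a workstation address, is the signal worth alerting on; unresolved entries are dropped before comparison so that a host merely going quiet does not show up as a change.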

The Social Engineering Toolkit "Web Attack" will create a fake, "professional"-looking website for you with malicious Java applet code. When you entice a victim to the website, whether through social engineering, an XSS vulnerability, e-mail, or other means, it will prompt the user to say "Yes" to run the applet signed by Microsoft. Once accepted, the payload is executed on the remote system.

The payload itself is generated dynamically through Metasploit, and the handler and everything else are set up for you automatically by the SET Web Attack toolkit.

Now the victim performs a normal Google search. Let's see what happens:

[Screenshot: SET-Browser2.JPG]

Notice that the security warning is asking us to trust an application signed by the Microsoft Corporation.

SET is still a work in progress, and new attacks will be released within the toolset. SET utilizes multiple attack vectors in order to make your social-engineering experience a little bit easier.

References

  1. http://www.metasploit.com/
  2. http://www.offensive-security.com/blog/offsec/metasploit-unleashed-information-security-training-at-its-best/
