The next major revision of The Social-Engineer Toolkit (SET) v7.7 codename “Blackout” has just been released. This version incorporates support for hostnames in the HTA attack vector, and a redesigned Java Applet attack vector. Java is still widely used in corporations and with a valid code signing certificate can be one of the easiest ways to get a shell in an organization. In this version, the Java Applet is substantially more improved on reliability, evasion, and code execution. In addition, it’s now possible to specify a text file that has multiple commands to execute which you can incorporate your own payloads. Before you could only use either your own EXE or the Meterpreter shells built into SET. If you are doing something like your own PowerShell payload or another framework, you can have multiple commands:
This will execute each command in sequence and since through HTML parameters, can be as large as you want them to be.
For a video on the new text feature within the Applet, visit below.
~~~~~~~~~~~~~~~~ version 7.7 ~~~~~~~~~~~~~~~~ * rewrote grab_ipaddress() function to be a centralized routine that incorporates hostnames or IP addresses. * rewrote grab_ipaddress() to include automatic detection of ipaddress or failover to manual entry. This will allow easier selection fo IP addresses without having to drop into a different window * add hostname support for hta attack vector * removed deploy binaries as a default option in the set.config file * added ability for new menu for java applet that now allows you to specify multiple commands – useful if you want to insert things like empire payloads, etc. * rewrote java applet to have additional functionality for multiple command menu * better handling on command output * fixed custom applet from not working properly * fixed custom executable from not working properly * added new unsigned obfuscated jar file * added Java.java source files for customization * added new Java Applet self-signed with new expirations