The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.
The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, “Metasploit: The Penetrations Tester’s Guide” written by TrustedSec’s founder as well as Devon Kearns, Jim O’Gorman, and Mati Aharoni.
The next major revision of The Social-Engineer Toolkit (SET) v7.7 codename “Blackout” has just been released. This version incorporates support for hostnames in the HTA attack vector, and a redesigned Java Applet attack vector. Java is still widely used in corporations and with a valid code signing certificate can be one of the easiest ways to get a shell in an organization. In this version, the Java Applet is substantially more improved on reliability, evasion, and code execution. In addition, it’s now possible to specify a text file that has multiple commands to execute which you can incorporate your own payloads. Before you could only use either your own EXE or the Meterpreter shells built into SET. If you are doing something like your own PowerShell payload or another framework, you can have multiple commands:
command1,command2,command3This will execute each command in sequence and since through HTML parameters, can be as large as you want them to be.
For a video on the new text feature within the Applet, visit below.
Changelog:
~~~~~~~~~~~~~~~~
version 7.7
~~~~~~~~~~~~~~~~
* rewrote grab_ipaddress() function to be a centralized routine that incorporates hostnames or IP addresses.
* rewrote grab_ipaddress() to include automatic detection of ipaddress or failover to manual entry. This will allow easier selection fo IP addresses without having to drop into a different window
* add hostname support for hta attack vector
* removed deploy binaries as a default option in the set.config file
* added ability for new menu for java applet that now allows you to specify multiple commands – useful if you want to insert things like empire payloads, etc.
* rewrote java applet to have additional functionality for multiple command menu
* better handling on command output
* fixed custom applet from not working properly
* fixed custom executable from not working properly
* added new unsigned obfuscated jar file
* added Java.java source files for customization
* added new Java Applet self-signed with new expirations
