Chapter 10. The Social-Engineer Toolkit

The Social-Engineer Toolkit (SET) was developed to coincide with the release of Social-Engineer.org, a set of resources conceived by Chris Hadnagy (loganWHD) and written by one of this book’s authors, David Kennedy. The site offers a centralized location for social-engineering tutorials and explains terminologies, definitions, and scenarios that can help prepare you for hacking the human mind.

The purpose of SET is to fill a gap in the penetration testing community and bring awareness to social-engineering attacks. And it has succeeded: SET has been downloaded 1 million times and is now an industry standard for deploying social-engineering attacks. The toolkit attacks human weaknesses, exploiting curiosity, credibility, avarice, and simple human stupidity. Social-engineering attacks are at an all-time high and have always been a large risk for many organizations.

Of course, social engineering is nothing new. One person trying to coax another to perform acts that he normally wouldn’t do is as old as time itself. Many in the security community believe that social engineering is one of the biggest risks organizations face, because it’s extremely difficult to protect organizations from being attacked in this way. (You might remember the ultrasophisticated Operation Aurora attack, for example, in which social engineering was used to attack Gmail and other sources of Google data.)

An attack vector is the avenue used to gain information or access to a system. SET categorizes attacks by attack vector (such as web, email, and USB-based attacks). It uses email, spoofed websites, and other vectors to reach human targets, typically tricking individuals into compromising the target or releasing sensitive information. Naturally, each vector can have a different success rate depending on its target and the communication used. SET also comes prebuilt with email and website templates that can be used for social-engineering attacks. SET heavily uses the Metasploit Framework.

Because of the social nature of the attacks themselves, each example in this chapter is coupled with a brief story.

By default, in Back|Track, SET is located in the /pentest/exploits/set/ directory. Before you begin, make sure that you are running the latest version of SET.

root@bt:/pentest/exploits/set# svn update

Next, configure your SET configuration file according to what you’re attempting to accomplish. We’ll cover a couple of simple features within the configuration file config/set_config within the root SET directory.

When using the SET web-based attack vectors, you can turn ON the WEBATTACK_EMAIL flag to perform email phishing in conjunction with the web attack. This flag is turned OFF by default, which means that you will configure SET and use the web attack vector without the support of email phishing.

METASPLOIT_PATH=/opt/framework3/msf3

WEBATTACK_EMAIL=ON

One of the web-based attacks available in SET is the Java applet attack, which uses self-signed Java applets. By default, this attack uses Microsoft as the publisher name; however, if the Java Development Kit (JDK) has been installed, you can turn this option ON and sign the applet with whatever name you want. When you turn this flag ON, additional options will be available through the interface.

SELF_SIGNED_APPLET=ON

The AUTO_DETECT setting is one of the most important flags and is turned ON by default. It tells SET to detect your local IP address automatically and to use that as the address for the reverse connection and web servers. If you are using multiple interfaces or your reverse payload listener is housed at a different location, turn this flag OFF. When this option is OFF, SET will allow you to specify multiple scenarios to ensure that the proper IP address scheme is used, for example, in a scenario that includes NAT and port forwarding. These options are reflected within the SET interface.

AUTO_DETECT=OFF

When you use the toolkit, by default it uses a built-in Python web-based server. To optimize performance, set the APACHE_SERVER flag to ON, and SET will use Apache for the attacks.

APACHE_SERVER=ON
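Because a wrong flag in set_config only shows up once the tool is already running, it helps to check the file before launching. The following Python script is an added example and is not part of SET itself: it parses the KEY=VALUE, `#`-commented layout shown above, validates the ON/OFF flags the chapter discusses, and applies the chapter's own rules (METASPLOIT_PATH must point at a real directory, SELF_SIGNED_APPLET=ON needs a JDK, AUTO_DETECT=OFF means you will be prompted for the IP scheme). The sample configuration is constructed, and using the presence of `keytool` on the PATH as the JDK check is an assumption of this example.

```python
"""Parse and sanity-check a SET-style config/set_config file.

Added example, not code from SET. Assumes the KEY=VALUE, '#'-commented
format shown in the chapter; flag names are the ones the chapter covers.
"""
import os
import shutil

# Flags discussed in the chapter that take ON/OFF values.
BOOLEAN_FLAGS = ("WEBATTACK_EMAIL", "SELF_SIGNED_APPLET", "AUTO_DETECT", "APACHE_SERVER")

# Constructed sample mirroring the chapter's settings.
SAMPLE_CONFIG = """\
# Path to the Metasploit Framework
METASPLOIT_PATH=/opt/framework3/msf3
WEBATTACK_EMAIL=ON
SELF_SIGNED_APPLET=ON
AUTO_DETECT=OFF
APACHE_SERVER=ON
"""


def parse_set_config(text):
    """Return {KEY: VALUE} from KEY=VALUE lines, skipping blanks and '#' comments."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def review_config(cfg, jdk_present=None, msf_path_exists=None):
    """Return a list of (level, message) findings; level is 'error' or 'info'.

    jdk_present / msf_path_exists can be passed explicitly (e.g. in tests);
    when None they are detected from the local system (assumption: keytool on
    PATH stands in for an installed JDK).
    """
    findings = []

    # Every ON/OFF flag must hold exactly ON or OFF, as the chapter writes them.
    for flag in BOOLEAN_FLAGS:
        if flag in cfg and cfg[flag] not in ("ON", "OFF"):
            findings.append(("error", f"{flag} must be ON or OFF, got {cfg[flag]!r}"))

    # SET depends heavily on Metasploit, so the path must exist.
    msf = cfg.get("METASPLOIT_PATH")
    if not msf:
        findings.append(("error", "METASPLOIT_PATH is not set"))
    else:
        if msf_path_exists is None:
            msf_path_exists = os.path.isdir(msf)
        if not msf_path_exists:
            findings.append(("error", f"METASPLOIT_PATH {msf} is not a directory"))

    # Signing the applet with a custom publisher name requires the JDK.
    if cfg.get("SELF_SIGNED_APPLET") == "ON":
        if jdk_present is None:
            jdk_present = shutil.which("keytool") is not None
        if not jdk_present:
            findings.append(("error", "SELF_SIGNED_APPLET=ON requires a JDK (keytool not found)"))

    # Informational notes on what the chosen flags imply at run time.
    if cfg.get("AUTO_DETECT") == "OFF":
        findings.append(("info", "AUTO_DETECT=OFF: SET will prompt for the IP address scheme (e.g. NAT/port forwarding)"))
    if cfg.get("WEBATTACK_EMAIL", "OFF") == "OFF":
        findings.append(("info", "WEBATTACK_EMAIL=OFF: web attack runs without email phishing"))
    if cfg.get("APACHE_SERVER", "OFF") == "OFF":
        findings.append(("info", "APACHE_SERVER=OFF: using SET's built-in Python web server"))
    return findings


def errors(findings):
    """Just the error messages from a findings list."""
    return [msg for level, msg in findings if level == "error"]


if __name__ == "__main__":
    for level, msg in review_config(parse_set_config(SAMPLE_CONFIG)):
        print(f"[{level}] {msg}")
```

Run it against your own file by replacing SAMPLE_CONFIG with the contents of config/set_config; any "error" line should be fixed before starting SET, while "info" lines only describe how the tool will behave with the flags as set.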

Those are the basics of the configuration file. As you can see, you can significantly change SET’s behavior depending on which flags are set in the tool. Now let’s run the tool.