How to use Social-Engineer Toolkit
Testing system components for vulnerabilities is just one part of the network security equation. What's the best way to measure users' resilience to social engineering threats?
Every security professional knows that systematically testing defenses is a good idea. Systematic and empirical control testing quite literally underpin much of our discipline. That's reflected by a variety of security operations -- from penetration testing, phishing simulation, and vulnerability scanning to container scanning, data loss prevention and beyond. All these validate the control operation and serve to provide demonstrable feedback that the countermeasures in place perform effectively.
When it comes to how to test, however, technologists sometimes fall into the trap of overfocusing on the technology ecosystem. As a result, many of the tools we rely on center too much on the underlying components -- among them the systems, applications and OSes -- that support the technology. These technical validation efforts are important, but it's also important to test the human element.
Just as we systematically test the security profile of an application, server or network, so too must we test how resilient users are. How likely, for example, are users to fall victim to manipulation, confidence schemes, social engineering and other malicious campaigns?
There aren't a lot of tools available to assess users' resistance to these types of attacks. But there is one helpful option: Social-Engineer Toolkit (SET).
Editor's note: Tools such as SET can be used in ways that are lawful and helpful as a security practitioner, but they can also be used illegally, unlawfully and unethically. Make sure any planned use is ethical, lawful and legal. If you're not sure about the legality, do not proceed until you are. This might require some research on your part, such as an honest discussion with internal counsel about what you have planned.
How to get started with SET
SET is a group of utilities used primarily in a red team context, such as a pen test, to launch social engineering attacks. The open source app, written by TrustedSec founder Dave Kennedy, enables security professionals to execute a variety of common attacks, such as creating plausible-seeming websites that mirror users' trusted destinations, conducting tabnabbing and performing other browser-based attacks.
Let's examine some of SET's capabilities and discuss ways to use the toolkit.
How to install SET
There are a few ways to install the software. One option is to obtain a platform where it is preinstalled or installed in a default configuration. Penetration-focused Linux distributions, such as Kali and BlackArch, include the toolkit as part of a default install.
If you prefer to install it on another platform, you can use a CLI -- instructions for doing so are in the project's readme -- or run it in Docker. A Dockerfile is included in the project source.
How to start SET
Run SET from the command line using the setoolkit command. The main menu then displays.
Let's run through the various modules available from the main menu and what they do.
Several options are either informative, such as option 6, "Help, Credits, and About," or maintenance-related, such as option 4, "Update the Social-Engineer Toolkit," and option 5, "Update SET configuration." While useful, these are self-explanatory, so we don't cover them here.
The first three options are the attack tools you might consider using as part of a penetration test or as part of a social engineering campaign:
- Option 1, "Social-Engineering Attacks," contains tools to fabricate a variety of strikes, including credential-harvesting pages, malicious email campaigns, malicious QR codes, nefarious media and more.
- Option 2, "Penetration Testing (Fast-Track)," contains additional pen testing attack frameworks, such as Microsoft SQL Bruter, which attempts to gain access to SQL servers by uncovering weak passwords through brute force.
- Option 3, "Third Party Modules," contains remote administration tools to use post-exploitation to enable lateral movement or maintain a presence on the remote host.
All these are worth time exploring and investigating, but this article focuses on option 1.
Social engineering with SET
After selecting "Social-Engineering Attacks" from the main menu, you are presented with the following list of specific techniques:
- Spear-Phishing Attack Vectors. Create and send emails with malicious payloads.
- Website Attack Vectors. Attack using browser exploits or malicious website content.
- Infectious Media Generator. Generate malicious media -- for example, a CD or USB drive -- to compromise a host when inserted.
- Create a Payload and Listener. Generate a malicious payload, or monitor for inbound connections from compromised victims.
- Mass Mailer Attack. Send email to one or more targets.
- Arduino-Based Attack Vector. Create a keystroke-playback USB-attached device that operates as a keyboard upon connection. This can then send preassigned keystrokes, for example, to compromise the host via malicious commands.
- SMS Spoofing Attack Vector. Use predefined templates, or create original text messages that spoof the SMS source to enable phishing and credential-harvesting attacks.
- Wireless Access Point Attack Vector. Create a malicious wireless AP to enable man-in-the-middle or other attacks.
- QRCode Generator Attack Vector. Generate QR codes with arbitrary and potentially malicious destination URLs.
- Powershell Attack Vectors. Create malicious PowerShell for shellcode, Security Account Manager (password) dumping, reverse shell, etc.
- Third-Party Modules. Use specialized applications from third parties.
All of SET's attack techniques help organizations protect themselves from social engineering attacks, but the "Website Attack Vectors" and "Create a Payload and Listener" options are particularly useful:
- Website Attack Vectors lets practitioners stage attacks such as the following:
  - Tabnabbing involves capturing a user's browser tab to redirect it to a location you control.
  - Credential harvesting is setting up a bogus website for the purpose of capturing credentials.
  - Other web-based techniques.
- Create a Payload and Listener automates the process of creating a file with a malicious payload and simplifies the process of creating the listener for that malicious payload to connect back to.
SET also gives users the choice to use a Meterpreter-based -- i.e., Metasploit -- shell, which is an environment already familiar to many red teamers.
How to use SET as part of a bigger strategy
SET has multiple enterprise use cases. First and perhaps most obviously, use it to assist with pen testing. SET supports any red team activity that includes a social engineering component.
Second, use SET as part of your security awareness training program. Want to test how employees react to a random QR code? Place a code in a highly visible location -- a break room or cafeteria -- and record who follows the link. Or use the Wi-Fi attack vector to measure users' resilience against connecting to potentially malicious APs.
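Recording who follows a posted QR code means giving each placement its own tracking link and then counting the hits on the landing page. The following Python script is an added example written for this article, not code from SET or from the original text. It assumes each printed code points at https://awareness.example.internal/qr/<token> (the host and path layout are assumptions), that the landing page's web server writes combined-format access logs, and it uses constructed sample log lines; generating the QR image itself is left to SET's QRCode Generator or any QR tool.

```python
"""Measure which awareness-campaign QR codes were scanned, from web access logs.

Added example for the article above; not part of SET or the original text.
Assumptions: the QR codes resolve to BASE_URL + <token> and the web server in
front of that page writes Apache/nginx combined-format access logs.
"""
import re
import secrets
from collections import defaultdict
from datetime import datetime

BASE_URL = "https://awareness.example.internal/qr/"  # assumed campaign host

# Combined log format: ip - - [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
PATH_RE = re.compile(r"^/qr/(?P<token>[0-9a-f]{16})$")


def new_campaign(locations, rng=secrets.token_hex):
    """Return {location: token}. Each physical placement gets its own random
    token so a scan can be attributed to where the code was posted."""
    return {loc: rng(8) for loc in locations}


def campaign_urls(campaign):
    """URLs to encode in the QR codes, one per placement."""
    return {loc: BASE_URL + token for loc, token in campaign.items()}


def parse_line(line):
    """Return (token, timestamp, ip, user_agent) for a successful GET on a
    campaign URL, else None. HEADs and non-200s (scanners, typos) are ignored."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET" or m.group("status") != "200":
        return None
    p = PATH_RE.match(m.group("path"))
    if not p:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return p.group("token"), ts, m.group("ip"), m.group("ua")


def summarize(campaign, log_lines):
    """Per placement: total hits, distinct client IPs and time of first scan.
    Distinct IPs approximate distinct people, so one phone reloading the
    landing page does not inflate the result."""
    by_token = {tok: loc for loc, tok in campaign.items()}
    seen = defaultdict(lambda: {"hits": 0, "clients": set(), "first": None})
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec[0] not in by_token:
            continue  # not one of this campaign's tokens
        token, ts, ip, _ua = rec
        slot = seen[by_token[token]]
        slot["hits"] += 1
        slot["clients"].add(ip)
        if slot["first"] is None or ts < slot["first"]:
            slot["first"] = ts
    report = {}
    for loc in campaign:
        s = seen.get(loc)
        report[loc] = {
            "hits": s["hits"] if s else 0,
            "distinct_clients": len(s["clients"]) if s else 0,
            "first_scan": s["first"].isoformat() if s else None,
        }
    return report


# Constructed sample data: a fixed campaign and a handful of fabricated log lines.
SAMPLE_CAMPAIGN = {"break room": "0123456789abcdef", "cafeteria": "fedcba9876543210"}
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2024:12:01:10 +0000] "GET /qr/0123456789abcdef HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone)"',
    '10.0.0.5 - - [10/Oct/2024:12:01:12 +0000] "GET /qr/0123456789abcdef HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone)"',
    '10.0.0.9 - - [10/Oct/2024:12:05:00 +0000] "GET /qr/0123456789abcdef HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Android)"',
    '10.0.0.7 - - [10/Oct/2024:11:59:59 +0000] "GET /qr/fedcba9876543210 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Android)"',
    '203.0.113.4 - - [10/Oct/2024:12:30:00 +0000] "HEAD /qr/fedcba9876543210 HTTP/1.1" 200 0 "-" "curl/8.0"',
    '10.0.0.8 - - [10/Oct/2024:12:31:00 +0000] "GET /qr/ffffffffffffffff HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [10/Oct/2024:12:32:00 +0000] "GET /favicon.ico HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for loc, url in campaign_urls(SAMPLE_CAMPAIGN).items():
        print(f"{loc}: encode {url} in the QR code")
    for loc, stats in summarize(SAMPLE_CAMPAIGN, SAMPLE_LOG).items():
        print(loc, stats)
```

Keep the token-to-location map out of the landing page and the QR images; anyone who can read it can tell which placement a colleague scanned, which is more than an awareness metric needs.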
Finally, use SET to test hardening measures. If you expect autorun to be disabled on managed endpoints, for example -- it is disabled by default on modern versions of Windows -- explicitly test that capability using the media creation feature.
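Before plugging in SET-generated media, it helps to know what the endpoint's AutoRun policy actually says, so a failed test can be traced to the setting rather than guessed at. The Python below is an added example, not SET's code and not from the article: it decodes the NoDriveTypeAutoRun bitmask Windows stores under HKLM or HKCU (the bit meanings and the HKLM-over-HKCU precedence are taken from Microsoft's documentation of that policy), reads the live value when run on Windows via the standard winreg module, and otherwise just decodes a value you exported from your endpoint management tool. The assess() wording is this example's own.

```python
r"""Decode and check the Windows NoDriveTypeAutoRun policy.

Added example; not from the article or from SET. The value is a REG_DWORD at
  HKLM or HKCU \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
where a set bit DISABLES AutoRun for that drive type. Reading the live value
needs Windows; the decoding runs anywhere.
"""

# Bit meanings per Microsoft's policy documentation.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB sticks, floppies
    "fixed": 0x08,       # local hard disks
    "remote": 0x10,      # network shares
    "cdrom": 0x20,       # CD/DVD
    "ramdisk": 0x40,
    "unknown_hi": 0x80,  # second "unknown type" bit
}
WINDOWS_DEFAULT = 0x91  # effective value when no policy is configured
DISABLE_ALL = 0xFF      # the usual hardening baseline


def decode_mask(mask):
    """Map each drive type to True if AutoRun is disabled for it."""
    return {name: bool(mask & bit) for name, bit in DRIVE_TYPE_BITS.items()}


def autorun_blocked_for_media(mask):
    """True only when AutoRun is disabled on both removable and optical drives,
    the two types that attacker-supplied media present as."""
    d = decode_mask(mask)
    return d["removable"] and d["cdrom"]


def read_policy_mask():
    """On Windows, return (hive, value) of the effective policy, checking HKLM
    first because it takes precedence over HKCU. Returns None when the module
    is unavailable (non-Windows) or the value is not set in either hive."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, key_path) as key:
                value, kind = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
                if kind == winreg.REG_DWORD:
                    return hive_name, value
        except OSError:
            continue  # key or value absent in this hive
    return None


def assess(mask):
    """One-line finding for a hardening report."""
    still_enabled = [n for n, off in decode_mask(mask).items() if not off]
    if autorun_blocked_for_media(mask):
        return f"0x{mask:02X}: AutoRun disabled for removable and optical media"
    return f"0x{mask:02X}: AutoRun still enabled for: {', '.join(still_enabled)}"


if __name__ == "__main__":
    live = read_policy_mask()
    if live is None:
        print("no live policy read (not Windows or value unset); default applies:")
        print(assess(WINDOWS_DEFAULT))
    else:
        hive, value = live
        print(f"{hive} policy -> {assess(value)}")
```

A mask of 0xFF is what most hardening baselines push; 0x91, the unconfigured default, leaves removable and optical drives enabled by this policy, which is exactly the case the media test should then exercise rather than assume.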
With some creativity, these features support both red and blue team use cases. Time spent exploring SET's capabilities is time well spent.
Ed Moyle is a technical writer with more than 25 years of experience in information security. He is currently CISO at Drake Software.