Skip to Main Content
June 28, 2016

New Release: The Social-Engineer Toolkit (SET) v7.2 "Wine and Gold"

Written by David Kennedy
Security Testing & Analysis Social Engineering
Today we release a new version of the Social-Engineer Toolkit (SET) v7.2 codename: "Wine and Gold". For non-Cavs or non sports ball fans - apologies but couldn't resist. This version has a number of enhancements and additions and represents over two months worth of development. Based on the show "Mr. Robot" which we think is awesome - they utilized a technique called SMS spoofing which was removed in old versions of SET. Since the shows release, we've seen a number of folks asking for it back so we've including the SMS spoofing package back in this version of SET (v7.2). In addition, there has been a number of improvements including the HTA attack vector obfuscation, reliability, and payload delivery, better handling of the attack vectors and more. In addition there is a new config option (located under /etc/setoolkit/set.config) which is called WGET_DEEP. This option will clone a website and its images which allows for at times better handling for cloning websites. To turn this on, edit your /etc/setoolkit/set.config file (which is automatically updated when updating to the latest) and turn WGET_DEEP to ON. When using the website attack vectors ( this will automatically go through and pull the entire website structure. Some additional things that have changed - better compatibility around python 3, MS08-067 relies on the Metasploit exploit now vs the python one which was old. Additionally theres a new startup menu which if the version of SET you are using is out of date, it will let you know that theres a new update available. Full changelog below: ~~~~~~~~~~~~~~~~ version 7.2 ~~~~~~~~~~~~~~~~ * fixed an issue on installer not copying SET directory properly (why was I moving a file and ... nevermind.) * changed delay time for HTA attack vector from 3 seconds to 10 seconds to allow proper loading * added wording when using gmail and application specific passwords * rewrote ms08-067 instead of being the python exploit to use the metasploit default which is much more reliable * re-introduced the SMS spoofing method (now option 10) - it has been optimized and reduced to only use SMSGang as a main provider. * added ability to add your own attachments via file format attacks instead of having to use the ones built in * added ability to add your own attachments via mass mailer attack vector * added new config option called wget_deep and incremented config to 7.2 - this will allow 1 deep download wgets * added ability to select on deeper wgets through web cloner in the web attack vectors - this will allow you to clone the site and not just the index.html which might be better.. to enable this edit /etc/setoolkit/set.config and turn WGET_DEEP to on. * added a new check upon startup (which may delay the start of set for a couple seconds, but it will check to see if there is a new version of SET available for you automatically - this is displayed on the main launcher UI when you first start SET * fixed a bit to reflect more on whats out there.. I may convert this to a standard setup installer eventually * updated the licensing agreement - should check it out =) * changed the default payload in HTA and Java Applet attack to be reverse_https instead of reverse_tcp (although both can be specified) * number of fixes around spacing for python3 and python3 compatibility (urllib) * removed string decode on HTA attack vector which is no longer needed in python3 (and python2) * changed urllib2 to import urllib instead for python2 and python3 compatibility in setcore * changed encoding techniques to bytes instead of strings for python3 compatibility