September 09, 2010

Social-Engineer Toolkit 0.7 Codename "Swagger Wagon" and Online Tutorials

Written by David Kennedy
Security Testing & Analysis Social Engineering
The release date for SET v0.7 is scheduled for this Monday, September 13, 2010 at 1:00PM EST. The new version of SET incorporates two brand new web attack vectors, a slew of bug fixes, and two new Teensy-based attack payloads. Special thanks to the Back|Track team, Emgent, White Sheep, and Garland for all of the help with this one.

The new web attack vector incorporates a technique that SET dubs web jacking: when the victim goes to click a link, it appears in every way, shape and form to be legitimate, but as soon as they click, it rewrites the page to the malicious attacker's page, which can intercept the credentials. In addition to the web jacking attack, there is now the multi-attack vector, which allows you to combine all web attack vectors into one web page. For example, you can now use the Java applet, Metasploit browser exploits, credential harvester, tabnabbing, web jacking, and the rest all at the same time, all housed on one attack web page. This is useful if one attack fails: you have multiple ones to back you up to ensure that it goes off without a hitch.

In addition to Monday's big release, we are teaming up with the Social-Engineer team and Offensive-Security team and launching an updated online tutorial for SET v0.7 which details every nook and cranny within SET. The updates will be posted on tutorials as well as the Metasploit-Unleashed course at The tutorial is no joke: it spans over 54 pages, has detailed coverage of every attack vector in SET, and includes a step-by-step walkthrough.

Below is a snippet of the changelog:

* Fixed the NAT/Port FWD descriptions to be a little bit more descriptive
* Bug fixes on payload gen with x64 bit payloads in Metasploit
* Added new Multi-Attack Payload option to utilize multiple attack vectors
* Incorporated Multi-Attack into each web attack vector
* Added a PID management system in SET for stray processes
* Cleaned up payloadgen code and SET code to reflect new multiattack changes
* Added the web jacking attack vector by white_sheep, emgent, and the Back|Track team
* Fixed an issue with ARP Cache defaulting, it should now poison everyone
* Added better error handling within the SET menus, still needs a bit more work
* Cleaned up color schemas and removed old code
* Added the Adobe CoolType SING Table 'uniqueName' Overflow zero day from Metasploit
* Added two more Teensy based payloads, thanks Garland!
* Added HTML support for Spear-Phishing Attack Vector
* Added HTML support when WEBATTACK_EMAIL=ON for web attack vector