Skip to Main Content
July 27, 2016

The Social-Engineer Toolkit (SET) v7.3 "Underground" released.

Written by David Kennedy
Security Testing & Analysis Social Engineering
TrustedSec is proud to announce the release of The Social-Engineer Toolkit (SET) v7.3 codename "Underground". This version is a complete rewrite of the SMS spoofing module and now uses the awesome folks over at spoofmytextmessages.com as the main provider. The API fully integrates into theirs and allows you to spoof text messages directly through SET. You will first need to visit: https://www.spoofmytextmessage.com/ Then purchase your credits for SMS spoofing and from there, you are all set and ready to go. SET will automatically grab your token keys for authorization and allow you to send spoofed text messages. Be sure to check your country legality and ensure SMS spoofing is allowed. Special thanks to the crew over at spoofmytextmessage.com who were super awesome and helped with getting this into SET. In addition, there's a ton of new features including better handling around powershell injection, python 3 conversions, fast-track improvements and more. For a full change log see below: ~~~~~~~~~~~~~~~~ version 7.3 ~~~~~~~~~~~~~~~~ * completely rewrote the SMS spoofing module from scratch to use spoofmytextmessage.com which the folks over there are super helpful and provided an undocumented API to be used within SET. This now works great and has been extensively tested. * sped up the load process when using the main menu system the loading would pull from github each time the show_banner() function was called - this only loads once per SET load now * fixed a string integer error from input to raw_input in the RDP DOS use after free in exploits * added libapache2-mod-php to setup.py - needed for credential harvester * added python-requests to setup.py - needed for sms spoofing * added better check for python-requests in sms spoofing * added better formating within sms spoofing * added error handling to sms spoofing if something goes wrong during auth process * removed socket error when no internet connection using update check * use global lock for checking previous use on update * general cleanup of setcore * cleaned up setup file and added better descriptions * fixed a bug that would cause fsattack to not load properly * moved from pulling entire setcore which is a few thousand lines to adding src/core/set.version which contains the version - much faster in pulling down * fixed a bug in dell drac that caused it to error out * added timeout delay for pulling new version biggest challenge here is that urllib base is socket and socket timeout is tied to gethostbyname() which does not support a timeout, needed to add multiprocessing poll for 8 seconds to add timeout delay when checking for updates * added check for urllib for python2 and python3 compatibility * changed delldrac to python 2 to 3 compatibility and rewrote requests to use solid urlopen instead of requests * added keyboard exception handling for urllib pull for version You can always get SET from the github page: Get SET from GitHub