February 20, 2012
The Social-Engineer Toolkit (SET) 3.0 "#WeThrowBaseBalls" has been released.
Written by David Kennedy
Greetings all. I'm excited to release the 3.0 version of the Social-Engineer Toolkit (SET), Codename "#WeThrowBaseballs". This release has been one of the most challenging ones thus far, with the largest changelog, code rehaul, and feature set. I've literally been working on this for a solid three months. Please note that this is a major rehaul of the existing codebase, so there are bound to be bugs. Please report bugs to davek [at] secmaniac.com. There's really way too much to cover on what's changed, but here are a couple of major highlights (also check out the video!). It's truly humbling and inspiring to see how far SET has gone as a tool used by virtually every penetration tester and security-minded folks. I could never have envisioned what it's turned into and can't thank everyone enough for the support.
If you support SET, please vote for us on SecTools! http://sectools.org/tool/socialengineeringtoolkit/
1. Support for Windows - Tested on XP, Windows 7, and Windows Vista. Note that the Metasploit-based payloads do not work yet; when SET detects Windows they will not be shown, only RATTE and the SET Shell.
2. New attack vector added - QRCode Attack - Generates QRCodes that you can direct to SET and perform attacks like the credential harvester and Java Applet attacks
3. Improved A/V avoidance on the SETShell and better performance. I've also fixed the non-encrypted communications when AES was not installed
4. Added a number of improvements and enhancements to all aspects of SET, including major overhauls of the codebase, and moved from things like subprocess.Popen("mv etc.") to shutil.copyfile("etc")
5. Rehauled SET Interactive Shell and RATTE to support Windows
6. New Metasploit exploits added to SET
Those are the main highlights. Check out the video below:
Full changelog below:
~~~~~~~~~~~~~~~~
version 3.0
~~~~~~~~~~~~~~~~
* added the Adobe U3D memory corruption exploit from Metasploit to SET
* added new core library check_os for smart OS detection
* bug fix in Phishing using the smtp_client module (Thanks for the patch Stephen Haywood)
* rehauled set launcher to be windows compliant
* rehauled set-proxy to be windows compliant
* rehauled setup.py to be windows compliant
* rehauled setcore to be windows compliant
* added a new directory called thirdparty, this will dynamically import modules that are required versus having to install, if that fails you will have to manually download and install the depends
* removed the subprocess.Popen dependency in src/core/set.py; it is no longer needed and was converted to os.remove, os.makedirs, and shutil.copyfile instead
* Completely rehauled src/html/web_server.py so that it no longer needs pexpect. The goal is to move all depends away from pexpect as it is not supported on Windows. All code now resides in src/html/spawn.py and is multi-threaded and background threaded
* spawn.py uses multi-threaded webserver and rehauled to be windows compliant. pexpect is no longer used for windows systems as it is not supported, had to move to os.system for now, importing the module with thread locks caused lockup issues
* rehauled listener.py to be compatible with windows
* fixed a bug that would cause pexpect to not be found if selecting SET interactive shell (no longer needed)
* rehauled src/webattack/web_clone/cloner.py to be windows compliant; it now supports the java applet attack rewrite for websites fetched with wget
* changed set executable to cleanup program_junk but skip .svn which would cause conflicts, this works on both windows and nix based systems
* fixed a bug in the credential harvester: if the SSL dependency wasn't installed the code should have caught ImportError rather than IndexError. This was changed to ImportError, allowing normal execution while disabling SSL support
* rehauled src/webattack/harvester/scraper.py to be windows compliant
* rehauled src/webattack/harvester/harvester.py to be windows compliant
* added the ability to keep execution flow of the backdoored executable (thanks pure_hate), this is now configurable through the config/set_config but disabled by default
* added a new option in config/set_config to allow customized user-agent strings when doing web cloning. Some websites only support certain browser versions; this will allow you to change to whatever browser you want
* changed the user agent string from mozilla firefox 3.6 to be Windows 7 IE 8, more compatibility with websites: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
* removed the ability to be able to use spear phishing or wireless attack vectors on Windows for now
* converted src/webattack/web_clone/cloner.py to be the standard import for setcore, it was from src.core import setcore as core, changed to from src.core.setcore import *
* bug fix when launching java applet attack and metasploit in 3.0 would cause the listener to not spawn properly
* bug fix when selecting the SET interactive shell it would not copy the proper executable to pack/obfuscate
* bug fix that would cause the last exploit in spear phishing to not show a number
* changed some output on wget to use -O instead of standard moves to filenames, much cleaner
* major bug fix on how the listener and SET interactive shell handled non-encrypted communications
* added proper encryption/decryption routines to interactive shell and set listener
* added the ability to leverage partial encryption/decryption of communications to interactive shell and listener
* fixed a bug that would cause the shell to not work properly due to an invalid content length when parsing through payload
* fixed a bug that would prompt for port on SET interactive shell even after it was specified
* rewrote fasttrack mssql attack vector to be windows compliant - had to switch off pexpect and move to os.system with unthreaded http server modules
* added verbose messaging to attack vectors that are not yet supported for SET
* rehauled multiattack to support windows-based attacks - it also now prompts if invalid payloads are selected
* fixed a bug that when selecting menu 99 within multiattack, would say invalid selection. it now properly exits
* increased the response time for using the SET interactive shell, it now loads much quicker
* added a new config option to either use a staged downloader or download the SET interactive shell directly. This new feature is best for A/V detection but might be a little slower on what the user experiences. All of my testing shows that it isn't; however, I'm also not testing over the Internet. The main problem is the staged downloader does a download/exec which would get flagged by AV. The SET interactive shell on the other hand is a wrapped python interpreter so it's much harder to detect and flag with signatures. This new config option can be turned on to support staged configs if you aren't worried about A/V.
* added new options within payloadprep.py (SET Interactive Shell prep) to detect the new config change options and flag the SE Interactive Shell as the main staged downloader
* rewrote the Java Applet attack including the jar file to incorporate the straight staged downloader
* added a new attack vector that I've been promising for several months called the QRCode Generator Attack Vector.. Create a QRCode with a URL then create a SET attack vector to assist with the attack
* added new set menus to setcore so when you launch set there's some new ascii art... yeah, I got a little bored
* fixed a bug that would cause the new stager option to not work within the Fast-Track MSSQL bruter menu
* added a check to see if metasploit path was found, if not it will limit payloads only to SE Toolkit ones
* added better handling around metasploit path detection and trigger error message when msf path is not set
* added checking in set.py to detect attack vectors that require metasploit
* added a new cleanup routine that circles through directories cleaning up remnants of things saved out during normal operation
* rewrote portions of teensy payloads to support windows
* fixed a bug that would cause the menu to randomly not load properly (randrange was from 1 to 8 versus 2 to 8)
* added permission change to executable on ratteserver so that it will always function normally if execute flag is removed
* fixed a path issue with RATTEServer that would cause it to not properly load and flag an issue
* converted RATTEServer to os.system versus pexpect child.spawn - easily more portable and less reliance on a third-party module
* added RATTEServer for Windows (Cygwin mod) to support Windows operating system
* added RATTEServer to payload selection list to now be supported via windows operating systems
* added RATTEServer to payloadprep and spawn.py to deploy RATTEServer based on operating system i.e. windows/posix
* added the ability to import custom binaries into windows versus linux only mode
* fixed a bug in RATTEServer that would flag an error when spawning RATTE on Windows
* added a chmod +x routine per each run of a set instance if posix is detected. This will make it easier if certain permissions aren't set properly
* added the ability to natively copy ratteserver.binary and cygwin to program_junk to be run
* added payloadprep detailed error logging to the default log file being generated by SET
* rehauled java applet to add additional features and re-compiled and signed
* rewrote portions of shellcodeexec for better a/v avoidance
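The cross-platform file handling that the highlights and changelog describe (shutil.copyfile in place of shelling out to mv, a cleanup pass over program_junk that skips .svn, and an optional dependency guarded by ImportError rather than IndexError), shown here as an added illustration that is not SET's own code; the function names, the temporary directory layout and the sample file contents are constructed for the example.

```python
import importlib
import os
import shutil
import tempfile

def copy_without_shell(src, dst):
    """Copy with shutil.copyfile rather than subprocess.Popen("mv ...").
    The shell form parses the path strings as shell syntax and needs a Unix mv;
    shutil.copyfile treats them as plain data and works on Windows too."""
    shutil.copyfile(src, dst)
    return os.path.exists(dst)

def load_optional(module_name):
    """Import an optional dependency, returning (module, available).
    Catching IndexError instead (the bug noted in the changelog) would let the
    ImportError escape and abort the run instead of degrading gracefully."""
    try:
        return importlib.import_module(module_name), True
    except ImportError:
        return None, False

def cleanup_junk(root, skip=(".svn",)):
    """Delete files under root but never descend into version-control dirs."""
    removed = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=True):
        # prune in place so os.walk skips the listed directories entirely
        dirnames[:] = [d for d in dirnames if d not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            os.remove(path)
            removed.append(path)
    return removed

def demo():
    """Constructed scenario: a junk dir holding two files plus a .svn entry."""
    root = tempfile.mkdtemp(prefix="set_demo_")
    try:
        src = os.path.join(root, "sample.txt")
        with open(src, "w") as fh:
            fh.write("constructed sample data\n")
        copy_without_shell(src, os.path.join(root, "sample_copy.txt"))
        os.makedirs(os.path.join(root, ".svn"))
        with open(os.path.join(root, ".svn", "entries"), "w") as fh:
            fh.write("keep me\n")
        removed = cleanup_junk(root)
        return len(removed), os.path.exists(os.path.join(root, ".svn", "entries"))
    finally:
        shutil.rmtree(root)
```

Running demo() removes the two sample files, leaves .svn/entries untouched, and returns (2, True).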