September 12, 2011

The Social-Engineer Toolkit (SET) v2.1 being released at DerbyCon

Written by David Kennedy
Security Testing & Analysis Social Engineering
Wow. We have been busy on this one. Overall, this is probably one of our largest releases to date. We just came out with 2.0, so we couldn't just bump it to 3.0 :-) But needless to say, consider this a major release. There are literally over 15 new features, new attack vectors, and one really, really big surprise for DerbyCon. To cover a few of them: one of the problematic parts of any major tool is anti-virus detection. A while back Bernardo Damele (http://bernardodamele.blogspot.com/) came out with shellcodeexec, which is essentially a standalone binary that takes alphanumeric shellcode as an argument. The shellcode is read in and written straight to memory. I've rewritten the Java Applet to incorporate this vector, which allows payloads to be shot straight into memory without ever touching disk. The implications of this are huge, as anti-virus should no longer trigger on Metasploit-based payloads within SET or the Java Applet attack.
Secondly, the development team decided to merge Fast-Track into SET. You will now have the capability of leveraging several of the attacks from Fast-Track directly within SET. That said, not everything has been converted. We decided to completely rewrite everything within Fast-Track; there is essentially no line of code that is the same, it has been rewritten from scratch. The main reason for this was that Fast-Track was my first Python project and wasn't scalable. We have since built SET to be modular and more robust on code reuse, and in order to leverage everything we had built, a complete rewrite made the most sense. Right now the Metasploit Autopwn Automation, MSSQL Bruter, and Custom Exploits have been added to the menus. More to come. There are many more things added in this release, but those were the main highlights. We are also adding one more HUGE thing that you will have to wait for DerbyCon to find out about. Let's just say it will be amazing. Video below:
Change log thus far (more to come):

* Added new menu for fasttrack integration
* Defined new folder structure for fasttrack integration
* Overhauled the initial menu to slim it down and break it into social-engineering attacks versus Fast-Track attacks
* Added new core module through setcore called kill_proc
* Added new core module through setcore called meta_database
* Added new autopwn functionality through fasttrack/autopwn.py; with the addition of fasttrack, the code is being completely redone, nothing will be the same
* Added a new config option called METASPLOIT_DATABASE. This is the database type to use with Metasploit; default is postgresql
* Restructured normal SET to be a new main menu versus just a calling stager. set.py and fasttrack.py will be the two main files for the functionality behind SET
* Added scapy packet manipulation tool into src/core for in-depth protocol creation later on
* Added portscan.py into core; this is a fast port scanner that will be used instead of leveraging third-party modules
* Added new mssql module for port scanning MSSQL through the fasttrack menu
* Added IP validation in the portscan to check if a single IP address is legitimate
* Added new definition scan() into the fasttrack mssql module
* Added _mssql module as a dependency and updated setup.py to include it during installation
* Added new core module check_mssql() to ensure proper import of pymssql for Fast-Track attacks
* Added new definition brute() for MSSQL brute forcing within fasttrack
* Added the ability to use an MSSQL shell for raw queries against Microsoft SQL based systems
* Added the ability to use either the PowerShell or the h2b attack method via Windows debug in the SQL bruter
* Added new function call launch_hex2binary in the mssql module in fasttrack
* Fixed a bug in the interactive shell where quitting caused a global exception due to socket(AF) versus socket.socket(AF). It no longer throws an exception
* Added all payloads from SET, including interactive shell, RATTE, and others, into the MSSQL Bruter in Fast-Track
* Added the ability to leverage PowerShell to deploy on Windows 7 and Server 2008 x64 systems where debug is removed
* Added the ability to use Metasploit based payloads within the MSSQL bruter
* Added a background non-threaded HTTP server to keep alive when SET runs the MSSQL bruter
* Added a new exploits section to the Fast-Track menu; this will be the ultimate home for custom exploits and such
* Added MS08-067 to the new exploits section in the fasttrack menu
* Added the Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7) in the fasttrack exploits menu section
* Added additional spacing around the SET interactive shell to clear it up a bit when doing menu selection
* Added the ability to trigger the automatic re-enabling of the xp_cmdshell stored procedure if disabled
* Added the Apple QuickTime PICT PnSize Buffer Overflow from Metasploit to the Spear-Phishing attack vector
* Added the Mozilla Firefox 3.6.16 mChannel use after free vulnerability from Metasploit into the Metasploit Browser attack vector
* Added the Apple QuickTime PICT PnSize and Firefox 3.6.16 mChannel use after free to the SET web interface
* Fixed the menu structure around the web GUI to reflect the new menu change, with 1 being social-engineering attacks versus all on the initial screen
* Added the latest Teensy attacks into the web GUI; includes gnome wget, binary 2 teensy, sdcard teensy, and X10 Arduino jammers
* Added an awesome new option in the Java Applet attack vector: it will allow you to select shellcodeexec, which means the Java applet will now deploy shellcodeexec and then execute alphanumeric shellcode. Meterpreter will never touch disk!
* Rewrote the Java applet quite a bit to reflect the new changes
* Added new options in payloadgen for the Java applet's new menu structure for shellcodeexec
* Fixed a bug that caused the create-a-fileformat-payload option to error out when specifying certain payloads
* Added a similar format to the new menu structure in the SET interactive shell
* Fixed some carriage return issues within the SET interactive shell