Skip to Main Content
July 22, 2012

The Social-Engineer Toolkit (SET) v3.5.1 has been released.

Written by David Kennedy
Security Testing & Analysis Social Engineering
The Social-Engineer Toolkit (SET) v3.5.1 has been released. This version adds the ability to us the SET config to not deploy binaries to the victim machine through the Java Applet. The new configuration option can be found under config/set_config and DEPLOY_BINARIES. By turning this off, SET will rely solely on the POWERSHELL_INJECTION technique for compromising the victim machine. This means that you have the ability to never touch disk period during the Java Applet attack. In addition, AUTO_MIGRATE=ON has been turned on by default and will automatically migrate to a different thread/process. In IE10, IE would freeze periodically causing issues. Even though JVM is running in a separate thread pool, it would still cause freezing intermittently. The SET Command Center (web interface) had a bug fix to allow it to work properly. Full changelog below: ~~~~~~~~~~~~~~~~ version 3.5.1 ~~~~~~~~~~~~~~~~ * Fixed a bug in command center that would cause it to not load properly. * Fixed a bug in the new Java Applet Field Bytecode that would cause it to not properly select the payload * Added compatibility for IE10 on the Java Applet Attack Vector * Turned AUTO_MIGRATE=OFF to AUTO_MIGRATE=ON by default, allows sticky processes to free up when exploitation occurs * Added a new config option DEPLOY_BINARIES. When this is turned OFF, the Java Applet will only use the POWERSHELL_INJECTION technique and never deploy a binary. Note that you must know if the victim has POWERSHELL installed. * Fixed a couple typos in the credential harvester