December 17, 2012

The Social-Engineer Toolkit (SET) V4.3 "Turbulence" Released

Written by David Kennedy
Categories: Security Testing & Analysis, Social Engineering
The Social-Engineer Toolkit (SET) v4.3 has been released today! This version represents over two solid months of development and has over 60 new features, additions, fixes, and enhancements. Most notable is the new payload selection called "Multi-pyInjector". Multi-pyInjector allows you to inject as many payloads as you want into memory and select them all through the Social-Engineer Toolkit. In a number of situations where egress filtering may be stringent, the last thing you want is to get shut down by blocked outbound connections. With the Multi-pyInjector technique, you can have native Metasploit payloads inserted directly into memory in real time, without touching the hard disk.
The Social-Engineer Toolkit (SET) v4.3 "Turbulence" from David Kennedy on Vimeo.
In addition to the Multi-pyInjector, there is now a new configuration option called TRACK_EMAIL_ADDRESSES. When this is turned on, SET will automatically insert additional fields in the query string parameter of an email web attack. Say you are sending emails to 300 people and want to track the users that click the link. SET will automatically track the links and what they input on the website. This way, when doing social-engineering attacks you can track the users that click on the emails, all through the SET interface. Note that this attack currently requires Apache, as the code written out is custom PHP. In later versions, we will be writing it so that it works within the SET HTTP server. When you turn TRACK_EMAIL_ADDRESSES to ON, SET will automatically locate Apache and move all the appropriate files for you.

Next, in the previous version, when generating alphanumeric shellcode or straight shellcode, SET would utilize Metasploit (msfvenom) to create the shellcode on each run, which took a significant amount of time. In 4.3, the shellcode is already generated and dynamically patched. This cuts down load times for generation in SET by about 90 percent. If you watched the video above, you'll notice that when you select your payloads, generating them takes less than a second. This is due to the new patching method in the SET core libraries.

There are way too many new things in this version to run through them all: an optimized and faster-loading Java Applet, newly encrypted payloads, code cleanup, and more. Enjoy this version of SET, brought to you by TrustedSec!

~~~~~~~~~~~~~~~~ version 4.3 ~~~~~~~~~~~~~~~~

* Added print statements to exporting PowerShell injection attacks. When using the PowerShell attacks it will tell you the location of the file.
* Removed the autorun script for enumeration on OSX; it seems to break the host now.
* Added new SET routine metasploit_shellcode which has predefined, prebuilt Meterpreter payloads; this will completely speed up the generation time on pyinjector.
* Added new SET routine called shellcode_replace which dynamically sets the IP address and port in the shellcode.
* PyInjector no longer needs to dynamically create shellcode through msfvenom; the shellcode is now pregenerated and patched on the fly, speeding up payload delivery by at least 40 seconds.
* Sped up the PowerShell injection creation by adding the new creation routine that has predefined payloads already generated via shellcode, then dynamically changes the shellcode on the fly.
* Stabilized and added more Meterpreter payloads so that you have a choice between https, reverse_tcp, http, and allports.
* Recompiled the pyinjector payloads and encrypted / packed them with anti-debuggers.
* Recompiled the shellcodeexec payload and encrypted / packed it with anti-debuggers.
* Added a backup path for the credential harvester for the raw logs under src/logs/harvester.logs. In case there's an issue with the harvester not reporting back the findings, you can find the log in the backup directory under src/logs/harvester.log.
* Added a pause delay in the Fast-Track MSSQL attack vector so that sluggish systems can catch up with the payload delivery system.
* Removed a stale __init__.py file that wasn't needed in the SET root directory.
* Fixed a bug that would cause the authentication piece for open relays without password authentication to fail (thanks Jeremy).
* Cleaned up the smtp_web code and added more comments to the file.
* Re-issued the SET self-signed certificate for the Java Applet; it was expired.
* Cleaned up code in the Java Applet and obfuscated the code again.
* Added a check for wget; if installed it will clone better, otherwise it will use urllib2.
* Added new OSX/Linux deploy binaries; you can turn this on and off in the config if you don't want to generate OSX / Linux payloads. By default it will now remain off, which makes the load time to generate things significantly faster.
* Fixed a bug where pyinjector would die and cause a loop on the victim machine if closed improperly.
* Added brand new payload called MultiPyInjector which will inject multiple payloads into memory. You can dynamically add this now through the Java Applet attack vector and select as many payloads as you want.
* Fixed a bug with the multipyinjector that would cause certain areas to error out on a specified port.
* Fixed a patching bug for port 21 where patching the shellcode caused an error message.
* Encrypted and packed the multi-pyinjector payload and added anti-debugger technology.
* Added the ability to dynamically patch Metasploit payloads for the new MultiPyInjector payload. Uses the same method as PyInjector now.
* Added new config option called TRACK_EMAIL_ADDRESSES=ON/OFF which will now allow you to track email addresses through the SET web attack vectors. When you send out a large phish, the email address will be base64 encoded in the URL you specify within the toolkit. You will be prompted to insert where in the URL you want it; for example, say https://www.trustedsec.com was your normal phish link. You would specify https://www.trustedsec.com?INSERTUSERHERE. SET will then replace just the INSERTUSERHERE with the base64-encoded TO field of each victim. Once clicked, SET will then handle the requests and let you know which user clicked on each one in order to track them.
* Cleaned up the code in smtp_web and made it more readable for the mail function. Needed to be done while adding TRACK_EMAIL_ADDRESSES.
* Fixed a bug that would cause WEBATTACK_EMAIL to fail when using the credential harvester.
* Added track email addresses to the harvester and Java Applet attack vectors when TRACK_EMAIL_USERS is specified.
* Added base64 handling to the credential harvester and directly into an index.php versus index.html; needed in order to execute PHP code.
* Tested the new track email addresses with the credential harvester and made it, if track_email is on, automatically kick in Apache server mode and WEBATTACK_EMAIL without having to specify them in the config.
* Tested the new track email with the Java Applet and made it, if track_email is on, automatically set WEBATTACK_EMAIL and APACHE_SERVER to ON.
* Converted old code from legacy times around checking config files to check_config through the src/core/setcore routines.
* Tested SET 4.3 on Windows 8 fully patched on the various different attacks; everything appears to be working as anticipated. PowerShell injection is also working properly now with minor modifications.
* Added a check within the Java Applet to automatically disable Apache if it is already started.
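The TRACK_EMAIL_ADDRESSES marker described above is also visible to the defending side: every click leaves a request whose query string is the base64-encoded recipient address. As an added defensive example (not SET's code or part of this post), the following Python scans web-server access-log lines for that pattern; the log lines, client IPs and addresses are constructed, and the combined-log-format layout is an assumption.

```python
# Added example (not SET's code): flag access-log requests whose query string
# carries a base64-encoded e-mail address, as TRACK_EMAIL_ADDRESSES produces.
import base64
import re
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")  # standard or URL-safe
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

SAMPLE_LOG = [  # constructed combined-log-format lines, not real traffic
    '192.0.2.10 - - [17/Dec/2012:10:15:02 +0000] "GET /?YWxpY2VAZXhhbXBsZS5jb20= HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [17/Dec/2012:10:15:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [17/Dec/2012:10:16:40 +0000] "GET /?q=aGVsbG8gd29ybGQ= HTTP/1.1" 200 80 "-" "curl/7.26"',
    '192.0.2.13 - - [17/Dec/2012:10:17:01 +0000] "POST /login.php?u=Ym9iQGNvcnAuZXhhbXBsZQ%3D%3D HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def decode_email(token):
    """Return the e-mail address `token` base64-decodes to, else None."""
    if not B64_RE.match(token):
        return None
    std = token.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)  # restore padding a key=value split may drop
    try:
        text = base64.b64decode(std, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both land here
        return None
    return text if EMAIL_RE.fullmatch(text) else None

def query_candidates(path):
    """Yield each query piece that could hold the address: the bare ?<b64> form and key=value parts."""
    for part in urlsplit(path).query.split("&"):
        part = unquote(part)
        yield part
        if "=" in part:
            yield from part.split("=", 1)

def find_tracked_emails(log_lines):
    """Return (client_ip, request_path, decoded_email) for each flagged line."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for token in query_candidates(match.group(1)):
            email = decode_email(token)
            if email:  # one hit per request is enough to raise an alert
                hits.append((line.split(" ", 1)[0], match.group(1), email))
                break
    return hits
```

Feeding real proxy or Apache logs into find_tracked_emails() gives the list of internal recipients who clicked, which is the same information the campaign operator collects and the first thing an incident responder needs.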