We are proud to release the latest version of the Social-Engineer Toolkit (SET) version 4.1 codename “Gangnam Style” (you have to do the dance when using SET now). This version has a number of new enhancements including the ability to natively use Apache with the multiattack combining the Java Applet Attack and the Credential Harvester. Traditionally speaking, the credential harvester attack could only be used by the native SET HTTP server. We recently developed a php hook that gets copied over to the web root along with the standard Java Applet attack. If the Java Applet fails, the backup for credential harvester can be used. In addition, a number of stability updates were given to the standard Credential Harvester attack. The harvester now supports multi-threading for faster response times when hitting the website. All-in-all this release adds a ton of new functionality and features. In addition to these changes, the Metasploit Meterpreter ALLPORTS payload is now supported through the PyInjector and ShellCode Injection techniques for the Java Applet. Lastly, we’ve added a new Java Applet that has been redesigned and heavily obfuscated. Enjoy!
Once of the most effective attacks it the credential harvester or the Java Applet. Did you know you can use both? By selecting the multi-attack vector and turning on the Java Applet and Credential Harvester together works amazing. A couple of things to note when you do this. There are a couple of configuration options you will most likely want to change. The first:
1. If this is a large organization, consider using the APACHE_SERVER mode. This will move the appropriate files to the Apache directory. From here, a file will be exported in the web root as harvester_
2. You will probably want to turn off the AUTO_REDIRECT and JAVA_REPEATER. If they end up hitting cancel. They will still end up placing their username and passwords into the field. To do this edit the config/set_config and turn AUTO_REDIRECT and JAVA_REPEATER to OFF.
To download the Social-Engineer Toolkit, here over to here!
* Removed the Java Exploit from being built into the Java Applet. Being detected by to many AV vendors.
* Added core libraries to the scraper, needed for check_config and apache mode checks
* Added check for apache mode within harvester, will move new php customize script to apache directory and extract under different directory
* Rewrote new check mechanism in scraper for config checks and cleaned up code
* Fixed a bug that would cause the verified signature import to error out when selecting number 9 in the web attack menu
* Added a custom php script into harvester that allows you to check harvested credentials through apache
* Added compatibility with multiattack and apache mode for credential harvester and java applet combined
* Fixed the allports payload, really buggy at first with powershell injection, got it more stable
* Added better stability for the credential harvester to handle exceptions when being passed certain pieces of data including null connections
* Added better stability on the multiattack credential harvester php and applet attack
* Fixed a bug that would cause payload selection to not work correctly when using pyInjector
* Added so the peensy attack will prompt for an IP address and rewrite the pde file for the appropriate IP addresses
* Added datetime on teensy devices so they don’t overwrite the teensy.pde files anymore
* Added better encoding into the java applet attack vector
* Added better packing and encryption on the pyinjector attack, loads super fast now when executing applet
* Added better reliability in the Java Applet
* Even more improved load times for the Java Applet and executable execution
* Added anti debugger and encryption to the initial staged downloader which is used for fast loading of payloads
Author: David Kennedy
Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.