The Social-Engineer Toolkit (SET) v7.1 “Blue Steel” Released

TrustedSec is proud to announce the release of the Social-Engineer Toolkit (SET) v7.1 “Blue Steel”. This release incorporates a lot of new additions, improvements, and bug fixes. The most exciting feature is a large rewrite of the MSSQL Bruter attack vector. Originally this was written using impacket and the TDS module. This has been re-written to support python-pymssql which is compliant with python3. TDS didn’t support legacy SQL servers (2000) as well as heavy threading support. With python-pymssql its significantly faster to brute force MSSQL servers and has additional reliability.

Addition to the pymssql fix, there’s a number of additions to the MSSQL attack vector. First, the old Windows debug conversion method has been replaced with the Matthew Graeber technique of echoing a binary onto the system through the xp_cmdshell stored procedure in a — BEGIN CERTIFICATE — method, then using certutil to take the base64 encoded binary back to a binary using the certutil method (Original release on git from Matthew: click here). This means that there is more support and especially if PowerShell is not on the system. The PowerShell deployment method has also been significantly improved and consistently more reliable in the MSSQL bruter method.

Next, the MSSQL bruter option now supports space separated IP addresses in conjunction with CIDR notations, single IP addresses, ranges, and files. This allows multiple formats to be allowed when using the MSSQL bruter method depending on what you are using.

Another addition is the previous version of SET would rely on UDP port 1434 as a method for discovery on SQL servers. This was problematic in locations where UDP wasn’t allowed. Additionally older legacy versions would be spotty on if it would return an actual dynamic port for SQL servers. To address this the new method uses BOTH the UDP 1434 as well as the standard TCP 1433 discovery in order to identify if a SQL server is in place. This allows a much better discovery. Lastly, in the MSSQL bruter options, there is better handling and reporting on discovered SQL servers, as well as representation of port numbers and a full list to help pentesters with additional information.

Amongst other additions, RIDENUM has been updated to handle better when going after certain newer operating systems, multiple bug fixes, and additional features.

You can get the latest version by updating on the PenTesters Framework (PTF) immediately, or manually downloading from:

git clone

Full Changelog:

version 7.1

* added so you can use multiple IP addreses based on space on mssql bruter
* rewrote mssql bruter to incorporate pymssql
* rewrote delivery payload method to use certuil instead of windows debug method
* added better description around handling tabnabbing
* added better ability to handle powershell injection
* rewrote and moved off impacket to pymssql
* added import own binary for mssql deployment
* changed deployment method from old base64 conversion bypass to Matthew Graeber’s certutil binary method
* added option to import new file or metasploit file for meterpreter bypass method
* added better handling around binary injection technique for binary dropper method
* added better threading within brute forcing sql accounts
* fixed an issue where SET directory would not properly fill in dll hijacking and give invalid /root/.setsrc path instead of .set/src
* reduced file format generation counter to when it prompts error message
* fixed an issue in mssql bruter that would remove the port parameter when attempting to brute force
* added if udp 1434 is not found, it will fall back to nmap to discover if 1433 default port is open – ran into pentest where udp wasn’t allowed and missed SQL servers because of this
* added better handling and description of the SQL servers found during the test – might be useful for pentests to store that data somewhere
* added more improvements and handling around MSSQL server
* added latest version of ridenum to fasttrack
* changed to to be consistent with naming schema