Today we release a new version of the Social-Engineer Toolkit (SET) v7.2 codename: “Wine and Gold”. For non-Cavs or non sports ball fans – apologies but couldn’t resist. This version has a number of enhancements and additions and represents over two months worth of development. Based on the show “Mr. Robot” which we think is awesome – they utilized a technique called SMS spoofing which was removed in old versions of SET. Since the shows release, we’ve seen a number of folks asking for it back so we’ve including the SMS spoofing package back in this version of SET (v7.2). In addition, there has been a number of improvements including the HTA attack vector obfuscation, reliability, and payload delivery, better handling of the attack vectors and more. In addition there is a new config option (located under /etc/setoolkit/set.config) which is called WGET_DEEP. This option will clone a website and its images which allows for at times better handling for cloning websites. To turn this on, edit your /etc/setoolkit/set.config file (which is automatically updated when updating to the latest) and turn WGET_DEEP to ON. When using the website attack vectors (cloner.py) this will automatically go through and pull the entire website structure.
Some additional things that have changed – better compatibility around python 3, MS08-067 relies on the Metasploit exploit now vs the python one which was old. Additionally theres a new startup menu which if the version of SET you are using is out of date, it will let you know that theres a new update available.
Full changelog below:
* fixed an issue on installer not copying SET directory properly (why was I moving a file and … nevermind.)
* changed delay time for HTA attack vector from 3 seconds to 10 seconds to allow proper loading
* added wording when using gmail and application specific passwords
* rewrote ms08-067 instead of being the python exploit to use the metasploit default which is much more reliable
* re-introduced the SMS spoofing method (now option 10) – it has been optimized and reduced to only use SMSGang as a main provider.
* added ability to add your own attachments via file format attacks instead of having to use the ones built in
* added ability to add your own attachments via mass mailer attack vector
* added new config option called wget_deep and incremented config to 7.2 – this will allow 1 deep download wgets
* added ability to select on deeper wgets through web cloner in the web attack vectors – this will allow you to clone the site and not just the index.html which might be better.. to enable this edit /etc/setoolkit/set.config and turn WGET_DEEP to on.
* added a new check upon startup (which may delay the start of set for a couple seconds, but it will check to see if there is a new version of SET available for you automatically – this is displayed on the main launcher UI when you first start SET
* fixed setup.py a bit to reflect more on whats out there.. I may convert this to a standard setup installer eventually
* updated the licensing agreement – should check it out =)
* changed the default payload in HTA and Java Applet attack to be reverse_https instead of reverse_tcp (although both can be specified)
* number of fixes around spacing for python3 and python3 compatibility (urllib)
* removed string decode on HTA attack vector which is no longer needed in python3 (and python2)
* changed urllib2 to import urllib instead for python2 and python3 compatibility in setcore
* changed encoding techniques to bytes instead of strings for python3 compatibility
Author: David Kennedy
Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.