Social Engineering Toolkit (SET) is a social engineering pen testing framework created by Dave (ReL1K) Kennedy. SET contains numerous tools to help pen testers test the human element during a security engagement.

We are going to cover the phishing capabilities of SET. To start off we will need to configure SET in Backtrack. Open /pentest/exploits/set/config/set_config in your text editor of choice.
nano /pentest/exploits/set/config/set_config
Set_config contains all of the configuration settings for SET. We are going to focus on configuring SET to work with sendmail. Look for SENDMAIL=OFF in set_config and change it to SENDMAIL=ON.
Next we need to ensure sendmail is installed by typing apt-get install sendmail. Answer yes when it asks you if you are sure you want to install.
To run SET navigate to /pentest/exploits/set and run ./set. If it ran correctly you should see a display like the one above.
Select 1) Social-Engineering Attacks from the list. You will then be prompted for the type of attack you would like to do.

Here we select 1) Spear-Phishing Attack Vectors. Now we are prompted to narrow down what type of spear-phishing attack we would like to perform.

We have selected 1) Perform a Mass Email Attack. Next we are presented with a list of payloads.

Here we select 11) Adobe PDF Embedded EXE Social Engineering. Now we need to select the type of PDF that we would like to use.

We select 2. Use built-in BLANK PDF for attack. Next we select what we want our payload to do.

Here we select 2) Windows Meterpreter Reverse_TCP. When the PDF is opened it will execute the reverse shell, causing the victim to connect back to you. Doing this gets around most users' firewalls, as most only monitor incoming connections. Next we are asked to provide which port we would like the victim to connect to.

We will use the default port of 443 for our connection. After setting the port you may be asked to start sendmail. Choose yes if this happens. Next we need to choose if we want to specify a file name for our loaded file.

We selected 1. Keep the filename, I don’t care to make it easy. If you are truly doing this in a pentest you may wish to change the filename to something that will get it launched. Next we need to select if we are emailing one address or doing a mass email campaign.

Here we selected 1. E-Mail Attack Single Email Address as we are only going to email one user. Now we need to choose if we are using a predefined template or if we want to create our own one time template.

Here we select 1. Pre-Defined Template. Now we are presented with a list of templates.

We’ll keep it simple and choose 8: Status Report. Depending on your target this may or may not work. Then we need to select who we are sending our email to. For demo purposes we are choosing tim.the.victim@gmail.com.

Now we are prompted to select how we want to send the email out. Here we select 1. Use a gmail Account for your email attack. This may not work, as Google may block the email due to the attachment type. Enter your gmail account credentials and then select whether you want to mark the email as high priority. Next you are prompted to start the listener, and the email is sent out. Now you just sit back and wait for the user to open the attachment, which then connects to your Metasploit listener. Check out our Using Metasploit post to learn about Metasploit.
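A mail-gateway or analyst-side triage check for the attachment type this walkthrough builds (a PDF carrying an embedded executable plus an action that launches it), as an added example that is not part of the original post or of SET. The sample PDF bytes are constructed here, and the list of risky name keys is a short illustrative selection, not a complete one.

```python
import re

# PDF name keys that carry code or payloads. Presence is a triage signal, not proof of malice.
RISKY_NAMES = (b"/EmbeddedFile", b"/Launch", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

# Constructed sample: catalog with an OpenAction pointing at a /Launch of an embedded .exe.
# The /EmbeddedFile key is written with a #46 hex escape ('F') to show name obfuscation.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (report.exe) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /Embedded#46ile /Length 4 >> stream\nMZ..\nendstream endobj\n"
    b"5 0 obj << /S /Launch /F (report.exe) >> endobj\n"
    b"%%EOF\n"
)
# Constructed benign sample with no actions or attachments.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes inside PDF name tokens so obfuscated keys still match."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count risky name keys and flag embedded files paired with an auto-run or launch action."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF: missing %PDF header")
    norm = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # Lookahead stops /JS from matching the start of a longer name.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", norm))
        if n:
            counts[name.decode()] = n
    # File names of attachments: the /F (string) entry of a /Filespec or /Launch dictionary.
    names = [m.decode("latin-1") for m in re.findall(rb"/F(?![A-Za-z])\s*\((.*?)\)", norm)]
    exe_like = [f for f in names if f.lower().endswith((".exe", ".scr", ".bat", ".vbs"))]
    suspicious = "/EmbeddedFile" in counts and (
        "/Launch" in counts or "/OpenAction" in counts or bool(exe_like)
    )
    return {"counts": counts, "embedded_names": names, "suspicious": suspicious}


if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
    print(scan_pdf(BENIGN_PDF))
```

The check is deliberately structural (name keys and file extensions) so it also catches attachments whose executable bytes have been re-encoded, which is the gap the first commenter below describes.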

Good post!
Something you haven’t included is encoding the payload. Almost all webmail and certainly corporate mail (with stuff like messagelabs) will pick up un-encoded payloads (and most of them are wise to Msfencoded ones too now, especially corporate ones – which are the only ones we should target during a pen test, right?). The toughest thing to get past in phishing is the filter, and SET out the box isn’t really that effective at doing this any more. Msfencode is a bit legacy now (and Msfvenom) and you’d be hard pushed to get a payload past most web/corp mail systems. In fact, gmail will block your payload before you send it in my experience (even encoded). I’m not saying this framework isn’t useful, just that if you’re wanting a malicious payload, you need to encode it or edit it in such a way that it won’t be detected by modern mail filtering, which is not Msfencode (or nothing, as you’ve used in this example). There are some really good AV avoidance techniques in PDFs using javascript, have a Google – well written though!
Good point! This was more of a get your feet wet tutorial as there are many options I did not cover. I encourage everyone to setup their own lab to hone their skills using SET. With that said creating your own template/payload is the only way to go when doing a pentest as you can craft it to your target. This includes avoidance of their AV.
Hello. Thanks for the tutorial!
I am trying to do something similar here, but it is not working. SET is not responding. Do you think this is some bug in SET, because I updated it to revision 1456?
Please take a look at my video to see my steps and to see what i mean:
I just tried your steps with 1458 and it worked as it should have. Update and try again.
Thank you for trying !
You mean it created the infected file? Where did it save it? Which directory?
Because nothing is saved in the pentest/exploits/set/src/program_junk directory.
Thanks again !
With version 1458 it proceeded to the next step of naming the file. Update and try it.
Just updated to 1461 and the same thing again. This thing is making me crazy.
After giving the port to connect to (443) I get this, as shown also in the video. From here
I don’t know what to do.
Generating fileformat exploit…
[*] Payload creation complete.
[*] All payloads get sent to the /pentest/exploits/set/src/program_junk/template.pdf directory
[-] As an added bonus, use the file-format creator in SET to create your attachment.
No previous payload created.
set:phishing> Enter the file to use as an attachment: #(1)
What file should I use at (1) when no file is created?
Where is this file saved?
Thanks !
Have you updated Backtrack?
No, since I first installed Backtrack 5 R2, which is the one I am using, on VMware, I haven’t updated it.
Doesn’t updating Backtrack mean a new installation of it? How can you update Backtrack otherwise?
Thank you for your time ! I really appreciate it !
Run apt-get update and apt-get upgrade. It is going to take some time. That should get you running.
Doing so…
Ok,
apt-get update
apt-get upgrade
I will let you know if the problem is still there.
Ok, now I am really frustrated. After updating Backtrack, the problem is still there.
SET, for some reason, is not working. Metasploit is working just fine. I did many things with Metasploit two days ago. Everything was working just fine.
SET is giving me a hard time.
Thank you anyway my friend!
The only thing that is created in the program_junk directory are these two files, which I don’t know what they are:
root@bt:/pentest/exploits/set/src/program_junk# ls
payload.options set.options
Hello!!
I tried all the steps… but always at the end it shows this:
“es|no]:noing> Flag this message/s as high priority? [ye
[!] Something went wrong, printing the error: name ‘body’ is not defined”
I want an answer please if you can!
Thanks!!!!
Have you updated to the latest version? If so you might want to hit up the guys at TrustedSec (https://www.trustedsec.com/). Dave and the guys have put in a lot of work into SET recently and they should be able to help you with your issue. They are usually available through IRC at #setoolkit on freenode.net.