[SET v5.1] The Social-Engineer Toolkit codename “Name of the Doctor”

The Social-Engineer Toolkit (SET) version 5.1 codename “Name of the Doctor” has been released. This version adds a complete rewrite of the MSSQL Bruter as well as a new attack vector utilizing the PSExec functionality within Metasploit.

The MSSQL Bruter now incorporates UDP port 1434 quick discovery by sending a specially crafted packet to MSSQL servers and returning the port automatically. This technique eliminates the need to port scan and quickly identifies the SQL server as well as what port the SQL server is listening on. In addition, SET has moved away from the _mssql python module and towards impacket from Core Security. Main reason for this is due to some instabilities in later versions of _mssql with execute_query() being broke as well as the functionality built into impacket makes it much easier to use.

In addition to utilizing impacket, originally in SET you had two options for payload delivery, the first being POwerShell and the second the binary 2 hex debug conversion attack vector. This has been changed to automatically detect if PowerShell is installed on the victim machine, if it is – SET will automatically deploy a PowerShell injection technique that has been completely rewritten in the MSSQL module. If it does not detect PowerShell, it will automatically revert back to the debug. Lastly on the MSSQL Bruter portions, performance has been increased significantly on the brute forcing, discovery, and deploying of payloads.

For a video of the features, check out below:

Vimeo: Video

A new attack vector build into SET is the new psexec attack vector inside the Fast-Track menu. During a penetration test, often times you may have credentials to a server and want Meterpreter on a wide scale level. The psexec traditional module gets picked up by Anti-Virus due to known signatures being used. You can either use the EXE::Custom advanced feature however it still doesn’t give you the ability to select RHOSTS (multiple IP addresses) unless you custom script it or through something like railgun. The newer module “psexec_command” allows you to specify RHOSTS as well as execute a command on the operating system. Inside of SET, the psexec attack vector will automatically created a meterpreter backdoor through PowerShell and deploy it to systems you have permission to (RHOSTS). You can either use a username and password that you’ve decrypted or the hash for the pass the hash attack vector.

In addition to the new attack vectors, a number of other improvements, bug fixes, and enhancements have been made in this release. For more on all of the changes, check out the changelog before:

Changelog v5.1

• when specifying a custom wordlist in SET – added the ability for ports to be specified ipaddr:portnum for example 192.168.5.5:2052 just in case a SQL server is not listening on 1433
• incorporated udp port 1434 enumeration instead of portscanning – much more faster and efficent – also finds ports that are not on port 1433 (thanks Larry Spohn)
• removed the src/core/portscan.py it is no longer needed
• added impacket as a dependacy – will be used for psexec command execution and TDS connections via mssql
• fixed an issue that would cause the import modules to not load properly when relaunching the MSSQL Brute attack
• improved the speed of the MSSQL brute attack on initial brute force
• completely rewrote MSSQL Brute to incorporate impacket – SET no longer uses the _mssql module – highly buggy in the latest versions
• improved udp 1434 detection capability by piping through the printCIDR function which will utilize CIDR notations when scanning
• incorporated new function called capture which will take stdout from function calls and present them as a string – important when doing regex in impacket
• streamlined the MSSQL bruter to automatically profile the system to determine if Powershell is installed, if so it will automatically do powershell injection, if not it will fall back to the Windows debug method for payload delivery
• rewrote the entire powershell deployment module – it now ties in to standard powershell shell payload delivery system
• added dynamic shellcode patching to the MSSQL bruter – now generates shellcode automatically, cast it unicode, then base64 encoding for EncodedCommand powershell bypass technique
• rewrote the hex2binary deployment method to support the new impacket method – it will now automatically deliver a binary based on the attack vector that you want to use
• shrunk the powershell injection code to fit properly within MSSQL xp_cmdshell one call
• added one line for xp_cmdshell disable which works on later versions of Windows
• removed the portscan functionality completely out of the MSSQL payload
• rewrote all portions of the MSSQL bruter to be fully impacket and removed the dependacy for _mssql from fast-track
• added new attack vector within the Fast-Track menu “PSEXEC Powershell Injection” which will allow you to specify psexec_command and compromise via direct memory injection
• added ability to set threads within the new PSEXEC PowerShell Injection technique
• added quick dynamic patching for the powershell injection technique for payloads
• added a new trustedsec intro ascii art that has the TS logo on it
• updated rid_enum to the latest github version inside SET

Download SET v5.1 “Name of the Doctor”

[SET Version 5.0] The Social-Engineer Toolkit "The Wild West"

Social-Engineer Toolkit (SET) v5.0 codename: The Wild West is a culmination of six months of development, bug squashing, and user feedback. New with this version includes a completely redesigned multiprocessing web server that handles non-rfc compliant HTTP information. The builtin SET web server would on occasion crash when receiving unexpected characters. The new version of the web server is stable, and significantly faster. This version if Kali Linux compliant (FSH) where all information is now moved and removed from src/program_junk and to your ~/.set home directory.

In addition to FSH structuring of SET, we have also added some significant performance and stability updates. For example, traditionally if you launched an attack, you would have to exit out of SET completely then relaunch. The dynamic importing has now changed to fix this and improve the ability to reuse modules.

For a full list of changes, the changelog can be found below:

~~~~~~~~~~~~~~~~

version 5.0

~~~~~~~~~~~~~~~~

* fixed a bug that would cause tabnabbing to throw an exceptions around check_options

* added setcore modules into tabnabbing to allow centralized routines

* fixed a bug that would cause webjacking to throw an exeptions around check_options

* added git clean -fd prior to set update, this will force a clean when pulling the latest files

* fixed a bug that would cause a system not setup properly when installing in setup.py

* fixed a bug on start_dns() upon launch will cause errors on certain systems

* added installation script for putting SET into /usr/bin and /usr/share for FSH compliant installer

* added set-update to the installation path, can type that anywhere now

* added set-automate to the list to be typed in anywhere

* fixed a bug that would cause the java applet method to not work a second time in use (reload)

* rewrote MASSIVE amounts of code to no longer use src/program_junk for storage of applications, its now all under ~./set

* fixed a os.chdir issue when using it to spawn a web server during java applet, moved to multi processing instead of threading.thread

* fixed a bug that caused credential harvester to throw an exceptions with the new ~./.set directory structure

* centralized setdir into the main repository to handle it through there and to call the ~/.set directory

* added additional passwords to wordlist.txt used for fast-track mssql brute forcing

* fixed a mssql access bug that would cause fast-track to error out if unspecified IP was added

* removed the pymssql check from the initial SET start and onto Fast-Track since it’s only used there

* turned java repeater to ON by default, much better success rate in SE pentesting

* rewrote large portions of payloadgen to incorporate the changes to the new ~/.set path variables

* added a new file structure to launch set called se-toolkit. The set executable is now depricated and should no longer be used – to launch set just type ./se-toolkit

* updated the setup.py installation to be more robust when performing installations (windows, etc.)

* moved all of the reporting structures within SET to the new ~/.set directory

* added a checkup routine in set and se-toolkit to check for the reports directory

* fixed a bug that would cause multi powershell injection to trigger even when using the powershell menu, it will just generate one now

* fixed an issue that could cause powershell injection to not work properly using the fast patch method

* fixed an issue that would cause definepath to not be specified when using the SE Toolkit Interactive shell

* fixed relative path issues in sccm_main and powershell teensy vectors to point to new .set directory

* fixed an issue that would cause the SE toolkit to hang on a weird bug when importing binascii – moved binascii to main import above and no longer hung

* fixed a before assignment error when using the windows debug conversion in the fast-track mssql menu (meta_path reference)

* changed reports directory within the teensy side to move to ~/.set/reports

* moved the report_generator in harvester to pull and report on the new ~/.set reports structure

* fixed an issue where webjacking would not post properly on certain websites (index2.html conflict issue)

* added the Metasploit MS13-009-IE SLayoutrun Use After Free Exploit to the Metasploit Brwoser Exploit attacks

* fixed a parsing issue with the JMX bean exploit in the SET menu text from appearing to be on one line

* added a new description on setting up sendmail for Kali Linux

* added a check for multi powershell injection and check for solo instances through powershell teensy and not to generate a ton

* changed the email handler from control-c to END instead. Control-C will break multiprocessing within src.html.spawn and this is the proper way to do it

* cleaned up setcore with old code and optimized other areas of the code base

* reduced the description of the allports payload when selecting in web attack method

* added a completely new and redesigned multi threaded and multiprocessing web server – should be significantly faster with less bugs and crashing when handling non-rfc compliant HTTP requests

* optimized applet load time to be much more efficent when being loaded into the web attack vector (about 4 seconds improvement)

* rewrote exceptions handler for the new web server to check to see if anything is running on port 80 when starting

* turned java repeater to on by default – more stable and tested on multiple platforms

* fixed an issue that would cause the java applet web cloner to fail upon running it twice – added reload(module) option to fix the bug

* fixed an issue that caused powershell.prep to not load if used twice

* fixed an import error when using powershell injection through the main menu

* changed initial set menu in powershell to be the standard setprompt

* changed the default port to 443 on powershell delivery in the set option number 10

* fixed an issue that would cause the powershell injection to spawn on port 22 versus 443 as specified

* removed the man left in the middle attack – no longer in use, outdated and not maintained

* removed beautifulsoup as a dependancy for SET due to the removal of man left in the middle

* added the ability to call the web server and stop it based on stop_server()

Download The Social-Engineer Toolkit (SET) v5.0

[SET v4.7] The Social-Engineer Toolkit

 

The Social-Engineer Toolkit (SET) version 4.7 codename “Headshot” has been released. This version of SET introduces the ability to specify multi-powershell injection which allows you to specify as many ports as you want and SET will automatically inject PowerShell onto the system on all of the reverse ports outbound. What’s nice with this technique is it never touches disk and also uses already white listed processes. So it should never trigger anything like anti-virus or whitelisting/blacklisting tools. In addition to multi-powershell injector, there are a total of 30 new features and a large rewrite of how SET handles passing information within different modules.

 

Change log for version 4.7

• removed a prompt that would come up when using the powershell injection technique, port.options is now written in prep.py versus a second prompt with information that was already provided
• began an extremely large project of centralizing the SET config file by moving all of the options to the set.options file under src/program_junk
• moved all port.options to the central routine file set.options
• moved all ipaddr.file to the central routine file set.options
• changed spacing on when launching the SET web server
• changed the wording to reflect what operating systems this was tested on versus browsers
• removed an un-needed print option1 within smtp_web that was reflecting a message back to user
• added the updated java bean jmx exploit that was updated in Metasploit
• added ability to specify a username list for the SQL brute forcing, can either specify sa, other usernames, or a filename with usernames in it
• added new feature called multi-powershell-injection – configurable in the set config options, allows you to use powershell to do multiple injection points and ports. Useful in egress situations where you don’t know which port will be allowed outbound.
• enabled multi-pyinjection through java applet attack vector, it is configured through set config
• removed check for static powershell commands, will load regardless – if not installed user will not know regardless – better if path variables aren’t the same
• fixed a bug that would cause linux and osx payloads to be selected even when disabled
• fixed a bug that would cause the meta_config file to be empty if selecting powershell injection
• added automatic check for Kali Linux to detect the default moved Metasploit path
• removed a tail comma from the new multi injector which was causing it to error out
• added new core routine check_ports(filename, ports) which will do a compare to see if a file already contains a metasploit LPORT (removes duplicates)
• added new check to remove duplicates into multi powershell injection
• made the new powershell injection technique compliant with the multi pyinjector – both payloads work together now
• added encrypted and obfsucated jar files to SET, will automatically push new repos to git everyday.
• rewrote the java jar file to handle multiple powershell alphanumeric shellcode points injected into applet.
• added signed and unsigned jar files to the java applet attack vector
• removed create_payload.py from saving files in src/html and instead in the proper folders src/program_junk
• fixed a payload duplication issue in create_payload.py, will now check to see if port is there
• removed a pefile check unless backdoored executable is in use
• turned digital signature stealing from a pefile to off in the set_config file
• converted all src/html/msf.exe to src/program_junk/ and fixed an issue where the applet would not load properly

 

It can also be downloaded through github using the following command: 
git clone https://github.com/trustedsec/social-engineer-toolkit/set/

[SET] Social-Engineer Toolkit v4.3 "Turbulence"

The Social-Engineer Toolkit (SET) v4.3 has been released today! This version is over two solid months of development and has over 60 new features, additions, fixes, and enhancements. Most notably is the new payload selection called “Multi-pyInjector”. Multi-pyInjector allows you to inject as many payloads as you want to into memory and select them all through the Social-Engineer Toolkit. In a number of situations where egress filtering may be stringent, the last thing you want is to get shut down by outbound connections. With the Multi-pyInjector technique, you can have native Metasploit payloads be directly inserted into memory realtime and without the need of touching the hard-disk.

In addition to the Multi-pyInjector, there is now a new configuration option called TRACK_EMAIL_ADDRESSES. When this is turned on, SET will automatically insert additional fields in the query string parameter of an email web attack. Say you are sending emails to 300 people and want to track the users that click the link. SET will automatically track the links and what they input on the website. This way, when doing social-engineer attacks you can track the users that click on the emails all through the SET interface. Note that this attack currently requires Apache, as the code written out is custom PHP. In later versions, we will be writing it so that it works within the SET HTTP server. When you turn TRACK_EMAIL_ADDRESSES to ON, SET will automatically located Apache and move all the appropriate files for you.

Next, in the previous version when generating alphanumeric shellcode or straight shellcode, SET would utilize Metasploit (msfvenom) to create the shellcode on each instance which caused a significant amount of time. In 4.3, the shellcode is dynamically patched and already generated. This cuts down on load times for generation and into SET by about 90 percent. If you watched the video above, you’ll notice that when you select your payloads and the generation of them takes less than a second. This is due to the new patching method in place in the SET core libraries.

There are way to many things to run through that’s new in this version. Optimized and faster loaded Java Applet, newly encrypted payloads, code cleanup, and more. Enjoy this version of SET brought to you by TrustedSec!

Download Social-Engineer Toolkit v4.3 "Turbulence"

[SET] Social-Engineer Toolkit 4.1.3

TrustedSec Release the latest version of Social-Engineer Toolkit (SET) as 4.1.3. As most of us know that, It is an open source, python-driven, social-engineering penetration testing framework of custom tools which solely focuses on attacking the human element of penetration testing.

It was designed in order to arm penetration testers and security researchers with the ability to effectively test heavily advanced social-engineering attacks armed with logical methods. The Social Engineer Toolkit leverages multiple attack vectors that take advantage of the human element of security in an effort to target attackers.

Change version 4.1.3:

* Added multiple checks when importing file, no longer exits the entire application

Download Social Engineer Toolkit 4.1.3:

svn co http://svn.trustedsec.com/social_engineering_toolkit set/