The Social-Engineer Toolkit or as its more commonly known (SET) was created by the founder of TrustedSec, Dave Kennedy. Dave is also one of the founders of DerbyCon, a security conference that occurs in Louisville every year. It is a great CON and I encourage people to check it out.

Its an open-source tool written in python that is intended for Social Engineering focused Penetration Tests and integrates heavily with Metasploit.

SET was included in BackTrack 5 and the Kali Linux distribution. If you want to pull it down manually it can be downloaded on github using the below command.
git clone set/


One of the many great features within SET is its ability to clone a site for various Social Engineering attacks. SET can clone a site of your choosing or use one of its
built in templates.



From this point you can choose what attack vector you would like to use. In the below example we will be using the Java Applet Attack method
and tell set to provide a reverse meterpreter session back to the attacker via the Java applet. This is a very basic example of what SET can do, but it
shows how SET helps penetration testers and social engineers.

Because after all who wouldn’t click a Java Applet that told you it was TRUSTED? You can also see how by default SET assists with Egress busting by
attempting to connect back out using multiple ports commonly allowed outbound by most firewalls.

In this second example SET can again use one of its templates or clone a site of your choosing, but instead of getting shells we will harvest
user credentials. A good use case for this on a pentest would be sending a spear phishing email to a target along with a link, or using DNS redirects
to send them to your cloned site. Think OWA or remote access portal login pages.


The newest version as of the time of this post adds a complete overhaul of the PowerShell injection techniques inside SET and adds a new automatic process downgrade attack detailed here:

The updated version of the attack will automatically detect if PowerShell is installed (Which it should be by default on Windows Vista, 7, 8, and Server 2008).
If it detects that the host is 64-bit it will automatically downgrade the process to 32-bit for native shellcode injection. This is a huge help
for penetration testers, since before most had to create the attack targeted for both platforms (x86 and x64) with listeners waiting for the shell to return
to the one that executed successfully. ie Before you would need to multi/handlers on two different ports waiting for you session to come back.