« Previous 1 2 3 4 Next »
Guarding against social engineering attacks
Persuasion
Man, Well
In the user manual, the author talks about the rationale behind not using command-line options but instead presenting the user with a menu-driven set of options: "The decision not to make it command line was made because of how social-engineer attacks occur; it requires multiple scenarios, options, and customizations. If the tool had been command-line based it would have really limited the effectiveness of the attacks and the inability to fully customize it based on your target."
The manual I downloaded refers to an earlier version, but it's easy to grasp any subtle menu differences in the menu options. After you've moved around the menu and submenus for a while, you'll see a heap of clever ASCII art. The menu in Figure 5 was presented on my current version when I chose the Social-Engineering Attacks option.
At the risk of not doing SET the justice it deserves, I'll quickly look at what some of the options might do in the hope that you'll explore the others yourself in the future.
Teach a Man to Fish
From option 1 on the menu shown in Figure 5, you enter the Spear-Phishing Attack Vectors submenu. The prompt then changes from set> to set:phishing> , offering just enough information to know where you are and what you are doing. Figure 6 shows the spear phishing choices.
If you follow option 1 and let SET do all the heavy lifting, you're presented with the payload options shown in Figure 7. As you can see, you have a great deal of choice across a number of formats.
In an effort to encourage you to try SET yourself, I leave it to you to drill further down into the other options – for testing purposes only, of course.
More, More, More
The Infectious Media Generator
social engineering attack immediately presents some useful information (Figure 8). As you can see, all types of popular media (USB sticks/drives, CDs, and DVDs) are the targets in question. An autorun.inf
file is used for this particular attack, in which a payload is created on request in one of two formats. Note that the prompt has dropped into the informative set:infectious>
mode.
Option 8 of Figure 5 presents a QRCode generator (Figure 9) that lets you craft a URL to embed into a QRCode, which could be something as nefarious as a Java applet that's then sent out by email.
From the uppermost level of Figure 4, I'll move on to Penetration Testing (Fast-Track) . Those of you familiar with penetration testing will have heard of Fast-Track, which I was sad to see didn't seem to have a live website any longer. As you can see in Figure 10, the options it brings to the table to complement SET are comprehensive and useful for security auditing.
From customized exploits through SQL brute-forcing, you'll find a number of interesting options worth exploring.
By now you should be able to tell I'm a big fan of SET. Hunting through some of the more obscure options, I even found an attack on Google Analytics, seemingly with a fully fledged user manual included. In Figure 11, you can see what's available from this submenu option (hidden under the Third Party Modules option).
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)