Guarding against social engineering attacks

Persuasion

Man, Well

In the user manual, the author talks about the rationale behind not using command-line options but instead presenting the user with a menu-driven set of options: "The decision not to make it command line was made because of how social-engineer attacks occur; it requires multiple scenarios, options, and customizations. If the tool had been command-line based it would have really limited the effectiveness of the attacks and the inability to fully customize it based on your target."

The manual I downloaded refers to an earlier version, but it's easy to grasp any subtle differences in the menu options. After you've moved around the menu and submenus for a while, you'll see a heap of clever ASCII art. The menu in Figure 5 was presented on my current version when I chose the Social-Engineering Attacks option.

Figure 5: A list of social engineering attacks.

At the risk of not doing SET the justice it deserves, I'll quickly look at what some of the options might do in the hope that you'll explore the others yourself in the future.

Teach a Man to Fish

From option 1 on the menu shown in Figure 5, you enter the Spear-Phishing Attack Vectors submenu. The prompt then changes from set> to set:phishing>, offering just enough information to know where you are and what you are doing. Figure 6 shows the spear phishing choices.

Figure 6: How to target heaps of people with malicious email.

If you follow option 1 and let SET do all the heavy lifting, you're presented with the payload options shown in Figure 7. As you can see, you have a great deal of choice across a number of formats.

Figure 7: The payload options for a spear phishing attack are plentiful.

In an effort to encourage you to try SET yourself, I leave it to you to drill further down into the other options – for testing purposes only, of course.

More, More, More

The Infectious Media Generator social engineering attack immediately presents some useful information (Figure 8). As you can see, all types of popular media (USB sticks/drives, CDs, and DVDs) are the targets in question. An autorun.inf file is used for this particular attack, in which a payload is created on request in one of two formats. Note that the prompt has dropped into the informative set:infectious> mode.

Figure 8: The Infectious Media Generator option means your USB stick is going to be needing some medical attention soon.
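From the defender's side, the autorun.inf file mentioned above can be audited before a removable drive is trusted. The following is an added example, not code from SET or from this article; the function names and the sample file contents are constructed for illustration.

```python
import os
import re
import sys

# [autorun] keys that make Windows start a command (documented autorun.inf entries).
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample for illustration; not output generated by SET.
SAMPLE = r"""
; comment line
[AutoRun]
open=program.exe
icon=drive.ico
shell\explore\command=program.exe /s
[Other]
open=ignored.exe
"""

def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lowercased."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are matched case-insensitively.
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries

def launch_entries(text):
    """Return only the entries that would start a program."""
    return [(k, v) for k, v in parse_autorun(text)
            if k in LAUNCH_KEYS or SHELL_VERB.match(k)]

def audit_media(root):
    """Check the root of a mounted volume for an autorun.inf file."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            # Assumption: UTF-16 with a BOM, otherwise a single-byte encoding.
            enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
            return launch_entries(data.decode(enc))
    return []

if __name__ == "__main__":
    for key, cmd in audit_media(sys.argv[1]) if len(sys.argv) > 1 else launch_entries(SAMPLE):
        print(f"launch entry: {key} -> {cmd}")
```

Run it with the mount point of the drive as the only argument; any line it prints is a command the media asks the system to start.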

Option 8 of Figure 5 presents a QRCode generator (Figure 9) that lets you craft a URL to embed into a QRCode, which could be something as nefarious as a Java applet that's then sent out by email.

Figure 9: QRCodes are still all the rage for reasons that continue to escape me.

From the uppermost level of Figure 4, I'll move on to Penetration Testing (Fast-Track). Those of you familiar with penetration testing will have heard of Fast-Track, which I was sad to see didn't seem to have a live website any longer. As you can see in Figure 10, the options it brings to the table to complement SET are comprehensive and useful for security auditing.

Figure 10: Fast-Track's options complement SET's features nicely.

From customized exploits through SQL brute-forcing, you'll find a number of interesting options worth exploring.

By now you should be able to tell I'm a big fan of SET. Hunting through some of the more obscure options, I even found an attack on Google Analytics, seemingly with a fully fledged user manual included. In Figure 11, you can see what's available from this submenu option (hidden under the Third Party Modules option).

Figure 11: The Google Analytics attack is complete with a user guide to get you started.
