Automation is the key to success in many disciplines, and in the hacking world, a social engineering toolkit is considered invaluable by both cyber criminals and ethical hackers alike. The Social-Engineer Toolkit (SET) is an open source solution driven by Python and preinstalled on Kali Linux, which is considered the best Linux distro for penetration testing. It is possible to install it on any Linux distro, but you may need to install other prerequisite software first. Search "SET install + your Linux distro" to verify the requirements before installing SET.
It is worth noting that SET has been downloaded more than two million times, which equates to a host of hackers (ethical or otherwise) with a range of tools that target human error in any home or office network environment. Should we be worried? How complex is this software? What functions are included? Here's what you need to know.
To combat attacks from a social engineering toolkit, we first need to understand social engineering. Social engineering is the exploitation of human weakness using a variety of techniques that may include (but are not limited to) phishing, dumpster diving, on-premise hacking, social media research, brute-force attacks or injection attacks. In all cases, the agenda is the same: to obtain usernames and passwords from target users. The use of a social engineering toolkit, such as SET, provides an automated solution for many attack vectors (including spear phishing, website attacks, mass mailers, SMS spoofing, wireless access points and QR codes) by means of a user-friendly GUI.
There are many examples of how to use SET successfully on YouTube, but I have selected one that encourages a standard nontechnical user to log into a fake Facebook page. In less than five minutes, the hacker can gather the target username and password. IT pros have little to worry about from this type of blatant attack, but what about your network users? A second example demonstrates how to take over a Windows 7 computer, showing the level of control that can be easily acquired remotely. Everything from webcams, microphones and screenshots to file access and registry edits is now possible, all because the target clicked on a single link.
In the penetration testing world, hackers attempt to exploit your weakest link, normally nontechnical or careless employees. It is my opinion that IT pros will generally not fall for any attempted hack that involves clicking on a link or logging into a cloned site. However, it is fair to say that we must protect our networks by educating employees, perhaps by using SET to test specific targets and by openly demonstrating how various techniques are used.
One Toolkit to Rule Them All
Hackers are not seeking a 100-percent success rate and are happy with the small percentage of users that respond to scam emails, phishing attacks and dummy login pages. SET also allows you to create fake wireless access points, rootkits, executables and PowerShell exploits that bypass antivirus solutions. In addition, it can perform network penetration testing, identifying areas that are vulnerable to attack. Once identified, the hacker is free to roam your network and gather any data considered worthy of download.
Perhaps the most worrying aspect of the ready availability of social engineering toolkits is that the skills needed to use them effectively are not limited to advanced coders. You just need to know basic Linux commands, which can be picked up in minutes. However, the tools are designed for ethical use and every company should test their networks for vulnerabilities using the pen-testing features. After you have solved any identified vulnerabilities, it is also worth testing your staff. If successfully hacked, you will need to resort to security awareness training for all your users.
Doug Fodeman, the content director and co-owner of The Daily Scam, also believes in the importance of user training. In a Digital Guardian article, he says, "I have found that educating employees about the threats that target them is MORE important than hardware and software defenses. And it isn't difficult to teach employees the simple methods to recognize threats such as mouse-over skills and understanding the anatomy of an email address or domain name."
Are you prepared to test your company's social engineering defenses using SET?