Social Engineering Toolkit


It is a common saying in information security that users are the vulnerability that can never be patched. Put all the security controls in place that you want, but if an employee can be convinced to give up sensitive company information, it is all for naught. In fact, many of the most famous hacks include no system exploitation at all.

For example, consider notorious hacker Kevin Mitnick. Many of Mitnick’s most famous exploits came down to walking into a building, convincing the security guard he had permission to be there, and then walking out with what he wanted. This kind of attack, called social engineering, exploits human vulnerabilities: a desire to be helpful, unawareness of security policies, and so on. 

Social-engineering attacks can involve complex technical requirements or no technology at all. A social engineer can buy a cable guy uniform at the thrift store and potentially walk into an organization, and even into the server room. The IT help desk can receive a frantic call from the boss’s assistant, who claims to have locked himself out of his webmail account. People generally want to be helpful, so unless there is a secure policy in place, the help desk worker may read back the password over the phone or set it to a default value, even though the caller is not who he says he is.

A common vector for social-engineering attacks is email. If you are ever short on entertainment at work, check out your email spam folder. Among the advertisements to make some things bigger and others smaller, you will find people trying desperately to give you all their money. Attempting to trick a user into giving up sensitive information by posing as a trusted person via email or other electronic means is known as a phishing attack. Phishing emails can be used to lure targets to visit malicious sites or download malicious attachments, among other things. Social-engineering attacks are the missing element needed to trick users into falling victim to the client-side attacks.

The Social-Engineer Toolkit

TrustedSec’s Social-Engineer Toolkit (SET), an open source Python-driven tool, is designed to help you perform social-engineering attacks during pentests. SET will help you create a variety of attacks such as email phishing campaigns (designed to steal credentials, financial information, and so on using specially targeted email) and web-based attacks (such as cloning a client website and tricking users into entering their login credentials).

SET comes preinstalled in Kali Linux. To start SET in Kali Linux, enter setoolkit at a prompt, as shown:

Note: If this is your first time using the toolkit, you will get a prompt to accept the terms and conditions.

After running the setoolkit command you'll get a menu as shown:

Spear-Phishing Attacks

We’ll use SET to run social-engineering attacks, so enter a 1 at the prompt to move to the Social Engineering Attacks menu. The Social-Engineering Attacks menu gives us several attack options as seen:

 We’ll create a spear-phishing attack, which will allow us to create malicious files for client-side attacks, email them, and automatically set up a Metasploit handler to catch the payload.

Select option 1 to choose Spear-Phishing Attack Vectors. The Spear-Phishing Attack Vectors menu is seen as:

The first option, Perform a Mass Email Attack, allows us to send a malicious file to a predefined email address or list of addresses as well as set up a Metasploit listener for the selected payload. The second option, Create a FileFormat Payload, lets us create a malicious file with a Metasploit payload. The third option allows us to create a new email template w to be used in SET attacks.

Choose option 1 to create an email attack. A selection of payload options is shown as:

In this example we'll use option 14 Adobe util.printf() Buffer Overflow to create a PDF attack. We Will be prompted to choose a payload for the malicious file. This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf() entry, an attacker may be able to execute arbitrary code.

The usual suspects are all here, including Windows Meterpreter Reverse_ TCP. We’ll choose this option for our sample attack.

After this, it's better to change the name of the file so that the likeliness of the targeted user opening the file increases.

Here, we have to select single or mass attack. We are going to proceed with attacking a single email address. After that we can select a predefined template for the email and then we have to give the address we want to send the pdf to.

 After that we get an option to use a gmail account or an open relay/own server to send the mail. and then give the details about the account. It is better to use own server as there is a high chance that google will block the malicious mail.

After that, we can setup a listener 

Now we wait for a curious user to open our malicious PDF and send us a session. Use ctrl-C to close the listener and type exit to move back to the previous menu.

Web Attacks

In this section we’ll look at web-based attacks. Return to the Social Engineering Attacks menu and choose option 2 (Website Attack Vectors).You should be presented with a list of web-based attacks as shown

Here we will proceed with the credential harvester attack method.

Choose option 1 to set template and then enter the IP address for the website to post credentials back to. We can just use the local IP address for the Kali virtual machine

Then we have to select a template. Here we chose twitter.

This is how the cloned site looks (at After entering credentials you should be redirected to the real twitter site. To a user it will just seem like he typed in his password incorrectly. In the meantime, back in SET, you should see a result that looks something like


Companies should put time and effort into training all employees about social-engineering attacks. No matter what sort of security technologies you put in place, employees have to be able to use their workstations, their mobile devices, and so on to get their job done. They will have access to sensitive information or security controls that, in the wrong hands, could harm the organization. Some security-awareness training may seem obvious, like “Don’t share your password with anyone” and “Check someone’s badge before you hold the door to a secure area for him or her.” Other security awareness may be new to many employees. Security-awareness training about malicious files, USB switchblades, and other attacks can help stop users from falling victim to these types of social-engineering attacks.


 In this post we’ve looked at only a couple of social-engineering attacks that we can automate with SET. The scripts for your attacks will change based on your clients’ needs. Some clients may have a specific attack scenario in mind, or you may find the need to run multiple attacks at once. For instance, you may create a multipronged attack where you harvest credentials and the malicious website runs a malicious Java applet. In addition to the web-based attacks and malicious files we looked at here, SET can create other attacks, such as USB sticks, QR codes, and rogue wireless access points.

Connect to me on LinkedIn