Chapter 10

Of course, social engineering is nothing new. One person trying to coax another to perform acts that he normally wouldn't do is as old as time itself. Many in the security community believe that social engineering is one of the biggest risks organizations face, because it's extremely difficult to protect organizations from being attacked in this way. (You might remember the ultrasophisticated Operation Aurora attack, for example, in which social engineering was used to attack Gmail and other sources of Google data.)

An attack vector is the avenue used to gain information or access to a system. SET categorizes attacks by attack vector (such as web, email, and USB-based attacks). It uses email, spoofed websites, and other vectors to reach human targets, typically tricking individuals into compromising the target or releasing sensitive information. Naturally, each vector can have a different success rate depending on its target and the communication used. SET also comes prebuilt with email and website templates that can be used for social-engineering attacks. SET heavily uses the Metasploit Framework.

Because of the social nature of the attacks themselves, each example in this chapter is coupled with a brief story.

Configuring the Social-Engineer Toolkit

By default, in Back|Track, SET is located in the /pentest/exploits/set/ directory.

Before you begin, make sure that you are running the latest version of SET.

root@bt:/pentest/exploits/set# svn update

Next, configure your SET configuration file according to what you're attempting to accomplish. We'll cover a couple of simple features within the configuration file config/set_config within the root SET directory.

When using the SET web-based attack vectors, you can turn ON the WEBATTACK_EMAIL flag to perform email phishing in conjunction with the web attack. This flag is turned OFF by default, which means that you will configure SET and use the web attack vector without the support of email phishing.

METASPLOIT_PATH=/opt/framework3/msf3
WEBATTACK_EMAIL=ON

One of the web-based attacks available in SET is the Java applet attack, which uses self-signed Java applets. By default, this attack uses Microsoft as the publisher name; however, if the Java Development Kit (JDK) has been installed, you can turn this option ON and sign the applet with whatever name you want. When you turn this flag ON, additional options will be available through the interface.

SELF_SIGNED_APPLET=ON

The AUTO_DETECT setting is one of the most important flags and is turned ON by default. It tells SET to detect your local IP address automatically and to