The Social-Engineer Toolkit
161
attacks through a web interface. The wireless attack vector creates a rogue
access point on the attacking machine. When the target connects to the access
point, any website he visits is redirected to the attacker machine, which can
then launch a number of SET attacks (such as harvester or the Java applet)
on the target.
Looking Ahead
Like Metasploit, SET is a work in progress. The security community has
embraced the capabilities and potential of SET and continues to contribute
to making it better. Social-engineering attacks are on the rise, so ensuring
that you can properly test these attack vectors is imperative for any compre-
hensive security program.
As organizations and vendors get better at securing their network perim-
eters with software and hardware solutions, we often forget how easy it is to
call or email a user and convince him to click or download something that
can be used for an attack. Social engineering in general takes skill and practice,
and a good attacker knows that he needs to ensure that the attack is specially
crafted to target weaknesses in his targets’ company user awareness programs
or systems. A skilled attacker knows that spending a few days researching an
organization, looking at Facebook or Twitter pages, and determining what
may trigger someone to click hastily is just as important as the tools used
behind the attack.
Tools like SET are useful to attackers, but always remember that as a
penetration tester, your skill is defined by your creativity and your ability to
navigate difficult situations. SET will aid you in attacking your targets, but,
ultimately, if you fail, it’s probably because you weren’t creative enough.