The Social-Engineer Toolkit

161

attacks through a web interface. The wireless attack vector creates a rogue 
access point on the attacking machine. When the target connects to the access 
point, any website he visits is redirected to the attacker machine, which can 
then launch a number of SET attacks (such as harvester or the Java applet) 
on the target. 

Looking Ahead

Like Metasploit, SET is a work in progress. The security community has 
embraced the capabilities and potential of SET and continues to contribute 
to making it better. Social-engineering attacks are on the rise, so ensuring 
that you can properly test these attack vectors is imperative for any compre-
hensive security program.

As organizations and vendors get better at securing their network perim-

eters with software and hardware solutions, we often forget how easy it is to 
call or email a user and convince him to click or download something that 
can be used for an attack. Social engineering in general takes skill and practice, 
and a good attacker knows that he needs to ensure that the attack is specially 
crafted to target weaknesses in his targets’ company user awareness programs 
or systems. A skilled attacker knows that spending a few days researching an 
organization, looking at Facebook or Twitter pages, and determining what 
may trigger someone to click hastily is just as important as the tools used 
behind the attack.

Tools like SET are useful to attackers, but always remember that as a 

penetration tester, your skill is defined by your creativity and your ability to 
navigate difficult situations. SET will aid you in attacking your targets, but, 
ultimately, if you fail, it’s probably because you weren’t creative enough.