Saturday, August 7, 2010

Social-Engineer Toolkit (SET) v0.6.1 Released

SET v0.6.1 adds the ability to utilize the built-in SET Web Server and combine the attack with SSL. Here are some scenarios where this attack really can be extremely helpful. For one, SET will allow you to create self-signed certificates automatically for you (granted you have openssl installed). In this instance the user would be presented with a certificate mismatch and whether or not to trust the individual site. While this is still most likely going to be successful in nature, it still isn’t 100 percent. My recommendation for this new addition is if your doing a penetration test, register a name of the victims site that is similar in nature, like for example your targeting CompanyXYZLMNOP you register a domain name like or LMNOP.COM is available and you can do CompanyXYZ.LMNOP. In this scenario you would have the DNS records point to the SET website, which you’ve already cloned the legitimate site. From there register for a $80 certificate and utilize SET with an legitimate SSL based certificate that looks and feels real. You will need the private key and client cert in PEM format

For more info and download check

No comments: