Social Engineering Toolkit (SET) Cheat Sheet

Overview

The Social Engineering Toolkit (SET) is an open-source Python-driven framework designed for social engineering penetration tests. Developed by TrustedSec, it automates complex social engineering attacks to test an organization's security awareness and vulnerability to human-focused attacks.

⚠️ Warning: Only use SET on systems and against targets with explicit written permission. Unauthorized use may violate laws and regulations.

Installation

Kali Linux

# Already pre-installed on Kali, or install/update with:
sudo apt update
sudo apt install set
sudo apt install setoolkit

# Launch SET
sudo setoolkit

Manual Installation (Linux)

# Clone the repository
git clone https://github.com/trustedsec/social-engineer-toolkit.git
cd social-engineer-toolkit

# Install dependencies
pip3 install -r requirements.txt

# Install SET
sudo python3 setup.py install

# Launch SET
sudo setoolkit

Docker Installation

# Pull the Docker image
docker pull trustedsec/social-engineer-toolkit

# Run SET in a container
docker run -it trustedsec/social-engineer-toolkit

Basic Usage

Starting SET

# Launch SET with root privileges
sudo setoolkit

# Launch SET from source directory
cd social-engineer-toolkit
sudo python3 setoolkit

Navigation

# Use numbers to select options
# Use 99 to return to the previous menu
# Use exit or quit to exit SET

Main Menu Options

Social-Engineering Attacks

1) Social-Engineering Attacks
   - Primary attack vectors for social engineering

Penetration Testing (Fast-Track)

2) Penetration Testing (Fast-Track)
   - Quick penetration testing tools

Third Party Modules

3) Third Party Modules
   - Additional modules contributed by the community

Update SET

4) Update the Social-Engineer Toolkit
   - Update to the latest version

Update Configuration

5) Update SET configuration
   - Change configuration settings

Help

6) Help, Credits, and About
   - Information about SET

Social-Engineering Attacks

Spear-Phishing Attack Vectors

1) Spear-Phishing Attack Vectors
   1) Perform a Mass Email Attack
   2) Create a FileFormat Payload
   3) Create a Social-Engineering Template
   4) Create a Android/MacOS/Windows/iOS Payload
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
   10) SMS Spoofing Attack Vector

Website Attack Vectors

2) Website Attack Vectors
   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) HTA Attack Method
   8) Badpdf Attack Method

Infectious Media Generator

3) Infectious Media Generator
   1) USB/CD/DVD (AutoRun) Method
   2) Advanced File Format Infection

Create a Payload and Listener

4) Create a Payload and Listener
   - Generate standalone payloads

Mass Mailer Attack

5) Mass Mailer Attack
   1) E-Mail Attack Single Email Address
   2) E-Mail Attack Mass Mailer

Arduino-Based Attack Vector

6) Arduino-Based Attack Vector
   - Hardware-based attacks

Wireless Access Point Attack Vector

7) Wireless Access Point Attack Vector
   - Create rogue access points

QRCode Generator Attack Vector

8) QRCode Generator Attack Vector
   - Generate malicious QR codes

Powershell Attack Vectors

9) Powershell Attack Vectors
   - PowerShell-based attacks

Website Attack Vectors

Credential Harvester

# Select from main menu:
1) Social-Engineering Attacks
2) Website Attack Vectors
3) Credential Harvester Attack Method

# Then choose one of:
1) Web Templates
2) Site Cloner
3) Custom Import
4) Tabnabbing

# For Site Cloner:
# Enter IP for POST back: [your IP]
# Enter URL to clone: https://example.com

Web Templates

# Available templates include:
1) Java Required
2) Google
3) Gmail
4) Facebook
5) Twitter
6) Yahoo

Multi-Attack Web Method

# Select from main menu:
1) Social-Engineering Attacks
2) Website Attack Vectors
6) Multi-Attack Web Method

# Choose attack methods to include
# Enter IP for POST back: [your IP]
# Enter URL to clone: https://example.com

Spear-Phishing Attacks

Mass Email Attack

# Select from main menu:
1) Social-Engineering Attacks
1) Spear-Phishing Attack Vectors
1) Perform a Mass Email Attack

# Choose payload:
1) Adobe PDF Embedded EXE
2) Custom EXE to VBA
3) Fileformat Bugs
...

# Configure email settings:
# Enter email address to send from: attacker@example.com
# Enter the gmail password: password
# Enter the recipient: victim@example.com

File Format Payloads

# Select from main menu:
1) Social-Engineering Attacks
1) Spear-Phishing Attack Vectors
2) Create a FileFormat Payload

# Choose payload:
1) Adobe PDF Embedded EXE
2) Adobe PDF Embedded PowerShell
3) Microsoft Word Macro
...

Infectious Media Generator

USB/CD/DVD AutoRun Method

# Select from main menu:
1) Social-Engineering Attacks
3) Infectious Media Generator
1) USB/CD/DVD (AutoRun) Method

# Choose payload:
1) Windows Reverse_TCP Meterpreter
2) Windows Reverse_TCP VNC
3) Windows Bind_TCP Meterpreter
...

Advanced File Format Infection

# Select from main menu:
1) Social-Engineering Attacks
3) Infectious Media Generator
2) Advanced File Format Infection

# Choose file format:
1) Adobe PDF
2) Microsoft Word
...

Payload Creation

Standalone Payloads

# Select from main menu:
1) Social-Engineering Attacks
4) Create a Payload and Listener

# Choose payload:
1) Windows Reverse_TCP Meterpreter
2) Windows Meterpreter Reverse_TCP X64
3) Windows Reverse_TCP VNC
...

Android Payloads

# Select from main menu:
1) Social-Engineering Attacks
1) Spear-Phishing Attack Vectors
4) Create a Android/MacOS/Windows/iOS Payload
1) Android Meterpreter

Advanced Techniques

Custom Website Import

# Select from main menu:
1) Social-Engineering Attacks
2) Website Attack Vectors
3) Credential Harvester Attack Method
3) Custom Import

# Enter the path to your website: /path/to/website
# Enter IP for POST back: [your IP]

PowerShell Attacks

# Select from main menu:
1) Social-Engineering Attacks
9) Powershell Attack Vectors

# Choose attack:
1) Powershell Alphanumeric Shellcode Injector
2) Powershell Reverse Shell
3) Powershell Bind Shell
...

QRCode Generator

# Select from main menu:
1) Social-Engineering Attacks
8) QRCode Generator Attack Vector

# Enter the URL: https://malicious-example.com
# Enter path to save QRCode: /path/to/save/qrcode.png

Integration with Metasploit

Using Metasploit Payloads

# When selecting payloads, choose Metasploit options
# SET will automatically integrate with Metasploit

Setting Up Listeners

# After creating a payload:
# Do you want to start the listener now? yes

Configuration

Update SET Configuration

# Select from main menu:
5) Update SET configuration

# Edit configuration settings in the text editor

Configure Web Templates

# Templates are stored in:
/usr/share/set/src/webattack/web_clone/

Configure Email Templates

# Templates are stored in:
/usr/share/set/src/templates/

Troubleshooting

Common Issues

# Fix permission issues:
sudo chmod -R 755 /usr/share/set/

# Fix Python dependency issues:
pip3 install -r requirements.txt

# Fix database issues:
rm /usr/share/set/config/set_config.db

Debugging

# Run SET with debug output:
sudo setoolkit --debug

Best Practices

Security Considerations

# Run in isolated environment
# Document permission and scope
# Avoid causing harm or disruption
# Report findings responsibly

Performance Tips

# Test attacks in isolated environments first
# Use realistic scenarios
# Customize templates for specific targets
# Monitor and document all activities

Resources

• Official GitHub Repository
• TrustedSec Website
• SET Documentation
• Social Engineering Framework

---

This cheat sheet provides a comprehensive reference for using the Social Engineering Toolkit (SET). Always ensure you have proper authorization before conducting any social engineering tests.