The Social Engineering Toolkit’s evolution, goals

Social engineering expert, Dave Kennedy, a veteran penetration tester and contributor to social-engineer.com, saw a gap in the tools available for security when it came to evaluating an organizations preparedness for social engineering attacks.

Two years ago, he built the first social-engineering toolkit, a free download on educational resource social-engineer.org.

Kennedy, who is also CSO at security systems vendor Diebold, spoke with CSO about how the toolkit was created and how it can help companies improve their security.

[Check out Kennedy’s advice for making the most out of the toolkit in 3 tips for using the Social Engineering Toolkit]

CSO: Tell us about the origins of the social engineering toolkit. Before I joined Diebold, I was heavy on the exploitation and penetration side of the house. We would perform pen tests for other companies and customers to try and identify weaknesses.

Kennedy:

When I joined Diebold, Chris (Hadnagy, founder of social-engineer.com) and I were close to the social engineering aspect of security. We were seeing a big shift in the industry and we felt social engineering was going to be the very next wave of attacks coming on. No one was doing it as part of their pen testing, no one was incorporating it into the services they do or looking at it from that perspective.

From that [observation], the toolkit was born. I spent about two months writing it, initially. And when it became available, it just blew up. People were downloading and using it immediately, so there is obviously a huge interest in it.

Learn more about social engineering tricks and tactics

• 4 ways criminal outsiders get inside
• 3 examples of ‘human hacking’
• Exploiting 5 security holes at the office (includes video)

Besides addressing a need, what was your initial goal in creating it?

Really what it is designed to do is test the effectiveness of your education and awareness program and test the controls you have on your associates and employees. It is designed to make sure you can withstand a social-engineering attack and to see how well you do in one.

The tool is for pen testers, security researchers, folks that want to test how effective their awareness program is working. It does a lot of things, like bypasses antivirus and bypass security technologies. It has a lot of cutting-edge attack vectors so you can simulate a real world attack using different attack vectors. You can do spear phishing, you can do website attacks where it makes a website look legitimate but has a bunch of bad stuff on it. It has a lot of different techniques and is basically an all-encompassing tool for leveraging social engineering in penetration testing.

How much personalization does the pen tester have to put into creating an attack if using the toolkit?

The steps walk you through how to set it up for your individual target. A social engineer has to make things look very believable. You have to make your victims think it is a logical web site they are going to, or a logical email they are opening. The pen tester really has to do the research on the company they are going after, and create a pretext off of their victim and actually leverage the social engineer toolkit to be flexible enough to do that.

But the toolkit will clone a website and make it look legit in nature. It will clone it and go and rewrite all of the stuff and put all the bad code on it that will be used. It sets it up for you automatically.

The toolkit is open source. Do you make a lot of updates based on what you get from open-source developers?

We have a development team now. At first, it was just me. We expanded that and added a few folks that have contributed on the open-source side. And we have received some submissions from members of the security community, who really contribute and add functionality and features to it.

Also, if there is a new attack vector or new exploit, or anything like that, we definitely leverage that. We are also hooked very well into the Metasploit framework, so if you want to leverage Metaspoit exploits in it, you can do that as well.

It’s a continual evolution of the product. From what it was when it first came out two years ago to what it is today, it is night and day. There continue to be new attack vectors and new ways of circumventing security technologies and we really try and test it continually.

Give me some more examples of how it has changed over the years.

There are a number of things that have changed. The wireless attack vector was a major release, for example. You can set up a fake access point within the toolkit and you can leverage any attack vector within there. So if someone associates with your access point, every web site they go to will be malicious in nature.

There is also the teensy USB HID, a way of using a small device, basically a small microchip, to put code on it to actually attack a org and by pass their autorun technique. A lot of people like to put USB thumb drives in a parking lots or key areas in a building. But these days everyone has disabled autorun. This technique we developed is a little piece of hardware that when inserted into a computer actually acts like a keyboard and drops a piece of malware onto a computer that way and bypasses autorun.

The way we deploy payloads has changed. Traditional pieces of malware write a file to the system, and execute it, which has the potential to be picked up by antivirus and whitelisting and blacklisting technologies. Weve been able to write code in Java and leverage Powershell to inject straight into memory and not have to worry about touching a disk. So it circumvents a lot of security technology out there.

I would say it is completely different today than what it was two years ago. Weve added 20 or 30 new attack vectors since it first launched. When I first wrote it, it was about 1,000 lines of code. There are probably 300,000 lines of code now to it.

What kind of feedback do you get on it from pen testers?

It’s crazy. You go to a conference or a company and everyone seems to be using it. Results are astonishing about how vulnerable people find they are to social engineering.

I’ve seen a huge mind-shift in the industry now about what we have to do in order to protect against social engineering. Companies I talk to say they have seen significant increases in awareness after using the toolkit. It really helps them detect those kinds of attacks and prevent them.