Three tips for using the Social Engineering Toolkit

Two years ago, Dave Kennedy, a penetration tester, social engineering expert and contributor to the website, wanted to create a tool for pen testers to simulate social engineering attacks.

With this in mind, he built the first social-engineering toolkit, a free download on the site's companion educational resource. The attacks built into the toolkit are designed to be targeted, focused attacks against a person or organization, used during a penetration test.

Kennedy, now CSO at security systems vendor Diebold, says the popularity of the toolkit has been remarkable. It is considered by many to be the standard for companies using social-engineering-based attacks as part of their pen testing. The SET, which is added to and updated frequently, is downloaded approximately one million times after each new release, according to Kennedy.

Kennedy spoke with CSO about his advice for maximizing results when using the social engineering toolkit.


Do your research and prep work

"As simulated adversaries for companies, as pen testers, we always want to run the latest and greatest and sexiest software exploits out there. But now when I do a pen test, I don't even run exploits anymore. The techniques that are built within the social engineering toolkit don't leverage exploits. They utilize legitimate ways that Java works, legitimate ways that email works, to attack a victim," said Kennedy.

But the onus is on you, said Kennedy, to research the company you are pen testing first, in order to have the best chance of success. "Focus on learning the company you're going after for the pen test and building the attack off of that. We like to look at how the company does business, their subsidiaries, and the path of least resistance. A lot of times, browsing through the company website, looking through LinkedIn are valuable ways to understand the company and its structure. We'll also pull down PDFs, Word documents, Excel spreadsheets and others from the website and extract the metadata, which usually tells us which version of Adobe or Word they were using and the operating system that was used."
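The document-metadata leak Kennedy describes is also something a publishing team can check for before a file goes on a public website. The following is an added Python example, not code from the article or from SET: it builds a constructed minimal .docx in memory (a .docx is a zip archive of XML parts), reads the creator, last-modified-by, application, version and company fields from docProps/core.xml and docProps/app.xml using only the standard library, and lists the fields that should be blanked or stripped before publication. The function names and the sample values are assumptions made for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the Office Open XML property parts
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Fields that reveal a person's name or the software in use; blank them before publishing
SENSITIVE_FIELDS = ("creator", "lastModifiedBy", "Application", "AppVersion", "Company")


def docx_metadata(data: bytes) -> dict:
    """Return the author/application metadata recorded in a .docx given as bytes."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
                el = root.find(path, NS)
                if el is not None and el.text:
                    found[key] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(zf.read("docProps/app.xml"))
            for key in ("Application", "AppVersion", "Company"):
                el = root.find(f"ep:{key}", NS)
                if el is not None and el.text:
                    found[key] = el.text
    return found


def leaked_fields(meta: dict) -> list:
    """Sorted list of sensitive fields that are still populated (empty list means safe to publish)."""
    return sorted(k for k in SENSITIVE_FIELDS if meta.get(k))


def build_sample_docx(creator: str, app: str, version: str, company: str) -> bytes:
    """Constructed minimal .docx-like archive for this example (not a real corporate document)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
        '<dc:creator>{creator}</dc:creator>'
        '<cp:lastModifiedBy>{creator}</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    ).format(cp=NS["cp"], dc=NS["dc"], creator=creator)
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="{ep}">'
        '<Application>{app}</Application>'
        '<AppVersion>{version}</AppVersion>'
        '<Company>{company}</Company>'
        '</Properties>'
    ).format(ep=NS["ep"], app=app, version=version, company=company)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app_xml)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a document with its metadata still populated
    doc = build_sample_docx("jdoe", "Microsoft Office Word", "16.0000", "Example Corp")
    meta = docx_metadata(doc)
    print("metadata found:", meta)
    print("fields to strip before publishing:", leaked_fields(meta))
```

The same pre-publication check applies to PDFs and spreadsheets, but those need format-specific readers; the .docx case is shown because its property parts are plain XML inside a zip, so no third-party library is required.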

Chris Hadnagy, founder of, agrees.

"Information gathering is the most important part of any engagement. I suggest spending over 50 percent of the time on information gathering," said Hadnagy. "Quality information and valid names, emails and phone numbers make the engagement have a higher chance of success. Sometimes during information gathering you can uncover serious security flaws without even having to test; testing then confirms them."


Teach, don't scold

Kennedy said he advises pen testers using the kit to prepare the company in advance for the likelihood that the success rate of the pen test will be high. But even with some warning, that may not be welcome news to the organization. This can be a chance to teach them, rather than point out problems, said Kennedy.

"One thing that drives me nuts in the security community is the rating of users. Somehow it is supposed to be the user that understands this stuff. But for those of us in security, it is our job to teach and not to scold. When you do these kinds of engagements, it is an education opportunity, not a 'you-did-something-wrong' opportunity."

Kennedy recommends letting the organization know that when a user makes a mistake and falls for a social engineering scam, this is perfectly acceptable and happens to everybody.

"Tell them: 'This is something we learn from, and here is why it was bad,' and point out some things they can learn from in the future," he said.

Also assure them that a better score in future pen tests using the kit is likely.

"Users will start to recognize these things with repetition," he said.

Embarrassing a company due to its flaws is a horrible idea, said Hadnagy.

"Any time an audit is done the results should be used as part of employee education. This can be done without embarrassment by educating the employees first at the point of failure. For example, when I do phishing for my clients, I do not just include their names in the report, but when the employee clicks they are automatically sent to an education page about phishing."

Hadnagy said that during the mass education no employee should be mentioned and no jokes should be made. A tool like SET allows a tester to track who clicks and who responds; this can be beneficial because, in larger organizations, it can point out areas of weakness and where education would be most beneficial.
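The two uses of click tracking that Hadnagy describes, private education at the point of failure and a group-level view of where awareness training is most needed, can be separated in the reporting. The following is an added Python example, not code from the article or from SET: it parses constructed phishing-simulation log lines, builds a per-department report of click and submission rates that contains no usernames (for the mass-education session), merges departments smaller than a threshold into an "other" row so a rate cannot single out one person, and keeps the individual clickers in a separate list used only for the point-of-failure follow-up. The log format, field names and the `min_group` threshold are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed log format for this example: "<timestamp> <event> user=<id> dept=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>sent|click|submit)\s+user=(?P<user>\S+)\s+dept=(?P<dept>\S+)$"
)

# Constructed sample log: 10 recipients, a few clicks, one credential submission,
# one repeated click and one malformed line
SAMPLE_LOG = """
2024-03-04T09:00:01Z sent user=u01 dept=finance
2024-03-04T09:00:02Z sent user=u02 dept=finance
2024-03-04T09:00:03Z sent user=u03 dept=finance
2024-03-04T09:00:04Z sent user=u04 dept=finance
2024-03-04T09:00:05Z sent user=u05 dept=engineering
2024-03-04T09:00:06Z sent user=u06 dept=engineering
2024-03-04T09:00:07Z sent user=u07 dept=engineering
2024-03-04T09:00:08Z sent user=u08 dept=engineering
2024-03-04T09:00:09Z sent user=u09 dept=legal
2024-03-04T09:00:10Z sent user=u10 dept=legal
2024-03-04T09:14:20Z click user=u01 dept=finance
2024-03-04T09:14:55Z submit user=u01 dept=finance
2024-03-04T09:20:05Z click user=u03 dept=finance
2024-03-04T09:31:44Z click user=u03 dept=finance
2024-03-04T09:40:12Z click user=u06 dept=engineering
2024-03-04T10:02:30Z click user=u09 dept=legal
this line is malformed and is skipped
"""


def parse_events(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def department_report(events: list, min_group: int = 3) -> dict:
    """Per-department counts and click rate with no usernames in the output.

    Each user is counted once per event type, so a repeated click is one click.
    Departments with fewer than min_group recipients are merged into "other"
    so that a rate cannot identify a single employee.
    """
    buckets = {"sent": defaultdict(set), "click": defaultdict(set), "submit": defaultdict(set)}
    for e in events:
        buckets[e["event"]][e["dept"]].add(e["user"])
    merged = {}
    for dept in list(buckets["sent"]):
        key = dept if len(buckets["sent"][dept]) >= min_group else "other"
        row = merged.setdefault(key, {"sent": set(), "click": set(), "submit": set()})
        for kind in ("sent", "click", "submit"):
            row[kind] |= buckets[kind].get(dept, set())
    report = {}
    for key, row in merged.items():
        n = len(row["sent"])
        report[key] = {
            "recipients": n,
            "clicked": len(row["click"]),
            "submitted": len(row["submit"]),
            "click_rate": round(len(row["click"]) / n, 3) if n else 0.0,
        }
    return report


def followup_targets(events: list) -> list:
    """Users who clicked, for individual point-of-failure education only (never for the group report)."""
    return sorted({e["user"] for e in events if e["event"] == "click"})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for dept, row in sorted(department_report(evts).items()):
        print(dept, row)
    print("private follow-up:", followup_targets(evts))
```

The group report is what goes into the mass-education material; the follow-up list stays with the tester and the education page that clickers were redirected to.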

Critique your approach, not just the employees

"I think the biggest challenge for folks using the kit sometimes is understanding the concept of social engineering and how you go about attacking an organization. You really have to understand how a company ticks in order to pull off a successful social engineering attack," said Kennedy.

So, once you've completed your pen test, look back on what worked and what didn't, not only to offer information that will help the organization shore up its defenses, but also to see where you yourself may have come up short in researching the company.

"A lot of failures come as the result of pen testers who haven't done the research. The folks often just have a shock and awe mentality where they go in and just see if anything sticks. That almost always guarantees failure."

Stories by Joan Goodchild