The Social Engineering Toolkit (SET) and Maltego

This blog post explains the functionality and purpose of Maltego and The Social Engineering Toolkit for testing an organization or company against potential social engineering attacks.

What is Maltego?

Have you ever heard of Maltego? I hadn’t until made aware of the tool from one of our instructors, Jonathan Jenkins. According to Paterva’s website, Maltego was “developed to deliver a clear threat picture to the environment that an organization owns and operates” and the “advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure”.

Maltego serves up the “aggregation of information posted all over the Internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits”.

This tool, which runs on open source technology, provides a powerful search and visualization interface for individual and commercial users. The free community version is accessible via online login, but it comes with limitations.

For the visual learners, watch the Paterva YouTube video on “Training Video for Absolute Beginners” for an introduction to the tool.

Essentially, Maltego is an efficient information gathering tool that researches and illustrates connections between people, organizations, groups, hardware and software, phrases, affiliations, even documents and files. The results, when the tool is effectively employed, provide a solid baseline for a social engineer targeting a person, audience, company, or organization.

For further understanding on how to Maltego works, refer to Paterva’s official documentation.

What is The Social Engineering Toolkit?

The Founder of TrustedSec, David Kennedy, developed The Social Engineering Toolkit (SET) to combine most known social engineering attacks all into one interface for a penetration tester. Why? Because “TrustedSec believes that social engineering is one of the hardest attacks to protect against and now one of the most prevalent”.

SET empowers a pen tester to:

• Automate and improve on known attacks
• Generate exploit-laced email messages and web pages
• Clone websites and inject pages with HTA files to compromise systems
• Perform a wide range of attacks, including:
  • PowerShell attacks
  • SMS spoofing attacks
  • Wireless access point attacks
  • Mass mailer attacks
  • Website attacks
  • Spear-phishing attacks
  • Infectious media generation and attacks
  • Payload and listener attacks
  • Arduino-based attacks
  • QRCode generation and attacks

This article, “Beginning with the Social Engineering Toolkit“, explains how editing the SET configuration file empowers pen testers to execute social engineering attacks with higher success rates. Once you learn how to manipulate and customize the configuration file, you can learn to better leverage SET.

Watch this video by Jeremy Martin to learn about the fundamental ways to use SET for exploitation.

The Importance of Research for Penetration Testing and Social Engineering

Both software tools demonstrate the necessity of research in the cyber security field. Maltego equips cyber security professionals and pen testers with a powerful and fast information gathering tool that aggregates information across the Internet and compiles it into an easily readable format. Maltego reduces research time and energy.

With the information acquired from Maltego, you can implement test attacks on a company, home, or organizational infrastructure with The Social Engineering Toolkit. SET tests and exposes holes within the infrastructure, whether they exist within technology or through individuals.

Research and pen testing provide evidence as to why social engineering proves highly effective and hard to stop. Last week, we pointed out different ways on how to prevent social engineering attacks.