The Social-Engineer Toolkit v1.4 “YAY DerbyCon” Edition has been released. The main new feature with this is the new addition into the web attack menu. SET now has the ability to help aid in steps needed in creating a code signing certificate. You still need to purchase the code signing certificate, but it will not be directly imported into SET and into the Java Applet attack making the attack much more believable and make the attack much more reliable. Overall, through doing the steps myself, it will cost you around $300-350 to get everything setup. You’ll need to register a business with the state (which takes 5 mins), wait for your papers, then purchase a code signing certificate and sign the applet with whatever you made your business name. Sounds like a bit of a process I know, but when doing consulting engagements, should be easy to purchase a code signing certificate based on your company name or just register a quick LLC to get it.
Amongst this addition are a number of bug fixes and additions. Full change log can be found below:
* Java changed how self signed certificates work. It shows a big UNKNOWN now, modified self sign a bit.
* Added the ability to purchase a code signing certificate and sign it automatically. You can either import or create a request.
* Fixed a bug in the wifi attack vector where it would not recognize /usr/local/sbin/dnsspoof as a valid path
* Fixed a bug in the new backtrack5 to recognize airmon-ng
* Added the ability to import your own code signed certificate without having to generate it through SET
* Fixed an issue where the web templates would load two java applets on mistake, it now is correct and only loads one
* Fixed a bounds exception issue when using the SET interactive shell, it was using pexpect.spawn and was changed to subprocess.Popen instead
* Added better import detection and error handling around the python module readline. Older versions of python may not have, if it detects that python-readline is not installed it will disable tab completion
* Added a new menu to the main SET interface that is the new verified codesigning certificate menu
* Fixed a bug with the SET interactive shell that if you selected a number that was out of the range of shells listed, it would hang. It now throws a proper exception if an invalid number or non-numeric instance is given for input
* Added more documentation around the core modules in the SET User_Manual
* Updated the SET_User manual to reflect version 1.4