Introduction
The most fortified network in the world can be compromised with a single convincing email. The most complex password policy is useless if an employee types their credentials into a fake login page. Social engineering — the art of manipulating people into compromising security — is the most effective attack vector in cybersecurity, and the Social Engineering Toolkit (SET) automates it.
Created by David Kennedy (TrustedSec) and first released in 2009, SET is an open-source Python framework designed specifically for social engineering attacks. It's included in Kali Linux by default and is used by penetration testers to simulate real-world social engineering scenarios during authorized security assessments.
How It Works
SET organizes social engineering attacks into structured categories. The most commonly used is the Credential Harvester attack, which clones a legitimate website — Gmail, Office 365, a corporate portal — and hosts it on the attacker's machine. When the target visits the cloned site and enters their credentials, SET captures them and can optionally redirect the victim to the real site, making the attack nearly invisible.
The Spear-Phishing attack module creates targeted emails with malicious attachments — PDFs, Office documents, or executables — that exploit known vulnerabilities or use social engineering to convince the target to enable macros or run the file. SET integrates with Metasploit, so payloads can establish reverse shells, deploy Meterpreter sessions, or execute custom code.
Other attack vectors include the Infectious Media Generator (creates autorun payloads for USB drives), the Website Attack vectors (browser exploitation, Java applet attacks, HTA attacks), and the QRCode Generator (creates QR codes that point to malicious URLs). The Arduino-Based attack vector even supports creating malicious HID (Human Interface Device) payloads for programmable USB devices.
Why It Matters
Social engineering consistently ranks as the most effective initial access technique in real-world breaches. Verizon's DBIR reports that phishing is involved in over 30% of all data breaches, and that number climbs when you include other social engineering techniques like pretexting and baiting.
For penetration testers and red teams, SET provides a realistic, controlled way to test an organization's human defenses. A phishing simulation that captures 40% of employees' credentials tells the security team more about their actual risk posture than any number of firewall rules or vulnerability scans.
Key Takeaways
The Credential Harvester is the most practical attack to learn first. Start SET (setoolkit), choose Social-Engineering Attacks → Website Attack Vectors → Credential Harvester Attack Method → Site Cloner. Enter the URL to clone (e.g., a login page) and the attacker IP. SET creates a pixel-perfect copy and waits for credentials.
For effective phishing simulations: craft realistic pretexts (password reset notices, IT policy updates, package delivery notifications), register convincing domain names, and time your attacks for maximum effect (early morning, right after a company announcement, during busy periods).
To defend against social engineering: implement regular phishing awareness training, deploy email filtering with link and attachment sandboxing, use FIDO2/WebAuthn hardware keys (which are immune to credential harvesting), enable email authentication (SPF, DKIM, DMARC), and create a culture where reporting suspicious emails is encouraged and rewarded.
The Bigger Picture
SET exists because the most sophisticated security technology in the world is only as strong as the person using it. Firewalls don't block convincing emails. Antivirus doesn't stop someone from entering their password on a fake website. IDS doesn't alert when an employee willingly runs a malicious attachment because they think it's from their boss. The human element is the permanent vulnerability — it can't be patched, only educated. SET makes that lesson tangible and measurable.
