In this part of our interview we asked David Kennedy about prospects of the Social-Engineer Toolkit, breakdown of attack vectors, and his plans for the future.
– Hopefully still the leader in social-engineering attacks :) I definitely don’t see these types of attacks going away anytime soon.
– With so many tools adding up like SET, Fast-Track, Artillery – is it difficult to keep them all updated and provide support?
– Naw.. Pretty easy once you have a similar structure in place. I may focus on one more than the other at times depending on the need, but still easy to manage.
– Are you still often questioned on the morality behind creating SET?
– Nope – never have actually. It’s a pretty simple argument: the bad guys are using these techniques everyday. How do we defend against them? We need to be able to test. Never had anyone question the morality of the tool.
– Have you heard of any big breaches which took advantage of SET?
– As a father of SET, would you like SET to have an even greater success rate or would like people to be able to defeat it?
– I think it’s important to show what is possible and what technologies really don’t work. SE comes down to the people and the defenses we put into place there. There is an over reliance in technology in the security industry and the majority of it is vaporware. I think when SET can be defeated and there’s no purpose, then awesome and I can move on to a different project. I still think SET will be around for a very long time :)
– Are phishing attacks still as successful as, say, 3 years ago? Is it easier or more difficult to prepare for a successful phishing attack now?
– Depends on the definition of phishing. If you are talking about standard PDF or document attacks, then yes, but more difficult. Targeted phish’s not using that method, I would say even easier than before.
– Is the attack utilizing Java applet still as effective as before? Are people still full of trust?
– Java applet is working out better now than before actually. The attack vectors have matured and the attacks have got more believable. Java also moving more towards code signing certs and making them more trustworthy has helped us out significantly. Never been easier to get a code signing certificate and use that for hacks.
– Out of 100 attacks, how often do you choose Java applet, credential harvester or browser exploits or other types of attacks?
– I almost always just use the Java Applet and Credential Harvester method.
– What methods of social engineering work best against a small company where everybody knows each other?
– Very good question. Impersonating individuals becomes much more challenging – have to come in as a partner or something they know but not that well. A lot of times we’ll come in as a vendor giving them free stuff because they do business with us.
– Are scareware/ransomware tactics effective in making people click what you need?
– Naw, don’t typically go that route. Scare tactics and inciting fear has a less probable chance of being successful in social engineering.
– Do you keep an eye on exploit kits darkmarket?
– I don’t typically, try to keep things I research inside SET.
– How soon will we see a new great tool from you?
– As I’m typing this actually… 5.1 is getting released in the next hour :)
– Have you considered making a closed source tool?
– Never – always like the open source community and giving back and sharing the learning that I do.
– What project do you want to run but constantly lack free time for it?
– Writing books.
– After a book on Metasploit, are you planning a new one?
– I’m currently working on a Python for penetration testers book. Something that teaches people from the ground up how to code hack jobs and get things working fast on a penetration test. I’m excited because when I was coming up in the industry, I felt like there wasn’t anything out there for me. I had to pick up Python by myself and no real rhyme or reason. This book teaches you why and how.
– You started your career working for government, what do you think of government’s approach to security?
– Not so good. At least not yet. I think it’s getting a lot of recognition from the people that it needs in order to be successful, but I think they really need to look at the private sector and some companies that are doing a great job on the security front for ideas. They are going into this far behind the game.
– Little can be found about your role in Operation Iraqi Freedom, could you please speak about it?
– That’s intentional :) I worked for the intelligence community and spent about two years in Iraq.
– Your tools are popular, your experience grows, do gov guys invite you back?
– I’m pretty much out of that sector, focus primarily on the private sector. My buddies are still in and some great folks that use tools like Artillery and SET and get to hear about it. Otherwise – not really anymore at all.
– And have you ever been contacted by black hat / bad guys with offerings?
– Contacted – yeah, don’t really respond to that side of the house. Very focus on the white hat side and nothing else.