8.6 Penetration Testing
Social Engineering Pen Testing
- The objective of social engineering pen testing is to test the strength of human factors in a security chain within the organization.
- Social engineering pen testing is often used to raise the level of security awareness among employees.
- The tester should exercise extreme care and professionalism during a social engineering pen test, as it might involve legal issues.
- Obtain management's explicit authorization and the details that will help in defining the scope of the pen test, such as the list of departments, the employees that need to be tested, or the level of physical intrusion allowed.
- Collect email addresses and contact details of the target organization and its human resources (if not provided) using techniques such as dumpster diving, email guessing, USENET and web search, and email spiders.
- Try to extract as much information as possible about the identified targets using footprinting techniques.
- Create a script based on the collected information, considering both positive and negative results of an attempt.
Social Engineering Pen Testing: Using Emails
- Email employees asking for personal information such as their user names and passwords while posing as a network administrator, senior manager, tech support, or anyone from a different department, on the pretext of an emergency.
- Send emails with malicious attachments to targets and monitor how they handle the attachments using tools such as ReadNotify.
- Send phishing emails to targets as if from a bank asking about their sensitive information (you should have requisite permission for this).
Social Engineering Pen Testing: Using Phone
- Call a target posing as a colleague and ask for the sensitive information.
- Call a target user posing as an important user.
- Call a target posing as technical support and ask for the sensitive information.
- Refer to an important person in the organization and try to collect data.
- Call a target and offer them rewards in exchange for personal information.
- Threaten the target with dire consequences (for example, that the account will be disabled) to get information.
- Use reverse social engineering techniques so that the targets yield information themselves.
Social Engineering Pen Testing: In Person
- The success of any social engineering technique depends on the tester's interpersonal skills and on how well the tester can enact the testing script.
- There could be countless other social engineering techniques based on the available information and the scope of the test. Always scrutinize your testing steps for legal issues.
- The Social-Engineer Toolkit (SET) is an open-source, Python-driven tool aimed at penetration testing around social engineering.