Social engineering penetration testing assesses the human element in protecting systems. These security assessments aim to discover if an organization’s employees will reveal sensitive information or perform actions they wouldn’t usually perform if an attacker tries to manipulate them.
In this article, you will discover how to perform social engineering pentesting. You will learn what social engineering is, the tools used, and the phases of a social engineering penetration test. This will reveal the human element of security and how attackers exploit it.
Get ready to use your powers of influence and persuasion as we learn how to perform social engineering and deceive others into doing our bidding!
Understanding Social Engineering
Social engineering is the art of manipulating individuals to do your bidding. Using the powers of influence and persuasion, you can deceive others into revealing sensitive data or performing a certain action they would not normally perform.
Unlike typical penetration testing, social engineering penetration testing is about exploiting human psychology and social interaction rather than technical security controls or system vulnerabilities. Your aim is to trick another human into giving you access to a target’s environment.
Social Engineering Tactics
During a social engineering engagement, there are several tactics you can use to achieve your goal of gaining access. These include:
- Phishing: Sending emails, leaving messages, or phoning a victim to deliver a credible request that tricks them into revealing sensitive information or performing an action.
- Pretexting: Creating a story (pretext) that gains a victim’s trust before you ask them to perform an action. For example, posing as a trusted authority figure, getting the victim to sympathize with your situation, or using a topical event.
- Baiting: Making an offer to a victim that entices them into performing an action you want them to do. For instance, offering them free software bundled with malware you want them to run unknowingly.
- Elicitation: Obtaining information from a target without directly asking for it.
- Tailgating: Gaining unauthorized access to a restricted area by following an authorized employee into the area or impersonating a legitimate employee.
- Dumpster diving: Physically rummaging through the trash of an individual or organization to find revealing or sensitive data you can use in an attack.
- Media Dropping: Scattering CD-ROMs, USB drives, or other forms of digital media that contain malware around a target organization with the hope that an employee will insert this media into a company system and unknowingly trigger the malware.
Exploiting the Human Element
Social engineering is about exploiting the human factor. All security systems rely on humans to implement them. Physical security systems like CCTV cameras, access control systems, and alarms rely on security guards to monitor them and employees to protect their access cards.
Technical security controls like firewalls and Endpoint Detection and Response (EDR) solutions rely on the Security Operations Center (SOC) to monitor them and employees to protect their credentials.
Social engineering aims to exploit this human element in security by making an organization’s employees the target rather than the technical security controls. This human element is often significantly easier to exploit as opposed to security systems that have been designed to withstand an attack. The common adage is that humans are the weakest link in cyber security.
Humans are usually naturally trusting. They assume someone’s intentions are legitimate and are often keen to help that person. Unfortunately, social engineering takes advantage of human nature. It looks for vulnerabilities in humans; those who are too trusting, those who overshare, and those who are emotionally sensitive to a certain pretext. It then exploits these vulnerabilities for personal gain.
To protect against this, organizations must assess and strengthen potential human vulnerabilities using various methods:
- Security Awareness Training: Regular training and education on common social engineering tactics using quizzes, simulations, or case studies.
- Phishing Simulations: A simulated phishing campaign that sends targeted emails to employees and asks them to click on a link, download a file, or reveal sensitive information to see how they respond.
- Social Engineering Penetration Tests: Hiring a penetration tester to perform social engineering attacks against an organization to reveal vulnerabilities.
- Red Team Exercises: Simulating an attack that emulates the real-world tactics, techniques, and procedures attackers use to target organizations. This includes exploiting technical security controls and people. You can learn the difference between red teaming and penetration testing in Red Teaming vs Penetration Testing: What Is Best for Me?
Tools used during a social engineering engagement:
- Maltego: A versatile open-source intelligence (OSINT) tool for gathering and analyzing data about individuals or organizations. Learn how to use this tool in our article How to Use Maltego: A Beginner’s Guide to OSINT Analysis.
- GoPhish: An open-source phishing framework that lets you simulate a phishing campaign against an organization.
- Social Engineering Toolkit (SET): A collection of tools designed for social engineering engagements, such as spear phishing, malicious payloads, infectious media generation, and website cloning. Learn how to use SET in Unlock SET: How to Use The Social Engineer Toolkit Effectively.
- The Browser Exploitation Framework (BeEF): A web-based tool that lets you control a victim’s web browser using a “hook” usually delivered through a phishing link. Learn how to use BeEF in How to Use the BeEF Hacking Tool: Hook Browsers Like a Pro.
- Wifiphiser: A tool for conducting wireless network phishing attacks. It lets you simulate rogue WiFi access points and trick victims into connecting to them by impersonating legitimate networks.
Phases of Social Engineering Penetration Testing
Now that you know what social engineering is, let’s look at the phases of a penetration test. A social engineering penetration test can be broken into five phases (similar to how a penetration test has steps). Each phase has key objectives that must be met to progress onto the next phase. However, this is not a linear process. You will often revisit steps as you discover more information about a target’s environment and the employees you are targeting.
The additional information you uncover allows you to build new pretexts to execute and reveals more systems to exploit or higher privileged accounts to compromise. The cycle continues until you reach the objective of the engagement, such as; dropping a backdoor on a sensitive system, compromising a highly privileged account, or something else.
The five phases of social engineering penetration testing are:
You can see how each phase is performed in Social Engineering Example. This article describes how a professional penetration tester performed social engineering to compromise a company in a real-world engagement.
Planning and Reconnaissance
The first phase of a social engineering penetration test is planning and reconnaissance. Here you work with the client to clearly define the objective and scope of the test. You need to know what areas or departments of the organization the client wants to test, the acceptable social engineering tactics that can be used, and get written consent from the client to perform any tests.
During this phase, you also need to prepare for the testing. This includes:
- Resource gathering: Acquiring and setting up all the necessary resources required to perform the social engineering testing (e.g., phishing simulation frameworks, cloud infrastructure, etc.).
- Information gathering: Collecting information about the target organization, its employees, infrastructure, and security policies. This background information is valuable for building profiles of individuals you want to target and creating believable pretexts. You can use open-source intelligence (OSINT) to gather this information or go dumpster diving.
- Define the scope of testing and gain authorization.
- Gather the resources required to perform testing.
- Gather detailed information about the target.
- Choose what social engineering tactics you will use.
Planning and reconnaissance may involve visiting LinkedIn to find a company’s new hires and their interests, skills, and contact details. They may not be aware of internal company policies and are more susceptible to phishing.
Once you have a scope to target, authorization to do so, and detailed information about your target, you can develop pretexts for your social engineering tests. A pretext is a fabricated story that convinces a target to trust you and gives them a credible reason to follow along with your requests.
An effective pretext will often contain an emotionally heightened scenario designed to manipulate the target, such as a time-sensitive issue, a request from an authority figure, or a fictitious emergency. The scenario must be believable. Use the information gathered from the previous phase to craft a compelling, plausible narrative.
Developing a pretext can involve:
- Creating fake websites: Websites can be used to perform technical attacks (e.g., host a watering hole attack) or to add credibility to your story (e.g., a website for a fictitious charity you represent).
- Creating fake personas: To make your story believable, you may need to create fake online personas (e.g., social media profiles, email addresses, etc.) or print off fake access badges and name cards to appear legitimate.
- Crafting phishing emails and messages: Most social engineering campaigns will involve phishing. To get a user to click a link, provide you with sensitive information, or download a file, you need to include a compelling pretext in the emails or other messages you send to a target.
- Scripting phone calls and in-person interactions: To reliably manipulate a target, you must create a script to follow when interacting with them. This is similar to how a salesperson will follow a script when trying to sell you a product.
- Create a believable pretext for your social engineering campaign using the information you gathered.
- Develop specific pretexts for your chosen social engineering tactics (e.g., phishing emails/messages, phone calls, and in-person interactions).
Pretext development could be crafting a webpage with company branding that requires employees to log in with their username and password to access mandatory company training.
Armed with a believable pretext, you can now execute your chosen social engineering tactics be it phishing emails, phone calls, or in-person interactions. This is where your skill as a social engineer is tested.
You must be convincing and charismatic to deliver the pretext you created in the previous phase effectively. You must monitor the responses of your targets and adapt to the evolving situation to ensure you get the required information or have the target perform the required action. Finally, you must thoroughly document all your interactions and responses so you can later provide the client with meaningful information about how they can better protect themselves.
- Effectively perform your chosen social engineering tactics.
- Adapt to evolving situations to fulfill required objectives.
- Document all interactions to produce a meaningful report.
Execution would be sending an email to all the new hires asking them to log in with the company credentials to the fake company training website you created and stealing their credentials.
Once you have executed your chosen social engineering tactics and the target has fulfilled your required objectives (e.g., supplying sensitive information or performing an action), you can begin the exploitation phase.
This phase uses the information provided or action performed to gain unauthorized access to the target’s systems. For example, if you managed to get an employee to divulge their login credentials, you could use these to log in to systems remotely. Whereas, if you convinced an employee to download a phishing document to their system and execute it, you can use the malware you installed to control their system from your C2 server.
Once you gain access, you can try to identify vulnerabilities and weak security controls within the organization’s internal network to compromise other systems. This may involve performing further social engineering attacks, such as impersonating an employee to send more credible internal phishing emails to higher-level executives. This will increase the likelihood of successfully social engineering a higher-level target and gaining more privileged access.
How you exploit a target’s systems will depend on the information you gain. A social engineering penetration test will often follow a cyclical process where you begin by gathering information, develop a pretext, execute a social engineering tactic, and exploit the information you gained. This provides new access or information you use to start the process again to gain higher privileged access.
- Exploit the information or access you gained from social engineering.
- Look for vulnerabilities or weak security controls you can exploit.
- Restart the process to gain higher privileged access.
Exploitation would be using the stolen credentials to remotely log in as a company employee to access their emails and other confidential information. You could then use this access and information to create further pretexts and target higher-ranking employees or executives.
Analysis and Reporting
When you meet the objective of your social engineering penetration test or time expires, you need to analyze what social engineering tactics were effective and report these findings to the client. This is the most important phase during your engagement as it provides the client with actionable information that will improve their organization's security posture, the ultimate goal of any penetration test.
To ensure this phase is successful, you must continually document the entire process, from planning to exploitation. This documentation ensures you can highlight all the vulnerabilities you found throughout the engagement, detail the successful social engineering tactics, and provide actionable recommendations to mitigate these attacks.
- Provide the client with a detailed report on all testing activity and the found vulnerabilities.
- Deliver actionable recommendations to mitigate future attacks.
Social engineering is the art of manipulating individuals to do your bidding through influence and persuasion. Using a five-phase process, a social engineering penetration test assesses an organization’s ability to defend against social engineering attacks.
In this article, you have learned about social engineering tactics, the tools you can use, and the phases you must complete to perform a comprehensive social engineering penetration test. However, it is important also to consider the ethical implications of social engineering and the legal boundaries of this testing.
To ensure you conduct your social engineering penetration tests ethically and legally, here are several guidelines to follow:
- Ensure you follow an ethical framework agreed upon by you, your team, and the client organization. This may include defining topics deemed off-limits (e.g., COVID-19) and liaising with a client representative when developing your pretext.
- Obtain the proper authorization before conducting tests. This authorization usually comes from the client; however, you may need third-party authorization from contractors or suppliers, depending on the scope of the test.
- Respect the human beings you are targeting. You are not trying to humiliate someone, get them fired, or cause them undue distress. They should feel positive about the experience and see it as a learning opportunity.
- Stick within the legal boundaries of the jurisdiction where you are testing. Legality can change between states and countries, so ensure you know the law for where you are operating and follow it.
- Conduct your test in a controlled environment that ensures appropriate protections are in place for client data.
To learn more about social engineering and how you can master these skills, try out one of the courses below.