3 tips for using the Social Engineering Toolkit

Joan Goodchild | April 27, 2012
Two years ago, Dave Kennedy, a penetration tester, social engineering expert and contributor to the website social-engineer.com, wanted to create a tool for pen testers to simulate social engineering attacks.

With this in mind, he built the first social-engineering toolkit, a free download on the site's companion educational resource, social-engineer.org. The attacks built into the toolkit are designed to be targeted, focused attacks against a person or organization during a penetration test.

Kennedy, now CSO at security systems vendor Diebold, says the popularity of the toolkit has been remarkable. It is considered by many to be the standard for companies using social-engineering-based attacks as part of their pen testing. The SET, which is added to and updated frequently, is downloaded approximately one million times after each new release, according to Kennedy.

Kennedy spoke with CSO about his advice for maximizing results when using the social engineering toolkit.

Do your research and prep work

"As simulated adversaries for companies, as pen testers, we always want to run the latest and greatest and sexiest software exploits out there. But now when I do a pen test, I don't even run exploits anymore. The techniques that are built within the social engineering toolkit don't leverage exploits. They utilize legitimate ways that Java works, legitimate ways that email works, to attack a victim," said Kennedy.

But the onus is on you, said Kennedy, to first research the company you are pen testing in order to have the best chance of success. "Focus on learning the company you're going after for the pen test and building the attack off of that. We like to look at how the company does business, their subsidiaries, and the path of least resistance. A lot of times, browsing through the company website, looking through LinkedIn are valuable ways to understand the company and its structure. We'll also pull down PDFs, Word documents, Excel spreadsheets and others from the website and extract the metadata, which usually tells us which version of Adobe or Word they were using and the operating system that was used."

Chris Hadnagy, founder of social-engineer.com, agrees.

"Information gathering is the most important part of any engagement. I suggest spending over 50 percent of the time on information gathering," said Hadnagy. "Quality information and valid names, emails, phone numbers make the engagement have a higher chance of success. Sometimes during information gathering you can uncover serious security flaws without even having to test; testing then confirms them."
