conducting-social-engineering-penetration-test

# Conducting Social Engineering Penetration Test ## Overview Social engineering penetration testing assesses an organization's human attack surface through controlled simulation of real-world deception techniques. According to Verizon DBIR 2024, the human element is involved in approximately 68% of all breaches, with phishing remaining the dominant initial access vector. This skill covers phishing, vishing (voice phishing), smishing (SMS phishing), and physical pretexting campaigns using tools like GoPhish, the Social Engineer Toolkit (SET), and Evilginx. ## When to Use - When conducting security assessments that involve conducting social engineering penetration test - When following incident response procedures for related security events - When performing scheduled security testing or auditing activities - When validating security controls through hands-on testing ## Prerequisites - Written authorization from senior management (CISO/CTO) - Legal review confirming compliance with local laws (CFAA, GDPR, etc.) - Defined scope: target employee groups, attack types, exclusions - GoPhish server, domain for phishing infrastructure, VPS - OSINT tools: Maltego, theHarvester, LinkedIn scraping tools - Coordination with HR and Legal for employee notification post-test ## Phase 1 — OSINT and Target Profiling ### Employee Reconnaissance ```bash # Email harvesting theHarvester -d targetcorp.com -b all -l 500 -f harvester_results # LinkedIn OSINT (manual + tools) # Gather: nam...