| Title | Author | Created | Published | Tags |
| ----------------------------- | ---------------------------- | ------------ | ------------ | -------------------------------------------------- |
| Social Engineering Pentesting | Jon Marien | May 26, 2025 | May 26, 2025 | [[#classes\|#classes]], [[#INFO40587\|#INFO40587]] |
# Social Engineering Pentesting
## Testing Process
![[image-339.png]]
### Step 1: Test Planning and Scoping
- The pen tester needs to hold a meeting with the client organization's management and the pen testing team to define the scope of the pen test and decide how to perform it.
- The scoping document must contain all the techniques and methods to be used in the pen test.
- Test planning and scoping help you create a clear contract that is agreed upon and signed by all parties involved before the pen testing is undertaken.
![[image-340.png]]
#### Scoping Sample Template
![[image-341.png]]
![[image-342.png]]
![[image-344.png]]
![[image-343.png]]
### Step 2: Target Identification
- Based on the scoping document and pen testing contract, you need to identify the victim.
- Choose victims or groups of victims who can be easily tricked.
#### Common Targets
- Users/Clients.
- Receptionists/Help-desk personnel.
- Vendors of the organization.
- Technical support executives.
- System administrators.
- Disgruntled/mistreated employees.
- Employees who are less aware.
- Recently fired employees.
#### Gathering Information on Targets
- Search for names, phone numbers, designations, and other details of employees on the company’s website.
- Search through online platforms, phone, and email.
- Search using social networking sites.
- Search on job sites such as LinkedIn and Glassdoor.
### Step 3: Pentesting Attempts - Off-Site Testing
- Vishing (Voice Phishing)
- Phishing
- Spear Phishing
- Whaling
- Pharming
- Spimming
- Clone Phishing
- E-wallet Phishing
- Tabnabbing and Reverse Tabnabbing
- Consent Phishing
- Search Engine Phishing
- Impersonation (Deepfake Attack)
- Impersonation (Voice Cloning)
- Impersonation (Angler Phishing)
- Publishing Malicious Apps
- Repackaging Legitimate Apps
- Fake Security Applications
- SMiShing
- [QRLJacking](https://owasp.org/www-community/attacks/Qrljacking)
### Step 3: Pentesting Attempts - On-Site Testing
- Impersonation
- Eavesdropping
- Shoulder surfing
- Dumpster Diving
- Pretexting
- Piggybacking/Tailgating
- Baiting/Media Dropping
- Reverse Social Engineering
- Elicitation and Motivation Techniques
- Diversion Theft