Conducting Social Engineering Penetration Test

Overview

Social engineering penetration testing assesses an organization's human attack surface through controlled simulation of real-world deception techniques. According to Verizon DBIR 2024, the human element is involved in approximately 68% of all breaches, with phishing remaining the dominant initial access vector. This skill covers phishing, vishing (voice phishing), smishing (SMS phishing), and physical pretexting campaigns using tools like GoPhish, the Social Engineer Toolkit (SET), and Evilginx.

When to Use

• When conducting security assessments that involve conducting social engineering penetration test
• When following incident response procedures for related security events
• When performing scheduled security testing or auditing activities
• When validating security controls through hands-on testing

Prerequisites

• Written authorization from senior management (CISO/CTO)
• Legal review confirming compliance with local laws (CFAA, GDPR, etc.)
• Defined scope: target employee groups, attack types, exclusions
• GoPhish server, domain for phishing infrastructure, VPS
• OSINT tools: Maltego, theHarvester, LinkedIn scraping tools
• Coordination with HR and Legal for employee notification post-test

Phase 1 — OSINT and Target Profiling

Employee Reconnaissance

# Email harvesting
theHarvester -d targetcorp.com -b all -l 500 -f harvester_results

# LinkedIn OSINT (manual + tools)
# Gather: names, roles, departments, email format
# Identify: new hires, IT admins, finance team, executives

# Email format discovery
# Check: first.last@, flast@, firstl@
# Verify with: hunter.io, phonebook.cz, email-checker.net

# Social media OSINT
# Twitter/X: employees posting about work tools/frustrations
# Facebook: corporate event photos, office layout
# GitHub: employee repos with corporate email addresses

# Domain intelligence
dig targetcorp.com MX +short
dig targetcorp.com TXT +short
# Check for SPF, DKIM, DMARC records
# Weak DMARC = easier email spoofing

# Check breach databases (authorized)
# HaveIBeenPwned API for corporate emails
# Identify employees with compromised credentials

Target Selection Matrix

Phase 2 — Phishing Campaign

Infrastructure Setup

# Register lookalike domain
# targetcorp.com -> targetc0rp.com, targetcorp-secure.com, targetcorp.net

# Set up GoPhish server
sudo apt install gophish
# Edit config.json for admin and phishing server ports
gophish

# Configure sending profile in GoPhish
# SMTP server: mail.attackdomain.com
# From: [email protected]
# Headers: proper DKIM/SPF for attack domain

# Create landing page (credential harvesting)
# Clone legitimate login page (Office 365, Okta, etc.)
# GoPhish: Import Site -> https://login.microsoftonline.com
# Enable: Capture Credentials, Capture Passwords
# Redirect to real site after capture

# Set up Evilginx for MFA bypass (authorized testing only)
evilginx2
: config domain attackdomain.com
: config ipv4 <server_ip>
: phishlets hostname o365 login.targetcorp-secure.com
: phishlets enable o365
: lures create o365
: lures get-url 0

GoPhish Campaign Configuration

{
  "campaign": {
    "name": "IT Security Update - Q1 2025",
    "template": {
      "name": "Mandatory Security Training",
      "subject": "Action Required: Complete Security Awareness Training by Friday",
      "html": "<html>...[branded email with urgency]...</html>",
      "from": "IT Security Team <[email protected]>"
    },
    "landing_page": "Office 365 Login Clone",
    "sending_profile": "Phishing SMTP",
    "groups": ["All Employees - Batch 1"],
    "launch_date": "2025-03-10T09:00:00Z",
    "send_by_date": "2025-03-10T12:00:00Z"
  }
}

Phishing Email Templates by Pretext

Template 1 — IT Security Update:

Subject: [Action Required] Mandatory Password Reset - Security Incident
From: IT Security <[email protected]>

Dear {FirstName},

Our security team has detected unauthorized access attempts on our systems.
As a precautionary measure, all employees must reset their passwords immediately.

Please click below to reset your password within the next 24 hours:

[Reset Password Now] -> {phishing_url}

Failure to comply may result in temporary account suspension.

Thank you,
IT Security Team

Template 2 — Finance Invoice:

Subject: Invoice #INV-2025-4821 - Approval Required
From: Accounts Payable <[email protected]>

Hi {FirstName},

Please review and approve the attached invoice from our vendor.
Amount: $47,250.00 | Due: March 15, 2025

[View Invoice] -> {phishing_url}

Best regards,
Accounts Payable

Phase 3 — Vishing Campaign

Call Script Template

Pretext: IT Help Desk calling about suspicious login

Caller: "Hi, this is [Name] from the IT Help Desk. Am I speaking with [Target Name]?"

[Wait for confirmation]

Caller: "We've detected some unusual login activity on your account from an
unrecognized location. For your protection, I need to verify your identity
before we can investigate further."

Caller: "Can you confirm your employee ID and the email address associated
with your account?"

[Record responses]

Caller: "Thank you. I'm going to send you a verification link to confirm
it's really you. Can you click on it and enter your credentials so we can
secure your account?"

[Send phishing link via email/SMS during call]

Caller: "Great, I can see you've been verified. Your account is now secured.
If you notice any further issues, please call the help desk at [real number]."

Vishing Metrics to Track

Phase 4 — Physical Social Engineering

Physical Pretexting Scenarios

Scenario 1: Delivery Person
- Arrive with package labeled for executive
- Request access to deliver personally
- Attempt to tailgate through secure doors
- Drop USB drives in common areas

Scenario 2: IT Vendor
- Arrive with vendor badge (printed)
- Claim scheduled maintenance on network closet
- Attempt to access server rooms
- Install rogue wireless AP if access gained

Scenario 3: New Employee
- Arrive claiming first day orientation
- Request temporary badge
- Attempt to access restricted areas
- Photograph sensitive screens/documents

Evidence Collection:
- Body camera (if legally permitted and authorized)
- Photographs of accessed areas
- WiFi probe from rogue AP
- Notes on which doors/checkpoints bypassed

Phase 5 — Metrics and Analysis

Campaign Results Dashboard

Phishing Campaign Results:
├── Emails Sent: 200
├── Emails Delivered: 195 (97.5%)
├── Emails Opened: 142 (72.8%)
├── Links Clicked: 68 (34.9%)
├── Credentials Submitted: 31 (15.9%)
├── MFA Bypassed: 8 (4.1%)  [Evilginx]
├── Reported to SOC: 12 (6.2%)
└── No Action: 53 (27.2%)

Vishing Campaign Results:
├── Calls Made: 23
├── Calls Answered: 18 (78.3%)
├── Engaged in Conversation: 15 (65.2%)
├── Information Disclosed: 9 (39.1%)
├── Credentials Provided: 4 (17.4%)
└── Reported to Security: 2 (8.7%)

Physical Assessment:
├── Tailgating Successful: 3/5 attempts
├── USB Drives Plugged In: 2/10 dropped
├── Restricted Areas Accessed: 2/4 attempted
└── Challenged by Employee: 1 time

Risk Scoring

Phase 6 — Reporting and Recommendations

Remediation Priorities

Tools Reference

References

• GoPhish: https://getgophish.com/
• Evilginx2: https://github.com/kgretzky/evilginx2
• Social Engineer Toolkit: https://github.com/trustedsec/social-engineer-toolkit
• Verizon DBIR: https://www.verizon.com/business/resources/reports/dbir/
• NIST SP 800-61: Computer Security Incident Handling Guide