Client-Side Attacks - Social Engineering

Many organizations tend to believe that having a single protection system on their network perimeter is enough to safeguard their assets. Having a single network firewall is simply a single-layer defense; there are many ways in which attacks can bypass the security systems and controls within a corporate network. One technique that is commonly used is to manipulate a person into doing something or revealing confidential information to the attacker. This is known as social engineering.

As a penetration tester, it's important to understand the essential concepts, techniques, and practical aspects of this topic as it will aid you in gaining user credentials, system and network access in a corporate network, and other sensitive details about an employee and the target network. During the course of this chapter, you will compare and contrast the different forms of social engineering attacks while using various tools and techniques to create a phishing website to gather victim credentials.

In this chapter, we will cover the following topics:

  • Social engineering basics
  • Types of social engineering
  • Defending against social engineering
  • Recon for social engineering (doxing)
  • Planning for each type of social engineering attack
  • Social engineering tools