By: B.J. Dinesh Kumar
October 2, 2020
Social Engineering Course Summary
Some people consider hacking to be purely a matter of technical skill or software. They are only partly right. Anyone can learn to manipulate individuals into handing over confidential information that helps an attacker with their task; this is called social engineering. Why is it useful? A saying often repeated on the internet puts it well: "it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is weak)." With that in mind, let's get into the review of the social engineering course.
The course is divided into four modules. Module 1 is an introduction to social engineering. Module 2 explains phishing and shows how to carry it out in a lab environment. Module 3 is a conclusion with a skills assessment test. The final module is the course assessment for this course, "Social Engineering."
In module 1, the first part of the introduction explains the three components of social engineering: elicitation, interrogation and pretexting. It also covers the different types of social engineering, such as phishing, spear phishing, whaling, pharming, hoaxing, shoulder surfing, baiting and tailgating. The second part explains how to protect against social engineering attacks, focusing on two kinds of control: behavioral and technical. Behavioral control boils down to "if you didn't request it, don't click on it." The basic behavioral controls are to validate links before clicking them (does the visible text match where the link actually goes?), validate the sender (does the From address and its domain match who the message claims to be from, and do replies go back to the same place?), and scan links or attachments before opening them. Technical controls include sandboxing, endpoint protection, application/execution controls, whitelisting (allowlisting) and compartmentalization, so that a user who does click is contained rather than compromised.
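The behavioral controls above (validate the sender, validate links) can also be automated as a first-pass triage of a suspicious email. The script below is an added example written for this summary, not course material; it uses only the Python standard library and runs over a constructed sample message whose hosts are placeholders (RFC 5737 documentation addresses and example domains). It flags the classic tells: a Reply-To on a different domain than From, a link whose visible text is a URL that does not match the real destination, an IP-literal host, a punycode (xn--) host that can render as a lookalike, and plain-HTTP links.

```python
"""Added example: automated sender and link validation for a raw email.
Not course material; standard library only."""
import email
import ipaddress
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample lure (no real hosts): 198.51.100.7 is an RFC 5737
# documentation address and the domains are placeholders.
SAMPLE_EMAIL = b"""From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk@example-support.co
To: user@example.com
Subject: Password expiry notice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Please
<a href="http://198.51.100.7/login">https://sso.example.com/login</a> now.</p>
<p>Or use <a href="http://xn--exmple-cua.com/reset">our reset portal</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Domain part of an address like 'Name <user@host>', lowercased."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(raw):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Validate the sender: a Reply-To on another domain means replies go
    # somewhere the displayed sender does not control.
    from_dom = _domain(str(msg.get("From", "")))
    reply_dom = _domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))

    # Validate links: compare what the user sees with where the link goes.
    body = msg.get_body(preferencelist=("html",))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        target = urlsplit(href)
        host = (target.hostname or "").lower()
        if target.scheme == "http":
            findings.append(("plain-http", href))
        if _is_ip(host):
            findings.append(("ip-literal-host", href))
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("punycode-host", href))
        shown = urlsplit(text) if text.startswith(("http://", "https://")) else None
        if shown and (shown.hostname or "").lower() != host:
            findings.append(("display-url-mismatch", f"{text} -> {href}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_EMAIL):
        print(f"{code:22} {detail}")
```

Run it as a script to see the six findings for the sample; a plain message with matching From/Reply-To and an HTTPS link whose text is not a URL produces none. The display-text check is the important one: the user reads "https://sso.example.com/login" but the browser would go to the IP address, which is exactly the mismatch the "validate links" control asks people to look for.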
In module 2, learners are introduced to the Social-Engineer Toolkit (SET), an open-source, Python-based toolkit for performing social engineering attacks. SET ships with Kali Linux. With it, they can carry out attacks such as email phishing and web-based attacks. The module's exercise teaches how to use SET; after completing it, they will be able to:
- Create a Malicious Payload
- Copy the File to the User's System
- Download the Payload
- Execute the Payload
- Collect Evidence of Compromise on User's System
- Conduct Social Engineering Using a Cloned Website
Lab 1 is a phishing lab in which learners create a phishing email, observe how a phishing email can give an outsider access, and draft a phishing awareness email. They use SET in Kali Linux to launch a mass email attack with a malicious PDF file as the attachment. The exercise shows how a malicious email can be used to gain access to a target system: the payload runs with the privileges of whichever user opens the attachment, so the same lure against an administrator hands over far more than it does against an ordinary user. Lab 2 uses social engineering to create a cloned website. A cloned website is a phishing site that resembles the original and steals the credentials entered into it; the tactic is also known as website spoofing. The task is to set up a spoofed or cloned Twitter login page and capture user credentials using SET.
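The cloned Twitter page in Lab 2 looks right but is served from the attacker's host, and its login form posts the credentials back to that host rather than to the real site. The script below is an added example for this summary, not SET's code or course material: it inspects a login page the way a careful user or awareness trainer should before typing a password. The HTML is a constructed stand-in for a cloned login form (not a real Twitter page), and the assumption that a cloning kit rewrites the form action to post back to its own host is a general description of how such kits capture credentials, not a claim about SET internals. It resolves the form action against the page URL as a browser would and compares the address bar, the page title and the posting host with the brand the page claims to be.

```python
"""Added example: audit a login page for signs that it is a clone.
Not course or SET code; standard library only."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed copy of a login form as a cloning kit might serve it from the
# attacker's host (203.0.113.5 is an RFC 5737 documentation address). The
# action posting back to "/" sends credentials to whoever serves this page.
CLONED_PAGE_URL = "http://203.0.113.5/"
CLONED_PAGE_HTML = """<html><head><title>Log in to Twitter / Twitter</title></head>
<body>
<form action="/" method="post">
  <input type="text" name="session[username_or_email]">
  <input type="password" name="session[password]">
  <input type="submit" value="Log in">
</form>
</body></html>
"""


class _FormCollector(HTMLParser):
    """Collect <title> text and, for each <form>, its action and input types."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.forms = []  # each: {"action": str, "inputs": [input types]}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _on_host(host, expected):
    return host == expected or host.endswith("." + expected)


def audit_login_page(page_url, html, expected_host):
    """Return (code, detail) findings for a page claiming to be expected_host."""
    page = urlsplit(page_url)
    page_host = (page.hostname or "").lower()
    brand = expected_host.split(".")[0]  # e.g. 'twitter'
    findings = []

    parser = _FormCollector()
    parser.feed(html)

    # The address bar is the ground truth: a page not on the brand's own host
    # is not the brand's page, whatever it looks like.
    if not _on_host(page_host, expected_host):
        findings.append(("host-mismatch", f"{page_host} != {expected_host}"))
        if brand in parser.title.lower():
            findings.append(("brand-in-title", parser.title.strip()))
        if _is_ip(page_host):
            findings.append(("ip-literal-host", page_host))
    if page.scheme != "https":
        findings.append(("plain-http", page_url))

    # Where does the password actually go? Resolve the form action against the
    # page URL exactly as the browser would, then compare hosts.
    for form in parser.forms:
        if "password" not in form["inputs"]:
            continue
        action = urljoin(page_url, form["action"] or page_url)
        act_host = (urlsplit(action).hostname or "").lower()
        if not _on_host(act_host, expected_host):
            findings.append(("password-posts-offsite", action))
    return findings


if __name__ == "__main__":
    for code, detail in audit_login_page(CLONED_PAGE_URL, CLONED_PAGE_HTML, "twitter.com"):
        print(f"{code:24} {detail}")
```

The same HTML served from https://twitter.com/login produces no findings, which is the point: the markup of a good clone is indistinguishable from the original, and only the host in the address bar and the host the form posts to give it away. A lookalike name such as twitter-login.example still trips the host and posting-host checks even over HTTPS.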
Module 3 wraps up what the previous modules covered and suggests follow-on courses for those interested in penetration testing, such as Penetration Testing and Ethical Hacking, Phishing, Advanced Penetration Testing, and Offensive Penetration Testing. Finally, learners are given a social engineering skills assessment, a short test of the skills learned in this course. Module 4 is the course review, which is likewise a skills assessment that can be taken to test one's knowledge. By the end, learners will understand the different types of social engineering attacks, the behavioral and technical controls that can be used to prevent them, and how to communicate basic security awareness to others. Overall, this course provides a strong foundation on the topic of social engineering.