April 13th, 2012
Social Engineering for Penetration Testers – Day 5
As the final day of the historic, groundbreaking course, Social Engineering for Penetration Testers, was upon us, the mood in the class was much different. What seemed like the final showdown in Fear Factor to a lot of the students was now looking like a morning jog. We watched with great happiness as the students shared their experiences from the evening before. We were pleased to see every team had accomplished their goals! What an amazing difference four days made! The last four days were a hardcore look at social psychology. After the students received the information and skills necessary to be a professional social engineer, it was time to put that skill to use. Day Five was all about the sexy side of social engineering.
After debrief we jumped right into Neuro Linguistic Hacking or NLH. NLH is a new area of research by Chris Hadnagy that combines some of the key aspects of Neuro Linguistic Programming (NLP) with nonverbal communication. We learned how, as social engineers, we can use language of the body, mouth, and mind to consistently achieve, modify, and alter the desired outcomes of a situation involving our target. We finished this section with a few group exercises illustrating how NLH can be used in your social engineering engagement.
Next we looked at attack vectors. Using the information we gathered over the last four days, we began to develop real-world attack vectors. Once developed, we discussed what it takes to execute your vector. We ran mock scenarios and discussed phone attacks as well as phishing attacks.
Since phishing is still an excellent way to gain access to remote systems, we spent quite a bit of time on this area. Using everything we had previously learned about individuals, communication, and personality types, we, as a class, developed and fine-tuned a few different phishing scenarios. As a class we came up with the optimal types of emails to send out while phishing. Validation came a few weeks after class ended when we were contacted by a student who, while using the exact phishing email developed in class, achieved a 100% click rate on his latest phishing penetration test. This is a rate higher than he has ever achieved previously and he attributed the success solely to the quality of the phishing message we constructed as a class.
As the class was drawing to a close, information about the certification was given out and explained. We can’t go into much detail here in this blog about the cert, but we can say it will challenge even the most seasoned social engineer. The certification is a 48-hour challenge where real companies must be infiltrated. The certification is not for the faint of heart and we recommend each student study diligently for a few weeks before even attempting the certification. To date, only one individual has passed the certification.
History is being made. Will you be a part of it?