Social Engineering


Guides and Reference

General Tools
  • Social-Engineer Toolkit (SET) - An open-source penetration testing framework designed for social engineering. SET ships a number of custom attack vectors that let you build a believable attack quickly.
  • BeeLogger - Generates Windows keyloggers that exfiltrate the captured keystrokes by e-mail through Gmail.
  • evilgrade - A modular framework that takes advantage of poor software-update implementations by injecting fake updates.

Attack Vectors
  • Phishing - “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.” (Hadnagy, Fincher. Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails. Wiley, 2015)
  • SMiShing - “the act of using mobile phone text messages, SMS (Short Message Service), to lure victims into immediate action. This action may include downloading mobile malware, visiting a malicious website, or calling a fraudulent phone number.”
  • Vishing - “practice of eliciting information or attempting to influence action via the telephone.”
  • Impersonation - “practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.”

Attack Phases
  • OSINT - Research performed on the target using open-source intelligence tools. This phase does not interact with the target in any way.
    • Christopher Hadnagy, Social Engineering, p. 17
  • Pretext Development - The attacker develops the reason (pretext) for the initial interaction.
  • Attack Plan - Planning the who, what, when, where, why and how of the attack.
  • Attack Launch - Executing the plan against the target.
  • Reporting - Full details of the attack. This is crucial for the client to understand everything that was done and what they need to improve in their defenses.


Guides and Methodology
Persona Creation
User Tracking
  • squarephish - SquarePhish is an advanced phishing tool that combines the OAuth device code authorization flow with QR codes.
  • PhishInSuits - OAuth Device Code Phishing with Verified Apps
  • Muraena - Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.
    • NecroBrowser - NecroBrowser is a browser instrumentation microservice written in Node.js: it uses the Puppeteer library to control instances of Chrome or Firefox in headless and GUI mode.
  • catphish - Generates look-alike domains for phishing attacks and checks expired domains and their categorization status to evade proxy categorization; already-categorized (whitelisted) domains also suit C2 servers in red team engagements.
  • king-phisher - Advanced Phishing Campaign toolkit
  • evilginx2 - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing the bypass of two-factor authentication.
  • FiercePhish - FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more.
  • CredSniper - CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens.
  • TigerShark - Bilingual phishing kit. TigerShark integrates a wide array of phishing tools and frameworks, including C2 servers, backdoors and delivery methods in multiple scripting languages, to suit whatever your deployment needs may be.
  • Zphisher - An automated phishing tool with 30+ templates.
  • SharpPhish - Uses Outlook COM objects to create convincing phishing emails without the user noticing. This project is intended for internal phishing.
  • SocialFish - Educational Phishing Tool & Information Collector
  • shellphish - Phishing tool for Instagram, Facebook, Twitter, Snapchat and GitHub.
  • saycheese - Takes webcam shots from a target who opens a malicious link.


Guides and Resources
  • General
    • Rename .docm files to .doc; Word identifies the format from the file contents, and a .doc extension draws less attention than a macro-enabled one.
    • Give the end user a compelling reason to enable macros.
    • Tailor the attack to the client. Send a mass email first and use an out-of-office (OOTO) auto-reply as a template for the internal email style (signature block, formatting, naming conventions).
  • Embedded macros in Microsoft Office documents
    • Run the test file against VirusTotal to check how easily it is detected (anything uploaded is shared with the AV vendors, so treat the test document as burned).
    • Review the “Tags” section for offending tags that trigger signature matches.
    • Often AV will only scan the main body of the code and NOT the declaration section.
      • Import the flagged Win32 function under a different name with Declare ... Alias to get around this; the real export name then appears only in the declaration.
    • Avoid obvious use of shellcode (large byte arrays or hex/decimal blobs).
    • Functions that will almost certainly get flagged: VirtualAlloc, RtlMoveMemory, Shell, URLDownloadToFile and CreateThread.
    • Automatic execution in macros
      • Three different entry points depending on the format: Word (AutoOpen / Document_Open), Excel worksheet (Worksheet_ events) and Excel workbook (Auto_Open / Workbook_Open).
      • Generated payloads often enable all three at once.
      • Reduce to one, or to none if you trigger the macro some other way, to lower the chance of detection.
    • Using a VBA/VBS dual stager
      • VBA runs only inside Office and under its macro policy, whereas VBS is executed by the Windows Script Host (wscript/cscript) for general scripting tasks, so it is given more freedom of execution.
      • Deploy a VBA macro that carries the VBS code, writes it out and launches it.
      • Keep the two stages as separate scripts, one VBA and one VBS.
  • Code obfuscation
    • Encode the payload (Base64, XOR or similar) and decode it at run time so the cleartext never appears in the stored macro; bear in mind that the decode loop itself becomes a signature if it is reused unchanged.
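The checks the two lists above describe (how many auto-exec entry points a macro carries, whether a flagged API is only hidden behind a Declare ... Alias, and whether a Base64 or XOR run-time decode is present) can be run locally before anything goes to VirusTotal, and the same logic is what a defender's triage script does. The following is an added example written for this page; it is not code from any tool listed here. It scans extracted VBA source text (the sample macro is constructed inline for the example), the flagged API list is the one given above, and the Alias-resolution step shows why a body-only scan reports nothing while the declaration-aware scan reports two hits. Multi-line Declare statements continued with ` _` are not handled.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# Entry points Office runs without user interaction, grouped by document type.
AUTO_EXEC = [
    "AutoOpen", "AutoExec", "AutoClose", "Document_Open", "Document_Close",  # Word
    "Auto_Open", "Auto_Close", "Workbook_Open", "Workbook_Activate",          # Excel workbook
    "Worksheet_Activate", "Worksheet_Change",                                # Excel worksheet
]
# API names the list above says are almost always flagged.
FLAGGED_APIS = ["VirtualAlloc", "RtlMoveMemory", "Shell", "URLDownloadToFile", "CreateThread"]

DECLARE_RE = re.compile(
    r'\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.IGNORECASE)
B64_RE = re.compile(r'"([A-Za-z0-9+/]{24,}={0,2})"')  # long quoted Base64-looking literal


@dataclass
class Triage:
    auto_exec: list[str] = field(default_factory=list)
    declares: dict[str, str] = field(default_factory=dict)      # local name -> real export
    flagged_direct: list[str] = field(default_factory=list)     # real API name used in body
    flagged_via_alias: list[str] = field(default_factory=list)  # "local -> real"
    base64_blobs: int = 0
    xor_decode_loop: bool = False


def triage(vba: str) -> Triage:
    r = Triage()
    lines = vba.splitlines()
    for ln in lines:  # declaration section: single-line Declare statements only
        m = DECLARE_RE.search(ln)
        if m:
            local, _lib, alias = m.groups()
            r.declares[local] = alias or local
    body = "\n".join(ln for ln in lines if not DECLARE_RE.search(ln))

    for name in AUTO_EXEC:
        if re.search(rf"\b(?:Sub|Function)\s+{name}\b", body, re.IGNORECASE):
            r.auto_exec.append(name)

    flagged = {a.lower() for a in FLAGGED_APIS}
    for api in FLAGGED_APIS:  # a body-only scanner stops here ...
        if re.search(rf"\b{api}\b", body, re.IGNORECASE):
            r.flagged_direct.append(api)
    for local, real in r.declares.items():  # ... and misses aliased imports
        if real.lower() in flagged and re.search(rf"\b{re.escape(local)}\b", body):
            r.flagged_via_alias.append(f"{local} -> {real}")

    for m in B64_RE.finditer(body):
        try:
            base64.b64decode(m.group(1), validate=True)
            r.base64_blobs += 1
        except ValueError:
            pass  # looked like Base64 but is not decodable
    r.xor_decode_loop = bool(re.search(r"\bXor\b", body, re.IGNORECASE)
                             and re.search(r"\bChr\w*\s*\(", body, re.IGNORECASE))
    return r


def summary(r: Triage) -> list[str]:
    out = []
    if len(r.auto_exec) > 1:
        out.append(f"{len(r.auto_exec)} auto-exec entry points ({', '.join(r.auto_exec)}); reduce to one")
    for hit in r.flagged_direct:
        out.append(f"flagged API used by real name in body: {hit}")
    for hit in r.flagged_via_alias:
        out.append(f"flagged API hidden behind Alias: {hit} (body-only scanners miss this)")
    if r.base64_blobs:
        out.append(f"{r.base64_blobs} Base64-decodable string literal(s)")
    if r.xor_decode_loop:
        out.append("Xor + Chr() pattern: run-time decode loop")
    return out


# Constructed sample macro for this example: two aliased imports, two triggers, an encoded blob.
ENCODED = base64.b64encode(b'Shell "cmd.exe", vbHide').decode()
SAMPLE_MACRO = f'''
Private Declare PtrSafe Function MemReserve Lib "kernel32" Alias "VirtualAlloc" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function MoveBytes Lib "kernel32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByRef Source As Any, ByVal Length As Long) As LongPtr

Sub AutoOpen()
    Document_Open
End Sub

Sub Document_Open()
    Dim blob As String, out As String, i As Long, p As LongPtr
    blob = "{ENCODED}"
    For i = 1 To Len(blob)
        out = out & Chr(Asc(Mid(blob, i, 1)) Xor 7)
    Next i
    p = MemReserve(0, &H1000, &H3000, &H40)
    MoveBytes p, out, Len(out)
End Sub
'''

if __name__ == "__main__":
    for line in summary(triage(SAMPLE_MACRO)):
        print(line)
```

Feed it the VBA source you extract from the document (for example with olevba) rather than the .docm itself; on the sample it reports two auto-exec triggers, both aliased imports, one Base64 literal and the XOR/Chr() loop, while the direct-name check comes back empty, which is exactly the gap the Alias trick relies on.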