book

Practical Social Engineering

Name: Practical Social Engineering
Author: Joe Gray
ISBN: 9781718500983

by Joe Gray

June 2022

Intermediate to advanced

430 pages

5h 46m

English

No Starch Press

Read now

Unlock full access

Title Page
Copyright
Dedication
About the Author
Acknowledgments
Introduction
Who This Book Is ForWhat You’ll Find in This BookSummary
Part I: The Basics
Chapter 1: What Is Social Engineering?
Important Concepts in Social EngineeringPretextingOpen Source Intelligence PhishingSpear PhishingWhalingVishingBaitingDumpster DivingPsychological Concepts in Social EngineeringInfluenceManipulationRapportDr. Cialdini’s Six Principles of PersuasionSympathy vs. EmpathyConclusion
Chapter 2: Ethical Considerations in Social Engineering
Ethical Social EngineeringEstablishing BoundariesUnderstanding Legal ConsiderationsUnderstanding Service ConsiderationsDebriefing After the EngagementCase Study: Social Engineering Taken Too FarEthical OSINT Collection Protecting DataFollowing Laws and RegulationsCase Study: Ethical Limits of Social EngineeringConclusion
Part II: Offensive Social Engineering

Chapter 3: Preparing for an Attack
Coordinating with the ClientScopingDefining ObjectivesDefining MethodsBuilding Successful PretextsUsing Specialized Operating Systems for Social EngineeringFollowing the Attack PhasesCase Study: Why Scoping MattersConclusion
Chapter 4: Gathering Business OSINT
Case Study: Why OSINT MattersUnderstanding Types of OSINTBusiness OSINTGetting Basic Business Information from CrunchbaseIdentifying Website Owners with WHOISCollecting OSINT from the Command Line with Recon-ngUsing Other Tools: theHarvester and OSINT FrameworkFinding Email Addresses with HunterExploiting Mapping and Geolocation ToolsConclusion
Chapter 5: Social Media and Public Documents
Analyzing Social Media for OSINTLinkedInJob Boards and Career SitesFacebookInstagramLeveraging Shodan for OSINTUsing Shodan Search ParametersSearching IP Addresses Searching Domain Names Searching Hostnames and Subdomains Taking Automatic Screenshots with HunchlyPilfering SEC FormsConclusion
Chapter 6: Gathering OSINT About People
Using OSINT Tools for Analyzing Email AddressesFinding Out If a User Has Been Breached with Have I Been Pwned Enumerating Social Media Accounts with SherlockEnumerating Website Accounts with WhatsMyNameAnalyzing Passwords with PwdlogyAnalyzing a Target’s ImagesManually Analyzing EXIF DataAnalyzing Images by Using ExifToolAnalyzing Social Media Without ToolsLinkedInInstagramFacebookTwitterCase Study: The Dinner That Gave All the Gold AwayConclusion
Chapter 7: Phishing
Setting Up a Phishing AttackSetting Up a Secure VPS Instance for Phishing Landing PagesChoosing an Email Platform Purchasing Sending and Landing Page DomainsSetting Up the Phishing and Infrastructure Web ServerAdditional Steps for PhishingUsing Tracking Pixels to Measure How Often Your Email Is OpenedAutomating Phishing with GophishAdding HTTPS Support for Phishing Landing PagesUsing URL Shorteners in PhishingUsing SpoofCard for Call Spoofing Timing and Delivery ConsiderationsCase Study: The $25 Advanced Persistent PhishConclusion
Chapter 8: Cloning a Landing Page
An Example of a Cloned WebsiteThe Login PageThe Sensitive Questions PageThe Error PageHarvesting the InformationCloning a WebsiteFinding the Login and User Pages Cloning the Pages by Using HTTrackAltering the Login Field CodeAdding the Web Pages to the Apache ServerConclusion
Chapter 9: Detection, Measurement, and Reporting
DetectionMeasurementSelection of MetricsRatios, Medians, Means, and Standard DeviationsThe Number of Times an Email Is OpenedThe Number of ClicksInformation Input into FormsActions Taken by the VictimDetection TimeThe Timeliness of Corrective ActionsThe Success of Corrective ActionsRisk RatingsReportingKnowing When to Make a Phone CallWriting the ReportConclusion
Part III: Defending Against Social Engineering
Chapter 10: Proactive Defense Techniques
Awareness ProgramsHow and When to TrainNonpunitive PoliciesIncentives for Good BehaviorRunning Phishing CampaignsReputation and OSINT MonitoringImplementing a Monitoring ProgramOutsourcingIncident ResponseThe SANS Incident Response ProcessResponding to PhishingResponding to VishingResponding to OSINT CollectionHandling Media AttentionHow Users Should Report IncidentsTechnical Controls and ContainmentConclusion
Chapter 11: Technical Email Controls
Standards“From” FieldsDomain Keys Identified MailSender Policy FrameworkDomain-Based Message Authentication, Reporting, and ConformanceOpportunistic TLS MTA-STSTLS-RPTEmail Filtering TechnologiesOther ProtectionsConclusion
Chapter 12: Producing Threat Intelligence
Using Alien Labs OTXAnalyzing a Phishing Email in OTXCreating a PulseAnalyzing the Email SourceInputting IndicatorsTesting a Potentially Malicious Domain in BurpAnalyzing Downloadable FilesConducting OSINT for Threat IntelligenceSearching VirusTotalIdentifying Malicious Sites on WHOISDiscovering Phishes with PhishTankBrowsing ThreatCrowdConsolidating Information in ThreatMinerConclusion
Appendix A: Scoping Worksheet
Appendix B: Reporting Template
Appendix C: Information-Gathering Worksheet
Appendix D: Pretexting Sample
Confused EmployeeIT InventoryTransparency Survey
Appendix E: Exercises to Improve Your Social Engineering
Help a Random Stranger and Then Prompt for “Flags”ImprovStandup ComedyPublic Speaking/ToastmastersDo OSINT Operations on Family and FriendsCompete in Social Engineering and OSINT CTFs
Index

Content preview from Practical Social Engineering

2 Ethical Considerations in Social Engineering

Unlike network and web application penetration testing, the impact of social engineering can extend beyond the confines of a laptop or server. When you’re interacting with real people, you have to take special precautions to avoid hurting them.

You must also make sure you abide by the laws in your area, as well as the location of any potential people or businesses you’ll be targeting. While there may not be a legal precedent that directs you to collect OSINT in a specific way—or restricts you from collecting OSINT at all—some laws, like the European Union (EU) General Data Protection Regulation ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098130213

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Practical Social Engineering

by Joe Gray

2 Ethical Considerations in Social Engineering

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.