3 tips for using the Social Engineering Toolkit

Dave Kennedy, author of social-engineer.org's social engineering toolkit offers advice for getting the most of using this pen testing program

By , Senior Editor

April 26, 2012CSO

Two years ago, Dave Kennedy, a penetration tester, social engineering expert and contributor to the website social-engineer.com, wanted to create a tool for pen testers to simulate social engineering attacks.

With this in mind, he built the first social-engineering toolkit, a free download on the sites companion, educational resource, social-engineer.org. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.


[Also read The Social Engineering Toolkit's evolution, goals]


Kennedy, now CSO at security systems vendor Diebold, says the popularity of the toolkit has been remarkable. It is considered by many to be the standard for companies using social-engineering-based attacks as part of their pen testing. The SET, which is added to and updated frequently, is downloaded approximately one million times after each new release, according to Kennedy.


[CSO's Ultimate Guide to Social Engineering]


Kennedy spoke with CSO about his advice for maximizing results when using the social engineering toolkit.

Learn more about social engineering tricks and tactics

Do your research and prep work
"As simulated adversaries for companies, as pen testers, we always to run the latest and greatest and sexiest software exploits out there. But now when I do a pen test, I don't even run exploits anymore. The techniques that are built within the social engineering toolkit dont leverage exploits. They utilize legitimate ways that Java works, legitimate ways that email works, to attack a victim," said Kennedy.

But the onus is on you, said Kennedy, to do the research into the company you are pen testing, first, in order to have the best chance for success. "Focus on learning the company you're going after for the pen test and building the attack off of that. We like to look at how the company does business, their subsidiaries, and the path of least resistance. A lot of times, browsing through the company website, looking through LinkedIn are valuable ways to understand the company and its structure. We'll also pull down PDF's, Word documents, Excel spread sheets and others from the website and extract the metadata which usually tells us which version of Adobe or Word they were using and operating system that was used."

Chris Hadnagy, founder of social-engineer.com, agrees.

"Information gathering is the most important part of any engagement. I suggest spending over 50 percent of the time on information gathering," said Hadnagy. "Quality information and valid names, emails, phone number makes the engagement have a higher chance of success. Sometimes during information gathering you can uncover serious security flaws without even having to test, testing then confirms them."


[Social engineering goes to the movies]

RESOURCE CENTER