# Social Engineering

## Phishing

### Email Phishing

#### Infrastructure Setup

```bash
# Domain setup
# 1. Purchase lookalike domain (typosquatting)
# 2. Configure SPF, DKIM, DMARC
# 3. Set up mail server (postfix, gophish)

# SPF record example
v=spf1 include:_spf.google.com ~all

# DKIM setup
# Generate keys and add TXT record

# Check domain reputation
# https://mxtoolbox.com/
# https://www.mail-tester.com/
```
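A check on the records the setup above refers to, added here as an example rather than code from the page: it parses SPF and DMARC TXT records (the strings returned by `dig TXT example.com +short` and `dig TXT _dmarc.example.com +short`) and lists settings that leave a domain open to impersonation. Records are passed in as strings; all values are constructed.

```python
# Parse SPF and DMARC TXT records and flag settings that do not enforce policy.
def parse_spf(record):
    """Return {'all': qualifier} where qualifier is +, -, ~, ? or None; None if not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_q = None
    for t in terms[1:]:
        qual = t[0] if t[0] in "+-~?" else "+"   # no qualifier means pass
        if t.lstrip("+-~?").lower() == "all":
            all_q = qual
    return {"all": all_q}

def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if the record is not DMARC1."""
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            k, v = kv.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v") == "DMARC1" else None

def assess(spf_record, dmarc_record):
    """List weak settings; an empty list means SPF and DMARC enforce policy."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    enforced = dmarc is not None and dmarc.get("p") in ("quarantine", "reject")
    if spf is None:
        findings.append("no SPF record")
    elif spf["all"] in (None, "+", "?"):
        findings.append("SPF never fails unauthorized senders (missing, +all or ?all)")
    elif spf["all"] == "~" and not enforced:
        findings.append("SPF softfail (~all) without DMARC enforcement: mail may still be delivered")
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are not enforced")
        return findings
    if not enforced:
        findings.append("DMARC p=none: spoofed mail is monitored, not rejected")
    if dmarc.get("sp") == "none":
        findings.append("sp=none: subdomains are exempt from the policy")
    if int(dmarc.get("pct", "100")) < 100:
        findings.append("pct<100: policy applies to only part of the mail")
    if "rua" not in dmarc:
        findings.append("no rua: no aggregate reports to spot abuse")
    return findings
```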

#### GoPhish Setup

```bash
# https://github.com/gophish/gophish
# Download and run
./gophish

# Access admin panel: https://localhost:3333
# Default creds: admin / gophish (change immediately)

# Key configuration:
# 1. Sending Profile - SMTP settings
# 2. Email Template - Phishing email content
# 3. Landing Page - Credential harvesting page
# 4. Users & Groups - Target list
# 5. Campaign - Combine all elements
```

#### Email Templates

```html
<!-- Password Reset Template -->
<html>
<body>
<p>Dear {{.FirstName}},</p>
<p>We detected unusual activity on your account. Please verify your identity by clicking the link below:</p>
<p><a href="{{.URL}}">Verify Account</a></p>
<p>If you did not request this, please ignore this email.</p>
<p>IT Security Team</p>
</body>
</html>
```

#### Bypassing Email Filters

```bash
# Techniques:
# - Use legitimate services (SendGrid, Mailchimp)
# - Warm up new domains before campaigns
# - Avoid spam trigger words
# - Use HTML tables instead of divs
# - Include unsubscribe link
# - Maintain low bounce rate

# Link obfuscation
# - Use URL shorteners (bit.ly, tinyurl)
# - Redirect through Google/Bing
# - Use legitimate-looking subdomains
# - Encode URLs

# Attachment tricks
# - Password-protected archives
# - HTML smuggling
# - ISO/VHD containers (bypass Mark of the Web)
```

### Credential Harvesting

#### Evilginx2

```bash
# https://github.com/kgretzky/evilginx2
# MITM phishing framework - bypasses 2FA

# Install
go install github.com/kgretzky/evilginx2@latest

# Configure phishlet
evilginx2> config domain yourdomain.com
evilginx2> config ip <your_ip>
evilginx2> phishlets hostname o365 login.yourdomain.com
evilginx2> phishlets enable o365

# Create lure
evilginx2> lures create o365
evilginx2> lures get-url 0
```

#### Modlishka

```bash
# https://github.com/drk1wi/Modlishka
# Another MITM proxy for credential harvesting

./Modlishka -config config.json

# Key features:
# - Automatic certificate generation
# - Session hijacking
# - 2FA bypass
# - Pattern-based credential extraction
```

### Spear Phishing

```bash
# Reconnaissance for targeted attacks
# 1. LinkedIn profiling
# 2. Company org chart
# 3. Recent news/events
# 4. Technology stack (job postings)
# 5. Business relationships

# Craft personalized pretext:
# - Reference specific projects
# - Mention colleagues by name
# - Use internal terminology
# - Align with current events
```

## Vishing (Voice Phishing)

### Caller ID Spoofing

```python
# Services:
# - Twilio (programmable)
# - SpoofCard
# - Various VoIP providers

# Python with Twilio (account_sid / auth_token come from the Twilio console)
from twilio.rest import Client

client = Client(account_sid, auth_token)
call = client.calls.create(
    to="+1target",
    from_="+1spoofed_number",              # Twilio accepts only a Twilio number or a verified caller ID here
    url="http://yourserver.com/voice.xml",  # TwiML document that scripts the call
)
```

### Pretexts

```
# IT Support
"Hi, this is [name] from IT. We're seeing some unusual activity on your account 
and need to verify your identity before we can proceed with the investigation."

# HR/Payroll
"Hi, this is [name] from HR. We're updating our records and noticed some 
discrepancies with your direct deposit information. Can you verify your details?"

# Vendor/Partner
"Hi, this is [name] from [vendor]. We're experiencing some issues with your 
account and need to verify the login credentials your team is using."

# Executive Impersonation
"Hi, this is [executive name]'s assistant. They need you to process an urgent 
wire transfer and asked me to coordinate the details with you."
```

### VoIP Setup

```bash
# Asterisk PBX for call routing
apt install asterisk

# Basic configuration for outbound calls
# Edit /etc/asterisk/extensions.conf and sip.conf

# Use for:
# - IVR (Interactive Voice Response) attacks
# - Conference call impersonation
# - Callback verification bypass
```

## Smishing (SMS Phishing)

### SMS Spoofing

```python
# Services:
# - Twilio
# - Nexmo/Vonage
# - SMSGlobal

# Python with Twilio (account_sid / auth_token come from the Twilio console)
from twilio.rest import Client

client = Client(account_sid, auth_token)
message = client.messages.create(
    body="[BankName] Alert: Unusual activity detected. Verify: https://evil.link",
    from_="+1spoofed_or_shortcode",  # Twilio number, short code or registered sender ID
    to="+1target",
)
```

### Common Pretexts

```
# Banking
"[Bank] ALERT: Suspicious transaction of $2,500. If not you, verify: [link]"

# Delivery
"USPS: Your package cannot be delivered. Update delivery preferences: [link]"

# Account Verification
"[Company] Your account will be suspended. Verify now: [link]"

# Prize/Reward
"Congratulations! You've won a $500 gift card. Claim here: [link]"
```

## Physical Social Engineering

### Tailgating/Piggybacking

```
# Techniques:
# - Carry boxes/equipment (hands full)
# - Arrive with delivery/maintenance uniform
# - Follow smokers back inside
# - Wait for group entry
# - Use "forgot badge" excuse

# Props:
# - Clipboard with papers
# - Boxes/packages
# - Laptop bag
# - Hard hat/safety vest
# - Tool belt
```

### Impersonation Pretexts

```
# IT Support
"Hi, I'm from IT. We had a ticket about printer issues on this floor."

# Facilities/Maintenance
"Building maintenance. We need to check the HVAC units."

# Vendor
"I'm here to service the [equipment]. Should be on your schedule."

# New Employee
"First day here, still waiting for my badge. HR said to come up."

# Delivery
"Package delivery for [department]. Need a signature."
```

### Badge Cloning

```bash
# See Wireless Testing section for RFID cloning

# Long-range badge readers
# ESPKey - https://redteamtools.com/espkey
# BLEKey - BLE badge capture

# Badge creation
# Blank cards + printer
# Or professional duplicator services
```

### USB Drop Attacks

```bash
# Rubber Ducky payloads
# https://github.com/hak5/usbrubberducky-payloads

# BadUSB with Arduino
# https://github.com/krakrukra/BadUSB-Killer

# Bash Bunny
# https://docs.hak5.org/bash-bunny/

# O.MG Cable
# https://o.mg.lol/

# USB Drop scenarios:
# - Parking lot
# - Reception desk
# - Conference rooms
# - Common areas
# - Labeled "Confidential" or "Salary Info"
```

## OSINT for Social Engineering

### Target Research

```bash
# LinkedIn Intelligence
# - Employee names and roles
# - Organizational structure
# - Technology stack (job postings)
# - Recent news/changes

# Email format discovery
# https://hunter.io
# https://phonebook.cz
# https://www.email-format.com

# Social media
# - Facebook for personal info
# - Twitter for company updates
# - Instagram for location data
# - GitHub for technical details

# Company research
# - Annual reports
# - Press releases
# - SEC filings (if public)
# - WHOIS records
# - Job postings
```

### Email Verification

```bash
# Verify email exists
# https://github.com/reacherhq/check-if-email-exists
check-if-email-exists test@company.com

# SMTP verification (may be blocked)
# Note: -n disables DNS lookups, so it cannot be combined with a hostname
nc -v mail.company.com 25
HELO attacker.com
MAIL FROM:<test@test.com>
RCPT TO:<target@company.com>
```

## Reporting & Metrics

### Campaign Metrics

```
# Track:
# - Emails sent vs delivered
# - Open rate
# - Click rate
# - Submission rate (creds entered)
# - Report rate (user reported phishing)
# - Time to first click
# - Department breakdown
```
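The metrics listed above computed from an event log, added here as an example (not code from the page or from any of the tools it names). The event names, the tuple layout and all rows are constructed to resemble a campaign export; counts are per unique user so repeat clicks do not inflate the rates.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not real campaign data): (timestamp, user, dept, event)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "a@corp.example", "finance", "sent"),
    ("2024-05-01T09:00:00", "b@corp.example", "finance", "sent"),
    ("2024-05-01T09:00:00", "c@corp.example", "it", "sent"),
    ("2024-05-01T09:00:00", "d@corp.example", "it", "sent"),
    ("2024-05-01T09:00:05", "a@corp.example", "finance", "delivered"),
    ("2024-05-01T09:00:05", "b@corp.example", "finance", "delivered"),
    ("2024-05-01T09:00:05", "c@corp.example", "it", "delivered"),
    ("2024-05-01T09:00:06", "d@corp.example", "it", "bounced"),
    ("2024-05-01T09:12:00", "a@corp.example", "finance", "opened"),
    ("2024-05-01T09:13:30", "a@corp.example", "finance", "clicked"),
    ("2024-05-01T09:14:10", "a@corp.example", "finance", "submitted"),
    ("2024-05-01T09:21:00", "b@corp.example", "finance", "reported"),
    ("2024-05-01T10:05:00", "c@corp.example", "it", "opened"),
    ("2024-05-01T10:06:00", "c@corp.example", "it", "clicked"),
    ("2024-05-01T10:06:30", "c@corp.example", "it", "clicked"),  # repeat click, counted once
]

def _rates(ev):
    """Counts are unique users; rates are relative to delivered mail."""
    delivered = len(ev["delivered"])
    base = delivered or 1  # a department with nothing delivered: avoid division by zero
    return {"sent": len(ev["sent"]), "delivered": delivered,
            "open_rate": len(ev["opened"]) / base,
            "click_rate": len(ev["clicked"]) / base,
            "submission_rate": len(ev["submitted"]) / base,
            "report_rate": len(ev["reported"]) / base}

def campaign_metrics(events):
    """Overall and per-department metrics plus seconds from first send to first click."""
    by_dept = defaultdict(lambda: defaultdict(set))
    overall = defaultdict(set)
    times = defaultdict(list)
    for ts, user, dept, event in events:
        by_dept[dept][event].add(user)
        overall[event].add(user)
        times[event].append(datetime.fromisoformat(ts))
    ttfc = None
    if times["sent"] and times["clicked"]:
        ttfc = (min(times["clicked"]) - min(times["sent"])).total_seconds()
    return {"overall": _rates(overall),
            "by_department": {d: _rates(ev) for d, ev in by_dept.items()},
            "time_to_first_click_s": ttfc}
```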

### Evidence Collection

```bash
# Screenshot all pages/emails
# Log all interactions
# Capture credentials (securely, delete after)
# Record phone calls (with consent)
# Photograph physical access
# Document timeline of events
```

## Tools Summary

| Tool         | Purpose                    |
| ------------ | -------------------------- |
| GoPhish      | Phishing campaigns         |
| Evilginx2    | 2FA bypass phishing        |
| King Phisher | Phishing framework         |
| SET          | Social Engineering Toolkit |
| BeEF         | Browser exploitation       |
| Twilio       | SMS/Voice spoofing         |

## Legal & Ethical Considerations

```
IMPORTANT:
- Always have written authorization
- Define scope clearly
- Protect captured credentials
- Don't cause unnecessary harm
- Brief affected users post-campaign
- Provide security awareness training
- Delete all captured data after reporting
```

## Resources

* [Social Engineering: The Science of Human Hacking](https://www.amazon.com/Social-Engineering-Science-Human-Hacking/dp/111943338X)
* [The Art of Deception](https://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/076454280X)
* [GoPhish Documentation](https://docs.getgophish.com/)
* [Evilginx2 Wiki](https://github.com/kgretzky/evilginx2/wiki)

