Social Engineering as Part of Penetration testing

Social Engineering in term of information security means the use of deception to manipulate individuals to share their personal information. Social engineering can also deceive people to think that they are doing the right thing but in reality they are not. Why we should be aware of social engineering? Development of technology like web application depends on people, process, and technology. Among those three, it can be said that people are the weakest link to break into the system.

One way to do social engineering is to get a person’s personal information such as password and username. This can be done by duplicating the web page and send email to the web application users. Below is the example of how it could be done.

First, open your terminal in kali linux and type down setoolkit

Then, choose the option by sequentially typing: type number 1 – press enter, type number 2 – press enter, type number 3 – press enter, type number 2 – press enter.

Below is the guide of the option

The propose of choosing those option is because we wanted to clone a certain website’s login page so that we could deceive the user of the certain web application to fill in their user name and password.

Below is the picture where we could see the new ip address for the cloned website. In this case the ip address is To make the user sure that that is the real website, usually the attackers buy a domain name that is similar to the website for the ip address. 

Here I clone a random website login page.

This is how the real website looks like

This is the clone of the login page

Once the user is deceived and input their information about the username and password like the picture below,

we could immediately see the result as below where the username and the password are exposed.

Here I would also like to share how people usually do social engineering in daily life aside from getting personal information. One of the most common is by using messaging system. Here is one of the example where people try to deceive me using messaging system so that they could gain money.

This is the sender that tells me that I am a winner of something. It gives me the code to claim my reward.

Then, I check whether the website contains malware or not using Sucuri Sitecheck. It says that this website does not contain malware.

Then, I open the web and insert the pin

Then, it asked me for administration fee before I could claim my reward.

We, as application user have to be smart and check for the truth of the news or any offer that we get.

This is the news that stated that the company has never held a lottery. So basically, the message that I got is a fraud.