Full Scope Social Engineering and Physical Security
Overview
Social Engineering is becoming more prevalent in security assessments as it provides considerable value in penetration testing. Not only are clients requesting this type of testing, some compliance frameworks also requiring it. There are multiple ways that both attackers and pentesters utilize Social Engineering. This course will cover the following topics: Social Engineering, Open-Source Intelligence (OSINT) gathering, Vishing (Voice-Phishing), Phishing, and Physical Security. Each phase will include labs and challenges, giving students hands on experience. At the end of this training students will feel confident from the early stages of scoping a Social Engineering engagement all the way through performing multiple types of Social Engineering assessments.
Course Outline
Phase One: Social Engineering
- Terminology
- Ethics
- Legality
- Building Rapport
- Influence Techniques
- Rapport and Influence Challenge
- Body Language
- Body Language Lab
Phase Two: Vishing
- Scoping Vishing Assessments
- Vishing OSINT
- Vishing OSINT Challenge
- Caller ID Spoofing
- Vishing Goals
- Vishing Techniques
- Vishing Challenge
Phase Three: Phishing
- Scoping Phishing Assessments
- Phishing vs Spear Phishing
- Phishing OSINT
- Phishing OSINT Challenge
- Setting up a phishing web server
- Cloning websites
- Creating email templates
- Phishing campaign logistics
- Phishing Lab
Phase Four: Physical Security
- Scoping Physical Security Assessments
- Physical Security OSINT
- Physical OSINT Challenge
- Pretext Development
- Pretext Support Items
- On-site Reconnaissance
- Physical Security Assessment Goals
- Non-Destructive Entry Tools
- USB Drops
- RFID Cloning
- RFID Lab
- Pentesting Automation Devices
- Physical Security Kit
- Physical Security assessment logistics
Who Should Take this Course
This course is designed for anyone who would like to learn how to perform Open-Source Intelligence Gathering, Vishing, Phishing, and Physical Security assessments. Additionally, this course would be beneficial to pentesters who are interested in expanding their Social Engineering skill set.
Student Requirements
This course is designed for beginners. However, basic Windows and Linux knowledge will help with the more technical areas (OSINT tools and phishing).
The willingness to participate in challenges and utilize hands-on lab time will greatly benefit the student.
What Students Should Bring
Windows laptop with administrative rights, WiFi connectivity, 16gb RAM, and 40gb of free hard drive space. The ability to completely disable AV. An installed copy of VMware (Workstation or Workstation Player).
What Students Will Be Provided With
Students will be provided with:
- A copy of all training material
- Multiple cheat sheets
- A USB Flash Drive with VM
- A Proxmark3
Trainers
Stephanie Carruthers is a social engineering professional. At DEF CON 22 she won a black badge for the Social Engineering Capture the Flag (SECTF). Stephanie also was on the winning team for SAINTCON'S Vault Physical Security challenge, which won the team a black badge. Over the last five years Stephanie has presented and taught trainings at multiple InfoSec conferences. Stephanie has performed a variety of Social Engineering assessments for clients ranging from start-ups to Fortune 100 companies, as well as assisted consultancies build out their Social Engineering services. Stephanie is on the DEF CON CFP review board as a specialist for Social Engineering submissions. In her free time she enjoys trips to Disneyland with her family and resides in Utah. You can find her on Twitter: @_sn0ww
Davis' experience with Information Security started in the USMC in 1995 where he managed network operations for 1st Supply Battalion and shortly after migrated into ASP Web & SQL Server DB Development. Since then he has focused on areas of risk and vulnerability management, endpoint security, incident response and forensics. He also volunteers at many security conferences, to include BSidesSLC, HackWest, DEFCON (HackerWarehouse), and Blackhat (NOC Team). Davis holds an OSCP and GCIH certificates. He is also a Black Badge winner for Saint Con 2017. Currently Davis resides in Utah with his family where he enjoys mountain biking and martial arts training in Krav Maga & Tae Kwon Do with his wife and 2 kids.
Jayme is a penetration tester and former systems administrator with a strong interest in network security, physical security, and active defense. He holds the OSCP, CISSP, GCED, and CEH certifications. Jayme resides in Southern California and spends his free time off-roading, camping, traveling, and failing at astrophotography.