1

Going to do our first social engineering pen test. We're setting up a general plan and we'll call for a meeting with a company next week. Any tips?

Comments
  • 1
    *tactical pin*
  • 0
    Hey i do this for a living! Whats your vector, and what are the Rules of Engagement?
  • 0
    @arcsector I'm going to be honest here. I don't know what you mean by vector. And I'm also unsure about the rules of engagement. I've only done 1 pentest before.
    We're still setting things up so I don't think we have any of that yet.
  • 1
    @Charmesal all good; vector just means MO or the way you're gonna attempt to penetrate or otherwise compromise the network/box/target.

    And i would deifnitely set RoE before starting; makes everyone less nervous knowing what you can and cannot do.
  • 0
    @arcsector oh okay. We still need to discuss that with the company but we made a list of the things we are able to do (or at least we think) and we'll present them to the company so they can choose what to allow.
    We are also making an PoE and NDA, but I believe they will provide one also.

    In general we want to be able to get inside using social engineering, place a package there that will try some default WiFi and network pentests and send the results back over cellular so we can remotely get into the network. Or maybe even hook something up to the network with Ethernet.
    Then we want to test some company specific security, I'm not sure how much I should talk about that, but they work for the government and we want to test what information we can get without proper paperwork, credentials, and the like.

    We're still making a more concrete list. It should be finished next week.
Add Comment