April 28, 2012, 7:54 AM — Two years ago, Dave Kennedy, a penetration tester, social engineering expert and contributor to the website social-engineer.com, wanted to create a tool for pen testers to simulate social engineering attacks.
Slideshow: Big-Screen Con Artists: 7 Great Movies About Social Engineering
With this in mind, he built the first social-engineering toolkit, a free download on the sites companion, educational resource, social-engineer.org. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.
Kennedy, now CSO at security systems vendor Diebold, says the popularity of the toolkit has been remarkable. It is considered by many to be the standard for companies using social-engineering-based attacks as part of their pen testing. The SET, which is added to and updated frequently, is downloaded approximately one million times after each new release, according to Kennedy.
Kennedy spoke with CSO about his advice for maximizing results when using the social engineering toolkit.
Learn more about social engineering tricks and tactics
Do your research and prep work
"As simulated adversaries for companies, as pen testers, we always to run the latest and greatest and sexiest software exploits out there. But now when I do a pen test, I don't even run exploits anymore. The techniques that are built within the social engineering toolkit dont leverage exploits. They utilize legitimate ways that Java works, legitimate ways that email works, to attack a victim," said Kennedy.