A penetration tester is performing a social engineering penetration test and was able to create a remote session. Which of the following social engineering techniques was most likely successful?
A social engineering technique that is most likely to result in the creation of a remote session is an executive impersonation attack. This involves pretending to be a high-ranking executive, such as a CEO or CFO, to manipulate employees into performing actions such as installing remote access software or providing sensitive information. This method leverages authority and urgency, making it convincing and highly effective in gaining remote access.
This is worded badly. Executive impersonation should be the answer because if I think my boss is demanding my info, it narrows the attack, making it more likely for me to respond. However, SMS phishing is exactly what this is describing. This is a phishing attack, but if I'm pentesting, it's against a company. CrowdStrike shows as the top ten social eng attacks: Phishing, Whaling, Baiting, Diversion Theft, Business Email Compromise (BEC), Smishing, Quid Pro Quo, Pretexting, Honeytrap, Tailgating/Piggybacking.
There are a lot of assumptions in this question, not much context. SMS, phones might not be part of the company network. Executive, no mention relative to remote session. The nearest assumption I can think of in real life is that an executive in a meeting with a client got locked out and needs a password reset in order to log in remotely. This has both authority and urgency.
SMS phishing (or smishing) involves sending deceptive messages to trick individuals into taking actions that compromise security, such as clicking on malicious links that lead to remote sessions being established. This technique directly targets the individual's actions through their mobile device, making it a plausible method for achieving remote access.
C. This technique involves pretending to be a high-ranking executive (e.g., CEO, CFO) to manipulate employees into performing actions such as installing remote access software or providing sensitive information. This is highly likely to lead to a remote session if employees are convinced of the impersonation.
• A. SMS: This technique involves sending text messages to trick individuals into divulging sensitive information or clicking on malicious links. While effective, it does not directly indicate the creation of a remote session.
• B. Dumpster: This involves searching through physical trash to find sensitive information. Although it can provide useful information, it does not directly lead to establishing a remote session.
• D. BeEF: This involves exploiting browser vulnerabilities to gain remote access. While this can be part of a social engineering attack, it is more technical and typically involves exploiting a browser rather than relying on social manipulation alone.