Social engineering remains the most reliable initial access vector in penetration testing. This article covers the three key tools tested in CompTIA PenTest+ PT0-003: the Social Engineering Toolkit (SET) for credential harvesting and spear phishing, Gophish for running structured phishing campaigns with full metrics tracking, and Evilginx for bypassing TOTP-based MFA by capturing authenticated session tokens.
Social Engineering Is Still the Master Key
Despite advances in security technology, human psychology remains the weakest link. Attackers exploit trust, urgency, and authority to trick users into revealing credentials or executing malicious actions. The PenTest+ exam emphasizes understanding and simulating these attacks.
The Social Engineering Toolkit (SET)
SET is a powerful framework for automating social engineering attacks. It includes modules for credential harvesting, spear phishing, and website cloning. Testers can quickly create convincing fake login pages or email templates to gather credentials from unsuspecting targets.
Gophish: Running Authorized Phishing Campaigns
Gophish is an open-source phishing framework designed for security teams. It allows testers to design, launch, and track phishing campaigns. With built-in metrics and reporting, organizations can measure employee awareness and improve training.
Evilginx: Bypassing MFA with Reverse Proxy
Evilginx goes further than a cloned page by acting as a reverse proxy between the victim and the legitimate site. Because the victim logs in to the real service through the proxy, it captures not only usernames and passwords but also the session cookies issued after a successful login, effectively bypassing TOTP-based multi-factor authentication. This technique shows why MFA alone may not be enough.
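From the defender's side, the tell-tale sign of a proxied login is that the session cookie issued after MFA is soon presented from a different client than the one that completed the MFA step. The following script is an added example, not code from the original article or from the Evilginx project; it assumes a hypothetical application log format (timestamp, event name, then key=value fields) and runs over constructed sample lines.

```python
"""Flag authenticated sessions reused from a client fingerprint that differs
from the one that completed MFA (a pattern left by reverse-proxy phishing).

Added example; the log format is a hypothetical one assumed for this
demonstration and the sample lines are constructed, not real traffic.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts event user session ip ua")

# Constructed sample log.  Session s1 completes MFA from 203.0.113.10 (the
# proxy's address in this scenario) and is then presented a few minutes later
# from 198.51.100.7 with a different browser.  Session s2 is a normal login.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z login_password user=alice sid=s1 ip=203.0.113.10 ua=Firefox/125
2024-05-01T09:00:05Z mfa_success user=alice sid=s1 ip=203.0.113.10 ua=Firefox/125
2024-05-01T09:00:20Z request user=alice sid=s1 ip=203.0.113.10 ua=Firefox/125
2024-05-01T09:03:40Z request user=alice sid=s1 ip=198.51.100.7 ua=Chrome/124
2024-05-01T09:10:00Z login_password user=bob sid=s2 ip=192.0.2.44 ua=Safari/17
2024-05-01T09:10:03Z mfa_success user=bob sid=s2 ip=192.0.2.44 ua=Safari/17
2024-05-01T09:30:00Z request user=bob sid=s2 ip=192.0.2.44 ua=Safari/17
"""


def parse_line(line):
    """Parse one log line of the assumed format into an Event.

    The user-agent field in this hypothetical format contains no spaces; a
    real log would need proper quoting or a structured (JSON) format.
    """
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(p.split("=", 1) for p in parts[2:])
    return Event(ts, parts[1], fields["user"], fields["sid"],
                 fields["ip"], fields["ua"])


def find_session_hijacks(log_text, window=timedelta(hours=1)):
    """Return alerts for sessions used, within `window` of MFA completion,
    from both a different IP and a different user agent than the MFA step.

    Requiring both IP and UA to change keeps mobile users who simply roam
    between networks (IP changes, browser does not) from raising alerts.
    """
    mfa_anchor = {}  # session id -> (ts, ip, ua) recorded at mfa_success
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.event == "mfa_success":
            mfa_anchor[ev.session] = (ev.ts, ev.ip, ev.ua)
            continue
        if ev.event != "request" or ev.session not in mfa_anchor:
            continue
        mfa_ts, mfa_ip, mfa_ua = mfa_anchor[ev.session]
        if ev.ip != mfa_ip and ev.ua != mfa_ua and ev.ts - mfa_ts <= window:
            alerts.append({
                "session": ev.session,
                "user": ev.user,
                "mfa_client": (mfa_ip, mfa_ua),
                "reuse_client": (ev.ip, ev.ua),
                "seconds_after_mfa": int((ev.ts - mfa_ts).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_hijacks(SAMPLE_LOG):
        print(alert)
```

The check is deliberately narrow: it only fires when the session cookie moves to a new IP and a new browser shortly after MFA, which is the shape a captured-and-replayed session takes. In production the same idea is usually enforced rather than merely detected, by binding the session to the client that authenticated and re-prompting when the fingerprint changes.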
Pretexting, Vishing, and In-Person Techniques
Phishing is not limited to email. Pretexting (creating a fabricated scenario), vishing (voice phishing), and in-person techniques like tailgating or badge cloning are also critical attack vectors. PenTest+ covers these social engineering methods beyond electronic channels.
Measuring and Reporting Phishing Campaign Results
A key component of penetration testing is reporting. Tools like Gophish provide data on click-through rates, credential submission rates, and time-to-report. This information helps organizations prioritize security awareness training and policy improvements.
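The metrics named above (and the campaign tracking described in the Gophish section) come from a per-recipient event timeline. The script below is an added example, not part of the original article and not code from the Gophish project; it assumes a timeline in the general shape Gophish exports (one record per event with recipient, timestamp and an event message) and the event names and timeline it uses are constructed for this demonstration.

```python
"""Reduce a phishing campaign event timeline to the figures a report needs:
click-through rate, credential submission rate, report rate and time-to-report.

Added example.  The event names and the timeline below are constructed; the
function works on whatever names the exporting tool uses as long as the
constants are adjusted to match.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SENT, OPENED, CLICKED, SUBMITTED, REPORTED = (
    "Email Sent", "Email Opened", "Clicked Link", "Submitted Data", "Email Reported",
)

# Constructed timeline for a five-recipient campaign (all mails sent at 09:00).
SAMPLE_TIMELINE = [
    {"email": "alice@example.test", "time": "2024-05-01T09:00:00Z", "message": SENT},
    {"email": "alice@example.test", "time": "2024-05-01T09:01:00Z", "message": OPENED},
    {"email": "alice@example.test", "time": "2024-05-01T09:02:00Z", "message": CLICKED},
    {"email": "alice@example.test", "time": "2024-05-01T09:03:00Z", "message": SUBMITTED},
    {"email": "bob@example.test",   "time": "2024-05-01T09:00:00Z", "message": SENT},
    {"email": "bob@example.test",   "time": "2024-05-01T09:05:00Z", "message": OPENED},
    {"email": "bob@example.test",   "time": "2024-05-01T09:09:00Z", "message": REPORTED},
    {"email": "carol@example.test", "time": "2024-05-01T09:00:00Z", "message": SENT},
    {"email": "carol@example.test", "time": "2024-05-01T09:10:00Z", "message": OPENED},
    {"email": "carol@example.test", "time": "2024-05-01T09:12:00Z", "message": CLICKED},
    {"email": "dave@example.test",  "time": "2024-05-01T09:00:00Z", "message": SENT},
    {"email": "erin@example.test",  "time": "2024-05-01T09:00:00Z", "message": SENT},
    {"email": "erin@example.test",  "time": "2024-05-01T09:20:00Z", "message": OPENED},
    {"email": "erin@example.test",  "time": "2024-05-01T09:21:00Z", "message": CLICKED},
    {"email": "erin@example.test",  "time": "2024-05-01T09:25:00Z", "message": REPORTED},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def campaign_metrics(timeline):
    """Return campaign-level counts, rates (percent of recipients sent to)
    and time-to-report statistics in seconds."""
    per_user = defaultdict(dict)  # email -> {event message: earliest timestamp}
    for rec in timeline:
        events = per_user[rec["email"]]
        t = _ts(rec["time"])
        # A recipient can click several times; keep the first occurrence only.
        if rec["message"] not in events or t < events[rec["message"]]:
            events[rec["message"]] = t

    sent = [u for u, e in per_user.items() if SENT in e]

    def count(kind):
        return sum(1 for u in sent if kind in per_user[u])

    def pct(n):
        return round(100.0 * n / len(sent), 1) if sent else 0.0

    report_delays = [
        (per_user[u][REPORTED] - per_user[u][SENT]).total_seconds()
        for u in sent if REPORTED in per_user[u]
    ]
    return {
        "sent": len(sent),
        "opened": count(OPENED),
        "clicked": count(CLICKED),
        "submitted": count(SUBMITTED),
        "reported": count(REPORTED),
        "click_through_rate_pct": pct(count(CLICKED)),
        "submission_rate_pct": pct(count(SUBMITTED)),
        "report_rate_pct": pct(count(REPORTED)),
        "median_time_to_report_s": median(report_delays) if report_delays else None,
        "first_report_s": min(report_delays) if report_delays else None,
        # Recipients who entered credentials are the first training priority.
        "submitted_credentials": sorted(u for u in sent if SUBMITTED in per_user[u]),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(SAMPLE_TIMELINE).items():
        print(f"{key}: {value}")
```

Two caveats when reading the output: the "opened" count depends on a tracking image being loaded, so mail clients that block remote images under-report it, and rates are computed against recipients actually sent to rather than the target list, so delivery failures should be reconciled separately.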