giuliacassara/awesome-social-engineering

GitHub: giuliacassara/awesome-social-engineering

A curated collection of social engineering resources covering online courses, professional books, offensive and defensive tools, and OSINT resources, giving security professionals a systematic guide for learning and reference.

Stars: 3953 | Forks: 468

# Awesome 社会工程学 [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)

A curated list of awesome social engineering resources, inspired by the awesome-* trend on GitHub. These resources and tools are intended only for cyber security professionals, penetration testers, and educational use in a controlled environment. **No humans were manipulated in the making of this list!**

# Table of Contents

1. [Online Courses](#online-courses)
2. [Capture the Flag](#capture-the-flag)
3. [Psychology Books](#psychology-books)
4. [Social Engineering Books](#social-engineering-books)
5. [Documentation](#documentation)
6. [Tools](#tools)
7. [Miscellaneous](#miscellaneous)
8. [OSINT](#osint)
9. [Contribution](#contribution)
10. [License](#license)

# Online Courses

- [Udemy - Learn Social Engineering From Scratch](https://www.udemy.com/learn-social-engineering-from-scratch)
- [PacktPub - Learn Social Engineering From Scratch with Zaid Sabih](https://www.packtpub.com/application-development/learn-social-engineering-scratch-video)
- [Cybrary - Social Engineering and Manipulation](https://www.cybrary.it/course/social-engineering/) - Free course

# Capture the Flag

#### Social-Engineer.com - SECTF, DEFCON

- [Social-Engineer.com - DEFCON SECTF](https://www.social-engineer.org/sevillage-def-con/the-sectf/)

# Psychology Books

Most of these books cover the fundamental psychology that is useful for social engineering.

- [Artful Persuasion – How to command attention, Change minds and influence People – Harry Mills](https://www.amazon.com/Artful-Persuasion-Command-Attention-Influence/dp/0814470637)
- [What is every BODY saying – Joe Navarro](https://www.amazon.com/What-Every-BODY-Saying-Speed-Reading-ebook/dp/B0010SKSTO/ref=sr_1_1?dchild=1&keywords=what+is+everybody+saying+%E2%80%93+joe+navarro&qid=1614256945&s=books&sr=1-1)
- [Conflict, power and persuasion – Ben Hoffman](https://www.amazon.com/Conflict-Power-Persuasion-Negotiating-Effectively/dp/B0015E4JMK/ref=sr_1_1?dchild=1&keywords=Conflict%2C+power+and+persuasion+%E2%80%93+Ben+Hoffman&qid=1614256960&s=books&sr=1-1)
- [Dealing with difficult people – McGraw Hill](https://www.amazon.com/Dealing-Difficult-People-McGraw-Hill-Professional-ebook/dp/B000P2A3R8/ref=sr_1_4?dchild=1&keywords=Dealing+with+difficult+people+%E2%80%93+McGraw+Hill&qid=1614256977&s=books&sr=1-4)
- [Get anyone to do anything – David J Lieberman](https://www.amazon.com/Get-Anyone-Anything-Again-Psychological/dp/B01NH07LGD/ref=sr_1_2?dchild=1&keywords=Get+anyone+to+do+anything+%E2%80%93+David+J+Lieberman&qid=1614257001&s=books&sr=1-2)
- [How to start a conversation and make friends - Don Gabor](https://www.amazon.com/How-Start-Conversation-Make-Friends/dp/1451610998/ref=sr_1_1?dchild=1&keywords=How+to+start+a+conversation+and+make+friends+-+Don+Gabor%5D&qid=1614257018&s=books&sr=1-1)
- [The art of Psychological Warfare – Michael T Stevens](https://www.amazon.com/Art-Psychological-Warfare-Skillfully-Undetected/dp/1530719151/ref=sr_1_1?dchild=1&keywords=The+art+of+Psychological+Warfare+%E2%80%93+Michael+T+Stevens&qid=1614257033&s=books&sr=1-1)
- [How to Win Friends and Influence People - Dale Carnegie](https://www.amazon.co.uk/d/Books/How-Win-Friends-Influence-People-Dale-Carnegie/0091906814/ref=sr_1_1?ie=UTF8&qid=1494621059&sr=8-1&keywords=how+to+win+friends+and+influence+people)
- [The 48 Laws of Power - Robert Greene](https://www.amazon.co.uk/d/Books/48-Laws-Power-Robert-Greene-Collection/1861972784/ref=sr_1_1?ie=UTF8&qid=1494621512&sr=8-1&keywords=the+48+laws+of+power)
- [The Psychology Book](https://www.amazon.co.uk/d/Books/Psychology-Book-Nigel-Benson/1405391243/ref=sr_1_1?ie=UTF8&qid=1494621589&sr=8-1&keywords=psychology)
- [The Power of Habit: Why We Do What We Do, and How to Change - Charles Duhigg](https://www.amazon.co.uk/Power-Habit-Why-What-Change/dp/1847946240/ref=sr_1_1?ie=UTF8&qid=1494621842&sr=8-1&keywords=the+power+of+habit)
- [Influence: The Psychology of Persuasion Paperback – Robert B., PhD Cialdini](https://www.amazon.co.uk/d/cka/Influence-Psychology-Persuasion-Robert-B-PhD-Cialdini/006124189X/ref=sr_1_1?ie=UTF8&qid=1494621912&sr=8-1&keywords=influence)
- [Emotions Revealed: Understanding Faces and Feelings - Prof Paul Ekman](https://www.amazon.co.uk/Emotions-Revealed-Understanding-Faces-Feelings/dp/0753817659/ref=sr_1_1?ie=UTF8&qid=1494622003&sr=8-1&keywords=paul+ekman)
- [The Psychology of Interrogations and Confessions: A Handbook - Gisli H. Gudjonsson](https://www.amazon.co.uk/Psychology-Interrogations-Confessions-Handbook-Policing-x/dp/0470844612/ref=sr_1_1?s=books&ie=UTF8&qid=1494624501&sr=1-1&keywords=psychology+of+interrogation)
- [Mindfucking: A Critique of Mental Manipulation - Colin McGinn](https://www.goodreads.com/book/show/4049997-mindfucking)

# Social Engineering Books

- [Human Hacking – Chris Hadnagy](https://humanhackingbook.com/)
- [Learn Social Engineering – Dr. Erdal Ozkaya](https://www.amazon.com/Learn-Social-Engineering-internationally-renowned-ebook/dp/B079HYPC27/ref=sr_1_1?dchild=1&keywords=Learn+Social+Engineering+%E2%80%93+Dr.+Erdal+Ozkaya&qid=1614257055&s=books&sr=1-1)
- [Social Engineering: The Art of Human Hacking - Chris Hadnagy](https://www.amazon.co.uk/Social-Engineering-Art-Human-Hacking/dp/0470639539/ref=sr_1_1?ie=UTF8&qid=1494622911&sr=8-1&keywords=chris+hadnagy)
- [Social Engineering: The Science of Human Hacking](https://www.amazon.com/gp/product/111943338X/ref=dbs_a_def_rwt_bibl_vppi_i0)
- [Unmasking the Social Engineer: The Human Element of Security - Christopher Hadnagy, Dr. Ekman Paul](https://www.amazon.com/Unmasking-Social-Engineer-Element-Security/dp/1118608577)
- [Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails - Christopher Hadnagy, Michele Fincher, Robin Dreeke](https://www.amazon.co.uk/Phishing-Dark-Waters-Offensive-Defensive-x/dp/1118958470/ref=sr_1_fkmr0_1?ie=UTF8&qid=1494622911&sr=8-1-fkmr0&keywords=chris+hadnagy)
- [Social Engineering in IT Security: Tools, Tactics, and Techniques, Sharon Conheady](https://www.amazon.com/Social-Engineering-Security-Techniques-Networking/dp/0071818464)
- [No Tech Hacking - Johnny Long, Kevin D. Mitnick](https://www.amazon.co.uk/No-Tech-Hacking-Engineering-Dumpster/dp/1597492159/ref=sr_1_1?ie=UTF8&qid=1494624109&sr=8-1&keywords=no+tech+hacking)
- [Low Tech Hacking: Street Smarts for Security Professionals - Jack Wiles, Terry Gudaitis, Jennifer Jabbusch, Russ Rogers](https://www.amazon.it/Low-Tech-Hacking-Security-Professionals/dp/1597496650)
- [The Art of Deception: Controlling the Human Element of Security, Kevin D. Mitnick, William L. Simon](https://www.amazon.co.uk/Art-Deception-Controlling-Element-Security/dp/076454280X/ref=pd_sim_14_1?_encoding=UTF8&psc=1&refRID=37KD2B6G2Q981MB8D2GM)
- [Ghost in the Wires: My Adventures as the World's Most Wanted Hacker - Kevin D. Mitnick, William L. Simon, Steve Wozniak](https://www.amazon.com/Ghost-Wires-Adventures-Worlds-Wanted/dp/0316037729/ref=sr_1_1?s=books&ie=UTF8&qid=1494769979&sr=1-1&keywords=ghost+in+the+wires)
- [The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data - Kevin Mitnick, Robert Vamosi](https://www.amazon.com/Art-Invisibility-Worlds-Teaches-Brother/dp/0316380520/ref=tmm_pap_swatch_0?_encoding=UTF8&qid=1494770268&sr=1-1)
- [The Social Engineer's Playbook: A Practical Guide to Pretexting - Jeremiah Talamantes](https://www.amazon.com/Social-Engineers-Playbook-Practical-Pretexting/dp/0692306617/ref=sr_1_1?s=books&ie=UTF8&qid=1494770673&sr=1-1&keywords=The+Social+Engineer%27s+Playbook%3A+A+Practical+Guide+to+Pretexting)
- [Learn Social Engineering - Erdal Ozkaya](https://www.packtpub.com/networking-and-servers/learn-social-engineering)

# Community

[Abstract Security](https://discord.gg/zn3wsrr) - A community on Discord focused on physical security, with many members who work in the physical security industry.

# Documentation

#### Social Engineering Resources

* [The Social-Engineer Portal](https://www.social-engineer.org/) - Everything you need to know as a social engineer is on this site. You will find podcasts, resources, frameworks, information about upcoming events, a blog, and more.
* [Layer 8 Conference and Podcast](https://layer8conference.com/) - A conference and podcast focused on OSINT and social engineering.

# Tools

#### Utilities

* [Tor](https://www.torproject.org/) - Free software for enabling online anonymity via onion routing
* [SET](https://github.com/trustedsec/social-engineer-toolkit) - The Social-Engineer Toolkit from TrustedSec

#### Phishing Tools

* [Gophish](https://getgophish.com/) - Open-source phishing framework
* [King Phisher](https://github.com/securestate/king-phisher) - Phishing campaign toolkit for creating and managing multiple simultaneous phishing campaigns with custom email and server content.
* [wifiphisher](https://github.com/sophron/wifiphisher) - Automated phishing attacks against Wi-Fi networks
* [PhishingFrenzy](https://www.phishingfrenzy.com/) - Phishing Frenzy is an open-source Ruby on Rails application used by penetration testers to manage email phishing campaigns.
* [Evilginx2](https://github.com/kgretzky/evilginx2) - Man-in-the-middle (MITM) framework for phishing credentials and session cookies from any web service
* [Lucy Phishing Server](https://www.lucysecurity.com/) - (Commercial) tool for running security awareness training for employees, including custom phishing campaigns, malware attacks, and more. Includes many useful attack templates and training material for raising security awareness.

# Miscellaneous

### Slides

* [OWASP Social Engineering Presentation](https://www.owasp.org/images/5/54/Presentation_Social_Engineering.pdf) - OWASP
* [Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Seymour-Tully-Weaponizing-Data-Science-For-Social-Engineering-WP.pdf) - Defcon 23
* [Using Social Engineering Tactics For Big Data Espionage](https://www.rsaconference.com/writable/presentations/file_upload/das-301_williams_rader.pdf) - RSA Conference Europe 2012

### Videos

* [Chris Hadnagy - 7 Jedi Mind Tricks Influence Your Target without a Word](https://www.youtube.com/watch?v=OOQGsFlTHMQ)
* [Robert Anderson - US Interrogation Techniques and Social Engineering](https://www.youtube.com/watch?v=nQqp6yqf4Ao)
* [Ian Harris - Understanding Social Engineering Attacks with Natural Language Processing](https://www.youtube.com/watch?v=H3gfMkvw76o)
* [Chris Hadnagy - Social Engineering for Fun and Profit](https://www.youtube.com/watch?v=cI9xOR7xEi0)
* [Chris Hadnagy - Decoding humans live](https://www.youtube.com/watch?v=DoDWBe9atIo) - DerbyCon 2015
* [This is how hackers hack you using simple social engineering](https://www.youtube.com/watch?v=lc7scxvKQOo)

### Articles

* [The Limits of Social Engineering](https://www.technologyreview.com/s/526561/the-limits-of-social-engineering/) - MIT, Technology Review
* [The 7 Best Social Engineering Attacks Ever](http://www.darkreading.com/the-7-best-social-engineering-attacks-ever/d/d-id/1319411) - DarkReading
* [Social Engineering: Compromising Users with an Office Document](http://resources.infosecinstitute.com/social-engineering-compromising-users-using-office-document/) - Infosec Institute
* [The Persuasion Reading List](http://blog.dilbert.com/post/129784168866/the-persuasion-reading-list) - Scott Adams' Blog
* [How I Socially Engineer Myself Into High Security Facilities](https://motherboard.vice.com/en_us/article/qv34zb/how-i-socially-engineer-myself-into-high-security-facilities) - Sophie Daniel

### Movies

* [Tiger Team (TV series)](https://en.wikipedia.org/wiki/Tiger_Team_)
* [Catch Me If You Can](http://www.imdb.com/title/tt0264464/)
* [Inception](http://www.imdb.com/title/tt1375666/)
* [The Sting](https://www.imdb.com/title/tt0070735/)
* [Sneakers](https://www.imdb.com/title/tt0105435/)

# OSINT

#### OSINT Resources

* [Awesome OSINT](https://github.com/jivoi/awesome-osint) - An awesome list of OSINT resources
* [OSINT Framework](http://osintframework.com/) - A collection of various OSINT tools broken down by category.
* [NetBootcamp OSINT Tools](http://netbootcamp.org/osinttools/) - A collection of OSINT links and custom web interfaces to other services such as [Facebook Graph Search](http://netbootcamp.org/facebook.html) and [various paste sites](http://netbootcamp.org/pastesearch.html).
* [Automating OSINT blog](http://www.automatingosint.com/blog/) - A blog about OSINT curated by Justin Seitz (also the author of BHP).

#### OSINT Tools

* [XRay](https://github.com/evilsocket/xray) - XRay is a tool for recon, mapping and OSINT gathering from public networks.
* [Buscador](https://inteltechniques.com/buscador/) - A Linux virtual machine pre-configured for online investigators
* [Maltego](http://www.paterva.com/web7/) - Proprietary software for open-source intelligence and forensics, from Paterva.
* [theHarvester](https://github.com/laramies/theHarvester) - Email, subdomain and people name harvester
* [creepy](https://github.com/ilektrojohn/creepy) - Geolocation OSINT tool
* [exiftool.rb](https://github.com/mceachen/exiftool.rb) - Ruby wrapper for exiftool, an open-source tool for extracting metadata from files.
* [metagoofil](https://github.com/laramies/metagoofil) - Metadata harvester
* [Google Hacking Database](https://www.exploit-db.com/google-hacking-database/) - A database of Google dorks; can be used for recon
* [Google-Dorks](https://github.com/arimogi/Google-Dorks) - Common Google dorks and other uses you may not know about
* [GooDork](https://github.com/k3170makan/GooDork) - Command-line Google dorking tool
* [dork-cli](https://github.com/jgor/dork-cli) - Command-line Google dork tool.
* [Shodan](https://www.shodan.io/) - Shodan is the world's first search engine for Internet-connected devices
* [recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng) - A full-featured web reconnaissance framework written in Python
* [github-dorks](https://github.com/techgaun/github-dorks) - CLI tool to scan GitHub repositories/organizations for potential sensitive information leaks
* [vcsmap](https://github.com/melvinsh/vcsmap) - A plugin-based tool to scan public version control systems for sensitive information
* [Spiderfoot](http://www.spiderfoot.net/) - Multi-source OSINT automation tool with a web UI and report visualizations
* [DataSploit](https://github.com/upgoingstar/datasploit) - OSINT visualizer utilizing Shodan, Censys, Clearbit, EmailHunter, FullContact, and Zoomeye behind the scenes.
* [snitch](https://github.com/Smaash/snitch) - Information gathering via dorks
* [Geotweet_GUI](https://github.com/Pinperepette/Geotweet_GUI) - Track geographical locations of tweets and then export them to Google Maps.

# License

[![Creative Commons License](http://i.creativecommons.org/l/by/4.0/88x31.png)](https://creativecommons.org/licenses/by/4.0/) This work is licensed under a [Creative Commons Attribution 4.0 International License](http://creativecommons.org/licenses/by/4.0/)