OSINT Tools: The Foundation for Social-engineering and Phishing Attacks

Have you ever wondered how someone sitting 7,300 miles away is able to easily penetrate an organization’s network? How someone who has never had legitimate access to a network can learn more about that organization than most of its own employees? It’s actually pretty easy, given the right skill set and a lot of patience. I know cyberwarfare isn’t a new thing, but it’s still impressive to think that someone on the other side of the globe, a few continents away, is able to wreak so much havoc.

I recently gave a presentation to a group on the topic of open-source intelligence (OSINT). I have given this as a hands-on presentation at conferences and workshops in the past. In those workshops, my audience is usually made up of IT admins, company legal departments, and a handful of individuals from across the law enforcement community. In the weeks leading up to each workshop I always request a list of attendees from the conference sponsor, which I use to gather OSINT on the attendees. On the day of the workshop, before everyone arrives, I go around and put nametags at their seats along with a notecard that is specific to each person. When the session starts, I ask everyone to flip over the notecard and read it, to see if it’s accurate. On that notecard is a complete bio and profile comprised of information that I was able to get using various publicly available resources. I try to keep the notecards at a G to PG level, so they usually just include first/last name, DOB/place of birth, maiden names, parents’ names, kids’ names, schools attended, address history, phone numbers, job history, associates, affiliations, hobbies, etc. Although this isn’t your typical icebreaker, it does set the mood for the day as well as elicit a few awkward stares. But if you’ve signed up for a class entitled “OSINT and the Internet as an investigative tool,” then it’s all fair game. Anyway, the point of the exercise is to illustrate to anyone who may have been naïve just how easy it is for someone like me, who doesn’t work for a three-letter intel agency, to obtain this level and amount of information.

What is OSINT?

Open-source intelligence refers to finding and analyzing information from any source that is publicly available. OSINT has been used for decades by the intelligence community. Only in the last 10 to 12 years has there been a change in methodology. Prior to the Internet age, OSINT consisted of analyzing newspapers, magazines, radio and TV from across the globe. It wasn’t until the Internet was accessible to everyone that OSINT became popular and used by all sectors. As companies evolved and technology advanced, so did the competition to be the best in the market. What followed was a variety of companies that started conducting competitive intelligence against one another, or cyberespionage as it’s known today. During this time, as more companies joined the online community, they began to realize the efficiency of using the Internet as a tool for obtaining “competitive intelligence.” It was then discovered that a lot of nation-states were also using OSINT for their own nefarious purposes. We now know that certain nation-states have entire teams devoted to conducting reconnaissance using the Internet to acquire as much intel as possible on U.S. companies, the government and our interests abroad. To put it bluntly, China and Russia figured out long before we did that OSINT was a key to the success of their subsequent hacking operations, which have become commonplace over the last decade.

The Eye-opener

During my presentation last week, I was fortunate enough to have a few C-level executives in the audience. This is always great because I get to show them firsthand how easily they can become the target of a phishing email or another social-engineering attack. I started off my presentation with infrastructural reconnaissance, which focuses on gathering information on an organization such as email addresses, DNS records, IP addresses, MX servers, files, and anything else that would be useful to an attacker. Infrastructural recon differs from personal reconnaissance in that personal recon is exactly what it sounds like: gathering info on a person or individual. The two types of recon are both part of the overall objective anyway, especially if you plan to use a social-engineering attack. Before my presentation, I received permission from the executives to use them and the company as the target for my demo. The demo was split into two parts: Part 1 illustrated how much material on them and the company I could uncover using only their domain name. Part 2 used the results from Part 1 to obtain additional info that could be used in any number of subsequent attacks.

Part 1

I used Maltego to search for the domain. In under a minute the canvas was filled with a striking display of DNS names, domains, MX Records, IP addresses, phone numbers, URLs, email addresses, first and last names, NS Records, locations, documents, and social media affiliations. It’s worth mentioning that since Maltego aggregates data from across the Internet and identifies everything that your search term is related to, many results can and will be irrelevant. For example, since this particular company also hosts a blog, there were many email addresses and names associated with user comments on the company blog, which weren’t helpful in my objective. Nonetheless, Maltego, as The Ethical Hacker Network describes it, is: “an open source intelligence and forensics application that allows for the mining and gathering of information as well as the representation of this information in a meaningful way. Coupled with its graphing libraries, Maltego, allows you to identify key relationships between information and identify previously unknown relationships between them.”

After completing the search using Maltego, I started explaining the results to the audience and zeroed in on one of the several email addresses returned. The email address I chose just happened to belong to an exec sitting in the front row. Now that I had his email address, as well as the naming convention used for their email (e.g., firstname_lastname@company.com or lastname@company.com), and I had the actual email server, I was more than halfway there. I next logged into LinkedIn using an unassuming account I had already created specifically for this type of work and searched for the company. As expected, the LinkedIn search returned a list of people identifying themselves as employees of this company. In that list was a familiar name: it was the same executive, and now I had his full name, title, complete description of his position, and a list of his coworkers and information about their positions. Since I only had an hour, I stopped Part 1 and explained how the rest of the process might play out in a real-world malicious scenario with an attacker using this information for a phishing email.

Part 2

The second part of the demo consisted of me taking a lot of the data I obtained in Part 1 (IP address, domain names, etc.) and enumerating the network. For this I used FOCA 3.2, a free fingerprinting and information-gathering tool that can search for servers, domains, URLs and public documents and which outputs everything into a network tree. Another useful feature of FOCA is that it searches for data leaks such as document metadata, directory listings, insecure HTTP methods, robots.txt files, detection and processing of svn repositories, and much more. I think this part of my demo was even more eye-opening because it showed the audience that several of their assets were exposed. Within three minutes I managed to obtain a comprehensive listing of their systems complete with IP net blocks, DNS servers, Exchange server, webmail, Microsoft Lync server, customer-facing portals, and a lot more.
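The metadata leak FOCA looks for lives in the property parts of Office documents (author, last editor, company, application), which are exactly the names and naming conventions a phishing campaign is built on. As an added example that is not part of the original post or of FOCA, the following Python audits the documents an organization itself publishes and reports those fields, so the defender sees the leak before an OSINT tool does; the sample docx files are constructed in memory and contain made-up values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the Office Open XML property parts docProps/core.xml and docProps/app.xml
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Identity-revealing properties an OSINT tool harvests from public documents: (part, tag, label)
LEAK_FIELDS = [
    ("docProps/core.xml", f"{{{NS_DC}}}creator", "author"),
    ("docProps/core.xml", f"{{{NS_CP}}}lastModifiedBy", "last_modified_by"),
    ("docProps/app.xml", f"{{{NS_APP}}}Company", "company"),
    ("docProps/app.xml", f"{{{NS_APP}}}Application", "application"),
]


def extract_office_metadata(data: bytes) -> dict:
    """Return the non-empty leak fields found inside one OOXML (docx/xlsx/pptx) file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part, tag, label in LEAK_FIELDS:
            if part not in names:
                continue  # part absent: nothing to leak from it
            el = ET.fromstring(z.read(part)).find(tag)
            if el is not None and el.text and el.text.strip():
                found[label] = el.text.strip()
    return found


def build_sample_docx(author: str, modifier: str, company: str) -> bytes:
    """Construct a minimal docx in memory (sample data for the demo, not a real document)."""
    core = (f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
            f"<dc:creator>{author}</dc:creator><cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    app = (f'<Properties xmlns="{NS_APP}"><Application>Microsoft Office Word</Application>'
           f"<Company>{company}</Company></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<w:document/>")  # body content is irrelevant to the audit
    return buf.getvalue()


def audit(documents: dict) -> dict:
    """Map each published file name to the fields it leaks; files with no entries are clean."""
    return {name: extract_office_metadata(data) for name, data in documents.items()}
```

To run this over a real web root, read each .docx/.xlsx/.pptx from disk into the `documents` dict; any document reporting an author or company should be re-exported with its properties stripped before publication.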

The End

I barely scratched the surface in this OSINT presentation, but in less than 20 minutes I was able to gather enough information for a mass spear-phishing attack or network intrusion. Along the way I also uncovered information that, although not applicable to this particular objective, could have been useful had I decided to use another attack vector as a way in. For example, I uncovered information about the company’s customers, business partners, email communications between employees and prospects, as well as vendors they used. Like many things, these tools and techniques can be used for good or evil. Unfortunately, most of the time, OSINT is used for malicious behavior. However, as security professionals we can leverage the same TTPs as the bad guys to identify weaknesses before someone exploits them. OSINT can also be very useful for IR and forensics consultants, especially when investigating advanced threats. With information on the attacker in hand, such as an IP address, C2 servers, moniker, etc., I can leverage it to my advantage in gathering additional info during forensics. Just like we tell our customers, “there is no one right or all-encompassing security solution, but rather a security stack.” Think of OSINT as just another layer in your overall security stack.

via Bit9 Blog
