Saturday, December 5, 2009

Preassessment

Solutions in this Chapter:

■ The Birds and the Bees

■ Long Walks on the Beach

■ Romantic Candlelit Dinners

■ List of Sites

■ Summary

■ Solutions Fast Track

■ Frequently Asked Questions

Introduction

In this chapter, we'll discuss what's called pre-assessment information-gathering techniques. During this phase of an assessment, the security tester is most interested in obtaining preliminary information about the target. This does not include specific information such as IP addresses and DNS names (which we discuss in the next chapter) but rather information that could be used for social manipulation (talking a help desk operator into a password change), physical compromise of a target (gaining information about building structures or badge layouts), and general reconnaissance.

Throughout this chapter, we focus on methods to locate information about the target that will most likely be used in later phases of the assessment. In a twisted sort of way, pre-assessment work is a bit like preparing for the perfect date. You might do a bit of research about the person, get some information about them and their friends and family, spend quality time with them, and learn as much as you can about their interests. Although the stakes are much higher, courting your target can be like courting your mate. When things get rough, plan to spend some time sleeping in a chair or a couch instead of in a nice, warm bed where you belong!

Let's carry that analogy through the chapter and examine how the stages of pre-assessment mirror the stages of courtship.



The Birds and the Bees

One of the first steps you need to take is to try to understand the target company structure and environment. Visiting the company Web site can provide some information, but keep in mind that you're only seeing what they want you to see. To get behind the scenes, a simple site:somecompany.com search will often reveal information that wasn't meant to be seen by the public. This search has one major drawback, however: for a large company, it could return thousands of results, many of which are useless and a huge waste of your time.

In this section we look at techniques (grinding techniques, specifically) that you can use to weed through all this data, but for now it might be a better idea to target your searches to find the useful data.

Intranets and Human Resources

Where do you go if you want the inside scoop on a company? What better department to start with than Human Resources! Since just about anything intentionally viewable by the public tends to be watered down, we'll need to get behind the scenes. Many companies like to make company information available to their employees (and only their employees), and to do so they set up company intranets containing information for employee eyes only. Intranets are supposed to be private, but combining Human Resources and intranet into a search such as intitle:intranet inurl:intranet +intext:"human resources" shows that private sites sometimes aren't exactly private, as we can see in Figure 4.1.



[Figure 4.1: Google results for intitle:intranet inurl:intranet +intext:"human resources" (about 3,130 results); the first page includes Google Directory's Intranet software category, the University of Illinois Extension intranet, an Office of Human Resources intranet page, and the SIUC intranet.]



In addition to providing you with information about the company policies and procedures, most HR intranet sites provide the names of contact people for the department. These names can be very useful for future social engineering attacks.



A Wealth of Information Lies in the Company Intranet

Don't limit yourself to the Human Resources department. Companies put all sorts of information on their intranets, since they assume they are safe from public eyes. Replacing the human resources part of the query with computer services, IT department, or simply phone can provide amazing amounts of additional information that you can later use during the social engineering phase. Chapter 7 contains more information about using the company intranet to your advantage.



Help Desks

A simple search listed in Chapter 7's Top 10 searches is intranet | help.desk, or simply ("help.desk" | helpdesk). Combined with the site operator, this query is designed to locate intranets or help desk pages. Help desk references are extremely valuable because they often refer to documents and procedures an attacker could use to gather information about the target.

Self-Help and "How-To" Guides

These documents are designed to help an end user perform some sort of procedure. Used creatively, they can provide information about the target that could prove useful at some point during an assessment. For example, a kludgey search such as "how to" network setup dhcp ( "help desk" | helpdesk ) can reveal documents that include instructions for connecting to a network, as shown in Figure 4.2.



This page lists a virtual gold mine of information:

■ Network information DHCP, no client IDs, AppleTalk, Ethernet.

■ Recommended browsers The download link lists recommended browsers and version information.

■ Help desk phone number X1705; an RCC comes to your room.

■ E-mail information An ID can be generated by the IT department.

■ E-mail information The site uses Novell GroupWise.

■ E-mail information A Web-based (!) e-mail server is located online at http://gw5.XXX.edu.

■ E-mail information The e-mail server is available from the Internet.

This is not an uncommon how-to document. Most are overly informative, supplying a great deal of information that an attacker can use.

Job Listings

Job listings can also reveal information about a target, including technologies in use, corporate structure, geography, and more. One of the easiest ways to locate job postings is with a simple query such as resume | employment combined with the site operator. Don't overlook job listings as an important source of information about an organization.

Public Polling Via Google

Google can be used to map the public opinion of a site over time. First, build two lists of Google queries. The first list combines the common name of a company with 100 common "good" phrases such as good experience, wise investment, well-managed, and so on. Next, create a second list that combines the company name with 100 "bad" phrases such as poor customer service, shady management, and beware. Feed these lists into Google every day for an extended period of time, mapping not only the numbers of hits but the page rank of each referring site. This kind of nonobvious statistical information can speak volumes about a company's image (as well as provide a decent financial investment road map!).



Long Walks on the Beach

During the courtship process, a couple often spends time getting to know one another. Similarly, during a penetration test, it's not a bad idea to get "personal" with your target, or specifically the people working for the organization. Digging up details about the people who make up an organization can pay off in big ways during later assessment phases. Usernames, employee numbers, or Social Security numbers can be used to social engineer a help desk technician. E-mail addresses can be targeted with e-mails containing malware. Information about an individual's circle of friends can be used to social engineer that individual. Any little tidbit of information can be used by a creative security tester to gain access to more information, causing a snowball effect that often leads to system or network compromise. In this section, we'll take a look at some ways Google can be used to harvest this type of information.

Names, Names, Names

One way Google excels at helping the researcher dig up additional names and e-mail addresses is through its Google Groups searches. Google Groups (formerly DejaNews) is simply a Usenet archive that keeps copies of all posts made to thousands of Usenet groups over the years. For example, performing a Google Groups search on somecompany.com returns some nice information, as shown in Figure 4.3.



Figure 4.3 Results of Google Groups Query for somecompany.com

[Figure: about 1,470 Google Groups results for somecompany.com, mostly Postfix, mail-relaying and database-design threads, each listing the newsgroup, date and poster's name at the bottom of the result.]



Notice that the returned results list the name of the poster at the bottom of each result listing. In some cases this information is faked, but depending on the number of results, you could end up with legitimate employee names. Remember that the Google Groups Advanced Search feature (http://groups.google.com/advanced_group_search) allows you to narrow your search by specifying several additional search parameters such as Subject, Author, Date, specific phrases, and more.

Browsing Google Groups results for information can be a daunting task, especially when it comes time to dig through all the pages to find the information you're after. Chapter 10 contains snippets of code that can be used to extract URLs, e-mail addresses, and more from scraped Google Groups result pages. Chapter 10 also goes into more detail on how to properly search for, locate, and extract e-mail addresses using regular expressions.

Automated E-Mail Trolling

It would be nice to have a utility to help automate the process of searching for e-mail addresses. Ask and you shall receive! The Perl code that follows, written by Roelof Temmingh of SensePost (www.sensepost.com), will search through Google Groups pages and Google Web pages, hunting for e-mail addresses. To use this tool, you must first obtain a Google API key from www.google.com/apis. Download the developer's kit, copying the GoogleSearch.wsdl file into the same directory as this script. Next, download and install the Expat package from sourceforge.net/projects/expat. This installation requires a ./configure and a make, as is typical with most modern UNIX-based installers. This script also uses SOAP::Lite, which is easiest to install via CPAN. Simply run CPAN from your favorite flavor of UNIX and issue the following commands from the CPAN shell to install SOAP::Lite and various dependencies (some of which might not be absolutely necessary on your platform):

    install LWP::UserAgent
    install XML::Parser
    install MIME::Parser
    force install SOAP::Lite

Although this might seem like a lot of work for one script, most Perl-based Google programs will have the same requirements, meaning that you only need to go through this process once to allow you to run this and other Google querying Perl scripts, some of which are included in later chapters of this book. Be sure to insert your Google API key into this script before running it. Now without further ado, here's the much-anticipated script:
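The SensePost script itself is not reproduced on this page. As an added illustration (not the SensePost tool, and in Python rather than Perl), the following shows the extraction step such a tool performs once result pages have been scraped: it pulls e-mail addresses and URLs out of a constructed sample of result text and separates the organization's own addresses (the ones an exposure audit cares about) from third-party ones.

```python
import re
from typing import Dict, List, Set

# Constructed sample of scraped search-result text (not a real page or real people).
SAMPLE_RESULTS = """
Postfix on the DMZ and Aliases
Example: A mail sent to unix-admin@somecompany.com should be stopped at the DMZ box
mailing.postfix.users - Sep 26, 2001 by James A. Mutter <jmutter@somecompany.com>
Relaying denied? - the address bob@somecompany.com was rejected
See http://www.somecompany.com/intranet/helpdesk.html and http://gw5.somecompany.com/
comp.mail.misc - Sep 26, 1999 by someone@netmcr.com
Contact: Jane.Doe@SomeCompany.com (HR) or webmaster@partner.example
"""

# Deliberately simple patterns: good enough for text scraped from result pages.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def extract_emails(text: str) -> Set[str]:
    """Every e-mail address in the text, lower-cased so case variants collapse."""
    return {m.lower() for m in EMAIL_RE.findall(text)}


def extract_urls(text: str) -> Set[str]:
    """Every http(s) URL in the text."""
    return set(URL_RE.findall(text))


def exposure_report(text: str, domain: str) -> Dict[str, List[str]]:
    """Split harvested addresses into the organization's own domain (including
    subdomains) versus third parties, and list the hosts named in URLs."""
    domain = domain.lower()
    emails = extract_emails(text)
    own = sorted(e for e in emails
                 if e.rsplit("@", 1)[1] == domain or e.endswith("." + domain))
    third = sorted(emails - set(own))
    hosts = sorted({u.split("/")[2].lower() for u in extract_urls(text)})
    return {"own_domain": own, "third_party": third, "hosts": hosts}


if __name__ == "__main__":
    for key, values in exposure_report(SAMPLE_RESULTS, "somecompany.com").items():
        print(key, values)
```

Feeding it the text of real result pages for your own domain gives a quick inventory of which addresses and internal hostnames Usenet archives and search engines already expose.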
