Saturday, December 5, 2009

Most Submitted Forms and Scripts

Table 4.1 E-Mail Address Queries

Query: filetype:eml eml +intext:"Subject" +intext:"From"
Description: Outlook Express e-mail files contain e-mails with full headers

Query: intitle:index.of inbox dbx
Description: Outlook Express e-mail folder

Query: filetype:wab wab
Description: Outlook Mail address books contain sensitive e-mail information

Query: filetype:pst inurl:"outlook.pst"
Description: Outlook PST files can contain e-mails, calendaring, and address information

Query: filetype:mbx mbx intext:Subject
Description: Outlook versions 1-4 or Eudora mailbox files contain sensitive e-mail information

Query: inurl:cgi-bin/printenv
Description: Printenv script can reveal lots of information, including e-mail addresses and server information

Query: inurl:forward filetype:forward -cvs
Description: UNIX user e-mail forward files can list e-mail addresses

Query: (filetype:mail | filetype:eml | filetype:mbox | filetype:mbx) intext:password|subject
Description: Various generic e-mail files

Query: "Most Submitted Forms and Scripts" "this section"
Description: WebTrends statistics pages reveal directory information, client access statistics, e-mail addresses, and more

Query: filetype:reg reg +intext:"internet account manager"
Description: Windows registry files can reveal information such as usernames, POP3 passwords, e-mail addresses, and more

Query: "This summary was generated by wwwstat"
Description: Wwwstat statistics information can reveal directory info, client access statistics, e-mail addresses, and more

Such "gifts" of information are fairly rare to uncover during an assessment, but it's often surprising what will turn up. In most cases, you'll be better off trolling for addresses using less "direct" techniques, but if you happen to get a hit on one of these queries during an assessment, the payoff can be huge. Consider a query for filetype:eml eml +intext:"Subject" +intext:"From", shown in Figure 4.9. This query can reveal full e-mail messages, including all header information. This much information can be very useful during a security audit.

Figure 4.9 Full E-Mails Are a Rare Treasure

[Screenshot: Google results for filetype:eml eml +intext:"Subject" +intext:"From" (about 13,000 hits); each result snippet shows raw message headers such as Received, Message-ID, Date and Subject taken from .eml files left on Web servers.]
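The queries in Table 4.1 only work because mailbox, address-book, registry-export and statistics files get left inside a served directory. A defender can find those files before a search engine does by sweeping the document root for the same file types and page markers. The Python below is an added example, not code from the book: the extension-to-description mapping is taken from the table, while the directory layout and sample files that build_demo_root() creates are constructed for the demonstration.

```python
"""
Sweep a local copy of a Web document root for the file types and page
markers that the Table 4.1 queries search for. Added example; not from the
book. The sample tree built by build_demo_root() is constructed for the demo.
"""
import os
import re
import tempfile

# Extension -> what Table 4.1 says such a file exposes
RISKY_EXTENSIONS = {
    ".eml": "Outlook Express e-mail file (full headers)",
    ".dbx": "Outlook Express e-mail folder",
    ".wab": "Outlook address book",
    ".pst": "Outlook PST (mail, calendar, contacts)",
    ".mbx": "Outlook 1-4 / Eudora mailbox",
    ".mbox": "generic mailbox file",
    ".mail": "generic mail file",
    ".reg": "Windows registry export",
}

# Content markers from the table's intext:/phrase queries (case-insensitive)
CONTENT_MARKERS = [
    ("internet account manager", "registry export of mail account settings (may hold POP3 passwords)"),
    ("this summary was generated by wwwstat", "wwwstat statistics page"),
    ("most submitted forms and scripts", "WebTrends statistics page"),
]


def classify(relpath, head):
    """Return the list of reasons this file is a leak candidate ([] if none).

    relpath: path relative to the document root; head: first bytes of the
    file decoded as text.
    """
    findings = []
    name = os.path.basename(relpath)
    ext = os.path.splitext(name)[1].lower()   # '.forward' has no extension
    if ext in RISKY_EXTENSIONS:
        findings.append(RISKY_EXTENSIONS[ext])
    if name == ".forward":
        findings.append("UNIX .forward file (lists forwarding addresses)")
    if re.search(r"(^|/)cgi-bin/printenv", relpath.replace(os.sep, "/")):
        findings.append("printenv CGI (dumps server environment)")
    lowered = head.lower()
    for marker, desc in CONTENT_MARKERS:
        if marker in lowered:
            findings.append(desc)
    return findings


def scan_webroot(root, head_bytes=4096):
    """Walk root and map each flagged file (relative, '/'-separated) to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(head_bytes).decode("utf-8", "replace")
            except OSError:
                head = ""
            hits = classify(rel, head)
            if hits:
                results[rel.replace(os.sep, "/")] = hits
    return results


def build_demo_root():
    """Create a constructed document root: a benign page plus several leak candidates."""
    root = tempfile.mkdtemp(prefix="webroot_")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    put("index.html", b"<html><body>Welcome</body></html>")
    put("backup/outlook.pst", b"!BDN" + b"\x00" * 16)           # fake PST header
    put("home/alice/.forward", b"alice@example.com, bob@example.com\n")
    put("settings/mail.reg",
        b"Windows Registry Editor Version 5.00\r\n"
        b"[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager]\r\n")
    put("stats/index.html", b"<title>Site stats</title>This summary was generated by wwwstat")
    put("cgi-bin/printenv", b"#!/bin/sh\nenv\n")
    return root


if __name__ == "__main__":
    for path, why in sorted(scan_webroot(build_demo_root()).items()):
        print(path, "->", "; ".join(why))
```

Point scan_webroot() at a real document root (or a staging copy) and review every hit; a .reg file that mentions the Internet Account Manager key is flagged twice, once for its extension and once for its content, which is the case the table singles out for POP3 passwords.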



Nonobvious E-Mail Relationships

It's one thing to search for e-mail addresses based on a company's common domain name. It's quite another to determine e-mail addresses that are subtly connected to a target. Google can be used to determine these often critical relationships that frequently reveal personal addresses and relationships between addresses and individuals.

First, start with a "dirty" list of e-mail addresses grabbed with the basic e-mail location techniques discussed here. This dirty list can consist of every e-mail address found on the same page as an "obvious" e-mail address belonging to your target. For scraped newsgroup messages, this will often include quite a few "fringe" addresses. Using the dirty list, automate queries for each and every combination of e-mails in the list. For each combination of e-mails that results in more than one hit, there is some relationship between the addresses. The higher the number of hits for the combination, the stronger the relationship.

To determine less obvious relationships, split address hits into collections. For example, scrape e-mail addresses from every Web page that lists EmailA. We'll call this list CollectionA. Next, scrape e-mail addresses from every Web page that lists EmailB. We'll call this CollectionB. Automate Google queries that combine EmailA with each and every e-mail address in CollectionB. If there's a hit (any query that results in at least one hit), there's a loose relationship between EmailA and EmailB. Next, reverse the search, combining EmailB with each and every address in CollectionA. Again, a hit indicates a loose relationship between EmailB and EmailA. The researchers at SensePost (www.sensepost.com) have coded a prototype of this technique, and the resultant list of associations can be very revealing. When tested, nonobvious relationships are often revealed in relatively short order.
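The two steps above (pairwise hit counting over the dirty list, then the CollectionA/CollectionB cross-check) are easier to follow in code. The Python below is an added example, not SensePost's prototype or code from the book: hit_count() stands in for the search engine and simply counts pages in PAGES, a constructed in-memory corpus of invented addresses, that contain every query term. Run over an organisation's own published pages, the same logic shows which address associations are already exposed to anyone who can search them.

```python
"""
The address-association technique from the chapter, run against a
constructed in-memory corpus instead of live search queries. Added example;
not the book's or SensePost's code. All addresses and URLs are invented.
"""
import itertools
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed corpus: url -> page text (stands in for the indexed Web)
PAGES = {
    "http://example.com/team": "Contact alice@example.com or bob@example.com for press.",
    "http://example.com/news": "alice@example.com and bob@example.com announce a merger",
    "http://example.com/board": "Minutes: alice@example.com, carol@example.com present.",
    "http://list.example.net/t1": "From: bob@example.com Cc: dave@other.org subject: lunch",
    "http://list.example.net/t2": "alice@example.com wrote: thanks dave@other.org",
    "http://blog.example.net/p": "Personal page of dave@other.org (home: dave@home.example)",
    "http://forum.example.org/x": "bob@example.com and dave@home.example bowling league",
    "http://unrelated.example/y": "erin@nowhere.test wrote a poem",
}


def hit_count(terms, pages=PAGES):
    """Search-engine stand-in: number of pages containing every term (case-insensitive)."""
    lowered = [t.lower() for t in terms]
    return sum(1 for text in pages.values() if all(t in text.lower() for t in lowered))


def dirty_list(seed, pages=PAGES):
    """Every address that appears on a page together with the seed address.

    This is both the chapter's "dirty list" for a target address and, for
    step two, the collection (CollectionA / CollectionB) for that address.
    """
    found = set()
    for text in pages.values():
        if seed.lower() in text.lower():
            found.update(m.lower() for m in EMAIL_RE.findall(text))
    found.discard(seed.lower())
    return sorted(found)


def pairwise_strength(addresses, pages=PAGES):
    """Step one: query every pair; more than one hit means a relationship,
    and the hit count is its strength. Returns {(a, b): hits}."""
    strengths = {}
    for a, b in itertools.combinations(sorted(addresses), 2):
        n = hit_count([a, b], pages)
        if n > 1:
            strengths[(a, b)] = n
    return strengths


def loose_relationship(email_a, email_b, pages=PAGES):
    """Step two: EmailA is loosely related to EmailB if EmailA co-occurs
    (at least one hit) with any address in CollectionB, or EmailB with any
    address in CollectionA. Returns the bridging addresses in each direction."""
    collection_a = dirty_list(email_a, pages)
    collection_b = dirty_list(email_b, pages)
    a_to_b = [x for x in collection_b if hit_count([email_a, x], pages) >= 1]
    b_to_a = [x for x in collection_a if hit_count([email_b, x], pages) >= 1]
    return {"a_to_b": a_to_b, "b_to_a": b_to_a, "related": bool(a_to_b or b_to_a)}


if __name__ == "__main__":
    seed = "alice@example.com"
    dirty = dirty_list(seed)
    print("dirty list for", seed, "->", dirty)
    print("strong pairs ->", pairwise_strength([seed] + dirty))
    print("alice <-> dave@home.example ->", loose_relationship(seed, "dave@home.example"))
```

In the constructed corpus alice@example.com and dave@home.example never share a page, yet loose_relationship() links them through bob@example.com and dave@other.org in both directions; that bridging pair is exactly the kind of "nonobvious" association the text describes, and it is what a defender should look for when reviewing which addresses an organisation publishes side by side.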

Personal Web Pages and Blogs

In addition to the business side of the Internet, there is a more human side—one that is frequently driven by a person's vanity and sense of self-importance. One of the factors fueling the massive growth and popularity of the Internet is personal Web sites and blogs, or Web logs—personal journals of the Internet-connected masses. Blogging has recently experienced a huge boom in users all rushing to put up their personal thoughts and opinions on various matters. Often, locating an individual's personal Web page or blog can provide insight into that person, which might help you gain access to him or her as an employee via a bit of creative social engineering. Searching for a person's name and e-mail address combined with terms such as homepage, blog, or family can quickly and easily locate these types of pages for you. From personal likes and dislikes to home phone numbers and pets' names, people slap this potentially devastating information up on the Internet without giving it a second thought.

Instant Messaging

In addition to using e-mail, thousands of people use one of the instant-messaging programs to stay in touch with their friends and associates. These programs use buddy lists, usually a list of an individual's "inner circle," so getting hold of a person's buddy list can be very useful at later stages of the game. So how do you find a person's buddy list? Once again, Google comes to the rescue with a simple search such as , as shown in Figure 4.10.

Web-Based Mailing Lists

Many people participate in mailing lists that match their interests, and these days you can find a mailing list for just about any subject. Often, however, these lists require you to join before you can read the messages. Once you do, though, you are often granted access to that group's message archive, which can potentially contain insightful and useful information because people frequently reveal far too much information about themselves when they feel comfortable with a group of people, even people they've never met face to face.

One simple technique for locating an individual in a "members-only" Web-based message group is by signing up for an account with a popular Web-based message group provider, such as Yahoo! or http://groups-beta.google.com. In many cases, once you're signed up as a member, you can search for other members by screen name. Once you locate members, you can examine their profiles to get an idea of the groups they most likely belong to. Even without access to these groups, simply grabbing the name and description of the group can give you an idea about the content of that group, keying you into the interests of that individual.

Resumes and Other Personal Information

Yet another place to dig up information on a person is his or her resume, or curriculum vitae. In addition to providing a (usually) current address and phone number, these searches reveal a person's prior employer, which provides yet another angle from which to approach them during the social engineering phase. Obviously, a search such as or even will return far too many false positives. However, let's take a look at a more creative search that narrows down the results: <"phone ***" "address *" "e-mail" intitle:"curriculum vitae">.



Keeping in mind that an attacker can never have too much information when embarking on a social engineering quest, these are but a few of the ways to gather data about company employees. eBay, Amazon, and other online stores or message boards are all good places to grab information about a person's interests. Amazon "wish lists" are great ways to learn about a target's interests, although we certainly don't condone "buying off" employees during an assessment. That's just bad form. If you even thought about doing that, refer to Appendix A to help get your feet back on a solid pen-test professional's ground.

Romantic Candlelit Dinners

Gathering information about a company's employees is a vital part of preparing for a successful social engineering job. However, unless you intend to carry out your entire scam over the phone, you're going to need more than just information on paper. Phone scams work great, but to really test your company's security, you need to actually get through the front door. Breaking into a facility is part of what's been referred to as a physical assessment. A physical assessment requires a distinct set of skills and is often not performed adequately by most technical types, but in more and more cases, pen testers are being called on to give the "doorknob a turn" in the world of physical security. If you are called on to perform a basic physical assessment, Google can help in quite a few ways. Most of these assessments involve getting up close and personal with employees of the target company.

Badges? We Don't Need No Steenkin' Badges!

Google's image search can be used to troll for corporate logos that can be used to create everything from corporate letterhead to access badges. Creating a bogus (but realistic-looking) access badge often requires a glimpse of a real badge, which is certainly never found online. Getting a glimpse of a real badge is as simple as locating a few good employee hangouts and hanging out there yourself, but when it comes time to create an access badge, Google's image search is a terrific way to find a nice, clean logo to use for your artistic endeavors. A word of caution: Once you sweet-talk your way into a facility, never, ever make the mistake of getting caught by security on your way out of the facility, even if you get a really strong hankerin' to visit the hot dog guy out front. Your coworkers will never let you live it down, and your story will inevitably end up in a really public place—a Google hacking book, for example.

What's Nearby?

Nonconfrontational contact with your target employees is an essential part of your preparation. By nonconfrontational, we mean people watching, eavesdropping on conversations, and possibly even striking up friendly but underhanded conversations. Once again, Google comes to the rescue with Google Local (http://local.google.com/). Google Local allows you to search by business type and location, allowing you to locate any type of business near your target, as shown in Figure 4.12.

By simply entering a ZIP code and some key phrases, you can use Google Local to locate places to hang out to soak up corporate gossip. Let's take a look at a few examples.

Coffee Shops

Coffee shops are a great place to start the day, no matter where you work (unless you work for a coffee shop, of course). Employees frequently gather at their local coffee shop to get their morning dose of caffeine before beginning their long, drudging day at the office. Hitting Google Local and searching for coffee shop within the target area will tell you the closest (and most likely) places for these not-yet-awake workers to be gathering. Grab your laptop and a large coffee and take a spot at the table closest to the line (usually the last table people want). If you haven't spent much time in these kinds of places, you probably don't realize how much gossip people engage in while in line. This could be company-related gossip or gossip about other employees—but whichever type it is, it is information that often can't be gathered anywhere else and is as good as gold.

Diners and Delis

So you've finished your morning eavesdropping and gotten loads of good information. That still isn't going to get you in the door. For that you need to look official. Again, Google Local can help out. Search for diners or delicatessens near your target. What is so great about these places? Often the busy employee will rush out for a quick meal to take back to the office. These employees rarely remove their access badges for such a quick jaunt, and a digital camera with a zoom lens can help when it's time to create your own badge. Grab a comfortable seat with a good view of people's fronts as they herd through the chow line. Digital cameras may be obvious for this type of work, but laptops with built-in cams (such as the Sony VAIO) can be positioned to look perfectly natural as they record those juicy shots of employee badges.

Gas Stations

Gas stations are perfect spots to troll for badge sightings. The quick in-and-out nature makes for a constant wave of employees, especially during rush hours and lunch breaks. In most cases you won't be able to set up shop inside the station without drawing undue attention, but you can almost certainly hole up in your car for a while or hang out across the street. This is the perfect excuse to buy that super-spy lens you always wanted for your camera.

Bars and Nightclubs

So you were browsing John Q. Employee's blog and you noticed he's a big pool player. Using Google Local to help you pinpoint his probable favorite hangouts near work or home is quick and easy. Knowing what you know about John, you can use that information to "buddy up" to him while extracting gossip about his company and its employees. Alcohol makes for loose lips and a lowered defense, and getting John to trust you will give you yet another "in" if he sees you wandering the halls at his workplace.

Google Local provides you with an almost infinite supply of places to bump into your target employees. The examples provided here were just a few ideas to get your creative juices flowing—but don't stop at these. Gas stations, hair salons, and grocery stores are other places where you can catch a glimpse of a badge or chat up your target.

Pre-assessment Checklist

■ Make sure your intranet is just that—an intranet. Communications meant for internal use only should never be available on the Internet.

■ Keep up with what is being said, both good and bad, about your company on the Internet. To be forewarned is to be forearmed.

■ Keep on top of what is being posted to Usenets. You can't control what your employees do on their off time, but you have every right to keep them from posting while they're at work or disclosing potentially devastating information about your company or network.

■ Educate your users on proper use of e-mail and instant-messaging programs. Frequently browse the Internet to make sure that they haven't accidentally (or on purpose, perhaps for easier retrieval) placed something on the Internet that they shouldn't have.

■ Have proper procedures in place to safeguard employee ID badges or cards. Again, education is key to prevent leakage of company secrets or other information that could be useful to an attacker.

■ You can't expect to fully prevent a savvy attacker using human nature against your company, but you can minimize the potential damage through user training and education.

Summary

The phrase "You never get a second chance to make a first impression" is critical to remember when preparing for a date; it also rings true during a physical assessment or social engineering exercise. Proper preparation can make or break the success of your test and, unlike the actual testing itself, could take weeks to do properly. Learning the ins and outs of the company, learning about the people, and getting to know the environment are all crucial to your success. The bad guys know this and will take advantage of it. You owe it to your customers to use similar tactics in testing their defenses.



Solutions Fast Track



The Birds and the Bees

■ Intranet and Human Resource pages are a great way to learn details about your target. Browse the company intranet for the company's policies and procedures.

■ Help desk procedures and "how-to" documents contain details about an environment that might be difficult to determine using more traditional techniques.

■ Job listings reveal specific information about company structure and technologies that might be in use.

■ Scrape the Internet for company logos and images using Google Images.

■ Follow the links behind vanity photos provided on Google Images for more information about your target.

Long Walks on the Beach

■ Getting more personal with the individuals who make up the target organization can bring big payoffs.

■ Use Google Groups to harvest employee names.

■ Vanity is key—use Google to locate personal Web sites and blogs.

■ Use the included Perl script to harvest e-mail addresses from the target domain.

■ E-mails, resumes, and instant-messaging programs can all provide intimate details about your target.

Romantic Candlelit Dinners

■ Utilize Google Local to find businesses in the area for people watching and eavesdropping.

■ Stake out the area around your target and be where employees congregate. Consider restaurants, delicatessens, and gas stations for badge-sighting opportunities.

■ Go where the employees go—bars, pool halls, nightclubs. All present opportunity to gain trust and gossip.



Links to Sites

■ http://groups.google.com/

■ http://images.google.com/

■ http://www.sensepost.com/





Frequently Asked Questions



The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: I know my company Intranet isn't in Google—is there any reason to check again?

A: Just because Google hasn't found sensitive information yet, there is no guarantee that your company's web development team won't slip up and expose your network. Just as you keep on top of security patches and exploits, so should you remain aware of potential liability via Google.



Q: How often should I check for sensitive company information in Google?

A: Obviously, checking Google daily would take precious time away from your other duties. However, checking once every six months may be too late. There is no one interval that can apply to every network, but a good rule of thumb is the larger your network and the more often you should run your site through Google. Later in this book you will find some tools to automate the process for you.

Q: How can I keep my users from outing sensitive information about themselves?

A: Simply put: you can't. You can educate your users and warn them about the dangers of exposing personal information about themselves on the Internet, but you can't prevent them from doing it. Your best course of action then, is to hold regular 'education' sessions with your users. Besides, if you have enough time to regularly spend tracking down the online activities of all your users, you probably should find another job that gives you something to do.

Q: Should a company have a paragraph in the security policy about Google?

A: Every company should think of the risk of information leakage, including leaking to Google. The effect of search engines can be just as bad as dumpster diving, compromised teleworking equipment (laptops, PCs at home), etc. This existing guide could easily be expanded to include rules about the usage of public usenet groups for questions and putting sensitive Office documents on the webserver.
