When gathering initial information, penetration testers need to focus on an organization’s human element.
In the last article, we covered the technical aspects of Open Source Intelligence or OSINT. OSINT traditionally comes in two different forms, Technical and Human. For penetration tests, it is equally important to know the human aspect of the target network just as well as knowing the technical aspects.
Human error is one of the leading causes of cyber breaches
There are countless articles stating that humans are the weakest links when it comes to cyber security. Humans by their very nature are trusting, especially when it comes to trusting individuals in one’s own social circle, work center, business partnership, etc. Humans are also creatures of habit. The faults in human logic can allow an attacker access into a network or computer system by taking advantage of the habits and trusts in humans. If you recall in the last article, this series is modeled after the steps lined out by a Chinese Nation State hacking team called APT1.
The report, also called APT1, was released by Mandiant in 2013. The main initial compromise technique employed by APT1 was a spear phishing email. The example Mandiant used in their report was a real-world example compromise of the Mandiant computer network. The spear phishing email looked like it came from an executive within the company, Kevin Mandia. Most users would not think twice about opening an attachment or link from their boss or supervisor, especially if the email came from their boss’s exact email address.
Let’s discuss how to get to this point. This article will cover the different aspects of a target network from a human standpoint, a sample of ways to accomplish Human OSINT and why it is important to not skip out on this step. In a future article we will cover the attack vector with greater detail.
This article does not expose real information on a specific person or company.
Scenario: Suppose the target network was an IT firm based in a large city. Knowing how many employees, the email address schema, or how they may structure account names would be beneficial. Most of this can be found out easily through Human OSINT.
You will notice one of the tools highlighted in the last article talked about was Google Search. Google Search is an amazing tool for all aspects of OSINT. The last article also mentioned how to find documents hosted on a server. With a small tweak, a simple Google or DuckDuckGo search can assist in finding details about people who are connected to the target network.
Many years ago, most company web pages were rife with “mailto” links for the webmaster, support admins or links to an HR rep to submit a resume. Some of those mailto links even had the name of the administrator in the link itself leading the first clue to the pattern of email address schema. Now, most websites make the user fill out a form that will email support staff or the webmaster instead of emailing them directly from the user’s personal email account. However, that isn’t where email address information stops.
Using data from multiple sources can help refine and cross check information gained through different means. Tagging back to an earlier example using Google Search to find information, Google can be used to find other pieces of data as well. Some companies post reports in picture, pdf and word document forms. These files all contain metadata that can be viewed. Here is an example of a DuckDuckGo search for files hosted on a company’s website.
As you can see from the screenshot, FireEye hosts several .docx files. Now that we have found files hosted from their site, we can download these files and run a scan on them to check for metadata using a tool called “exifdata”.
Exifdata can search many different file types for metadata. It is worth taking the time to read the main page on exifdata to see its true capabilities. Below is a sample of what exifdata can show on a simple .docx file.
The screenshot above shows a collection of metadata. Notice how the creator’s name, title, description and how recently the file was edited are prominently shown. This data, coupled with simple Google/social media searches, can help solidify a picture of who might work at a company and potentially a username, email address or phone number.
Another note on exif data is that it isn’t just personal data that can be found in the metadata of a file but also time and location data. Take for instance a picture; it can house data that shows where the picture was taken, what camera was used and more. This data could be used in a scenario of a physical penetration test. For example, if a business had a picture of their main building on webpage, the metadata could contain the location from where the picture was taken. This is helpful if a business is in an industrial park where all buildings look the same.
There are many tools out there in the arsenal of Human OSINT. Google is just a starting point. Another “tool” is using social media to search for individuals who work at the target organization. Over a decade ago, a fictional person appeared on the popular networking site, LinkedIn. The persona was a female called “Robin Sage”. Robin Sage then “linked up” with many cyber security specialists in various companies and organizations. Had it not been revealed through the hackers who set it up, the Robin Sage campaign could have lasted longer and gained much more insight on a company, who works there, contact information for targets, etc.
Like LinkedIn, this same behavior can be done on other platforms like Facebook and Twitter. Both are a trove of information and many times reveal detailed and personal items in an individual’s life. By nature, humans like to talk about what’s going on in their lives. Some even like to share personal details with the whole world.