Mastering Kali Linux for Advanced Penetration Testing

Open Source intelligence

Generally, the first step in a penetration test or an attack is the collection of open-source intelligence, or OSINT.

OSINT is information collected from public sources, particularly the Internet. The amount of available information is considerable—most intelligence and military organizations are actively engaged in OSINT activities to collect information about their targets, and to guard against data leakage about them.

The process of OSINT collection and analysis is complex and could constitute its own book; therefore, we will cover only the essential highlights.

Tip

The US Army manual ATP 2-22.9 (http://www.fas.org/irp/doddir/army/atp2-22-9.pdf) and the NATO OSINT manual (http://information-retrieval.info/docs/NATO-OSINT.html) are both available online, and provide excellent technical reviews of how to gather and assess OSINT.

The information that is targeted for collection depends on the initial goal of the penetration test. For example, if testers want to access financial data, they will need the names and biographical information of relevant employees (CFO, accounts receivable and payable, and so on), along with their usernames and passwords. If the route of an attack involves social engineering, they may supplement this information with details that give credibility to the requests for information.

OSINT gathering usually starts with a review of the target's official online presence (website, blogs, social-media pages, and third-party data repositories such as public financial records). Information of interest includes the following:

  • Geographical locations of offices, especially remote or satellite offices that share corporate information but may lack stringent security controls.
  • An overview of the parent company and any subsidiary companies, especially any new companies acquired by mergers or acquisitions (these companies are frequently not as secure as the parent company).
  • Employee names and contact information, especially e-mail addresses and phone numbers.
  • Clues about the corporate culture and language; this will facilitate social engineering attacks.
  • Business partners or vendors that may connect into the target's network.
  • Technologies in use. For example, if the target issues a press release about adopting new devices or software, the attacker will review the vendor's website for bug reports, known or suspected vulnerabilities, and details that could be used to facilitate various attacks.

Other online information sources used by the attacker may include the following:

  • Search engines such as Google and Bing. Historically, these searches are highly manual; the attacker enters search terms that are specific for information of interest; for example, the search term "company name" + password filetype:xls may identify an Excel spreadsheet that contains employee passwords. These search terms are referred to as google dorks (www.exploit-db.com/google-dorks/). Most search engines have since released APIs to facilitate automated lookups, making tools such as Maltego particularly effective.

    Tip

    One of the most effective search engines is Yandex (www.yandex.com). This Russian language search engine, the fourth-largest search engine in the world, allows users to search in several languages, including English. It also supports very granular search expressions, making it more effective than Google when searching for specific information.

Other online sources that should be searched include:

  • Government, financial, or other regulatory sites that provide information on mergers and acquisitions, names of key persons, and supporting data
  • Usenet newsgroups, particularly postings from the target's employees looking for help with particular technologies
  • LinkedIn, Jigsaw, and other websites that provide employee information
  • Job search websites, especially ones for technical positions that provide a list of the technologies and services that must be supported by a successful applicant
  • Historic or cached content, retrieved by search engines (cache:url in Google, or WayBack Machine at www.archive.org)
  • Country- and language-specific social and business related sites (refer to http://searchenginecolossus.com)
  • Sites that aggregate and compare results from multiple search engines, such as Zuula (www.zuula.com)
  • Corporate and employee blogs, as well as personal blogs of key employees
  • Social networks (LinkedIn, Facebook, and Twitter)
  • Sites that provide lookups of DNS, route, and server information, especially DNSstuff (www.dnsstuff.com), ServerSniff (www.serversniff.net), Netcraft (www.netcraft.com), and myIPneighbors.com
  • Shodan (www.shodanHQ.com), sometimes referred to as the "hacker's Google"; Shodan lists Internet-accessible devices and allows the tester to search for devices with known vulnerabilities
  • Password dumpsites (pastebin, search using site:pastebin.com "targetURL")

Managing findings can be difficult; however, Kali comes with KeepNote, which supports the rapid import and management of different types of data.