PenTest, like forensics, is almost as much an art as it is a science – you can only be taught so far, technical techniques and tools are all very well, but you really need a mind that can think sideways and approach a task from as many angles as possible. The ex-LE forensicators have this skill in spades – the data that is potentially available during an investigation includes interviews, statements, crime scene photos and all matter of collected evidence – in the commercial world there is less available, but still I’m confident that you’ll all have your sources. PenTest is much the same, the more that we can know about a potential target before we even fire up NMap1, the further we will get.
The title of this segment is “Passive Reconnaissance” – that’s not to say that you don’t have to do anything during this phase and that it all comes to you – it’s about obtaining information which is already in the public domain – not necessarily deliberately – and is related to the target.2
There isn’t really anything, at this stage, that we aren’t interested in – collect all the information you can – we can whittle it down to pertinent facts as we go along3.
Right then – where to start ? Well, let’s start to build a picture of our target. Let’s have a look at their domain:
si$ whois google.co.uk
1600 Amphitheatre Parkway
Markmonitor Inc. t/a Markmonitor [Tag = MARKMONITOR]
Registered on: 14-Feb-1999
Expiry date: 14-Feb-2013
Last updated: 10-Feb-2011
Registered until expiry date.
WHOIS lookup made at 23:20:53 03-Jul-2012
Ok, so we have a home address for our company – this example isn’t the most detailed, but you can often glean names, e-mail addresses and phone numbers from a
whois lookup. It’s good if you can get an e-mail address – these will start to give you an idea of what the common format is that is used within the company – e.g. first initial last name (sbiles) or first name.last name (simon.biles) or if there is a complicator (simon.biles100) [incidentally these are all real addresses at various organisations I've worked at]. Remember this, it will come in useful later.
If we have a look at the website of our target itself, it is most likely that there will be good information there too – names, addresses, phone-numbers and e-mails are all good. Also, look out for support contact details, FTP site details and logins for example, social networking links etc. All of this is grist to the mill – potential routes of later attack, sources for social engineering, logins to systems that will get you past the first line of defence. Take a note of product names as well, these are often used as “guest” login details for FTP sites too – “producttrial” as both the username and password for example – for sales staff to use with customers. If you are planning a social engineering phase, it can be beneficial to take copies of web-pages ( faking a login page ), logos ( faking business cards and documents ) and other official looking documents and marketing material – I personally dislike performing social engineering, it’s often the easiest way to get into somewhere – if you are going to do it, make sure that you agree with your client in advance that there will be no repercussions for any member of staff that you succeed in manipulating, and that anonymity will be preserved – it could be an unlucky ring of the phone that costs someone their job otherwise.
Where next ? Google. Google is your friend – it is one of the most amazing tools available, not only having a huge index of things that are current, but also cached copies of things that might not be so current. Googling well is a skill, not unlike that of writing search queries for Forensic searches – just Google is a lot faster than EnCase or FTK over a much bigger data set.4
We’ve collected some useful information so far, lets put some of that to use. Try searching for names that you have found – this is likely to elicit at least some hits with the social networking sites – have a look – odds are that one of these people will have used the name of his or her cat as their password. ( The more they appear to love their cat – the more likely this will be ! ) Look though their Facebook or LinkedIn profiles – you may get their job titles – and also the names of colleagues who are linked to them, but may not necessarily have come up in your searches so far ( for that matter – search for the organisation as a whole on LinkedIn – that’s another source ). It might say what they are working on, or if they are open to job offers ( social engineering again – “Hi, I’m recruiting for a role – tell me about what you do now ? You use Windows you say ? What do you know about patching ? …” ) Search for e-mail addresses – people ask questions on mailing lists and forums when they have a problem – this could reveal their firewall type, their software and details of their configuration ( and if they are not good at redaction – quite a lot more than they intend ! ). Search within their domain for different types of document – .XLS & .DOC for example are obvious, try .conf as well. Have a look at the metadata within Office documents – you can extract all sorts of information, previous versions, file paths, software versions etc. ( I can personally recommend the DeMontfort Course on Document Forensics )
All the time, keep building the model that you have of the target – get an idea of how the organisation is arranged, who is in charge where, what their job title, e-mail address and phone number is, link the individuals that you identify to their social networking profiles – their accounts to login to VPNs, Wikis or other internet resources are fair game, keep a list of any system information that you identify – questions from IT staff about given software in forums or on mailing lists ( “Help, I’m having trouble replicating LotusNotes across our 50 servers, they’re all connected by ISDN lines from our main data centre.” )
This really is only the tip of the iceberg – following chains of information to create a picture, and discarding the worthless is an art, one that requires practice to get good at – unfortunately as I’ve both a deadline on this piece of work and it’s only a blog, nigh on 1500 words is starting to get a little excessive ! I’m going to hope that I’ve given you an appetite to find out more and to try some things out for yourself – I’m happy to answer questions – but please, unless they are classified, direct them through the comments.
As we go through the next stages, I’ll try and remember to reference back to this stage and point out any information that you might have gathered that could be useful.
As per an earlier request, I have to recommend the following to all those who want further reading:
are both very good books. But play with Google yourselves, have a look around at the syntax and the advanced searches, oh, and while you are at it, have a look and see if you can find the search strings for security cameras with webservers – these can be quite enlightening !
About the Author Si Biles ( @si_biles ) is a consultant for Thinking Security in deepest darkest Oxfordshire, ‘cos he’s a CLAS consultant he spends quite a lot of time doing things for the Government, outside of that he has a particular interest in network security, vulnerability analysis, penetration testing and incident response & forensics. You can read more of his blogging on his own site and occasionally other places such as : Josetteorama
1. We’ll get to that next week …
2. Carrying out this phase of testing is something that isn’t only useful in PenTesting – I’d also recommend this as a pre-interview activity if you are looking to join a company – this information is in the public domain after all and is just a little more in depth than the research that I would hope that you’d carry out anyway !
3. Managing the sheer amount of data that you might find on a large organisation is a problem in itself, but I think, for now, I’d rather consider that beyond the scope of this episode – I’ll re-address that when we come to look at managing the whole process, preparation, tools and the like towards the end.