CompTIA Pentest+ PT0-002 – Section 4: Passive Reconnaissance Part 2

26. Open-Source Intelligence (OSINT) (OBJ 2.1)

There is a lot of great information available online for free that can help you understand how a business or organization is operating. This information is just sitting out there waiting for you to find it. This information is considered open source in the world of information and intelligence gathering if it comes from publicly available sources. Now, open source intelligence, also known as OSINT, is the collection and analysis of data gathered from publicly available sources to produce actionable intelligence. Open source intelligence tools are often used to collect and analyze information that’s already publicly available on the open web, such as social media, blogs, newspapers, governmental records, and academic and professional publications during your passive reconnaissance phase.

For example, if the company puts out a new press release about an upcoming merger between themselves and another company, this information could become actionable intelligence in the hands of a penetration tester, because they could use it to craft various social engineering attacks against those targeted organizations. Let’s pretend that a physical penetration test was part of our engagement. Knowing that a company named SodaCo is about to undergo a merger with DrinkCo, that means that SodaCo might be seeing a lot of new faces in the offices as DrinkCo starts sending over people to learn all about SodaCo’s operations.

If you happen to put on a suit and print up some business cards that say you work for DrinkCo, well, you could probably walk right in the front door of SodaCo and have some helpful employees walk you directly into the data center if you play your cards right. Now, similarly, this same press release might give you the names, phone numbers, emails, and positions of all the different people who are expecting to get questions from the press about this merger.

So, you could call up the person listed and start asking them questions about how SodaCo and DrinkCo’s merger might affect their technical infrastructure. Are you going to be using SodaCo’s network? DrinkCo’s network? Or a combination of both of these after the merger? Will there be any downsizing of redundant IT personnel? Are you already using the cloud, or you going to migrate your data centers into the cloud during the merger over the next few months?

Most companies that put up press releases will be able to answer questions about them and their future. So you can leverage this open source intelligence to your advantage during your reconnaissance phase. Now, other types of open source information include things like job listings, metadata, and website information. For example, simply reviewing the company’s About Us page on their website can give you some detailed information about executives at the company.

If you really want to grab some important names, numbers, and emails, though, you should also check out the website that a company creates for its investors. These websites or pages off their main website are usually termed the investor relations site or investor relations portal. Now, for example, let’s say you’re going to conduct a penetration test against Udemy, the online educational platform, and you might want to go and visit investors.udemy.com as part of your open source intelligence collection efforts.

Here, you’re going to see tabs with the latest press releases, event information, financial information, stock information, corporate governance, and shareholder resources. Now, going to the corporate governance tab, you’re going to find pages dedicated to their management team which consists of all of their executives, presidents, and vice presidents as well as their board of directors. For each of these people, you can click on their photos and get additional profile information about them, such as where they went to college, what degrees they earned, former companies they’ve worked for, and their focus area within the current organization. And in this case, that’s Udemy.

Now using this information, you can really craft some detailed whaling emails against these executives and board members if that’s within the engagement scope. Something I’ve learned over the years is that executives and board members tend to be extremely busy people. And because of this, they tend to fall for whaling, spear phishing, and phishing emails at a much higher rate than a normal or regular employee would. At least, that’s what I’ve seen in my own real world engagements. Your mileage may vary.

Now blogs and social media are another great source of information too, especially when you’re trying to understand the work place culture or tempo of an organization that you’re targeting. For example, is everyone working remotely from home? Or is everyone back in the office every single day? This is valuable information for a penetration tester, especially one who has to conduct a physical penetration test. Are the employees unhappy because they have a bad work-life balance? Do they hate their managers? And do they feel they’re dumb or incompetent?

Does the company focus on training and building up their employees? Or, do they overlook training in favor of additional work output? All of these things can give you valuable information that you’re going to be able to use during your engagement as well. Maybe you find out where people like to go to blow off steam after work, and you can find that the system administrators are at the local bar, right next to the office, every Friday at 5:00 PM. This could be a great opportunity to go clone one of their proximity badges as part of your physical penetration test, because they would be tired after a long week of work and distracted while they’re getting a drink at the bar. Or, maybe you start chatting up one of the technical team members at the bar, flirting and asking them what they do at their job, how they like it, what kind of tech they get to work on, and things like that.

This is a form of social engineering, where you’re up close and personal with some of the employees and trying to gather as much information as you can from them without raising their suspicions. I know. I know. This sounds kind of like a spy movie here. But again, if this was agreed upon in the rules of the engagement and it’s within scope of the engagement, then guess what? It’s fair game. Once you gather all this open source information, it’s going to be time to put that information to work as actionable intelligence. At this point, you should be able to identify a couple of key details about your target organization, such as the roles that different employees have in the organization, including their job titles, level in the organizational hierarchy, and their day-to-day tasks and responsibilities. You’ll also find out the different teams and departments that exist in the organization, as well as the phone numbers, email addresses, and office locations of these teams and the employees within them.

You might find out the technical aptitude of the organization, and if they have a good security training program. And finally, you can start to understand the mindset of the employees and the managers inside that organization, including how they perceive their coworkers, subordinates, and managers. Now, all of this data can be put to work in different ways. I’ve already talked about how we can use it to conduct social engineering, either by email or in person, but there’s other ways to leverage all of this data too. For example, if you’ve identified that Harriet over in the Human Resources Department has a dog named Yoda, graduated from Rutgers University in 2003, her birthday is August 5th, and her favorite singer is Celine Dion, and you can use all those names and dates to create a word list that you can use to conduct a hybrid password cracking attempt, because most people use their date of birth, names of people or animals they have a relationship with, interests and other things like that to create their passwords. So as you’re gathering this information, think about how can it be useful to you and how can you turn it into actionable intelligence.

27. Social Media Scraping (OBJ 2.1)

One of the best sources of open source intelligence these days is social media. Many people tend to let their guard down when they’re posting on social media, whether it’s Twitter, Facebook, LinkedIn, YouTube, Instagram, Reddit or even TikTok. By analyzing what the organization or its employees are posting on social media, you’re going to be able to find a lot of information that can really help in your engagements. When you’re using social media to search for information you should start with the organization’s own social media profiles and their accounts. The organization is usually going to post marketing information on their social media profiles but often companies are now providing some sort of behind the scenes type of pictures and videos. These more candid posts can often capture things in the background that the organization didn’t realize was there when they recorded that video or took that picture.

For example, I’ve seen an organization who had one of their employees making a post to their Instagram account showing what an average day looked like. And when the employee snapped that picture with their front facing camera, they didn’t realize that people could actually read the computer screen that was located behind them. By zooming in on that picture people were able to read the contents of a sensitive corporate document that was being drafted by the employee at the desk next to the posters. These days, it seems that everybody is on social media and that means you can scour and scrape social media sites for details about an organization’s employees, from the CEO, all the way down to the person working the proverbial mailroom. Now, some employees are going to have multiple social media accounts as well. And this is to divide their professional or work accounts from their personal account. For example, all of my employees have a personal Facebook account and a work Facebook account, and they’re going to use that work account whatever they’re posting on behalf of our company while their personal one is used for everything else they do on Facebook.

Now, that means that most employees will be proper and professional on their work accounts, but if you find their personal account you can find the real person behind that employee, including their interests, habits behaviors, friends, spouses, children, and much more. Now some employees even publish their own personally identifiable information online, including things like their full name, their birthdate, their address, their phone number and much more. When it comes to social media sites, my personal favorite for open source intelligence research is LinkedIn. And this is because I can find out so much about an organization by reviewing their pages there. First, you can find the company’s own page on LinkedIn. Let’s take, for example, Udemy, the massively popular E-learning company. From their LinkedIn page, I can see they have 5,562 employees that have claimed a relationship with Udemy on LinkedIn.

Now, if I go to the post tab, I’m going to find a lot of marketing things, and press releases and things like that. Now this could be helpful but usually it isn’t a really what I’m focused on when I’m looking at LinkedIn for open source intelligence. Instead, I like to focus on the insights tab, the life tab, the people tab, and the jobs tab. First let’s look at the insights tab. Under this tab, we can see some key data about the company including its total number of employees and the growth of that employee number over the past two years. Now, in this case I can see in the last two years that the company has grown 62% but in the last six months, they’ve only grown 5%. Now, why is that important to understand? Well, if the company is rapidly growing that’s usually a time when they have worse security especially due to the number of new users who aren’t fully or properly trained. Additionally, if they have a very high growth rate, that means it’s common that new people are joining the team all the time.

And this could be a good chance for you to conduct a social engineering campaign that relies on impersonation, where you might pretend to be a new hire at the company. As you continue to look through the insights tab, there’s other valuable information here for you to see too. For example, we can look at the distribution of their workforce, and I can see here that the majority of their employees are in education, and the next highest area is engineering. This could indicate that they’re spending a lot of money on their technical employees, who might be better trained and less likely to fall for like a phishing attempt. Next I’m going to move on to the life tab. Now this tab is used by the company to tell their own story about why somebody would want to work for them, what their culture is like, and even some of the employee testimonials and company photos. Next I’ll move over to the people tab. From here, I can find out the breakdown of where people live, what colleges they went to, and more importantly, a list of the people who are currently working for Udemy. This can be your springboard into a deeper dive on an individual that you might want to target as part of your engagement.

Or you might try to identify their system administrators, their engineers, and their security professionals and see if they regularly post to LinkedIn. Now many people in technical careers like to post to LinkedIn about the challenges they’re facing at work. And if they’re having a work related project that’s challenging or they overcame it, they may go ahead and post about that to celebrate how they overcame that challenge and maybe even detail the solution they used. This can be great information for a penetration tester to have, especially when it comes from the technical personnel of that targeted organization. Finally, I’m going to move into the jobs tab. And this is my favorite tab. As we look at the jobs tab, we can see every job posted by this organization. Currently there are 307 job openings available and I can search through all of them with a few keywords to find what I’m looking for.

For example, let’s say I want to determine which cloud service provider Udemy is relying on to provide their infrastructure. I can simply type in the word cloud and see that it filters down from 307 postings, down to a more reasonable number of 29 postings. Next, I want to start clicking through some of the positions. The first position is listed as a senior systems engineer. As I look at that job description, I don’t see anything that mentions whether they’re using AWS, Azure or Google Cloud, but I do see that they’re using Jamf and Intune for Windows OS patching and that they’re seeking somebody who has experience in macOSX device management. And this tells me they’re not just a windows only company, so we’re going to have to conduct some vulnerability scanning and exploitations against their mac systems too.

All right, let’s move on to another position. Let’s say for example, we look at the security architect position. In this position description, I can see they’re focused on programming and development experience, but they’re not very specific in which single language they’re using. And instead they list out things like Python Go, Ruby, Java, JavaScript, et cetera. Now this isn’t as helpful unfortunately because it’s really too vague for me to know exactly what they’re using in their system development. As we keep looking though, we’re also going to see they want experience with cloud service provider platforms, such as AWS, GCP, Azure and automation tools. Now again, this is really vague as well. So it’s not that helpful. Now there’s really two reasons a company would be this broad on their job description. The first is that they are very security conscious and they don’t want to let attackers and penetration testers know what type of tech stack they have and what all their different languages look like that they’re using in their software development. And so they’re trying to prevent us from gaining enough information by looking at these job postings. Now personally, I don’t think that’s the reason because most companies aren’t that smart. And so as we continue to look at other job postings, we can probably find one that tells us a little more about what we’re looking for.

Now, the second reason that they’re going to be this broad and vague, and this is probably the more accurate one in the case of Udemy, is that finding security architects and programmers in the San Francisco California area is really challenging. So the company is probably being very open to anybody who has the basic skillset needed. Since once you learn a language like Java or Ruby, you can pick up another one and it’s not too difficult. The same holds true for cloud platforms. Once you use AWS or Azure, learning the other one isn’t too bad. And I think that’s more likely why this post is being so vague. It’s because of a talent crunch and they’re having difficulty hiring for this position if they’re very specific on what their needs actually are. All right, so we’re going to go ahead and click around until we find one that helps us. I’m going to go and jump down to the Senior Cloud Engineer. This is probably a good one because we’re talking about cloud and that was what I was looking for.

Now I bet here we’re going to be a bit more specific in their requirements as well. Now, in this position we see some generic information about a cloud engineer. And then in the second paragraph it says, “Our primary environments and tools include AWS, GCP, VMware, Dell computer/ storage vSAN, Terraform, Cloud Formation Atlantic, Ansible, Datadog, and GitHub.” That’s a pretty good list of their tech stack and their different development tools. And one of the things I noticed in there that wasn’t listed is Microsoft Azure. So we know Azure is not one of the cloud tools they’re really focused on, and this tells me they are using a multi-cloud infrastructure though because I did see AWS and Google Cloud being listed. Now based on my reading of that, it seems that they are primarily on Amazon web services and they’re using Google Cloud for a backup. But that’s just my guess at this point.

Now, if we look down a little bit further the requirement section, you’re going to see that it states a good level of experience with AWS and cost management experience a plus. This confirms my suspicion that they’re probably using AWS primarily. So now that I gather this intelligence, what does it tell me? Well, I’m going to have to think about how I’m going to test things during the engagement and I’m going to want to make sure that I have someone on the team who’s familiar with AWS penetration testing, and we need to make sure to get AWS’s permission before we start doing those tests. Also, since they’re using AWS for their cloud that means I can use something like pacu which is an open source AWS exploitation framework during my engagement against their AWS technical stack. I think you can see now why I love job posting so much during the reconnaissance phase because you can find so much great information that’s open source within them. This includes things like the personnel who are making up the departments or teams, including the hiring managers. You might be able to find the lack of qualified personnel in critical positions.

For example, we saw this organization needs a new security architect and a cloud engineer, and that means they either lost those people and they’re looking for replacements or they’re growing rapidly, and either of those are things we could take advantage of. We can also find the level of technical capability they have. Again, this is based off those job postings. What level of education are they posting as requirements? We can also figure out what software architecture and services are used. We can figure out what programming languages are used. We can figure out the types of hardware they use. We can find out the types of security systems they’ve fielded. All of this is stuff we can find inside of these job postings, if we just go out and look for it. In addition to LinkedIn, there’s lots of other places to gather information about the people who work at that company and the positions they’re hiring for. Sites like Monster, ZipRecruiter, indeed, Glassdoor and many others are a great place for you to look as you’re looking for more information on your targeted organization.

• Category: Uncategorized