The Social Engineer's Playbook Page 5
• Page(s) about the services or products the company provides
• Company leadership and management names and bios
• Any email addresses published on the site
• Naming conventions for email addresses
• Office locations
• Extranets, portals or support sites
• External links (LinkedIn, Facebook, Twitter)
Make good use of Dradis or KeepNote to document any findings from scouring the organization’s website. No detail is too small or insignificant to document; it may prove very useful in the end.
Search Engines
Google, Bing, Yahoo, DuckDuckGo, Dogpile. There are so many search engines available to use. You may be wondering which would produce fruitful results without having to spend gobs of time researching. Each and every search engine has its pros and cons. At the time of this writing, I recommend using Google and Shodan for social engineering purposes. These two engines are an excellent place to start. But by all means, do not limit yourself to my recommendations alone. There is constant progress and innovation in this field.
Google (aka Google Hacking)
First of all, Google indexes everything! Nowadays that is more common knowledge than it was 10 years ago. But, I digress. Google hacking has been around for quite some time. Back in 2005, a security expert by the name of Johnny Long wrote a great book titled, Google Hacking for Penetration Testers. It was 448 pages of pure hacker bliss and Johnny set the stage for Google hacking for years to come.
Google hacking does not mean hacking Google itself. It amounts to using advanced Google search operators, called “Google dorks,” to tease out a near-limitless set of fruitful information. To be more specific, fruitful information that is probably sensitive and not deliberately meant to be publicly available. The dataset includes all sorts of fruitful information, including but not limited to: usernames, passwords, financial information, personal information, credit card numbers and so on. How did it get there? Well, certain ill-informed people put it there, unaware that it might be indexed for the entire world to see. And it continues to happen all the time, every day.
There are entire books dedicated to the study of Google Dorks. The content is far too rich and expansive to be adequately covered here. However, to make the most of your time, heavy use of Google Dorks to find information about the target is a must. Thankfully, there is a shortcut. The fine folks at Exploit-DB have taken Johnny Long’s work, and the work of others, and made it available online.
This is by no means an exhaustive list, but it shows the standard dorks I run as part of every social engineering test.
• PDF files with the text “confidential” inside
“
• Text with “password” for the target domain
ext:sql intext:@
• Word files linked to the target’s domain name
site:
• Visio files linked to the target’s domain name
site:
• Find network information
(“DMZ” | “Public IP” | “Private IP”) filetype:xls
The Google Hacking Database can be found online at the following address: http://www.exploit-db.com/google-dorks/
Screenshot of the Google Hacking Database by Exploit-DB.
The best approach toward using Google Dorks, especially if you’re a beginner, is to first become familiar with the nomenclature. After a few minutes, the syntax will become clearer. There is a great online resource for making advanced Google searching easier to comprehend. GoogleGuide’s advanced operators reference page is a great start.
The Google guide page can be found by navigating here: http://www.googleguide.com/advanced_operators_reference.html
GoogleGuide.com is designed to be an online interactive tutorial for Google’s search capabilities and features. Although it is not an advertised Google Hacking website, it is your one-stop shop reference for learning more about leveraging Google’s powerful search parameters.
Shodan Search Engine
According to Wikipedia, Shodan is a search engine that lets you find specific types of computers (routers, servers, etc.) on the Internet using a variety of filters. Some have also described it as a search engine of service banners, the metadata a server sends back to the client when a connection to it is initiated. Essentially, Shodan collects data including, but not limited to: HTTP, FTP, SSH, SNMP, Telnet, MySQL, VNC, etc. The information Shodan indexes consists primarily of information that could be leveraged to exploit those systems. For example, a search for “default password” yields a number of hosts and systems that can be accessed with their default password. The systems vary greatly and include security camera systems, traffic lights, home automation, power plants and more.
Since Shodan’s inception in 2009, it has raised some eyebrows in the security industry as well as within mainstream news outlets. CNN Money called it the scariest search engine on the Internet (http://money.cnn.com/2013/04/08/technology/security/shodan/).
Penetration testers everywhere make heavy use of it, as I’m sure malicious actors do as well.
Screenshot of the Shodan search engine.
Shodan has some very practical uses, especially for penetration testers. But of course, it lends itself well to social engineering too. This takes the form of using Shodan’s advanced operators and filters to home in on a target based on specific information.
See here: http://www.shodanhq.com/help/filters
Refine your Shodan search with advanced filters: geo, city, country, hostname and net. See: http://www.shodanhq.com/help/filters
Shodan will, no doubt, be a great resource for information gathering purposes during a social engineering test. One key aspect to remember is that Shodan is more like casting a wide net for information. In social engineering, we need to be more specific. Thus, in order to gain value from it, you must first narrow the results and home in on your target through advanced filters. Information you obtain through refined searches will ultimately be what you’re looking for. Some Google dorks are not all that different either. They tend to be broad in nature and without focus toward a specific target. Once again, it is important to refine search parameters so that they’re directed toward a specific target in order to gain valuable information.
A decent portion of the information indexed by Shodan is great information for penetration testers as well. Whatever the objectives are, my advice is to ensure the plan and action complies with the Rules of Engagement without stepping out of bounds and into something that resembles a penetration test. Having said that, Shodan will not disappoint as a great resource for information gathering.
Shodan’s help page is a great place to become acquainted with it. Be advised that, at the time of this writing, Shodan is in the process of updating the page. See: http://www.shodanhq.com/help
WHOIS
The WHOIS database is a free online resource that provides details about domain names. It is actually a query and response protocol used to search the databases of registered users or assignees of a domain name, IP address block or autonomous system. A WHOIS query can be initiated from the command line in a number of different operating systems. There are websites devoted to performing WHOIS queries as well. See here: http://www.whois.net/
Information contained in WHOIS queries can be very helpful during the initial stages of information gathering. This is especially useful in determining the target’s technical contact, email naming convention, physical location and DNS name servers. The information gathered from WHOIS queries can be used to launch a more targeted information gathering expedition.
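As an added illustration (not from the book), here is a minimal WHOIS client following the RFC 3912 query/response exchange the paragraph describes, plus a parser that pulls the items just listed (technical contact, email naming convention, location, name servers) out of a reply. The server name whois.iana.org, the convention layouts and every value in the sample reply are assumptions or constructed data.

```python
import socket
from collections import defaultdict

WHOIS_PORT = 43  # RFC 3912: one query line over plain TCP, terminated by CRLF

def whois_query(domain, server, timeout=10.0):
    """Send one WHOIS query; the server answers and then closes, so read to EOF."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_whois(text):
    """Collect 'Key: value' lines under lowercase keys; keys may repeat (Name Server)."""
    fields = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # comments, legal notices and the 'last update' footer
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()].append(value.strip())
    return dict(fields)

def infer_convention(full_name, email):
    """Match an address's local part against common first/last-name layouts (assumed set)."""
    parts = full_name.lower().split()
    first, last, local = parts[0], parts[-1], email.split("@", 1)[0].lower()
    layouts = {"first.last": f"{first}.{last}", "firstlast": f"{first}{last}",
               "flast": f"{first[0]}{last}", "first_last": f"{first}_{last}"}
    return next((n for n, cand in layouts.items() if cand == local), "unknown")

def summarize(fields):
    """Extract what the chapter calls out: contact, naming convention, location, DNS."""
    name = fields.get("tech name", [""])[0]
    email = fields.get("tech email", [""])[0]
    return {
        "tech_contact": name,
        "tech_email": email,
        "naming_convention": infer_convention(name, email) if name and email else "unknown",
        "country": fields.get("registrant country", [""])[0],
        "name_servers": sorted(ns.lower() for ns in fields.get("name server", [])),
    }

SAMPLE_REPLY = """\
% Constructed sample in the usual registrar layout; not a real record.
Registrant Country: US
Tech Name: Jane Doe
Tech Email: jane.doe@example-corp.test
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
>>> Last update of WHOIS database: 2014-01-20T00:00:00Z <<<
"""
```

Run `summarize(parse_whois(SAMPLE_REPLY))` for the offline sample; a live lookup such as `whois_query("example.com", "whois.iana.org")` needs network access and may return a referral to the registry's own server.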
Screenshot of WHOIS query of GOOGLE.COM
Social Media, Job Boards & Blogs
A cultural shift has occurred in the last three to five years for many companies. That shift was toward corporate transparency and the adoption of social media as a widely used marketing tool. As I stated earlier in this book, companies use social networks to develop an affinity with the masses. Nowhere else in history has there been a more direct line of communication between consumer and conglomerate. Companies use Twitter, Facebook, LinkedIn and YouTube to spread their brand in a much more personal way than ever before. By opening their windows to the world, companies give social engineers an opportunity to gain better insight into a target with little effort.
Job boards, blogs, wikis and videos also contribute toward creating a closer connection with consumers. Oftentimes, a company website will publish the personal email address, Twitter link and LinkedIn account of many of its team members. Online job postings tend to divulge lots of information about the company’s technology stack and sometimes hiring manager information. Social media connections are ideal for social engineers since they tend to be user-centric rather than company-centric. There is a greater chance of finding out likes, dislikes, schedules and other personal information about targets.
Mining social media for valuable information can be very time intensive. Thus, I won’t get into the specifics of exploring them individually. Thankfully there is a tool called Maltego that makes the information gathering process far more efficient. We will discuss Maltego in greater detail in the next chapter.
Public Sources
Information on targets can also be acquired through a number of public data providers, including Intelius, PeopleFinders and US Search. These data providers perform background checks and deliver reports about their subjects for nominal one-time fees or via subscriptions. Although most of the information they provide can be found using search engines, using their services may cut down on manual hours spent trying to dig up the information alone.
Intelius – http://www.intelius.com
US Search – http://www.ussearch.com
PeopleFinders – http://www.peoplefinders.com
Surveillance
Online resources are widely used to gather information for social engineering. In fact, sometimes too much reliance is placed on online information gathering alone. It is important to use a varied approach toward gathering information and not rely on a single data source. Much can be learned about a target through physical surveillance. Of course, if the scope of the test or the distance to the target is too great, this may not be possible. However, physical surveillance should be mandatory for each and every social engineering test, provided physical distance to the target site is not somehow a hindrance.
Photographic Intelligence
Ideally, a social engineering test should involve as many elements of physical information gathering as possible. The purpose is to gather as much intelligence as possible from non-overlapping sources. Online information gathering, for example, will have some overlapping data between sources. It is best to have a varied base of information rather than relying on a single approach.
Photographic intelligence gathering is one effective way of capturing valuable information not likely to be found online. There are many ways of actually acquiring photographic evidence, but here are some of the photos you should obtain from the target:
Target Location(s) – Take as many photos from different angles as possible. This is used to obtain a mental picture of the building, its exits/entrances, approximate size, etc.
Point of Entry/Exit – You should know where every entry point and exit point is located. Take special note of smoking areas, seating areas and other public areas situated near the building. Photograph any security controls used to protect points of entry/exit (cameras, turnstiles).
Location of Dumpsters – Know where the dumpsters are located and any security controls around them. It’s likely they won’t be under surveillance, but do take note of any bright lights, nearby entrances, foot traffic and proximity to vehicle traffic.
Guards – Take photos of the guards, their tours and their badges. Determine if they’re employed by a security guard agency or if they are employees of the building’s management company.
Access Control Points – Determine what access controls are required to access the building, such as: proximity cards, ID cards, PIN entry, turnstiles, mantraps, security cameras, motion detectors, lobbies, etc. Most security controls are placed in the front entrances while other entrances are equipped with far less security protection. But the goal here is to learn what security authorization points you should be going through. Later on, you can figure out how to bypass them.
Badges – Take as many close-up pictures of visitor badges and employee badges as possible. It can sometimes be tricky to pull off. But having high-resolution images will do wonders for forging logos and bar codes.
Google Earth aerial view of RedTeam Security’s office building
Google Earth and Google Streetview are very useful tools for several reasons. They can be extremely valuable during the planning stages, from pretext planning to dumpster diving. The maps that Google Earth provides are also to scale, which simply adds even greater value. I personally make heavy use of Google Earth maps for planning purposes and through the pretexting phase.
Google Earth provides a social engineer with the capability to gain intelligence about the physical layout with little effort. The information captured from Google Earth will prove to be an invaluable resource for social engineers during planning and execution. It also adds a layer of anonymity. The social engineer can leverage the data without having to covertly photograph the premises and potentially raise suspicion.
Covert photography is an important aspect of surveillance and information gathering. It is not your traditional photography, however. It requires a much different approach. First of all, it is important to configure and use your camera in a way that won’t tip others off to what you’re doing. I use a Canon Rebel XTI to shoot from my vehicle. It is an older digital SLR but it gets the job done in those situations. Personally, I recommend going with a digital camera with a smaller body but good zoom and auto focus features.
Taking covert photos doesn’t give you much time to set up a shot. This is due to having to blend in or covertly sneak photos. Again, a camera that has good auto focus is paramount. Here are some key configurations for your digital camera:
Auto Focus – The camera should support point and click use allowing for quick but clear snapshots
Flash – This should be disabled for obvious reasons.
Auto ISO – The camera should support automatic ISO mode so that it changes quickly relative to what is in focus.
Shutter Sounds / Beeps – Configure the camera to be silent. In some cases this is not possible for some cameras. In situations where I need to be up close and quiet, I use a compact camera that doesn’t click or beep.
One of my personal favorite cameras is the shirt button video recorder. The video camera’s lens is situated in the center of the button and slips into your shirt in place of a button. This camera is ideal for videotaping the inside of lobbies, shared office spaces, parking lots, etc. It can be used extensively to covertly identify where motion detectors and security cameras are placed without raising attention. With any luck, sometimes you can grab decent footage of badges.
Covert video recorder disguised as a shirt button
There are several adaptations of this camera for sale online and just about anyone will do. There are models that come with different styled and colored buttons to match your shirt. Other variations come inside backpacks, brief cases, watches and the list goes on. The video quality is not fantastic, but that’s not the objective. It provides a more discreet way of obtaining information. The captured footage can then be reviewed and used to develop a more strategic social engineering plan.
Dumpster Diving
Now onto the least glamorous part of information gathering, dumpster diving. Dumpster diving is simply the process of going through the target’s trash in an effort to uncover information, electronic media, or discarded documents that might be helpful in a social engineering test. Yes, it is a dirty and stinky job. But it’s a dirty job that will reward you for your bravery. It is amazing what people throw away: everything from computers, media storage equipment and USB drives to a treasure trove of paper documents. I like to call it, “dirty data.”
It is the media storage devices and paper documents that social engineers are most interested in. And not necessarily the confidential paper documents either. Dirty data could simply be discarded invoices from the organization’s IT services vendor or a discarded printout of telephone extensions. It may even be an old vacation schedule. Whatever it might be, these bits of dirty data should be snatched up and held onto as information.
More often than not, neither time nor the location will allow you to perform analysis on the trash onsite. So, what exactly should you take with you? Unless you have super powers that let you see through garbage bags, there is no great answer for that. The best advice is to take the lightest bags first. The trash in these bags usually comes from office waste paper baskets, so you’re more likely to fare better in terms of gaining intelligence. But unfortunately, it tends to also be somewhat messy. Discarded coffee cups, napkins, wrappers and take-out boxes will be mixed in.
Office cleaning staff usually make their rounds of office/cubicle trash pickup all at the same time. This is advantageous since it means that trash similar in nature (paper documents) will likely be in the same bag. The contents may be somewhat evident as well (light, yet bulgy). Grab these bags first.
Dumpster diving is best performed in the late evening, so as not to stir up any suspicion from potential onlookers. And of course, before any dumpster diving begins, it should be well within the scope of the Rules of Engagement and legal in the state it’s being performed.