Many different sources exist for information gathering. The following list cannot possibly cover every source out there, but it does outline the major choices you have.
Gathering Information from Websites
Corporate and/or personal websites can provide a bounty of information. The first thing a good social engineer will often do is gather as much data as he can from the company’s or person’s website. Spending some quality time with the site can lead to clearly understanding:
- What they do
- The products and services they provide
- Physical locations
- Job openings
- Contract numbers
- Biographies on the executives or board of directors
- Support forum
- Email naming conventions
- Special words or phrases that can help in password profiling
Seeing people’s personal website is also amazing because they will link to almost every intimate detail about their lives—kids, houses, jobs and more. This information should be cataloged into sections because it will often be something from this list that is used in the attack.
Many times company employees will be part of the same forums, hobby lists, or social media sites. If you find one employee on LinkedIn or Facebook, chances are that many are there as well. Trying to gather all that data can really help a social engineer profile the company as well as the employees. Trying to gather all that data can really help a social engineer profile the company as well as the employees. Many employees will talk about their job title in their social media outlets. This can help a social engineer to profile how many people may be in a department and how the departments are structured.
Johny Long wrote a famous book called Google Hacking for Penetration Testers and really opened up many people’s eyes to the amazing amount of information that Google holds.
Google forgives but it never forgets, and it has been compared to the Oracle. As long as you know how to ask, it can tell you most anything you want to know.
Johnny developed a list of what he called “Google Dorks,” or a string that can be used to search in Google to find out information about a company.
For example if you were to type in: site:microsoft.com filetype:pdf you would be given a list of every file with the extension of PDF that is on the microsoft.com domain.
Being familiar with search terms that can help you located files on your target is a very important part of information gathering. I make a habit of searching for filetype:pdf, filetype:doc, filetype:xls, and filetype:txt. It is also a good idea to see if employees actually leave files like DAT, CFG, or other database or configuration file open on their servers to be harvested.
Entire articles is dedicated to the topic of using Google to find data, but the main thing to remember is learning about Google’s operands will help you develop your own.
A website like www.googleguide.com/advanced_operators.html has a very nice list of both the operands and how to use them.
Google is not the only search engine that reveals amazing information. A researcher named John Matherly created a search engine he called Shodan (www.shodanhq.com).
Shodan is unique in that it searchers the net for servers, routers, specific software, and so much more. For example, a search of microsoft-iis os:”windows 2003” reveals the following number of servers running Windows 2003 with Microsoft IIS:
- United States 59,140
- China 5,361
- Canada 4,424
- United Kingdom 3,406
- Taiwan 3,027
This search is not target-specific, but it does demonstrate one vital lesson: the web contains an amazing wealth of information that needs to be tapped by a social engineer seeking to become proficient at information gathering.
Whois is a name for a service and a database. Whois database contain a wealth of information that in some cases can even contain full contact information of the website administrators.
Using a Linux command prompt or using a website like www.whois.net can lead you to surprising specific results like such as a person’s email address, telephone number, or even DNS server IP address.
Whois information can be very helpful in profiling a company and finding out details about their servers. All of this information can be used for further information gathering or to launch social engineering attacks.
A company’s publicly reachable servers are also great sources for what its websites don’t say. Fingerprinting a server for its OS, installed applications, and IP information can say a great deal about a company’s infrastructure. After you determine the platform and applications in use, you could combine this data with a search on the corporate domain name to find entries on public support forums.
IP addresses may tell you whether the servers are hosted locally or with a provider; with DNS records you can determine server names and functions, as well as IPs.
In one audit after searching the web using the tool called Maltego, I was able to uncover a publicly facing server that housed literally hundreds of documents with key pieces of information about projects, clients, and the creators of those documents. This information was devastating to the company.
An important note to keep in mind is that performing a port scan—using a tool like NMAP or another scanner to locate open ports, software, and operating systems used on a public server—can lead to problems with the law in some areas.
For example, in June 2003, an Israeli, Avi Mizrahi, was accused by the Israeli police of the offense of attempting the unauthorized access of computer material. He had port scanned the Mossad website. About eight months later, he was acquitted of all charges. The judge even ruled that these kinds of actions should not be discouraged when they are performed in a positive way (www.law.co.il/media/computer-law/mizrachi_en.pdf).
In December 1999, Scott Moulton was arrested by the FBI and accused of attempted computer trespassing under Georgia’s Computer System Protection Act and Computer Fraud and Abuse Act of America. At the time, his IT services company had an ongoing contract with the Cherokee Country of Georgia to maintain and upgrade the 911 center security (www.securityfocus.com/news/126).
As part of his work, Moulton performed several port scans on Cherokee Country servers to check their security and eventually port scanned a web server monitored by another IT company. This provoked a lawsuit, although he was acquitted in 2000. The judge ruled that no damage occurred that would impair the integrity and availability of the network.
In 2007 and 2008, England, France, and Germany passed laws that make unlawful the creation, distribution, and possession of material that allow someone to break any compute law. Port scanners fall under this description.
Of course, if you are involved in a paid audit of a company most of this will be in the contract, but it is important to state that it is up to the social engineer auditor to be aware of the local laws and make sure you are not breaking them.
Many companies have recently embraced social media. Its cheap marketing that touches a large number of potential customers. It’s also another stream of information from a company that can provide breadcrumbs of viable information.
Companies publish news on events, new products, press releases, and stories that may relate them to current events.
Lately, social networks have taken on a mind of their own. When one becomes successful it seems that a few more pop up that utilize similar technology. With sites like Twitter, Blippy, PleaseRobMe, ICanStalkU, Facebook, LinkedIn, MySpace, and others, you can find information about people’s lives and whereabouts in the wide open. Later, this book will discuss this topic in much more depth and you will see that social networks are amazing sources of information.
User Sites, Blogs, and So On
User sites such as blogs, wikis, and online videos may provide not only information about the Target Company, but also offer a more personal connection through the user(s) posting the content. A disgruntled employee whose blogging about his company’s problems may be susceptible to a sympathetic ear from someone with similar opinions or problems. Either way, users are always posting amazing amounts of data on the web for anyone to see and read.
Case in point: Take a look at a new site that has popped up—www.icanstalku.com. Contrary to its name, it does not encourage people to actually stalk others. This site points to the complete thoughtlessness of many Twitter users.
It scrapes the Twitter site and looks for users who are silly enough to post pictures using their smart phones. Many people do not realize that most smart phones embed GPS location data in their photos. When a user posts a picture to the web with this data embedded it can lead a person right to their location.
Displaying location-based information is a scary aspect of social media website. Not only do they allow you to post pictures of yourself, they also implicitly reveal your location—possibly without your knowledge.
Site like ICanStalkU underscore the danger of this information. Check out a story (one of many) that shows how this data is used for home break-ins, robberies, and sometimes more at www.social-engineer.org/wiki/archives/BlogPosts/TwitterHomeRobbery.html.
This type of information can give you a very detailed profile of your target. People love to tweet about where they are, what they are doing, and who they are with. Blippy allows a person to connect their bank accounts and in essence it will “tweet” with each purchase, where it was from, and how much it costs. With pictures including embedded location data and then sites like Facebook, which many use to put personal pictures, stores, and other related info, it is a social engineer’s dream. In a short while a whole profile can be developed with a person’s address, job, pictures, hobbies, and more.
Another aspect of social media sites that makes them excellent sources of information gathering is the ability to be anonymous. If the target is recently divorced middle-aged man who loves his Facebook page, you can be a young woman who is looking for a new friend.
Many times, while flirting, people divulge valuable pieces of information. Combine the ability to be anyone or anything you want on the web with the fact that most people believe everything they read as gospel fact and what you have is one of the greatest risks to security.
Public data may be generated by entities inside and outside the target company. This data can consist of quarterly reports, government reports, analyst reports, earnings posted for publicly traded companies, and so on. An example of these is Dunn and Bradstreet reports or other sales reports that are sold for very little money and contain a lot of details on the target company.
These sites, along with many other, can offer background check services for as little as $1 for one limited report to a $49 per month for free using search engines, but some of the detailed financial data and personal information can only be obtained easily and legally through a paid-for service. Perhaps most shocking is that many of these companies may even provide data like a person’s Social Security Number to some customers.