We discussed last week that open source intelligence, or OSINT, is one of the most important phases of an assessment for a penetration tester. It is the part of a test where an engineer gathers publicly available background information about an organization, ranging from the business they are in, to the types of technical assets in use, to the names of employees. All of this is crucial for preparing the attacks launched later in the test, and the data gathered through OSINT can make the difference between a well-rounded assessment and a simplistic review. Today, we'll go a step further as we look at OSINT and cover some of the most popular tools and techniques for gathering information for an assessment.
1. Search Engines
I hate being cliché, but it is very true in this case that Google (and other search engines) is your friend. Simply reading through the information about your target company that you can get from a Google search is very helpful. Look through their corporate website, news articles, information collected by aggregation websites, etc. You should be keeping an eye out for things like:
- Physical Locations – Helpful for social engineering campaigns, physical penetration testing, red teaming, or creating password lists.
- Subdomains – Throughout OSINT, you should be looking to confirm the target scope you’ve been provided for an assessment or identify anything outside of the target scope that the company may not know about.
- Company Culture – Getting an idea about what is most important to the company, what causes they support, employee dress and conduct, etc.
- Job Postings – These can be a gold mine of information about the technology and software in use within a company. If they are looking for an ASP.NET Developer and a MS SQL Server DBA, you have a strong indication of their web application stack before sending a single packet.
- Employee Names and Email Formats – Names of the leadership team, employee directories, and contact information are great things to keep handy during an engagement. Additionally, noting the email format used for employees (first.last, flast, etc.) lets you turn a list of names into a list of probable usernames for password attacks. Confirm the format against a few addresses you already know before generating hundreds of guesses from it.
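The email-format step above is easy to do by hand for three names and tedious for three hundred. The following is an added example (not code from the original post) that infers the convention from a few known name/address pairs and applies it to newly discovered names. The employee names and addresses are constructed for the example; `example.com` stands in for the target domain.

```python
import re
from collections import Counter

# Constructed sample: names paired with addresses already found on the target's
# website or in press releases (all made up for this example).
KNOWN_PAIRS = [
    ("Alice", "Johnson", "ajohnson@example.com"),
    ("Robert", "Lee", "rlee@example.com"),
    ("Maria", "Garcia-Lopez", "mgarcialopez@example.com"),
]

# Constructed list of further employee names scraped from a directory page.
NEW_NAMES = [("David", "Kim"), ("Priya", "Natarajan")]

# Common username conventions, keyed by a label we can report back.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
    "last.first": lambda f, l: f"{l}.{f}",
}


def normalize(part):
    """Lowercase a name part and drop hyphens, apostrophes and accents' leftovers."""
    return re.sub(r"[^a-z0-9]", "", part.lower())


def infer_format(pairs):
    """Return the (format label, domain) that explains the most known pairs.

    Each known address votes for every convention that reproduces its local
    part; pairs that no convention explains are ignored rather than guessed.
    """
    votes = Counter()
    for first, last, email in pairs:
        local, _, domain = email.lower().partition("@")
        f, l = normalize(first), normalize(last)
        for label, fn in FORMATS.items():
            if fn(f, l) == local:
                votes[(label, domain)] += 1
    if not votes:
        raise ValueError("no known convention matches the sample addresses")
    return votes.most_common(1)[0][0]


def generate_emails(names, label, domain):
    """Apply an inferred convention to new names to build a username list."""
    fn = FORMATS[label]
    return [f"{fn(normalize(f), normalize(l))}@{domain}" for f, l in names]


if __name__ == "__main__":
    label, domain = infer_format(KNOWN_PAIRS)
    print(f"inferred format: {label} @ {domain}")
    for address in generate_emails(NEW_NAMES, label, domain):
        print(address)
```

If two conventions tie (say `first` and `firstlast` when the only sample has a one-word name), the most-common pick is arbitrary; in practice, feed it at least three known addresses and eyeball the result before using it for a spray.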
This is just the beginning of the information you can obtain through OSINT. Beyond this type of data, specially crafted searches, often known as Google Hacking or Google Dorking, are fantastic for taking this process further. SANS has a great cheat sheet to help get you started, but a couple of my favorite uses are:
- site:<root domain> (or inurl:<root domain>) – this can quickly discover popular subdomains before you do something like prefix brute forcing. site: restricts results to the domain and its subdomains, while inurl: also matches pages that merely contain the domain string somewhere in the URL, so site: is usually the more precise choice; adding -site:www.<root domain> pushes the obvious host out of the way so the less obvious ones surface.
- site:<target domain> filetype:<pdf, docx, xlsx, txt, etc.> – this query finds documents hosted on the target site that the search engine has indexed, based on the extension you supply (one extension per filetype: operator; combine several with OR). You can use this to find sensitive data or to scrape metadata, as we'll discuss in a minute.
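The two dorks above produce a pile of URLs that still has to be sorted into hosts worth noting and documents worth downloading. The following added example (not from the original post) builds the query list for a root domain and triages a constructed set of search hits into subdomains and documents grouped by extension; it uses `site:` rather than `inurl:`, and `example.com` is a placeholder target. It deliberately drops hits on other domains whose path merely mentions the target.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Extensions worth pulling for metadata; extend as the engagement requires.
DOCUMENT_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt")

# Constructed search results, as if copied from a results page for example.com.
SAMPLE_RESULTS = [
    "https://www.example.com/about",
    "https://careers.example.com/jobs/aspnet-developer",
    "https://docs.example.com/handbook/2019/employee-handbook.pdf",
    "https://intranet-old.example.com/reports/q3.xlsx",
    "https://www.example.com/press/kit.PDF",
    "https://blog.third-party.net/why-example.com-chose-us",
    "https://example.com/",
]


def build_dorks(domain, extensions=DOCUMENT_EXTENSIONS):
    """Queries to run by hand or feed to a scraper.

    The first query surfaces subdomains (excluding the obvious www host);
    the rest find indexed documents, one query per extension.
    """
    queries = [f"site:{domain} -site:www.{domain}"]
    queries += [f"site:{domain} filetype:{ext}" for ext in extensions]
    return queries


def triage_results(urls, domain):
    """Split search hits into the hosts they reveal and documents per extension.

    Returns (sorted host list, {extension: [urls]}). Hits whose hostname is not
    the root domain or one of its subdomains are discarded, since inurl:-style
    matching happily returns third-party pages that mention the target.
    """
    hosts = set()
    documents = defaultdict(list)
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            continue
        hosts.add(host)
        filename = parsed.path.rsplit("/", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in DOCUMENT_EXTENSIONS:
            documents[ext].append(url)
    return sorted(hosts), dict(documents)


if __name__ == "__main__":
    for query in build_dorks("example.com", ("pdf", "docx", "xlsx")):
        print(query)
    hosts, docs = triage_results(SAMPLE_RESULTS, "example.com")
    print("hosts:", hosts)
    for ext, urls in docs.items():
        print(ext, "->", urls)
```

The host list is the thing to compare against the scope you were given: anything that is not on it (an `intranet-old` host, say) goes to the client before it goes into the scanner.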
2. PowerMeta
Transitioning from open searching and reading about a company, it's time to add some horsepower to this process. In comes PowerMeta, an open source PowerShell tool developed by @dafthack that automatically finds documents indexed on a target domain, downloads them, and scrapes their metadata (it uses ExifTool under the hood). This tool is a great way to add to what you've already gathered, as it dumps the extracted metadata into a CSV for review. Within that metadata you will frequently find usernames, employee names, software names and versions, third-party companies used for marketing, and so on. Usernames are the prize: the author and last-modified-by fields tend to be the exact account names you need for later password attacks, and they confirm or correct the email format you inferred earlier.
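To show what the metadata step actually recovers, here is an added example (not PowerMeta's code) that reads the author and application fields out of Office Open XML documents (.docx/.xlsx/.pptx are zip containers whose `docProps/core.xml` and `docProps/app.xml` parts carry those fields) and writes them out as CSV, the same shape of output PowerMeta gives you. The documents are constructed in memory for the example rather than downloaded; PDFs would need a separate parser and are not covered here.

```python
import csv
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by the two docProps parts of an OOXML file.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

FIELDS = ["file", "creator", "last_modified_by", "application", "app_version", "company"]


def extract_ooxml_metadata(name, data):
    """Return one row of author/application metadata for an OOXML blob.

    Parts that are missing (stripped documents, odd generators) simply leave
    the corresponding fields empty instead of raising.
    """
    row = dict.fromkeys(FIELDS, "")
    row["file"] = name
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        if "docProps/core.xml" in parts:
            core = ET.fromstring(z.read("docProps/core.xml"))
            row["creator"] = core.findtext("dc:creator", default="", namespaces=NS)
            row["last_modified_by"] = core.findtext("cp:lastModifiedBy", default="", namespaces=NS)
        if "docProps/app.xml" in parts:
            app = ET.fromstring(z.read("docProps/app.xml"))
            row["application"] = app.findtext("ep:Application", default="", namespaces=NS)
            row["app_version"] = app.findtext("ep:AppVersion", default="", namespaces=NS)
            row["company"] = app.findtext("ep:Company", default="", namespaces=NS)
    return row


def metadata_to_csv(rows):
    """Serialize rows to CSV text, one document per line, for review in a spreadsheet."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def usernames_from_rows(rows):
    """Distinct author/modifier values: candidate usernames for later attacks."""
    return sorted({v for r in rows for v in (r["creator"], r["last_modified_by"]) if v})


def make_sample_docx(creator, modified_by, app, version, company):
    """Constructed stand-in for a downloaded document: only the docProps parts
    matter here, so the document body is omitted entirely."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f"<dc:creator>{escape(creator)}</dc:creator>"
            f"<cp:lastModifiedBy>{escape(modified_by)}</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    app_xml = (f'<Properties xmlns="{NS["ep"]}">'
               f"<Application>{escape(app)}</Application>"
               f"<AppVersion>{escape(version)}</AppVersion>"
               f"<Company>{escape(company)}</Company></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


def make_empty_zip():
    """A container with no docProps parts at all (e.g. a sanitized document)."""
    buf = io.BytesIO()
    zipfile.ZipFile(buf, "w").close()
    return buf.getvalue()


# Constructed "downloads": values are invented, the domain-style username is typical.
SAMPLE_DOCS = {
    "handbook.docx": make_sample_docx("jsmith", "EXAMPLE\\asmith", "Microsoft Office Word", "16.0000", "Example Corp"),
    "budget.xlsx": make_sample_docx("Maria Garcia", "mgarcia", "Microsoft Excel", "15.0300", ""),
    "sanitized.docx": make_empty_zip(),
}

if __name__ == "__main__":
    rows = [extract_ooxml_metadata(n, d) for n, d in SAMPLE_DOCS.items()]
    print(metadata_to_csv(rows))
    print("usernames:", usernames_from_rows(rows))
```

Note the `EXAMPLE\asmith` style value: a last-modified-by field that carries a domain prefix gives you the NetBIOS domain name for free, and the `AppVersion` column (16.x is Office 2016/2019/365, 15.x is Office 2013) tells you which client-side software your later phishing payloads need to target.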
3. Recon-ng Framework
Another of the go-to tools for OSINT is Recon-ng, which comes built in on Kali Linux and is available on GitHub. Created by Tim Tomes (@lanmaster53), this framework is a one-stop shop for your automated OSINT processes and aggregates everything collected into a central database that you can query to stay organized. The navigation and database functionality look and feel very similar to Metasploit, making it easy to pick up. Inside, you can use a wide set of modules to collect subdomains of a target from search engines, perform forward and reverse DNS lookups, gather netblock or contact information from ARIN, brute force subdomain prefixes or additional TLDs, and more. Be aware that many of the more useful modules call third-party services and need API keys configured before they return anything. Extremely powerful.
4. Amass
Developed as an open source project supported by OWASP, Amass is designed as an "In-depth Attack Surface Mapping and Asset Discovery" tool. It can provide a visualization of an organization's external perimeter that includes everything from IP addresses to domain names to netblocks, laid out in a spider web-style interactive graph. To gather this information, a number of different techniques are available, including certificate enumeration (mining certificate transparency logs for names issued under the target's domains), DNS querying and brute forcing, web scraping, and interacting with third-party APIs. Keep in mind that the passive sources are invisible to the target, while DNS brute forcing sends traffic to their resolvers, so check what the rules of engagement allow before turning on the active techniques.
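Certificate enumeration is worth understanding on its own, since it is the single passive source that most often turns up hosts the client forgot about. The following added example (not Amass's code) parses a constructed certificate-transparency search result in the JSON shape returned by crt.sh (a list of entries with a newline-separated `name_value` field), normalizes the names, separates wildcard entries, and then checks the discovered hosts against the scope you were given. The entries and the `example.com` target are made up for the example.

```python
import json

# Constructed stand-in for a CT search response; real responses carry more
# fields, but only name_value matters for host discovery.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.dev.example.com\nvpn.example.com"},
    {"name_value": "MAIL.Example.COM"},            # case varies across issuers
    {"name_value": "example.com.evil-lookalike.net"},  # must not be accepted
    {"name_value": "old-intranet.example.com."},   # trailing dot, FQDN form
])


def names_from_ct(raw_json, root):
    """Return (hosts, wildcard_zones) found under root in a CT result.

    Wildcard certificates are reported as the zone they cover, which is the
    label you then brute force; names that only contain the root as a prefix
    (look-alike domains) are dropped.
    """
    suffix = "." + root
    hosts, wildcard_zones = set(), set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                name, bucket = name[2:], wildcard_zones
            else:
                bucket = hosts
            if name == root or name.endswith(suffix):
                bucket.add(name)
    return sorted(hosts), sorted(wildcard_zones)


def scope_check(hosts, in_scope):
    """Split discovered hosts into those covered by the agreed scope and those
    to raise with the client before anyone touches them."""
    def covered(host):
        return any(host == s or host.endswith("." + s) for s in in_scope)
    inside = [h for h in hosts if covered(h)]
    outside = [h for h in hosts if h not in inside]
    return inside, outside


if __name__ == "__main__":
    hosts, zones = names_from_ct(SAMPLE_CT_JSON, "example.com")
    print("hosts:", hosts)
    print("wildcard zones to brute force:", zones)
    inside, outside = scope_check(hosts, ["www.example.com", "vpn.example.com"])
    print("in scope:", inside)
    print("not in the agreed scope:", outside)
```

A wildcard entry like `*.dev.example.com` tells you nothing about which hosts exist under `dev.example.com`, only that the organization issues certificates there; that is exactly where a brute-force wordlist pays off, and it is a good reason to run Amass in passive mode first and feed its output into a targeted brute force second.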
Using these tools for OSINT can take an assessment to the next level, improving both the results and the sophistication of the work. A good penetration tester will leverage these techniques to raise the quality of their intrusion attempts in the later phases of an assessment. If you've got any further questions on how we perform this part of an assessment or how this phase plays into each type of assessment we offer, please feel free to reach out!