3.6 KiB
3.6 KiB
Intelligence Gathering
- More information gathered, more vectors of attack may be able to use
- Better knowledge of target, more likely to succeed
- Better target company knows what is common knowledge, better it can prepare.
Open-source Intelligence (OSINT)
- Gathers information from publicly available sources and analyses it, producing intelligence
- May not be up to date, accurate or complete.
- Could be deliberately manipulated to provide false intelligence.
- Many companies may fail to take into account public information, and how it could be gathered, organised and made searchable
- Physical (locations / relationships)
- Logical (business partners, job openings, meeting minutes, professional licenses)
- Org chart (important people)
- Electronic (document metadata, marketing information)
- Infrastructure (email addresses, technologies used)
- Many employees fail to realise information published on the public domain about themselves.
- Social Media
- GDPR gives right to ask to remove.
Limits
- Gathering information to identify entry points
- physical, electronic, human...
- and try to map out internal structure
- physical, network, organisational
- and external dependencies
- outsourcing, financial
- It does not involve trying to test or use entry points
- "potential vulnerability" more interesting
- cyclic lifecycle, we can do more recon later
Levels
- Level 1
- Automated tools to gather information
- Generally a simple list of what exists
- Level 2
- Combination of tools and manual searching / analysis
- Good understanding of physical locations, business relationships, organisation charts, naming policies, etc.
- Level 3
- Heavy use of manual techniques
- Deep understanding of business and how it operates
- Highly strategic and planned, time consuming
Considerations in Commercial Pentest
- Keep to RoE
- Avoid legal issues and avoid scope creep
- Avoid being sidetracked by interesting sideroads
- Have a Goal
- What is relevant to the target you have been engaged to attack
- Have a deadline
- Make sure time allocated to use intelligence
Passive vs Active Reconnaissance
Passive
- Collecting data using publicly available information without direct contact with target
- Open web resources, public company information
- How they operate, how large they are, contact info, etc.
Active
- Direct interaction with target by any means to gather information
- Port scanning, vulnerability scanning, etc
- Illegal without permission.
Semi-Passive
- Collecting data with methods that appear like normal internet traffic and behaviour.
- Looking at metadata in published documents and files. Not actively seeking hidden content.
Semester 1 Assignment
-
Choose company
- Should be small, but not too small
- Likely IT business
-
Passive recon using OSINT sources
-
Include some semi-passive recon
-
Write report, outlining what has been found and why company should be aware.
-
Look for:
- Corporate
- Personal
- Technical information
-
http://www.pentest-standard.org/index.php/Intelligence_Gathering
How to Obtain Information
- Google Dorking, search for information to see who else has it, and what else they have.
- Information Gathering tools built into Kali
- Google for OSINT sources.
- Google Hacking Database (GHDB)
- Maltego
- DMitry
- Dnmap
- Ike-scan (Discover IPsec VPNs)
- P0f (Passive traffic fingerprinting)
Note on Packet Sniffing
- Some tools rely on network inspection between you and target
- "Active Packet Sniffing" means specific things cause traffic to flow to you
- "Passive Packet Sniffing" means you inspect the traffic that happens to come past sniffer.