Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BruCON] Opensource Information Gathering

Chris Gates – Open-source Information Gathering

Collect as much information about the target as possible; it may prove valuable later.

OSINT – Open Source INTelligence

Penetration Testing – The focus is currently on scanning and exploitation
Real-life hacking – The focus is on gathering the information required to attack

Information gathering phases

  • Passive – No traffic to the target
  • Semi-Passive – Only traffic that looks normal and expected
  • Active – Full searches and enumeration

Infrastructure – Every online source has an infrastructure to be examined.
People/Organisation – Looking at the human side of information gathering

Every company is now online. The companies want you to know everything about them. Some information is voluntary, some is legally required to be made available.

Infrastructure information gathering – Goal is to build an infrastructure diagram with publicly discoverable information.

Maltego can be used to find systems connected to the enterprise by using one piece of information to connect the dots. Maltego transforms offer the ability to find other connected domains, DNS entries, MX servers and more. Find the weakest link in the infrastructure to target your attack.

Tools to use .:

  • Maltego
  • Serversniff.net
  • Robotex.com
  • clez.net
  • CentralOps.net
  • Rsnake’s fierce.pl
  • PassiveRecon Firefox plugin
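To make the "connect the dots" idea concrete, here is an added example (not Maltego's code or anything from the talk) that models transform chaining over constructed lookup tables. The domains, hosts, addresses and registrant contact are invented sample data standing in for DNS and whois results; nothing here touches the network. Starting from one seed domain it expands outwards exactly the way a chain of transforms does, and then reports which IPs tie otherwise separate-looking domains together, which is the kind of shared infrastructure a defender wants to know about before an attacker does.

```python
"""Toy model of Maltego-style transform chaining: start from a single seed
entity and expand it into an infrastructure graph.

All lookup tables are constructed sample data (RFC 2606 .test names and
TEST-NET-2 addresses), standing in for the DNS and whois lookups a real
transform would perform.  Nothing here touches the network.
"""
from collections import deque

# Constructed forward DNS (A) records: hostname -> IPv4 address.
DNS_A = {
    "www.example.test": "198.51.100.10",
    "mail.example.test": "198.51.100.20",
    "vpn.example.test": "198.51.100.30",
    "shop.example-store.test": "198.51.100.10",   # shares a host with www
}
# Constructed MX and NS records, keyed by domain.
DNS_MX = {"example.test": ["mail.example.test"],
          "example-store.test": ["mail.example.test"]}
DNS_NS = {"example.test": ["ns1.dns-provider.test"],
          "example-store.test": ["ns1.dns-provider.test"]}
# Constructed whois registrant contacts, keyed by domain.
WHOIS_REGISTRANT = {"example.test": "hostmaster@example.test",
                    "example-store.test": "hostmaster@example.test"}

# Derived reverse lookup: IP -> hostnames that resolve to it.
REVERSE = {}
for _host, _ip in DNS_A.items():
    REVERSE.setdefault(_ip, []).append(_host)

KNOWN_DOMAINS = set(DNS_MX) | set(DNS_NS) | set(WHOIS_REGISTRANT)


def transform(etype, value):
    """Return the (type, value) neighbours of one entity.

    Each branch plays the role of one transform: domain -> MX/NS hosts,
    sub-hosts and registrant e-mail; host -> IP and parent domain;
    IP -> hosts resolving to it; e-mail -> domains registered with it.
    """
    found = []
    if etype == "domain":
        found += [("host", h) for h in DNS_MX.get(value, [])]
        found += [("host", h) for h in DNS_NS.get(value, [])]
        found += [("host", h) for h in DNS_A if h.endswith("." + value)]
        if value in WHOIS_REGISTRANT:
            found.append(("email", WHOIS_REGISTRANT[value]))
    elif etype == "host":
        if value in DNS_A:
            found.append(("ip", DNS_A[value]))
        parent = value.split(".", 1)[1] if "." in value else ""
        if parent in KNOWN_DOMAINS:
            found.append(("domain", parent))
    elif etype == "ip":
        found += [("host", h) for h in REVERSE.get(value, [])]
    elif etype == "email":
        found += [("domain", d) for d, r in WHOIS_REGISTRANT.items() if r == value]
    return found


def expand(seed_type, seed, max_depth=4):
    """Breadth-first expansion from the seed; returns (entities, edges)."""
    start = (seed_type, seed)
    entities = {start}
    edges = []
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for nxt in transform(*node):
            edges.append((node, nxt))
            if nxt not in entities:
                entities.add(nxt)
                queue.append((nxt, depth + 1))
    return entities, edges


def shared_ips(entities, edges):
    """IPs reached from hosts of more than one domain: the dots that connect
    domains which look unrelated on their own."""
    hosts_of_ip = {}
    for (ft, fv), (tt, tv) in edges:
        if ft == "host" and tt == "ip":
            hosts_of_ip.setdefault(tv, set()).add(fv)
    return {ip: sorted(hs) for ip, hs in hosts_of_ip.items()
            if len({h.split(".", 1)[1] for h in hs}) > 1}


if __name__ == "__main__":
    ents, eds = expand("domain", "example.test")
    for t, v in sorted(ents):
        print(f"{t:7} {v}")
    print("shared infrastructure:", shared_ips(ents, eds))
```

Seeding with `example.test` alone pulls in `example-store.test` twice over: once through the common registrant contact and once through the IP that `www` and `shop` share. Replacing the constructed tables with real resolver and whois calls turns this into a passive map of your own externally visible footprint.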

People/Organisation – Create a profile of people in charge and discover the corporate culture.

Some companies put all of this information on their website. Others prefer to hide this from the public eye.

By pulling down email chains using Google or other email harvester tools you can gain information about staff and their connections. Remember to check other TLDs, not just .com. Using Maltego, this information can be expanded upon to find social networking links and a stream of other information. With this information you can take it to the next level and socially engineer the target prior to the engagement.

Tools to use .:

  • Maltego
  • TheHarvester
  • PassiveRecon Firefox plugin
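The following is an added example of the extraction step a harvester such as TheHarvester performs; it is not that tool's code and not from the talk. The sample pages are constructed text using reserved .test domains, and the organisation label "example" is an assumed input. It undoes the common "[at]" and "[dot]" obfuscations, matches addresses by the organisation's label rather than one full domain (so other TLDs are caught, as the notes advise), and summarises the naming convention the harvest reveals. Run it over your own published pages to see what a harvester would collect.

```python
"""Offline model of what an e-mail harvester extracts from web pages or search
results.  SAMPLE_PAGES is constructed text with RFC 2606 .test domains, not
real addresses.
"""
import re
from collections import defaultdict

SAMPLE_PAGES = [
    "Contact: j.doe@example.test, press office press@example.co.test",
    "Posted by Jane Doe <Jane.Doe@EXAMPLE.test> on the forum.",
    "Helpdesk: support [at] example [dot] test (use for tickets)",
    "Unrelated vendor: webmaster@other-company.test",
    "German office: sales(at)example.de.test",
]

# Human-readable obfuscations that harvesters undo before matching.
_AT = re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.IGNORECASE)
_DOT = re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def deobfuscate(text):
    """Turn 'user [at] host [dot] tld' style spellings back into addresses."""
    return _DOT.sub(".", _AT.sub("@", text))


def harvest(pages, org_label):
    """Collect addresses whose domain starts with org_label, across all TLDs.

    Returns {domain: sorted list of unique lower-cased addresses}.  Matching on
    the organisation's label rather than one full domain is what catches
    example.co.test and example.de.test alongside example.test.
    """
    found = defaultdict(set)
    for page in pages:
        for addr in EMAIL_RE.findall(deobfuscate(page)):
            addr = addr.lower()
            domain = addr.rsplit("@", 1)[1]
            if domain.split(".", 1)[0] == org_label.lower():
                found[domain].add(addr)
    return {d: sorted(a) for d, a in found.items()}


def address_styles(harvested):
    """Count the local-part conventions seen (first.last, initial.last,
    single-word role accounts) so the organisation knows which naming scheme
    its public pages reveal."""
    styles = defaultdict(int)
    for addrs in harvested.values():
        for addr in addrs:
            local = addr.split("@", 1)[0]
            if "." not in local:
                styles["single-word"] += 1
            elif len(local.split(".", 1)[0]) == 1:
                styles["initial.last"] += 1
            else:
                styles["first.last"] += 1
    return dict(styles)


if __name__ == "__main__":
    result = harvest(SAMPLE_PAGES, "example")
    for domain, addrs in sorted(result.items()):
        print(domain, addrs)
    print(address_styles(result))
```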

Document Metadata – Lots of information on people, technologies, and infrastructure. Perfect for client-side exploitation and attack vectors. By doing this in Maltego you can use additional transforms to gain additional information.

Tools to use .:

  • Maltego
  • Metagoofil
  • FOCA
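As an added illustration of what the metadata tools above read (this is neither Metagoofil's nor FOCA's code, nor from the talk), here is an audit-and-scrub routine for the two metadata parts of an Office Open XML package. The document is built in memory from constructed values (the user names, workstation tag, dates, company and template name are all invented), so the script runs offline; pointed at real files it shows which people, software versions and templates a document discloses, and the scrub step blanks those fields before publication.

```python
"""Audit and scrub the metadata an Office Open XML (.docx/.xlsx/.pptx) package
carries in docProps/core.xml and docProps/app.xml.  The document used here is
constructed in memory from invented sample values.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():   # keep prefixes stable when re-serialising
    ET.register_namespace(_prefix, _uri)

# Element path -> label for the fields that leak people and technology details.
CORE_FIELDS = {"dc:creator": "author", "cp:lastModifiedBy": "last_modified_by",
               "dcterms:created": "created", "dcterms:modified": "modified"}
APP_FIELDS = {"ep:Application": "application", "ep:AppVersion": "app_version",
              "ep:Company": "company", "ep:Template": "template"}
PARTS = {"docProps/core.xml": CORE_FIELDS, "docProps/app.xml": APP_FIELDS}

# Constructed sample parts; every value below is invented.
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>Jane Doe (HELPDESK-WS07)</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2009-09-01T09:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2009-09-15T16:30:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)
APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}">
  <Template>Corporate-Letterhead.dotx</Template>
  <Application>Microsoft Office Word</Application>
  <AppVersion>12.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>""".format(**NS)


def build_sample_docx():
    """Assemble a minimal .docx (a zip of XML parts) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<w:document xmlns:w='urn:constructed'/>")
    return buf.getvalue()


def extract_metadata(data):
    """Return {label: value} for every populated metadata field found."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part, fields in PARTS.items():
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for path, label in fields.items():
                el = root.find(path, NS)
                if el is not None and el.text and el.text.strip():
                    found[label] = el.text.strip()
    return found


def scrub_metadata(data):
    """Rewrite the package with the audited fields blanked; other parts copied."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in PARTS:
                root = ET.fromstring(payload)
                for path in PARTS[item.filename]:
                    el = root.find(path, NS)
                    if el is not None:
                        el.text = ""
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", extract_metadata(sample))
    print("after: ", extract_metadata(scrub_metadata(sample)))
```

Note that `lastModifiedBy` and `Template` are the fields most often overlooked: the first frequently carries a workstation or helpdesk naming scheme, the second the organisation's internal template names. The same zip-plus-XML structure applies to .xlsx and .pptx, so the routine works unchanged on those.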

Gathering this information can take a great deal of time. In his tests Chris will spend around a week working on this phase. Providing a report on information disclosure to the company as part of a penetration test can help them understand their exposure.


Libextract isn’t good with newer PDFs = Solutions include FOCA and scripting to pull the data out directly
Goolag = Easy to get your IP banned from Google

Organisation profiling – Online networking and HR tools are a great resource for information. Sites like pipl, xing, spokeo, spoke, 123people and zoominfo can be crawled using their built-in APIs. Some sites will cost money, but the information is worth it.

Namechk can be used to find people’s use of social networks.

Maltego now has Twitter transforms to see who is communicating with these people: followers, people they follow, and connections.

Tweepsearch or search.twitter.com are useful for finding keywords or groups of people based on specific search criteria.

Taking over somebody’s identity
If somebody has a weak online presence, can you act as that person? Can you add a new staff member, join the company groups and use this for Social Engineering? Can you create a Gmail account for this user, register on social networking sites, or write a blog on their behalf?
