Phase 1: Info Gathering Phase (Reconnaissance)
As with any other type of penetration test, we need to gather information. The only difference here is that instead of looking for operating system types, software versions, and vulnerabilities, we're searching for information about the company, their employees, their social networking presence, et cetera.
Given that we're performing an assessment from a corporate perspective, there are some limitations with regard to privacy and employees’ private life, but the truth is that real attackers won't abide by such limitations. So, you should assume that any information made public or available on the Internet will be considered usable. (Disclosure: consultants/employees should talk to your client/employer and lawyers to define the scope for any penetration test prior to information gathering.)
As stated in the comic, information gathering is really simple and there's only one rule: There is never enough information; the more you have the better. Everything is relevant in some way or another—everything from company icons, images, and documents all they way down to where an employee went to dinner last week and with whom.
Luckily for us, Mark Zuckerberg (creator of Facebook) and corporate America have made people’s lives public and easy to follow by convincing them that they're supposed to forget about privacy and share as much information as they can with as many people and services as they can, because it is “good” for them.
The type of data we need depends on the type of attack we're performing. Given that we are currently discussing social engineering assessments in a corporate context, we will surely need to gather corporate email accounts and plenty of names. There are many tools capable of performing Open Source Intelligence (OSINT) including the Harverster, Maltego, and, of course, ESearchy.
Esearchy is project that I began a few years go as a small Ruby library with a proof-of-concept CLI tool capable of searching the internet for email addresses and people from a specific domain or company. Currently, the supported search plug-ins include but are not limited to:
- Google Profiles
- PGP servers
- GoogleGroups Search
In addition to that, ESearchy is capable of downloading—upon request—several types of files and searches their contents for emails. File types supported include but are not limited to:
With this simple introduction, we're now going to install the tool and test a few of the information gathering concepts described above. ESearchy is currently hosted as a Ruby gem at https://rubygems.org, so by fetching the gem in any Linux, OSX, or Windows environment, it will install all the necessary dependencies and binaries.
Note: Ubuntu users will need to add the Ruby path to their $PATH in order to run
Once ESearchy is installed, we are ready to start gathering information. As previously mentioned, the application supports several types of searches using the
esearchyCLI command and/or by creating custom scripts using the ESearchy library—that is, they require
Using the tool is straightforward; for example:
The first command searches for email addresses inside @company.com using the Google and the PGP plug-ins, as shown in the following video examples:
The second example actually searches for people on LinkedIn using the search string Company Inc:
For a full description on the engines supported and all the other possible ESearchy features, please refer to the
helpcommand in the ESearchy tool itself, which is:
Despite now having a list of email addresses related to the company in question, it's a good idea to continue gathering as much data as possible. We should continue performing searches; we may need to find information regarding the DNS servers and mail servers, as well as other information that is usually collected as part of a standard penetration test. ESearchy currently does not perform these search types , but that functionality will be supported in future versions as separate, standalone tool.
Last but not least, a good way to confirm (and possibly obtain more) email addresses involves checking the SMTP server for vulnerabilities (such as information disclosures) using VRFY or EXPN, et cetera. If present, this information should allow us to confirm our email addresses and possibly even acquire more.
This is part two of a four-part social engineering post. The next entry will discuss using ruses to gather more intrusive information about the internal network.