Chapter 1. Intelligence Gathering: Peering Through the Windows to Your Organization

To successfully execute an attack against an organization, the attacker must first perform reconnaissance to gather as much intelligence about the organization as possible. Many traditional methods for gaining intelligence about targets still work today, such as dumpster diving, querying public databases, and querying search engines. However, new methods that rely on gathering information from technologies such as social networking applications are becoming more commonplace. In this chapter, we will discuss the traditional methods as well as how the new generation of attackers is able to abuse new technologies to gather information.

From the attacker’s point of view, it is extremely important to perform reconnaissance as surreptitiously as possible. Since information gathering is one of the first steps the attacker may perform, he must take care not to do anything that may alert the target. The techniques in this chapter will therefore concentrate on methods that allow an attacker to gather information without sending a single network packet toward the target.

Information gathered during reconnaissance always ends up aiding the attacker in some way, even if it isn’t clear early on how the information is useful. Attackers want to obtain as much information about their target as possible, knowing that the data they collect, if not immediately useful, will most likely be useful in later stages of the attack.

Physical Security Engineering

Gathering information through physical means is a traditional tactic that attackers have been using for a while now. Some examples of information that an attacker can obtain from these methods include network diagrams, financial information, floor plans, phone lists, and information regarding conflicts and communications among employees.

In the next section, we will look at the different techniques attackers use to gather intelligence by physical means.

Dumpster Diving

Dumpster diving, also called “trashing,” is a method of information gathering in which an attacker searches through on-site trash cans and dumpsters to gather information about the target organization. This technique is not new, yet attackers are still able to use it to gather substantial amounts of intelligence. Methods have been developed to attempt to prevent attackers from dumpster diving, such as shredding sensitive data and using off-site companies to securely dispose of sensitive documents.

Even though some companies have taken preventive measures against dumpster diving, attackers can still gather information if they are willing to go through a target’s trash. Instead of disposing of it securely, employees often throw sensitive information into the nearest trash can. Humans are creatures of habit and convenience. Why would a person want to walk 25 feet to dispose of something when there is a trash can under her desk?

Figure 1-1 shows a printer cover sheet that exposes the username of the person who requested the print job. Even this username on a piece of paper is an important find for an attacker because it helps the attacker understand how the corporation forms usernames (the first letter of the user’s first name, capitalized, appended to the user’s last name, initial-capped). This knowledge gives the attacker an understanding of how to formulate an individual’s corporate username. The attacker can then use this to conduct further attacks, such as brute-force password cracking.

Figure 1-1. Printer banner exposing a username

On-site dumpsters are typically easy for attackers to access and often have no locks to secure their contents. Even if locks do exist, attackers can easily bypass them to expose the dumpsters’ contents.

More and more attackers are learning ways to bypass locks. Information security conferences often conduct lock-picking contests in which contestants are judged based on the speed with which they can pick a lock or the variety of locks they can bypass. Figure 1-2 shows a photo of the electronic timing system used to test contestants’ speed in bypassing a lock at the DEFCON 12 hacker convention. Even locks don’t prevent attackers from going through the contents of a dumpster.

Figure 1-2. Electronic timing system at DEFCON 12’s lock-picking contest (picture provided by Deviant Ollam)

As long as attackers can obtain useful information from trash cans and dumpsters, dumpster diving will continue to be an avenue for information gathering.

Hanging Out at the Corporate Campus

Attackers often go on-site, to the corporate location, to gain more information about their targets. Attackers have determined they can gain intricate knowledge about an organization just by walking around the corporate campus and overhearing work conversations.

Employees are often oblivious to the fact that some people walking around corporate campuses aren’t company employees. Attackers can overhear conversations regarding confidential topics such as IPOs, products in development, and impending layoffs. This information can become useful in social engineering attacks involving phone calls and emails, which we will address in later chapters. For now, here is a sample conversation that is typical of what an attacker may overhear at a corporate campus, involving two employees walking to their cars:

Sam: …but that’s why the Rams won the game.

Bob: Yeah, but it was a close game.

Sam: The seats were unbelievable. I wish you and Sally could’ve come.

Bob: Yeah, me too; too many conference calls last night with the investment bank.

Sam: I forgot about that. How is the IPO work going anyway?

Bob: Pretty good. We have obtained underwriting from Large Investment Bank XYZ Corporation. The share price is currently being set at around 15. The bank thinks that is around 70% of what the stock will go for on the open market.

Sam: Well, that should be a nice little investment for them.

Bob: Yeah. Well, our shares should be worth more after the 180-day waiting period too.

Sam: All right! That’s what I like to hear.

The information that is exposed in this conversation may not seem super-sensitive. But this information may aid an attacker in gaining an employee’s trust, since he knows about the IPO work that is being done. This information may even help someone who is not an attacker. It may help a non-critical employee or some other person who was walking around the corporate campus that day.

Cigarette smokers are easy targets for gathering information about an organization. Typically, smokers have designated areas for their breaks; attackers can hang out in these areas, asking for “a light” and beginning a conversation with an employee about internal projects or intellectual property.

The following is a conversation involving a person who appears to be an employee walking back to the building from lunch. The person stops and lights a cigarette and begins a conversation with a director at the company.

Employee: How’s it going?

Director: Good. (Reading a newspaper)

Employee: Good to hear. (Waits patiently)

*After a few seconds*

Director: You know, every time I read one of these electronics ads, I want to go to the store and buy something. But once I get there I realize why I don’t go there. They have horrible customer service.

Employee: I totally agree. What are you interested in purchasing?

Director: Well, I was thinking about the....

*General small talk regarding television sets*

Employee: Yeah, I would get the LCD television. So, when is the Q4 earnings call? I don’t think I received an email with the date yet.

Director: January 25. But it’s a year-end call. As you know, here at Large Organization we have year-end calls instead of Q4 calls.

Employee: How are we handling ourselves with the way the economy is going right now?

Director: Well, I can’t comment. It would be considered insider information. I wouldn’t want you to suffer from insider trading.

Employee: Yeah, I understand. You can’t be too careful nowadays.

Director: Nothing to be concerned about. (She walks toward the door.)

Employee: I just want to know if I will have a job next year at this time. Ha!

Director: Don’t worry about that. We did better this year than last year, even with the slumping economy. Have a good day.

Employee: Have a good one.

Even though the director stated she couldn’t give out “insider” information, she still did. She stated, “We did better this year than last year.” This is exactly the type of information the attacker is looking for.

In addition to overhearing or engaging in conversations on corporate campuses, attackers will attempt to follow employees into buildings. This is referred to as “piggybacking” and can be quite successful. Once inside a building, the attacker may attempt to check for unlocked doors that may provide additional areas to access or may expose the attacker to more corporate information.

While attempting a physical penetration test for a client, we, the authors of this book, were able to piggyback an employee into a building. Once inside the building, we began to open doors to see which additional areas we might be able to access. We discovered an unlocked room in which employee badges were created. We created badges for ourselves (the computer’s password was the name of the company) and we no longer needed to piggyback employees into the building.