Tracking Employees

Attackers do not necessarily limit their attacks to organizations. Often, the attacks are aimed at specific employees and business units of the target organization. The human factor is still the weakest part of the organization.

First things first: attackers need to gather employee lists and then correlate attack vectors to them. In doing so, attackers have a better chance of successfully entering the target organization.

A critical step for attackers is to gather a target list of employees. This list will often contain employee names, personal and work email addresses, home addresses, work and home phone numbers, and some interesting notes about the employees.

The information contained in such an employee list can have multiple uses. For example, certain information about an employee may suggest that the best attack method is social engineering through intimidation. Another employee’s profile may suggest she is particularly vulnerable to clicking links from emails received from social applications.

Email Harvesting with theHarvester

One of the first steps an attacker needs to take is to gather the corporate email addresses of employees. Attackers do this by using search engines or by crawling the corporate website. In addition, they can search forums, looking for email addresses ending in the target domain.

Obtaining email addresses provides a starting point for an attacker; once he has the email addresses, he can research the employees in more depth.

theHarvester, also known as goog-mail.py, is a tool for enumerating email addresses from a target domain using these methods. You can configure theHarvester to use Google or the MSN search engine, as well as attempt enumeration on PGP servers and LinkedIn.com. The following example demonstrates how to use theHarvester.py to find email addresses belonging to example.com using Google as the search engine:

$ python theHarvester.py -d example.com -b google -l 1000

*************************************
*TheHarvester Ver. 1.4              *
*Coded by laramies                  *
*Edge-Security Research             *
*cmartorella@edge-security.com      *
*************************************

Searching for example.com in google :
========================================

Total results:  326000000
Limit:  1000
Searching results: 0
Searching results: 100
Searching results: 200
Searching results: 300
Searching results: 400
Searching results: 500
Searching results: 600
Searching results: 700
Searching results: 800
Searching results: 900

Accounts found:
====================
psurgimath@example.com
csmith@example.com
info@example.com
brios@example.com
jlee@example.com
====================

Total results:  5

Note

theHarvester is available on BackTrack 3 under the /pentest/enumeration/google directory and is named goog-mail.py. It is also available for download at http://www.edge-security.com/theHarvester.php.
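For defenders, the same tool turns into an exposure monitor: run it against your own domain and track which mailboxes have become publicly discoverable. The following parser is an added example, not part of the book or of theHarvester itself; it reads the "Accounts found:" block in the format shown above, keeps only addresses in the monitored domain, and diffs them against a baseline of addresses already known to be public. The sample output and the baseline list are constructed for illustration.

```python
"""Added example (not from the book): parse theHarvester-style text output for
exposure monitoring of your own domain.

Feed the tool's output to this parser to learn which mailboxes are already
public and which ones newly appeared since the last run. SAMPLE_OUTPUT is
constructed to mirror the "Accounts found:" block the tool prints; it is not
real scan data, and the baseline list below is a constructed assumption.
"""
import re

# Constructed sample in the format theHarvester 1.4 prints.
SAMPLE_OUTPUT = """\
Searching for example.com in google :
========================================

Total results:  326000000
Limit:  1000
Searching results: 0

Accounts found:
====================
psurgimath@example.com
csmith@example.com
info@example.com
brios@example.com
jlee@example.com
====================

Total results:  5
"""

# Loose address syntax check; enough to reject stray lines such as "Total results:  5".
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def parse_accounts(output: str) -> list[str]:
    """Return the addresses listed in the 'Accounts found:' block, in order, lowercased."""
    accounts: list[str] = []
    separators_seen = 0
    in_block = False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line.startswith("Accounts found:")
            continue
        if line.startswith("="):
            separators_seen += 1
            if separators_seen == 2:  # the second '====' line closes the block
                break
            continue
        if EMAIL_RE.match(line):
            accounts.append(line.lower())
    return accounts


def filter_domain(addresses: list[str], domain: str) -> list[str]:
    """Keep only addresses in the monitored domain; search results include noise from others."""
    suffix = "@" + domain.lower()
    return sorted({a.lower() for a in addresses if a.lower().endswith(suffix)})


def new_exposures(found: list[str], baseline: list[str]) -> list[str]:
    """Addresses present in this run that were not already known to be public."""
    return sorted(set(found) - set(baseline))


if __name__ == "__main__":
    found = filter_domain(parse_accounts(SAMPLE_OUTPUT), "example.com")
    # Constructed baseline: the role mailbox is expected to be public, the others are not.
    known_public = ["info@example.com"]
    for addr in new_exposures(found, known_public):
        print("newly exposed:", addr)
```

Run the script on a saved copy of the tool's output; any address it reports as newly exposed is a mailbox that will now attract the targeted mail described in this section, so it is a good candidate for extra phishing-awareness attention and tighter mail filtering.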

Resumés

Using online search engines, attackers can search for resumés containing sensitive information. The amount of “sensitive” information contained in a resumé can be substantial. Job seekers will often include information in their resumés that could be considered sensitive and therefore could be useful to an attacker.

Most people writing resumés don’t realize that attackers can data-mine what they include, so they often describe the projects they are currently working on. These details can range from benign information or general knowledge to information that is intended for an internal audience only.

Again, an attacker can use Google to search for resumés containing the name of the target organization. For example, this search query will return Microsoft Word resumés that contain the phrase “current projects”:

resume filetype:doc "current projects"

Searches such as this turn up hundreds of results. Searching for current and previous employees of the target organization can reveal information that is important to an attacker. Information from resumés can:

  • Reveal programs, databases, and operating systems that are used internally. Systems include SAP, MySQL, Oracle, Unix, and Windows. This information may include version numbers.

  • Reveal previous and current projects. Attackers can search for other resumés that have similar project names to attempt to locate other team members.

  • Allow attackers to link employees who worked on projects together, aiding an attacker in identifying social networks.

  • Reveal internal details of projects.

  • Reveal home addresses and phone numbers of current employees that can be used in social engineering attacks.

The projects listed in the sample resumé illustrated in Figure 1-13 include competitive products currently in development, information about SAP integration, and a hybrid engine purchased by Boeing in September 2006.

Figure 1-13. Resumé with information that could potentially help an attacker

Job Postings

In addition to resumés, job postings can lead attackers to useful information. Job postings are often found on corporate websites or through job search sites (for example, Monster.com). Some job postings contain information such as hiring managers’ names, corporate email addresses, or additional information that can aid attackers in tracking down employees.

Using information gathered from a simple job posting, along with ideas we presented earlier in the chapter, we will demonstrate how we were able to track down a target employee. Our first step was to search a job posting site looking for hiring managers. After searching Monster.com for a hiring manager from the target organization, we acquired the email address shown in Figure 1-14.

Figure 1-14. Job posting listing the hiring manager’s email address

Once we obtained the email address, we used Google to track down information on the hiring manager, as illustrated in Figure 1-15. The information we obtained identified the hiring manager’s name and work phone number. We found this information on the company’s corporate website.

Figure 1-15. A Google search revealing the hiring manager’s full name and work extension

Now we had a work number and extension. What other information can we dig up?

Using LinkedIn, we searched for the hiring manager along with the name of the organization. We successfully identified the hiring manager’s profile, which gave us more information about her. Figure 1-16 is a screenshot of the hiring manager’s LinkedIn page, which contains a wealth of information that we could use for nefarious purposes.

Figure 1-16. The hiring manager’s LinkedIn profile

Now we have professional information about the target. Can we dig further to identify other personal information? Can we use this information to intimidate or blackmail the hiring manager?

Assume that we browse to some social application sites and use the hiring manager’s name as a search term. We can limit the results based on the geographic location listed in the target’s LinkedIn profile. We can use additional information to limit results, including the target’s age and occupation, and even her social contacts. Figure 1-17 shows the target’s MySpace profile.

Figure 1-17. The hiring manager’s MySpace page

This demonstrates the impact that a few pieces of information can have. Using that information, we were able to obtain additional information about the victim and her organization. Clearly, job postings can help attackers identify key people and give them a starting point for an attack.

Google Calendar

Attackers can use Google Calendar, located at http://calendar.google.com, to find information about companies and their employees. Using a valid Google account, an attacker can search through public calendars. Most individuals are aware that public calendars shouldn’t contain sensitive or confidential information. But people often forget this fact after they have made their calendar public. Information in public calendars can include internal company deadlines, internal projects, and even dial-in information.

Figure 1-18 shows the dial-in number and code required to attend an IBO teleconference. Attackers can use this public information to call in and “overhear” the conference call.

Figure 1-18. Dial-in information obtained from calendar.google.com

Figure 1-19 shows another conference call, but outlines more detail about the call. The description states that three vendors will be making their final pitches to the organization. The description goes on to say that the company is not informing the vendors about the other phone calls to avoid having them “listen in” on their competition’s calls. Why did someone put this in his public calendar for the world to see? It is clear how this may aid an attacker and a competitor.

Figure 1-19. Dial-in information regarding vendor calls
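The calendar entries in Figures 1-18 and 1-19 share a recognizable shape: a phone number, an access code, and wording that marks the content as internal. An organization can catch that shape before an entry goes public. The review below is an added example, not code from the book or from Google Calendar; it scans the title and description of events marked public and reports the leak categories it finds. All events, phone numbers, codes and project names in it are constructed for illustration (the 555-555-xxxx numbers are reserved fictional numbers).

```python
"""Added example (not from the book): flag calendar entries that would leak
dial-in details or internal information if left public.

A pre-publication review for the kinds of entries the chapter describes
(conference bridges with access codes, notes marked internal). Every event,
number, code and project name below is constructed for illustration.
"""
import re

# North American style number; the \b keeps it from eating a following access code.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# "access code 123456", "PIN: 4321", "passcode #998877" and similar.
CODE_RE = re.compile(
    r"\b(?:access|conference|participant|meeting)?\s*(?:code|pin|passcode|password)\b\s*[:#]?\s*(\d{4,10})\b",
    re.IGNORECASE,
)
DIALIN_RE = re.compile(r"\b(?:dial[- ]?in|bridge|teleconference|conference call)\b", re.IGNORECASE)
INTERNAL_RE = re.compile(
    r"\b(?:internal(?: only)?|confidential|do not (?:share|forward)|not for distribution)\b",
    re.IGNORECASE,
)


def assess_event(event: dict) -> list[str]:
    """Return the leak categories found in one event's title and description."""
    text = f"{event.get('title', '')}\n{event.get('description', '')}"
    findings: list[str] = []
    has_code = CODE_RE.search(text) is not None
    if PHONE_RE.search(text):
        # A number next to bridge wording or a code is a dial-in, not a contact number.
        findings.append("dial-in number" if has_code or DIALIN_RE.search(text) else "phone number")
    if has_code:
        findings.append("access code")
    if INTERNAL_RE.search(text):
        findings.append("internal marker")
    return findings


def review_calendar(events: list[dict]) -> dict[str, list[str]]:
    """Map the title of each public event that has findings to what was found."""
    report: dict[str, list[str]] = {}
    for event in events:
        if event.get("visibility") != "public":
            continue  # private entries are not exposed; only review what the world can see
        findings = assess_event(event)
        if findings:
            report[event["title"]] = findings
    return report


# Constructed sample calendar; none of these are real events.
SAMPLE_EVENTS = [
    {"title": "Vendor final pitch (slot 2)", "visibility": "public",
     "description": "Dial-in: 555-555-0100, access code 123456. Vendors are not told about the other slots."},
    {"title": "Team lunch", "visibility": "public",
     "description": "Meet in the lobby at noon."},
    {"title": "Q3 planning", "visibility": "public",
     "description": "Internal only: deadline for Project Falcon moved to Sept 30."},
    {"title": "1:1 with manager", "visibility": "private",
     "description": "Bridge 555-555-0199, PIN 4321"},
]

if __name__ == "__main__":
    for title, findings in review_calendar(SAMPLE_EVENTS).items():
        print(f"{title}: {', '.join(findings)}")
```

The patterns are deliberately simple string checks, which is what makes them cheap to run over an exported calendar or over any text an organization is about to publish. A hit on "dial-in number" or "access code" in a public entry is the exact exposure the two figures show, and the fix is the same in every case: make the entry private, or move the bridge details out of the description.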
