Video Activity

Information Gathering (part 3) Targeting Email and Maltego

Video Transcript

All right, I again encourage you to run through this yourself. I'm going kind of fast here, but I encourage you to pause the videos and try these against your own organization of choice. These are certainly worth knowing. Some people specialize in information gathering; there is a lot of research to be done in the area, and at the very least you can really impress people with the things you can find. I know people who work with local law enforcement to try and find missing criminals using these kinds of open source intelligence gathering techniques. That's a useful skill to have. All right, so another thing we might want to know is some target email addresses. What email addresses are available online that we might be able to use for future attacks? You might think, well, hopefully no one is putting their corporate email address just anywhere online. But of course they are. I have found them in, like, soccer rosters,

PTA lists, mailing lists, all over the place. So we could certainly just go to Google and look, but naturally there are tools for that as well. A nice one is theHarvester, and theHarvester will basically search through different search engines, look at the results, and try to find email addresses. If I give it no options it will show us the help, and these examples down here at the bottom are useful. So we do theharvester and then the domain. So let's just go with bulbsecurity.com; there's really not that much there. And then how many results we look at: -l for the limit, I told it 500, and -b is the source. So here are all the available sources. I'm just going to do all of them and let this run. It's going to search through the different search engines and try to find us some results. It really just depends on how much is out there. There may be next to nothing. My organization has four email addresses total, so even if they were all available online, there wouldn't be much to find. It really just depends.

We'll see what we get out of this for bulbsecurity.com. It will take a few minutes to run, since it's searching through all these different search engines, but it's much quicker than, say, if we used Google and did it manually. It actually didn't find that many. It also does a little bit of host searching as well, so it found some hosts. It actually didn't find that many email addresses. So, like, this guy has a pretty good policy about telling people not to just leave their email addresses lying around, but we did find two. So these would be potential emails we could use for future attacks like social engineering. Another thing we can do is take a look at a site called Netcraft. It will give us information about a particular site. We're at netcraft.com. It does a lot of different things besides this, but what I like it for is "What's that site running?" down here to the right.

So if I do, um, say, bulbsecurity.com, there's bulbsecurity.com and there's www. Oh, that actually sent me to it. That's not what I wanted. Let me fix that and actually tell it to look up www. "What's that site running?" There we go. That looks better. Date first seen: March 2012. That sounds about right. IP address, name servers, netblock owner: GoDaddy, Domains by Proxy. PHP, XML, JavaScript, jQuery, WordPress. Indeed, WordPress, which some people have described as a backdoor with blogging functionality. So I suppose it's only really a matter of time before my site gets it. So it does have PHP support, it does have WordPress, some JavaScript, and it is run on Apache and Linux. So a little bit of information about it. So naturally anything that was for IIS, or for Drupal, or other technologies that I'm not running,

if you wanted to go after this site, you could immediately discard any of those potential vulnerabilities because my site isn't running those, but anything for WordPress or PHP or Apache, those would be things I would instead want to spend my time looking at if I wanted to break into the site. One of the good information gathering tools is Maltego. This is a graphical tool. Welcome to Maltego. We need to register; I've already registered for a free account. If you are going to use this on a pentest, they do want you to actually buy a license, but for our learning purposes we can, let's check it out. So you can give it some information here. It is going to send the activation code to your email, so do use a real email address. And see, I even made my password, and I figured this out not too long ago. Well, somebody told me in a class that it doesn't actually check the CAPTCHA.

Um, CAPTCHAs. Honestly, they're extremely hard sometimes. This one isn't so bad as CAPTCHAs go, but there have been some in Maltego where it's like there's no way I could ever get that right. You can put in anything and it will actually let you in, so you could say CAPTCHAs are hard. That's a quick one; let me just see what it was. That's right, only eight characters. It's not very good. All right, so now we can let it use the Maltego public servers for the transforms. Transforms are basically what Maltego calls its jobs where it searches. You could set up your own transform servers, but we'll use the public ones here. Now I know people who can make Maltego do just about anything, really exciting stuff, and then there are people like me who are just good enough at it to talk about it, but again, it's useful. So let's do it. Open a blank graph and let me play around.

You can kind of deviate here and just pull in whatever you want. Over here on the left are all of the entities we can run Maltego transforms on. I'll just start with the domain. So, paterva.com, you guys; let me make it bulbsecurity.com. Again, you can run this against anyone you like. We can again pull any entity from this list we want. You don't have to do the same things as me; in fact, you may find more interesting information if you don't. We right-click on any entity and you'll get transforms based on what kind of entity it is. This is a domain, so it'll have domain-based transforms, broken down into categories, as well as all transforms. So let's do, how about, to website, for bulbsecurity.com. Run transform on this. There will be different transforms here, um, to server technologies. Websites; this is similar to Netcraft.

Here I had to accept the warning. So how about: jQuery, Google, FBI, WordPress. So similar to what we saw with Netcraft, and we could get email addresses that are on that site. Probably just georgia@bulbsecurity.com, but maybe there's something else. It didn't show anything. It says it found one, huh? Let's see, this one, that's just one. This one will use a search engine, which is similar to what theHarvester does here, so it actually gets a little heavy-handed here. It's like "publicly at". Whoa there, the other one went. So the other one finished. Oh, nice, like it says: publicly at bulbsecurity.com and over at bulbsecurity.com. So basically, if you did a search, I think it's on the site for the Smartphone Pentest Framework,

when I first put it out, I said it'll be released publicly at bulbsecurity.com, wrote out "at" as a-t, and Maltego figured it was possibly an attempt to keep my email addresses from being picked up by things like this or spambots, and it turned it into an email address. But actually there is no over@bulbsecurity.com or publicly@bulbsecurity.com. Neither of those addresses exist; it just looks like it on the website. It also found additional email addresses like info@nostarch.com. My book Penetration Testing came from No Starch, so I guess I tell them to contact No Starch. And here's another one where it's "look at AndroidManifest.xml". Obviously I was telling them to actually look at it, not trying to hide an email address. Let's see, so we could do: search Pastebin for email. That's always fun; you never know what you'll get. I'm running it against info@nostarch.com. I typically run it against me, but that's always a little bit depressing. It seems like nobody is ever putting my info on Pastebin.

Pastebin says there is no info@nostarch.com on Pastebin. Okay, let's see what they have. Same for georgia@bulbsecurity.com. Let's see, I don't have a Myspace account on it. Nothing on Pastebin for mine either. Interesting: other URLs that it appears on. Let's see who else is talking about me these days. Looks like a bunch of slides. Hey, there are just about all my SlideShares. So you can go really far with it. I mean, I've seen people break into people's Flickr accounts and stuff through it, but with a certain amount of just playing around you can get pretty competent and find a lot of information. Plus it makes pretty graphs, and everybody likes pretty graphs, and customers like pretty graphs. It's something you might put in your report and make yourself look really cool.

But it does put "for non-commercial use only" in the background, so you would need to buy a license if you wanted to use this on a pentest, but I encourage you to play around with it. Information gathering is some people's favorite thing. Some people don't like it, so it really just depends. So something just about everybody does like is Shodan. It's a website, shodanhq.com, Shodan HQ, so we can set up an account with this, and it'll give us better results and we can filter them. Basically, what this does is not super particularly sophisticated; even so, it's amazing that it's this cool. It is just based on this: it just looks at banners that are served on the Internet, and based on what banners come up it can show you lots of interesting stuff. So basically exposed online devices. So my favorite one, just as an example: webcamXP. So the banner for a certain kind of webcam that may or may not have a password on it. So again, all of this is public. I mean, people have logins in front of their stuff.

We would be attacking them if we even tried default credentials. But if there's no login and it's just on the Internet somewhere, there's no reason we can't take a look at what's there. See this one right here, the first one on the list? It does have a username and password, so we'll leave that alone. This is not our client. So we'll see if we can find one that's open. Here's one. So it looks like someone is doing laundry somewhere. So again, this is just publicly available. I don't know why people put their webcams on the Internet, but here is a person who's doing laundry. So that's always fun. People have set up things that are kind of like the original Facebook, before it was Facebook, where there were two pictures and it was "who's hotter?"

I mean, people have set up things with Shodan where it pulls two webcams and asks which one is more fun to look at, kind of thing. So webcamXP is just one example of a search query you can do, and in this case it comes up with people's webcams. But you can look for pretty much anything that's distinguishable by banner. So basically, what comes back, it'll check there and look for it, webcamXP in this case. So you can search for some more interesting ones to play with. But, I mean, that's always fun. At the very least you can impress your friends: "Oh my God, you can really do that?" So two seconds of learning and now you're really impressive, right?
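The two primitives the tools in this video rely on, as an added worked example that is not part of the transcript and is not the code of theHarvester, Maltego or Shodan: extracting email addresses from page text, including the "user at domain dot com" obfuscation that produced the bogus publicly@ and over@ addresses discussed above, and matching a query such as webcamXP against stored service banners, flagging hosts whose banner already advertises a login so they can be left alone. The sample page text, the banners, the hosts (RFC 5737 TEST-NET addresses) and the regular expressions are this example's own constructions and assumptions, not real captures or real tool output.

```python
"""Added example: two primitives behind the OSINT tools shown in the video.
1. Email harvesting from page text (what theHarvester and Maltego's
   search-engine transform do), including "user at domain dot com" obfuscation.
2. Shodan-style banner matching, flagging hosts that advertise a login.
All sample text, banners and hosts below are constructed for the example."""
import re

# --- 1. Email harvesting ---------------------------------------------------

# Constructed page text standing in for search-engine results. The second and
# third lines are ordinary prose that the obfuscation pattern mistakes for an
# address, the same false positives described in the transcript.
SAMPLE_PAGE = """\
Contact: georgia@bulbsecurity.com or info@nostarch.com about the book.
The framework will be released publicly at bulbsecurity.com.
Look at AndroidManifest.xml before you build.
Reach me at georgia [at] bulbsecurity [dot] com or press at bulbsecurity dot com
"""

# Addresses written literally.
LITERAL_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# "user at domain dot com", "user [at] domain [dot] com", "user (at) domain.com".
# A bare "." is accepted only with no whitespace around it, so a sentence that
# ends in "bulbsecurity.com." does not swallow the next line's first word.
_AT = r"(?:\[at\]|\(at\)|\bat\b)"
_DOT = r"(?:\s*(?:\[dot\]|\(dot\)|\bdot\b)\s*|\.)"
OBFUSCATED_EMAIL = re.compile(
    rf"\b([A-Za-z0-9._%+-]+)\s*{_AT}\s*([A-Za-z0-9-]+(?:{_DOT}[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)


def _normalize_domain(raw):
    """Turn 'bulbsecurity [dot] com' into 'bulbsecurity.com'."""
    return re.sub(r"\s*(?:\[dot\]|\(dot\)|\bdot\b)\s*", ".", raw,
                  flags=re.IGNORECASE).lower()


def in_scope(domain, target):
    """True for the target domain itself or any subdomain of it."""
    domain, target = domain.lower(), target.lower()
    return domain == target or domain.endswith("." + target)


def harvest_emails(text, target_domain):
    """Return in-scope candidates in page order, deduplicated, each tagged with
    how it was found. Candidates rebuilt from at/dot obfuscation are a lead to
    verify, not a confirmed address: "released publicly at bulbsecurity.com"
    fits the pattern as well as a real address does and yields a non-existent
    publicly@bulbsecurity.com."""
    found = {}  # email -> source; dict order is page order, first sighting wins
    for m in LITERAL_EMAIL.finditer(text):
        found.setdefault(m.group(0).lower(), "literal")
    for m in OBFUSCATED_EMAIL.finditer(text):
        email = f"{m.group(1).lower()}@{_normalize_domain(m.group(2))}"
        found.setdefault(email, "deobfuscated")
    return [{"email": e, "source": s} for e, s in found.items()
            if in_scope(e.rsplit("@", 1)[1], target_domain)]


# --- 2. Banner search ------------------------------------------------------

# Constructed banners keyed by host:port (RFC 5737 TEST-NET-3 addresses).
SAMPLE_BANNERS = {
    "203.0.113.10:8080": "HTTP/1.1 200 OK\r\nServer: webcamXP 5\r\n"
                         "Content-Type: text/html\r\n\r\n",
    "203.0.113.11:8080": "HTTP/1.1 401 Unauthorized\r\nServer: webcamXP 5\r\n"
                         'WWW-Authenticate: Basic realm="webcamXP"\r\n\r\n',
    "203.0.113.12:80": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
    "203.0.113.13:21": "220 ProFTPD Server ready.\r\n",
}


def requires_auth(banner):
    """True when the banner itself says a login stands in front of the service
    (HTTP 401/407 or a WWW-Authenticate header). Only the stored banner is
    inspected; nothing is sent to the host."""
    status = banner.split("\r\n", 1)[0].split()
    if len(status) >= 2 and status[0].startswith("HTTP/") and status[1] in ("401", "407"):
        return True
    return "www-authenticate:" in banner.lower()


def banner_search(banners, query):
    """Shodan-style case-insensitive substring match over stored banners. Each
    hit says whether it advertises authentication, so those can be left alone."""
    q = query.lower()
    return [{"host": host, "auth_required": requires_auth(banner)}
            for host, banner in banners.items() if q in banner.lower()]


if __name__ == "__main__":
    for hit in harvest_emails(SAMPLE_PAGE, "bulbsecurity.com"):
        print(f"{hit['email']:32} {hit['source']}")
    for hit in banner_search(SAMPLE_BANNERS, "webcamXP"):
        print(f"{hit['host']:20} auth_required={hit['auth_required']}")
```

Run against the constructed page, the harvester returns georgia@bulbsecurity.com as a literal address and publicly@bulbsecurity.com and press@bulbsecurity.com as deobfuscated ones; "Look at AndroidManifest.xml" also matches the obfuscation pattern but is dropped only because androidmanifest.xml is outside the target domain, which is why anything tagged deobfuscated should be checked before it goes into a social-engineering list. The banner search returns both webcamXP hosts, with the one that answers 401 marked auth_required so that, as in the video, it is left alone.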

Course link:
Advanced Penetration Testing
The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.
Instructed by
Georgia Weidman

I am the founder and CTO at Shevirah and Bulb Security LLC. I am a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. I hold an MS in computer science, and I also hold the CISSP, CEH, and OSCP certifications.