13 hours 9 minutes
Hello and welcome to the penetration testing execution standard discussion. Today we're going to be looking at open source intelligence and this is going to be part one of three and our discussions. So a quick disclaimer. The Pee test videos do cover tools that could be used for system hacking.
Any tools discussed or years during the demonstrations should be researched and understood by the user.
Please research your laws and regulations regarding the use of such tools in your given area. While we're having fun and learning, we want to ensure that we don't get into any trouble with the local authorities. So let's go ahead and jump into our objectives. They're a bit lengthy of a list today,
so we're going to discuss the forms that have sent takes. And so there are three forms that we're going to be looking at on those forms. We will hit next on the following slide here. We're going to discuss physical oh, stent and specifically locations. Pervasiveness of controls and relationships with respect to physical. Oh, sent.
We're going to discuss logical Oh, sent.
And then we're going to discuss how we can look at and utilize an orb chart in our intelligence gathering and claiming techniques. So let's jump straight in two forms of o cents. So as indicated, there are three.
So the first of the three is passive information gathering. And so in this method you're never detected
by the target and gathering, archived or stored information is the key here, so we're not directly query in a system. We're not pulling data office system. We're not attempting to actively engage a system where we create traffic. Semi passive is the second
it looks like normal Internet traffic. We're not doing in depth reverse lookups. We're not brute forcing de NS requests, and so we're not doing anything
out of the ordinary that would be perceived as anything other than standard bots or Internet traffic, or something that's going on that we really don't need to look into a pay attention to semi passes.
Active is when we're actively mapping
and the new Marine in Objects Service's etcetera so typically falls again into reconnaissance or scanning phases of penetration Testing.
This is when you're triggering alerts on intrusion detection systems. This is when you're being blocked by the firewall. If it's got I P s in place.
So those air the three primary forms of open source intelligence really the 1st 2 we want to try and use to see what's out there. As far as on the Internet,
social media, things of that nature will discuss all of that soon. The last is really where we're directly hitting a system and trying to figure out what we can glean from that.
So let's jump into physical Oh sent.
So starting with locations, which is classified as an L one here, so you should be able to use some basic tools to gather this type of information we're doing per location lists, like full addresses, ownership Associated records with city tax information listing of all physical security measures for the location so that could be
camera placement sensors, fences, guard posts,
entry controls, gates supplier entrances, physical locations based on I P blocks. Geo location service is etcetera. So this is important as you're looking up, maybe on Google or some other search engine, the name of the business, and you pull six locations and you've been given to
It's relevant at that point to maybe ask about the other four what those are.
You could easily pull up maybe a street view from Google and see fences, see some additional guard posts or see some information specific to the location. So it's important to use some of those things that are at your disposal to attempt to understand the locations and what's going on there.
Pervasiveness is essentially where there are multiple separate physical locations. Okay, so the organization has multiple locations, and in the central office they have very well laid out controls.
But security maybe isn't as good at the remote locations, and they may have poor controls in place. And so when we say pervasiveness with respect to physical open source, intelligence
is the level of control, the level of protections going to be the same
between the central location and the remote location. Because if we've got all of our eggs in one basket per se
in that basket has connections out to other remote locations that can equally access the data sets.
But those locations don't have the same level of either physical controls in place as well as logical.
Then they could be, ah, high risk of letting an infection in having an attacker slipped us be on the premise. Whatever the case may be,
they would pose a higher level of risk because the controls are not pervasive. They're not is well laid out throughout the other locations because we're only focusing on the central location.
And then we talk about relationships. And so business partners
are part of that relationship. Cussed customers, suppliers, analysis via openly shared or corporate Web pages. So rental companies, things of that nature information could be used to better understand the business or organizational projects. So, for example,
products or service's are critical to the target organization. So if I make widgets
and I buy my widget paint from a specific provider than that provider is important, if that provider has a remote connection into my organization to ensure that my widget painting system is up to date,
then that connection is critical to the success of my widget organization. So
knowing those things and knowing those relationships, knowing those connections
critical to understanding the risk profile of the organization and and again some of this can be useful for social engineering scenarios as well. Now that all comes back to the rules of engagement,
and what is a minute and is not off limits with respect to testing.
But if we were full spectrum here and you're allowed to impersonate
business partners or partner organizations, being aware
of the widget painters connection into the organization, being aware of maybe 1/3 party technical resource that the organization uses for crumble shooting our company being aware of how maybe customers can call in to file complaints or ask for additional information
or to get data or feedback on accounts
that could all be beneficial in pretexting and setting up a believable social engineering campaign in your testing process now logical Oh sent
is accumulated. Information for partners, clients, competitors. Um, so this is for each one a full listing of the business name, business address type of relationship, basic financial information, basic host network information. So if you can get that data
about a business partner, if you can collect systems information etcetera, than that would be huge. So for business partners, targets advertised business partners, sometimes on the main website, the W W. W. And so,
if you've ever been thio this, just say a provider's Web site of a service. We are Adele partner. We are in a T and T partner. We are a Comcast partner awhile partner. We are a global provider of X y Z service through X y Z business
that convict eight. How they run their business, the types of technology they use. If they're a partner with the M, where then it's likely that they used VM where more than they would use hyper V
So taking those things into account from the website
and those relationships could give you some indicators as to what types of technology they're using internally.
Business clients targets advertised business clients, sometimes again on the main site. So if we're partners with a logistics company, maybe we do business with the logistics company. Maybe they help us to move product. Moved the widgets from location eight to location beat. So is that widget company, or is that logistics company connected to us?
We do business with X Y Z
Do we provide any surfaces to those charities? Do those charities call us for assistance and things of that nature that can all play into again
social engineering, building a strong pretext and understanding critical risk points in the organization? Now, competitors
may require a little more analysis, but knowing who our competitors are
and what they're doing within the market and what technologies they're using. A lot of times competitors will attempt to mimic or offer similar service is
as their competition. And so you may be able to go to a competitors site and see information that may be beneficial to what you're doing. It may not be beneficial if it's eerily similar. Is there something that that competitors getting are doing that's providing them insider information?
All of that may be worth looking into and worthwhile. You'll also know
that each of these have a level 12 and three designation, meaning that you can really go as shallow or as deep as the engagement would dictate for these areas. If you're using something like Multi Go or the harvester,
you know it could potentially assist in getting some information from sites.
You can also use some skinning sites for the website to get key. You know, word, information, things of that nature. But
again, all depends on the level and scope of the engagement and what the end goals are that you have in mind.
let's talk about the orb chart.
So with the orchard, the biggest thing. You want to look at his position identification
in that we're looking at important people in the organization,
and that helps us to target specific persons
transactions. So mapping on changes within the organizations of promotions, lateral movements and then affiliates so mapping of affiliate organizations that are tied to the business there may be some cases were nor chart ties into another business or another organization.
Typically, what I see is when you go to, um,
ah, business website, you've got, like, a teams
area or something of that nature, and then from there they'll map out leadership in something of that nature. And so this really gives you an idea when you're looking at social engineering, looking at leadership, looking at decision makers, looking at building a strong social engineering pretext
or story or campaign or whatever the case may be, the Orc chart is really going to be beneficial in understanding the relationships of different employees in the organization, understanding who to use as faras if you're throwing a name out
when you're doing some type of vision, call or mass mailer to a particular department.
Whatever the case, may be the or chart, if it does connect out to other partner organizations could be beneficial in vamp in a relationship. I don't see that all the time.
What I'm looking at or tarts typically the publicly available components oven or are going to be the executive team in the leadership and management team for an organization, which is usually why most of your junk mail and things that nature find your inbox because folks will pick out those people on,
um, the website and then they'll send you, you know, e mails, and they'll try to craft based on first name, last initial
first initial last name, whatever the case may be.
So the or chart can be beneficial when building a social engineering campaign or just trying to understand the relationships of team members within the structure.
So let's do a quick check on learning
passive information gathering could be detected by the target.
All right, so
passive information gathering
should not be detected by the target. So passive information gathering false because it should not, so it should not be detected by the target, not not not detected. If you're doing semi passive or active information, gathering there. There's definitely an active information gathered that the target could detect it.
Unless they don't have some things in place, it would allow them to
semi passive. There may be a chance that they do or don't it would be normal Internet traffic on semi passive and so they may not pick that up, but definitely on active. They could if they have the tools in place. So that was false. So let's go ahead and summarize everything for today's discussion.
So we looked at the three forms that oh sent takes passive active
ah, and semi passive in nature. We looked at physical oh sent with respect to locations, pervasiveness of controls throughout remote locations versus the central location and the importance of understanding relationships with respect to physical locations. We discussed logical oh, sent.
And then we at last discussed some high level uses for the orc chart
and some techniques that we can use with that information as faras mass mailing or targeted fishing campaigns or vision. Whatever the case may be, that old chart could be beneficial as well. So, with that in mind, I'm gonna thank you for your time today, and I look forward to seeing you again soon.