OSINT Part 2

00:00

Hello and welcome to another penetration. Testing execution. Standard discussion today we're looking at oh, sent part two. Now a quick disclaimer. Pee test videos do cover tools that could be used for system hacking. Any tools discussed are used during demonstrations should be understood by the user.

00:20

Please research your laws

00:22

and regulations regarding the use of such tools in your given area. If we're learning to use a new tool or we're just trying to in general, figure out how until works, we want to ensure that we're safe and not violating any laws.

00:37

So what are the objectives for today's particular discussion?

00:41

What we're going to be looking at electronico sent as well as meta data. We're going to discuss infrastructure, assets and so some different types of oh sent in that particular area, and then we're going to discuss financial ascent. Now,

00:55

some of this information

00:57

may be pertinent to your particular campaign or your particular test,

01:03

but also some of it may be outside of the scope, and it may not be relevant to what objectives you're trying to achieve or what it is that your client is expecting.

01:11

So each of these things should be taken and used as necessary based on the skull. Open what it is you're trying to achieve, so let's go ahead and jump right into metadata. So

01:23

what is meant? A data You may have heard. The term it is data about data so metadata or minute content provides information about the data document that is within the scope so it can have information such as the author's name. The time it was created, the date standard used or referred to locations

01:42

in a computer network. The printer folder directories, paths, files, etcetera,

01:47

so it can be very powerful information if it tells us the location of a directory where the document was stored, that could be pertinent because then there could be other documents that are stored. There are other sets of sensitive information. It could give us a computer name,

02:02

which could be pertinent in understanding the naming scheme

02:07

for the organization. Geo tags and geo information can be beneficial because we could understand that this is a remote employee that works from home and uses a company asset. We could understand if this is a location that maybe is not given to us in the scope

02:23

so there's a lot of things that this information conduce for us. For images, it can contain things like color resolution, camera making type coordinates as well as location information, so this again could be useful for pinpointing

02:38

where the photo was taken, whether or not it was at a partner location. What kind of events

02:45

are we taking pictures at? So there's a lot of different things that you can read into and use metadata. Four.

02:53

So what would you,

02:55

uh do? Or why would you do it?

02:59

Well, as we were discussing, it's important because it contains information about the internal network user names, email addresses, printer locations and can help you to create a blueprint of the location and also contains information about software that's used in creating the respect of document. And it can enable an attacker to create a profile

03:17

and or perform targeted attacks with internal knowledge on the network and users.

03:23

So that's critical, because if we can find email addresses

03:27

or user names associated with the organization with the target organization, that helps us to better understand the common naming scheme for user names as well as email addresses

03:38

and again, that can be utilized in social engineering is well as putting together an attack.

03:46

So, man, a date is definitely important in that respect. So what are a few tools

03:52

that we can use for extracting metadata?

03:54

Well, we've got a focal. We've got meta goo foul. We've got many extractor. We've got exit tools. So each of these allows you to

04:08

either look formatted data on sites and at different locations, as well as extract the contents out of that particular file. Some of them provide decent reports. Some of them provide just what they provided the CLI.

04:23

So I would look at each of these on determine what's going to be best based on the use and based on the case of what you're trying to achieve. But there are plenty of tools outside of this or even some online tools that you can use

04:35

for putting files in in those particular sites extract meta data. But I'm always cautious about using third party sites.

04:44

You never know what data they're holding on to and what they're using. That information for

04:49

now, infrastructure assets. This is a pretty short list, but there is more ends, so let's touch on what each of these is important. So the network block that his own can be both internal or external, but particularly this would be the external network block that would be owned. So we're looking at

05:08

what addresses air provided by the Internet service provider.

05:12

I know that I've seen network blocks before that are a full 254 dresses, and that's just because the ice P doesn't sub net really well. So you need to make sure that you're careful

05:21

when you're identifying a network block that you actually know what is owned and what's being used.

05:28

Email addresses are important because again, if we're going to do any type of social engineering, if we're going to do any type of research online for where that email address, maybe it could be message boards. It could be, you know, the I T guys use Microsoft message boards or the use external message boards, third party message boards to try and

05:46

work out problems or get feedback from the community.

05:48

Whatever the case may be, knowing the email addresses could be beneficial.

05:54

The external F infrastructure profile. So can we detect firewalls? How does everything look? Do they have a cloud based assets? Do they have multiple locations? Do they have backup sites?

06:03

What are we able t extrapolate from that

06:08

technologies used so through things like job post steins again through some active intelligence gathering Through the review of partner pages, we could build kind of a profile

06:21

on what technologies the organization would be using on and then that could, as again, assist us in that process.

06:30

Now purchase agreements can be beneficial again and understanding what technologies air in place.

06:35

Something that's not listed here would be if the particular target or the particular organization has ever put out an R F P,

06:45

typically or if peace give information about the organization about its technologies about, you know, future projects and things that it may be trying to do. So. If an R P was put out in 2016

06:59

to be selected and fulfilled in 2017 then there could still be some relevant technology as you move into 2018 2019. But if you got 2026

07:10

that technology may be outdated. It may no longer be present in the environment, so our peace can be beneficial in that as well.

07:16

If you're able to find remote access that they used some type of remote access tool or remote access technique that could be beneficial. Application usage again is huge. So if we figure that out through either job postings, if we figure that out through metadata and documents

07:34

things of that nature on message boards, that could be beneficial. Because if they use

07:39

older software's, we may be able to find exploits that could be used at a later phase of the test,

07:46

or at least less some potential methods that could be used for exploiting the system. So that could be beneficial. Defense technologies air great when we're working on bypassing controls and understanding what they should be able to do from a capability standpoint.

08:01

So it's going to be critical to understand those things on be able to provide a kind of a risk profile and potential attack vectors through those as well. And then human capability is going to be ah, component of infrastructure assets as well.

08:16

Now, this may not always be applicable to the organization that you're reviewing, and the the actual information may not even be available. If you're working with a private company. But financials are primarily coming from folks that have to comply with the SEC,

08:33

um, and report on an annual basis. And so you can look at those reports market analysis, etcetera. There's a system called Anger,

08:43

which is a database of information that contains registration statements, periodic reports and other informations of all companies, both foreign and domestic,

08:54

that are required by law to file again. Financial data may not be partner to the information gathering phase of your particular test. It may not be pertinent to the risk announces that you're doing because you just don't have time or it's not specific to a Web implication

09:11

if you're just doing full spectrum and the client has given you three months to really compile a profile and attempt to

09:18

attack systems and understand connections and really see what you can see about the organization, financial data may be pertinent,

09:24

but again,

09:26

depending on the Golan, depending on what you're trying to do, this may not be as is beneficial, and it may not be relevant to the current engagement's. Always keep that in mind, especially for publicly traded companies, private companies. You may not find a lot of financial information out there because they're not held to the same standards that publicly traded into teeth are.

09:45

So let's do a quick check on learning.

09:48

True or false metadata could provide geo location information.

09:54

All right, so that is a pretty easy one. That is a true statement. Metadata can include and provide geo location, information

10:05

based on the software used or the tool used, or the way in which the document was created, especially in images and things of that nature. So Geo location information can be important in establishing additional locations within. The scope is well, as if we have employees that work remotely,

10:24

which means that there could be some form of remote access that would be needed to systems, et cetera, so that can all be beneficial.

10:31

So in summary, we looked at electronico sent today and particularly metadata and how that could be beneficial for us. As a tester, we discussed infrastructure assets and gave some examples of how each of those areas could be beneficial and useful in our testing.

10:48

And then we discussed financials, particularly four publicly traded companies.