Reconnaissance
Summary
The remote assessment methodology focuses on direct observation of an organization and their infrastructure, consisting of passive reconnaissance of publicly available data sources ("Open Source Intelligence") This allows the auditor to identify publicly available resources (such as websites, extranets, email servers, but also social media information) connected to the organization and remotely gather information about those resources.
Purpose
While much of SAFETAG focuses on digital security challenges within and around the office, unintended information available from "open sources" can pose real threats and deserve significant attention. This also builds the Auditor's understanding of the organization's digital presence and will guide specific vulnerabilities to investigate once on site.
The Flow Of Information
Guiding Questions
- Depending on the organization's security needs, does it "leak" any sensitive information online (location, staff identities, program locations?)
- Can you identify partners or beneficiaries through the organizations sites?
- What is the pattern for staff e-mail addresses?
- Have any of the the organization's servers, users, or e-mail accounts been compromised in the past?
Approaches
- Manual OSINT: Identify availability of partner, beneficiary, and current project information online using advanced Google searching and website-scraping. 1
- Recon-NG: Use recon-ng to do automated web-based open source reconnaissance. 2
- Social Network OSINT: Identify availability of staff partner, beneficiary, and current project information by searching social networks for information leaked about the organization.
Outputs
- Dossier of organizational, partner, and beneficiary "open sources" information exposed online.
- A list of e-mail address for members of the organization.
- Identification and mapping of externally facing services and unintentionally exposed internal services.
- Possible vulnerabilities in the websites and externally facing servers of the organization.
- Existing information about earlier breaches identified in the paste-bin search.
- Follow the proper incident response plan if high risk problems are identified.
Operational Security
- While this does not focus on identifying of vulnerabilities, it may nonetheless expose certain threats, particularly with regard to publicly-accessible information that is presumed to be confidential, such as the identity of sensitive staff, the existence of sensitive partner- and funder-relationships, or the organization’s history of participation in sensitive events or travel to sensitive locations.
Preparation
Resources
Open Source Intelligence (General)
Standard: Intelligence Gathering (The Penetration Testing Execution Standard)
Guide: "Passive Reconnaissance" (Security Sift)
Tool: "NameChk account search" (NameChk)
List: "Open Source Intelligence Links" (Intel Techniques)
List: "OSINT Tools - Recommendations List Free OSINT Tools." (subliminalhacking.net)
Guide: "OWASP Testing Guide v4 - Information Gathering" (OWASP)
Organizational Information Gathering
- Database: "find the email address formats in use at thousands of companies." (Email Format)
Searching
Online Courses: Power Searching and Advanced Power Searching online courses (Power Searching With Google)
Online Course: Advanced Power Searching By Skill (Power Searching With Google)
Cheat Sheet: Google Search Operators (Google Support)
Cheat Sheet: Google Hacking and Defense Cheat Sheet (SANS)
Cheat Sheet: Google Searchable Filetypes (Google Support)
Cheat Sheet: Google Search Punctuation Operators (Google Support)
Cheat Sheet: Google Power Searching Quick Reference Guide (Power Searching With Google)
Database: Google Hacking Database (Exploit Database)
Pastebin Searching
Article: "Using Pastebin Sites for Pen Testing Reconnaissance" (Lenny Zeltser)
Custom Search "This custom search page indexes 80 Paste Sites:" (Intel Techniques)
Article "Pastebin: How a popular code-sharing site became the ultimate hacker hangout" (Matt Brian)
Advanced Search "Github Advanced Search" (Github)
Recon-ng
Site: "Recon-ng: Website" (Bitbu * Guide: [The Recon-ng Frameworkcket)
Type: "Recon-ng: Usage Guide" (Bitbucket)
Demonstration: "Look Ma, No Exploits! – The Recon-ng Framework - Tim "LaNMaSteR53" Tomes" (Derbycon 2013)
Guide: toolsmith guide to Recon-ng
Video: Tektip ep26 - Information gathering with Recon-ng Video Tutorial
Guide: The Recon-ng Framework : Automated Information Gathering
Activities
undefined
