Intelligence Gathering

From The Penetration Testing Execution Standard

General

This section defines the Intelligence Gathering activities of a penetration test. It is intended as a (living?) document designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). It details the thought process and goals of pentesting reconnaissance and, when used properly, helps the reader produce a highly strategic plan for attacking a target.


Intelligence Gathering

What is it

  • Intelligence Gathering is performing reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target during the vulnerability assessment and exploitation phases. The more information you are able to gather during this phase, the more vectors of attack you may be able to use in the future.
  • Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. [1]

Why do it

  • We perform Open Source Intelligence gathering to determine various entry points into an organization. These entry points can be physical, electronic, and/or human. Many companies fail to take into account what information about themselves they place in public and how this information can be used by a determined attacker. On top of that, many employees fail to take into account what information they place about themselves in public and how that information can be used to attack them or their employer.

What is it not

  • [Needs Content]


Target Selection

  • Identification and Naming of Target
  • Consider any Rules of Engagement limitations
    • Rules of Engagement
      • Typical Reconnaissance rules
      • Defining your own rules
  • Consider time length for test
  • Consider end goal of the test
  • Consider what you want to accomplish from the Information Gathering phase
  • Make the plan to get it


OSINT

Open Source Intelligence (OSINT) takes three forms: passive, semi-passive, and active.

  • Passive Information Gathering: Passive information gathering is generally only useful if there is a very clear requirement that the information gathering activities never be detected by the target. This type of profiling is technically difficult to perform, as we never send any traffic to the target organization, either from our own hosts or from “anonymous” hosts or services across the Internet. This means we can only use and gather archived or stored information. As such, this information can be out of date or incorrect, as we are limited to results gathered from a third party.


  • Semi-passive Information Gathering: The goal of semi-passive information gathering is to profile the target with methods that would appear like normal Internet traffic and behavior. We query only the published name servers for information; we aren’t performing in-depth reverse lookups or brute-force DNS requests, and we aren’t searching for “unpublished” servers or directories. We aren’t running network-level port scans or crawlers, and we are only looking at metadata in published documents and files, not actively seeking hidden content. The key here is not to draw attention to our activities. Post-mortem, the target may be able to go back and discover the reconnaissance activities, but they shouldn’t be able to attribute the activity back to anyone.


  • Active Information Gathering: Active information gathering should be detected by the target as suspicious or malicious behavior. During this stage we are actively mapping network infrastructure (think full port scans, nmap -p1-65535), actively enumerating and/or vulnerability scanning the open services, and actively searching for unpublished directories, files, and servers. Most of this activity falls into the typical “reconnaissance” or “scanning” activities of a standard pentest.
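The active form above is, by the page's own definition, the one the target should detect. The following is an added example (not part of the PTES page) of how a defender's monitoring might notice a full-range sweep in firewall logs: it counts distinct destination ports per source within a sliding time window. The log line format, the addresses, the timestamps and the thresholds are all constructed for the example; the third group of lines shows a slow sweep that a short window does not catch.

```python
"""Spotting active reconnaissance (port sweeps) in firewall logs.

Added example for this section; not part of the PTES page. The log
format, addresses, timestamps and thresholds are all constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (no real system). Assumed line format:
#   "<ISO-8601 time> <ACTION> src=<ip> dst=<ip> dport=<port> proto=<proto>"
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
SAMPLE_LOG = (
    # A fast sweep: one source touching 12 ports in 12 seconds.
    [f"2024-03-01T10:00:{i:02d} DENY src=203.0.113.7 dst=198.51.100.10 "
     f"dport={p} proto=tcp" for i, p in enumerate(SCAN_PORTS)]
    # Ordinary client traffic: a few connections to web ports over minutes.
    + ["2024-03-01T10:00:05 ALLOW src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp",
       "2024-03-01T10:02:10 ALLOW src=192.0.2.5 dst=198.51.100.10 dport=80 proto=tcp",
       "2024-03-01T10:07:42 ALLOW src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp"]
    # A slow sweep: the same 12 ports, but one probe every six minutes.
    + [f"2024-03-01T{11 + (i * 6) // 60:02d}:{(i * 6) % 60:02d}:00 DENY "
       f"src=198.51.100.77 dst=198.51.100.10 dport={p} proto=tcp"
       for i, p in enumerate(SCAN_PORTS)]
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't fit the format."""
    parts = line.split()
    if len(parts) < 6:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if not all(k in fields for k in ("src", "dst", "dport")):
        return None
    return {"time": ts, "action": parts[1], "src": fields["src"],
            "dst": fields["dst"], "dport": int(fields["dport"])}


def find_scanners(lines, window_seconds=60, min_ports=10):
    """Flag (src, dst) pairs where one source touched at least `min_ports`
    distinct destination ports within any `window_seconds`-long span.
    Returns {(src, dst): max_distinct_ports_seen_in_one_window}."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["time"], ev["dport"]))

    flagged = {}
    for key, evs in events.items():
        evs.sort()                      # chronological order per pair
        in_window = Counter()           # port -> hits inside the current window
        start, best = 0, 0
        for t, port in evs:
            in_window[port] += 1
            # Drop events that fell out of the window ending at time t.
            while evs[start][0] < t - window:
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (src, dst), n in find_scanners(SAMPLE_LOG).items():
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports within 60s")
```

With the defaults only the fast sweep from 203.0.113.7 is reported; the slow sweep from 198.51.100.77 spreads the same 12 ports over more than an hour and stays under a 60-second window. Widening the window to a couple of hours catches it too, at the cost of more false positives from busy legitimate clients, which is why the window and port threshold have to be tuned per environment.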


Corporate

Physical

Locations

Per-location listing of full address, ownership, associated records (city, tax, legal, etc.), and a full listing of all physical security measures for the location (camera placements, sensors, fences, guard posts, entry control, gates, type of identification, supplier’s entrance, physical locations based on IP blocks/geolocation services, etc.).

  • Owner
  • Land/tax records
  • Shared/individual
  • Timezones
  • Hosts / NOC

Pervasiveness

  • [Need Content]

Relationships

Business partners, customers, suppliers; analysis via what is openly shared on corporate web pages, rental companies, etc.

  • Relationships
  • Shared office space
  • Shared infrastructure
  • Rented / Leased Equipment


Logical

Accumulated information for partners, clients and competitors: For each one, a full listing of the business name, business address, type of relationship, basic financial information, basic hosts/network information.

  • Business Partners
    • Target’s advertised business partners. Sometimes advertised on the main website.
  • Business Clients
    • Target’s advertised business clients. Sometimes advertised on the main website.
  • Competitors
    • Who are the target’s competitors? This may be simple, Ford vs Chevy, or may require much more analysis.
  • Touchgraph
  • Hoovers profile
    • What: a semi-open source intelligence resource (paid subscriptions usually). Such sources specialize in gathering business-related information on companies and providing a “normalized” view of the business.
    • Why: The information includes physical locations, competitive landscape, key personnel, financial information, and other business-related data (depending on the source). This can be used to create a more accurate profile of the target, and to identify additional personnel and 3rd parties which can be used in the test.
    • How: A simple search on the site with the business name provides the entire profile of the company and all the information that is available on it. It’s recommended to use a couple of sources in order to cross-reference them and make sure you get the most up-to-date information (paid-for service).
  • Product line
  • Market Vertical
    • Which industry the target resides in, i.e. financial, defense, agriculture, government, etc.
  • Marketing accounts
  • Meetings
    • Meeting minutes published?
    • Meetings open to the public?
    • Significant company dates
      • Board meetings
      • Holidays
      • Anniversaries
      • Product/service launch
  • Job openings
    • By viewing a list of job openings at an organization (usually found in a ‘careers’ section of their website), you can determine the types of technologies used within the organization. One example would be if an organization has a job opening for a Senior Solaris Sysadmin; then it is pretty obvious that the organization is using Solaris systems. Other positions may not be as obvious from the job title, but an open Junior Network Administrator position may say something to the effect of ‘CCNA preferred’ or ‘JNCIA preferred’, which tells you that they are using either Cisco or Juniper technologies.
  • Charity affiliations
  • Court records
  • Political donations
  • Professional licenses or registries

Org Chart

  • Position identification
    • Important people in the organization
    • Individuals to specifically target
  • Transactions
    • [Need Content]
  • Affiliates


Electronic

  • Document Metadata
    • What is it? Metadata or meta-content provides information about the data/document in scope. It can include the author/creator name, time and date, standards used/referred to, location in a computer network (printer/folder/directory path, etc.), geo-tags, and so on. For an image, the metadata can contain color depth, resolution, camera make/model and even the coordinates and location information.
    • Why would you do it? Metadata is important because it contains information about the internal network, usernames, email addresses, printer locations etc., and will help to create a blueprint of the location. It also contains information about the software used to create the respective documents. This can enable an attacker to build a profile and/or perform targeted attacks with internal knowledge of the networks and users.
    • How would you do it? There are tools available to extract the metadata from a file (pdf/word/image), such as FOCA (GUI-based), metagoofil (Python-based), meta-extractor and exiftool (Perl-based). These tools can extract the results and display them in different formats such as HTML, XML, GUI, JSON etc. The input to these tools is mostly a document downloaded from the public presence of the ‘client’, which is then analyzed to learn more about it. FOCA additionally lets you search for documents, download them and analyze them, all through its GUI interface.
  • Marketing Communications
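To make the metadata step concrete, here is an added example (not from the PTES page, nor from FOCA, metagoofil or exiftool) of what such a tool recovers from a document: a small parser for the Info dictionary of a PDF, run over a constructed byte string that stands in for a file downloaded from a company's public website, followed by a check that flags the fields a publisher should strip before release. The sample PDF, its field values (including the hex-encoded UNC path) and the leak heuristics are assumptions made for the example; real documents carry far more (XMP streams, embedded fonts, revision history) than this parser reads.

```python
"""Extract and triage PDF Info-dictionary metadata.

Added example for this section; not part of the PTES page or of any tool
it names. The sample document and the leak heuristics are constructed.
"""
import re

# Constructed minimal PDF (not a real document). The Info object (3 0 obj)
# carries the fields an author's software typically leaves behind.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (Q3 Network Refresh \\(draft\\))
   /Author (jdoe)
   /Creator (Microsoft Word)
   /Producer (Acrobat PDFMaker 11)
   /CreationDate (D:20240301100000Z)
   /Keywords <FEFF005C005C00660069006C006500730072007600300031>
>>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# A PDF string is either a literal "(...)" with backslash escapes or a hex "<...>".
_LITERAL = rb"\((?:\\.|[^\\)])*\)"      # nested unescaped parens are not handled
_HEX = rb"<[0-9A-Fa-f\s]*>"
_ENTRY = re.compile(rb"/([A-Za-z0-9_.-]+)\s*(" + _LITERAL + rb"|" + _HEX + rb")")


def _decode_string(tok):
    """Turn a PDF string token into text (handles \\( \\) \\\\ escapes and UTF-16BE hex)."""
    if tok.startswith(b"("):
        body = re.sub(rb"\\([()\\])", rb"\1", tok[1:-1])
        return body.decode("latin-1")
    raw = bytes.fromhex("".join(tok[1:-1].decode("ascii").split()))
    if raw.startswith(b"\xfe\xff"):          # byte-order mark: UTF-16BE text
        return raw[2:].decode("utf-16-be")
    return raw.decode("latin-1")


def pdf_info(data):
    """Return the Info dictionary of a PDF as {key: text}; {} if there is none."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return {}
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?m)^" + num + rb"\s+" + gen + rb"\s+obj\b(.*?)endobj",
                    data, re.S)
    if not obj:
        return {}
    return {k.decode("ascii"): _decode_string(v) for k, v in _ENTRY.findall(obj.group(1))}


# Heuristic for values that reveal internal paths (UNC, drive letter, home dirs).
_PATH_RE = re.compile(r"(\\\\[\w.-]+|[A-Za-z]:\\|/home/|/Users/)")


def find_leaks(meta):
    """List (key, reason) pairs for metadata fields worth stripping before publication."""
    leaks = []
    for key, value in meta.items():
        if _PATH_RE.search(value):
            leaks.append((key, "contains an internal network or file path"))
        elif key == "Author":
            leaks.append((key, "reveals a user or account name"))
        elif key in ("Creator", "Producer"):
            leaks.append((key, "reveals software in use"))
    return leaks


if __name__ == "__main__":
    meta = pdf_info(SAMPLE_PDF)
    for key, value in meta.items():
        print(f"{key:14s} {value!r}")
    for key, reason in find_leaks(meta):
        print(f"strip {key}: {reason}")
```

The point of the triage step is the publisher's side of the page's argument: the same fields that give a pentester usernames, software versions and a file-server name are the ones a document-release process should clear. Note that the hex-encoded Keywords value decodes to a UNC path that a plain text search of the file would never show.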


Infrastructure Assets [!!This section needs to be added to mindmap!!]

  • Network blocks owned
  • Email addresses
  • External infrastructure profile
  • Technologies used
  • Purchase agreements
  • Remote access
  • Application usage
  • Defense technologies
  • Human capability


Financial

  • Reporting
  • Market analysis
  • Trade capital
  • Value history
  • EDGAR (SEC)
    • What is it: EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system) is a database of the U.S. Securities and Exchange Commission (SEC) that contains registration statements, periodic reports, and other information on all companies (both foreign and domestic) that are required by law to file.
    • Why do it: EDGAR data is important because, in addition to financial information, it identifies key personnel within a company who may not otherwise be visible from the company’s website or other public presence. It also includes statements of executive compensation, names and addresses of major common stock owners, a summary of legal proceedings against the company, economic risk factors, and other potentially interesting data.
    • How to obtain: The information is available on the SEC’s EDGAR website (http://www.sec.gov/edgar.shtml). Reports of particular interest include the 10-K (annual report) and 10-Q (quarterly report).

Individual

Covert Gathering

HUMINT

Footprinting

Identify Protection Mechanisms