Many different sources exist for information gathering. The following list cannot possibly cover every source out there, but it does outline the major choices you have.
Gathering Information from Websites
Corporate and/or personal websites can provide a bounty of information. The first thing a good social engineer will often do is gather as much data as he can from the company’s or person’s website. Spending some quality time with the site can lead to clearly understanding:
- What they do
- The products and services they provide
- Physical locations
- Job openings
- Contact numbers
- Biographies on the executives or board of directors
- Support forums
- Email naming conventions
- Special words or phrases that can help in password profiling
Seeing people’s personal websites is also amazing because they will link to almost every intimate detail about their lives—kids, houses, jobs, and more. This information should be cataloged into sections because it will often be something from this list that is used in the attack.
Many times company employees will be part of the same forums, hobby lists, or social media sites. If you find one employee on LinkedIn or Facebook, chances are that many more are there as well. Trying to gather all that data can really help a social engineer profile the company as well as the employees.
Many employees will talk about their job title in their social media outlets. This can help a social engineer to profile how many people may be in a department and how the departments are structured.
Search Engines
Google forgives but it never forgets, and it has been compared to the Oracle. As long as you know how to ask, it can tell you most anything you want to know. The strings you ask it with are known as “Google Dorks”: search strings that can be used in Google to find out information about a company.
For example, if you were to type in site:microsoft.com filetype:pdf, you would be given a list of every file with the extension PDF on the microsoft.com domain.
Being familiar with search terms that can help you locate files on your target is a very important part of information gathering. I make a habit of searching for filetype:pdf, filetype:doc, filetype:xls, and filetype:txt. It is also a good idea to see if employees actually leave files like DAT, CFG, or other database or configuration files open on their servers to be harvested.
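The same exposure can be checked from the defending side before a search engine indexes it. The following added example (not code from the original text) walks a web document root and flags the document types the filetype: searches above target, and the configuration or database files that should never be served at all; the directory layout is constructed in a temporary folder so it runs offline.

```python
"""Audit a web document root for files that search engines readily index
(the filetype: searches described above) and for config/database files that
were never meant to be served. The sample tree below is constructed."""
import os
import tempfile
from pathlib import Path

# Document types an outsider searches for with filetype: (from the text), plus
# configuration/data extensions the text warns are left "open on their servers".
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".txt"}
SENSITIVE_EXTS = {".dat", ".cfg", ".conf", ".ini", ".sql", ".bak", ".db"}


def audit_webroot(root):
    """Walk `root` and return {'documents': [...], 'sensitive': [...]} with
    POSIX-style paths relative to the root, sorted so results are deterministic."""
    findings = {"documents": [], "sensitive": []}
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            ext = Path(name).suffix.lower()
            if ext in SENSITIVE_EXTS:
                findings["sensitive"].append(rel)
            elif ext in DOCUMENT_EXTS:
                findings["documents"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_webroot():
    """Construct a throwaway document root mimicking a careless deployment."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.html": "<html></html>",
        "docs/pricing.pdf": "%PDF-1.4 constructed sample",
        "docs/staff_list.xls": "constructed sample",
        "admin/db_backup.sql": "-- constructed dump",
        "includes/app.cfg": "db_password=constructed",
        "static/logo.png": "constructed",
    }
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    for category, paths in audit_webroot(build_sample_webroot()).items():
        print(category, paths)
```

Anything listed under "sensitive" should be moved out of the served tree or blocked in the web server configuration; the "documents" list is what a filetype: search would surface once crawled.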
Google is not the only search engine that reveals amazing information. A researcher named John Matherly created a search engine he called Shodan (www.shodanhq.com).
Shodan is unique in that it searches the net for servers, routers, specific software, and so much more. For example, a search of microsoft-iis os:“windows 2003” reveals the following number of servers running Windows 2003 with Microsoft IIS:
- United States 76,592
- China 3,003
- Canada 2,171
- United Kingdom 3,776
- Germany 1,933
This search is not target-specific, but it does demonstrate one vital lesson: the web contains an amazing wealth of information that needs to be tapped by a social engineer seeking to become proficient at information gathering.
Whois Reconnaissance
Whois is a name for a service and a database. Whois databases contain a wealth of information that in some cases can even contain full contact information of the website administrators.
Using a Linux command prompt or a website like www.whois.net can lead you to surprisingly specific results, such as a person’s email address, telephone number, or even DNS server IP address.
Whois information can be very helpful in profiling a company and finding out details about their servers. All of this information can be used for further information gathering or to launch social engineering attacks.
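A domain owner can check how much of this contact detail their own record gives away. The following added example (not code from the original text) parses a WHOIS record in the common "Key: Value" layout and lists the person-level contacts that are readable outright, ignoring values that sit behind a privacy proxy; the record is a constructed, fictional sample and the field labels are ordinary WHOIS labels rather than any one registrar's schema.

```python
"""List the person-level contact details a WHOIS record exposes.
SAMPLE_WHOIS is a constructed record for a fictional domain."""
import re

SAMPLE_WHOIS = """\
Domain Name: example-corp.test
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
Registrant Organization: Example Corp
Admin Name: Jane Doe
Admin Email: jane.doe@example-corp.test
Admin Phone: +1.5555550100
Tech Email: hostmaster@example-corp.test
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+\d[\d.\- ]{6,}\d")
# Substrings that mark a value as proxied/redacted rather than a real contact.
PROXY_HINTS = ("privacy", "proxy", "redacted", "whoisguard")


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict of lists (keys repeat, e.g. Name Server)."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def exposed_contacts(record):
    """Return (field, value) pairs an outsider can read directly: named people,
    email addresses and phone numbers that are not behind a privacy proxy."""
    exposed = []
    for key, values in record.items():
        for value in values:
            if any(hint in value.lower() for hint in PROXY_HINTS):
                continue  # proxied or redacted values identify nobody
            if key.endswith(" Name") and not key.startswith("Domain"):
                exposed.append((key, value))
            elif EMAIL_RE.search(value) or PHONE_RE.search(value):
                exposed.append((key, value))
    return exposed


if __name__ == "__main__":
    for field, value in exposed_contacts(parse_whois(SAMPLE_WHOIS)):
        print(f"{field}: {value}")
```

Every pair printed is a detail that can feed a pretext; registrar privacy services or role-based contacts (hostmaster@, not a named person) shrink that list.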
Public Servers
A company’s publicly reachable servers are also great sources for what its websites don’t say. Fingerprinting a server for its OS, installed applications, and IP information can say a great deal about a company’s infrastructure.
After you determine the platform and applications in use, you could combine this data with a search on the corporate domain name to find entries on public support forums.
IP addresses may tell you whether the servers are hosted locally or with a provider; with DNS records you can determine server names and functions, as well as IPs.
An important note to keep in mind is that performing a port scan—using a tool like NMAP or another scanner to locate open ports, software, and operating systems used on a public server—can lead to problems with the law in some areas.
For example, in June 2003, an Israeli, Avi Mizrahi, was accused by the Israeli police of the offense of attempting the unauthorized access of computer material. He had port scanned the Mossad website. About eight months later, he was acquitted of all charges. The judge even ruled that these kinds of actions should not be discouraged when they are performed in a positive way.
Of course, if you are involved in a paid audit of a company most of this will be covered in the contract, but it is important to state that it is up to the social engineer auditor to be aware of the local laws and make sure they are not breaking them.
Social Media
Many companies have recently embraced social media. It’s cheap marketing that touches a large number of potential customers. It’s also another stream of information from a company that can provide breadcrumbs of viable information. Companies publish news on events, new products, press releases, and stories that may relate them to current events.
Lately, social networks have taken on a mind of their own. When one becomes successful it seems that a few more pop up that utilize similar technology. With sites like Twitter, Blippy, PleaseRobMe, ICanStalkU, Facebook, LinkedIn, MySpace, and others, you can find information about people’s lives and whereabouts in the wide open.
User Sites, Blogs, and So On
Public Reports
Public data may be generated by entities inside and outside the target company. This data can consist of quarterly reports, government reports, analyst reports, earnings posted for publicly traded companies, and so on. Examples of these are Dun & Bradstreet reports or other sales reports that are sold for very little money and contain a lot of details on the target company.
Remember, your goal as you collect data is to learn about the target company and the people within the company. Once a social engineer collects enough data, a clear picture will form in their minds as to the best way to manipulate the data from the targets. You want to profile the company as a whole and find out roughly how many employees are part of some club, a hobby, or group. Do they donate to a certain charity or do their kids go to the same school? All of this information is very helpful in developing a profile.
A clear profile can help the social engineer not only in developing a good pretext, but can also outline what questions to use, what are good or bad days to call or come onsite, as well as many other clues that can make the job so much easier.
All of the methods discussed so far are mostly physical, very personal methods of information gathering. I didn’t touch on the very technical side of information gathering, like services such as SMTP, DNS, NetBIOS, and the almighty SNMP.
Whatever method you use to gather information, the question that may come up is: now that you know where to gather, how to gather, and even how to catalog, store, and display this information, what do you do with it?
As a social engineer, after you have information you must start planning your attacks. To do that you need to start modeling an outline that will use this information. One of the best ways to start utilizing this data is to develop what is called a communication model.