OSINT – Findings, Analysis, and Weaponization

Weaponization is the process of turning the results of passive reconnaissance into directions or launch points for active reconnaissance and preliminary attacks. This will ensure that the more overt phases of the pen test process are influenced by your previous actions, rather than being isolated and therefore missing out on key information that could enhance their effectiveness.

In order to weaponize your findings, you’ll need to analyze them for potential content of interest. What exactly is of interest will depend greatly on the pen test scope, the capabilities of your team, and the target’s assets and day-to-day business operations. During your analysis, you’ll also need to consider these findings not in a vacuum, but as parts of a bigger picture. It may not be clear which direction you should take with a particular piece of information until you combine that information with something else or consider how it may pertain to a larger environment.

Another key component of findings analysis is separating the signal from the noise—in other words, determining which of the information you gathered is not useful to the pen test and should be discarded or otherwise set aside during future phases. Failing to do so may impede the progress of the pen test or lead you astray when it comes to weaponizing the results through targeted exploits.

Content of Interest

The following are some examples of passive reconnaissance content that may be of interest to your weaponization efforts:

  • IP addresses and subdomains that may lead to opportunities in the test.
  • External or third-party domains and websites that may be related to the target organization.
  • Key personnel related in some way to the target organization, and their contact information.
  • Personal information or other points of data that may facilitate social engineering tests.
  • Information that reveals specific types of technology used by the target organization.

IP Addresses and Subdomains

IP addresses gained from OSINT will usually be public ranges that are allocated to the target organization. The organization uses this block of public addresses to communicate with the untrusted Internet and other external networks, often for the purpose of providing online services to customers and external personnel. Through active scanning, you can leverage these IP addresses in order to discover active services, open ports, operating system information, and more. It’s important to note, however, that hosts accessible through public address blocks are most likely to be public-facing resources like web servers, FTP servers, mail servers, etc. There’s a much smaller chance that you’ll be able to use public IP addresses to discover a domain controller, for example.

You might also be able to leverage public IP addresses as an entry point into the private network. Assuming the hosts running these public services are vulnerable in some significant way, their exposure to the Internet can provide you with a vector for further compromise.

Although less likely, it is possible that you’ll find private IP addresses and subnet ranges amongst your gathered OSINT. This usually happens due to accidental leakage of sensitive data. For example, the organization might publish a network diagram or list of network hosts to a section of their site that fails to properly control access to resources. Even if the sensitive document is not easily visible or accessible from the site, you may be able to use a tool like Recon-ng to crawl for hidden file downloads. If you do manage to obtain private IP addresses in this way, you might be able to better focus your active scanning tools on specific addresses, rather than scanning entire subnets, which is more likely to attract attention.

Subdomains enumerated from DNS records and other resources can also help you focus your active reconnaissance and exploitation efforts. For example, the target organization might run a marketing site on the domain example.tld. On that same domain, you gathered OSINT that indicated the presence of a subdomain called intranet.example.tld. By the name alone you can deduce that this subdomain is likely a gateway to privileged access—and therefore, something you might want to investigate further. You can also tie in your public IP address findings to specific subdomains.
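
As an added example (not part of the original text), here is one way to carry out the triage described above in Python: gathered subdomains and their resolved addresses are sorted into in-scope public hosts, addresses outside the authorized ranges, leaked private (RFC 1918) addresses, and names that never resolved, with in-scope names like intranet flagged for follow-up. The findings, the allocated ranges and the hint words are constructed assumptions.

```python
import ipaddress

# Constructed sample findings (subdomain -> address gathered passively); these
# are documentation ranges and invented names, not a real organization.
FINDINGS = {
    "www.example.tld": "203.0.113.10",
    "intranet.example.tld": "203.0.113.25",
    "mail.example.tld": "203.0.113.40",
    "cdn.example.tld": "198.51.100.7",        # hosted by a third party
    "fileserver.example.tld": "10.20.30.40",  # private address that leaked
    "vpn.example.tld": "not-an-ip",           # name seen, no resolution recorded
}

# Public ranges the scope document allocates to the target (constructed).
IN_SCOPE_RANGES = ["203.0.113.0/24"]

# RFC 1918 ranges: any of these in passive findings indicates a leak of
# internal addressing, as the text describes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hostname fragments that, like "intranet" in the text, hint at privileged access.
PRIVILEGED_HINTS = ("intranet", "admin", "vpn", "internal", "portal")


def classify_ip(addr, in_scope_networks):
    """Return 'in_scope', 'private_leak', 'third_party', or 'unresolved'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unresolved"
    if any(ip in net for net in RFC1918):
        return "private_leak"
    if any(ip in net for net in in_scope_networks):
        return "in_scope"
    return "third_party"


def triage(findings, in_scope_ranges, hints=PRIVILEGED_HINTS):
    """Group subdomain findings by their relation to the authorized scope."""
    nets = [ipaddress.ip_network(r) for r in in_scope_ranges]
    groups = {"in_scope": [], "private_leak": [], "third_party": [], "unresolved": []}
    for host, addr in sorted(findings.items()):
        label = host.split(".")[0].lower()
        groups[classify_ip(addr, nets)].append({
            "host": host,
            "ip": addr,
            "privileged_hint": any(h in label for h in hints),
        })
    return groups


def priority_targets(groups):
    """In-scope hosts whose names suggest privileged access, to examine first."""
    return [e["host"] for e in groups["in_scope"] if e["privileged_hint"]]


if __name__ == "__main__":
    result = triage(FINDINGS, IN_SCOPE_RANGES)
    for bucket, entries in result.items():
        print(bucket, [e["host"] for e in entries])
    print("priority:", priority_targets(result))
```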

External and Third-Party Sites

As you’ve seen, there are many different types of websites that might be distinct from the organization’s main websites, yet still related in some way. By performing OSINT on sites owned by the target’s partners, sites owned by consultants and contractors known to work with the target organization, and more, you’ll potentially expand your knowledge of the target’s business operations, personnel, and assets.

How you proceed with this information will depend on your pen test scope and whether or not the information is actionable. If you discover a site owned by a contractor the target organization has worked with in the past, you may be prohibited from gathering any further information through more direct methods like active reconnaissance. After all, the contractor’s business is not wholly owned by the organization, and has not necessarily agreed to be subjected to the pen test. Even if such action is authorized, you may find that the information you gathered from the third-party is too loosely associated with the parameters of the test. For example, a contractor’s website will have its own public IP address, but this probably isn’t relevant to the test. You might need to discard such information.

There are many more types of third-party sites, however. Any site that isn’t owned by the target organization can be included. For example, the Glassdoor website enables employees to review their place of employment and its management. The target organization may have been reviewed on this site, and those reviews may reveal interesting information about the type of people that work there, the business processes in place, and the technology that is used. The organization has no direct control over this site, yet it can still aid your pen test.

People

How you leverage the information about people you gathered from Whois, social media profiles, PGP email key searches, the organization’s website, and more, will depend on several factors. Those factors include, but are not limited to:

  • The role the people play in the organization; e.g., their job title or management level, if any.
  • The people’s day-to-day responsibilities.
  • The teams and departments that the people work in; i.e., who they work with.
  • The people’s business-related identification details; e.g., phone numbers, email addresses, office location, workspace location, etc.
  • The people’s technical aptitude and whether or not they’ve been trained in end-user security.
  • The people’s mindsets and perspectives on their employers and colleagues; e.g., office politics.

Consider some of the following scenarios:

  • You gather an executive’s email address, office location, role in the company, and who they manage, all from the organization’s website. You then prepare this information to use in a spear phishing attack to try and get them to authorize a fraudulent payment.
  • You discover the social media profiles of an accounts payable employee, which contain information on their date of birth, relationships, interests, and more. You then build these details into a wordlist for your password cracking attempts to minimize the time and effort required.
  • You discover that a network administrator is dissatisfied with their colleagues by reading the employee’s rambling posts on Facebook. The employee complains that their colleagues have a lax attitude toward securing and monitoring the network. You then prepare to focus your tests on finding the weaknesses that may exist due to these negligent employees.

Note that not all people who may be useful to your pen test are necessarily employees of the target organization or work with the organization in any capacity. They may be friends, family, or customers. You can potentially learn a lot from people who have different interactions with an organization than an employee would.

Technologies

OSINT tools like Maltego, and even standard Google searches or Google hacking searches, can reveal the technologies that a public website or other resource is built with. By identifying the type of technology, as well as its version information, you can better prepare to exploit specific scenarios. If your target is a web server, and you identified that the web server is running on Apache, you may consider structuring your active reconnaissance efforts on enumerating Linux-based hosts, rather than Windows-based hosts. By that same token, the technology that an organization uses may indicate a reliance on specific vendors for other technology assets that are either private or weren’t obtained as part of your OSINT gathering. For example, a web server that runs the ASP.NET framework on version 6 of Microsoft’s Internet Information Services (IIS) will tell you a lot about not just the web server itself, but might also suggest that the organization runs Windows servers for other resources—perhaps in an Active Directory (AD) environment.

To best leverage your findings on an organization’s technologies, you should research those technologies for vulnerabilities. Major vendors will often issue alerts for their products in which they detail security issues related to specific versions. You can use this as an opportunity to hone your later vulnerability scans, improving their efficiency and increasing the chances that you’ll find something actionable.

On the other hand, the information you gather about an organization’s technologies can tell you where its defenses are strong. If a piece of technology is up-to-date and no known vulnerabilities exist, it may be wise to rule this technology out as either a target or an attack vector. That way you can focus on other resources that may not be so well protected.

Social Engineering

One of the most powerful and effective tactics for leveraging people information is social engineering. Social engineering is the practice of deceiving people into giving away access to unauthorized parties or otherwise enabling those parties to compromise sensitive assets. The target of social engineering is unaware that they are being tricked, and is therefore not malicious but ignorant of the situation. Social engineering is very commonly used by attackers because it can be extremely effective. People are naturally trusting of other human beings, and most are agreeable and want to avoid conflict or confrontation. Attackers therefore exploit people’s eagerness to trust others.

Social engineering is a logical next step after gathering people-based OSINT. The personal data you gather can tell you a lot about a person, including their interests, their demeanor, and how they live their lives from day to day. For example, cracking a password can be very difficult, and under certain circumstances, unlikely to succeed at all. Rather than taking this technical approach to gaining access, why not try to get this password from the person who uses it? By gathering people information, you can identify employees in the organization and their email addresses, phone numbers, and other points of contact. You can then attempt to contact an individual, and, using one or more techniques, trick them into providing their password. You obtained something very valuable to the test without putting forth the effort, time, and risk of conducting a more technical attack.

Social engineering tests can target many different people with many different job roles. Among the most common targets are employees who handle sensitive financial data. If you manage to identify such an employee, you might try to entice them into sending you money by pretending to be someone actually deserving of that money, like an executive at the company. High-profile personnel like executives and managers are another common target of social engineering. These people tend to hold the greatest amount of access in an organization, and in many cases, rely on others to complete specific tasks. You might focus your social engineering tests on these personnel to see how easily they hand over information that they shouldn’t.

Keep in mind that, because social engineering involves exploiting real human beings and the trust they place in others, some pen test scopes will prohibit certain tactics, or even social engineering altogether. You must be aware of how your actions may affect others before leveraging people information.

Basic Components of Social Engineering Attacks

Most social engineering attacks share some basic components that enable them to be so effective. Some of those components are:

  • Target evaluation: In many cases, attackers with specific targets in mind will evaluate those targets and determine how susceptible they are to specific types of social engineering. They will also evaluate their general level of awareness of computing technology and cybersecurity.
  • Pretexting: Attackers will communicate, whether directly or indirectly, a lie, half-truth, or sin of omission in order to get someone to believe a falsehood. This belief may spur the victim into committing an action they had not intended or that runs counter to their interests.
  • Psychological manipulation: Attackers exploit humans’ willingness to place trust in others and prey upon their sometimes erroneous decision-making abilities. Attackers also exploit the inherent cognitive biases within all people to craft more effective and targeted attacks.
  • Building relationships: The more comfortable and friendly a victim is with the attacker, the more likely they will trust the attacker. Attackers may therefore try to get to know their target on a personal level.
  • Motivation: Attackers will try to motivate their target to take some action that will ultimately benefit the attacker.

Motivation Techniques

In order to motivate their target, a social engineer will rely on one or more different techniques.

  • Authority: People tend to obey authority figures even when they know the requested action is either ethically dubious or counter to their own interests. They also tend to obey authority figures when they don’t have enough information to accurately assess a situation. An attacker posing as an authority figure, like a police officer, is often more successful at enticing a victim to perform some action they shouldn’t.
  • Scarcity: People tend to attach undue value to objects or ideas that are uncommon or otherwise difficult to obtain. A “secret” or “exclusive” item is more enticing to the victim than something they encounter every day. For example, the attacker may claim to reward a victim with a unique collectible that they cannot acquire anywhere else.
  • Urgency: This is similar to scarcity, but with a time element involved. An attacker might encourage a victim to act quickly, lest the victim miss their opportunity at acquiring something. For example, a “limited time offer” will be more likely to pique a victim’s interest.
  • Social proof: This is similar to the concept of conformity, in which people tend to mirror the actions of others because they want to fit in. If a victim sees or believes they see an attacker engaging in some behavior, they may themselves engage in that behavior. This is more effective if the behavior is exhibited by a group of people whom the victim trusts. For example, a group of attackers working in concert may install a fake “antivirus” program on their computers, and the victim may decide to do the same in order to appear competent to their peers.
  • Likeness: People are more likely to listen to someone and comply with their requests if they feel an affinity toward them. They may see themselves in this other person, such as having a similar speech pattern. Or, the other person may represent an ideal, such as someone who is physically attractive. Attackers can leverage this to be charming and persuasive to specific people.
  • Fear: Because fear is such a visceral emotion, it can motivate people to act in ways they normally wouldn’t, just to purge themselves of that fear. Fear of loss is especially powerful. Attackers often use fear tactics to convince a victim that they will lose money or access if they do not comply.

Phishing

In its original sense, phishing is the social engineering tactic in which an attacker attempts to obtain sensitive information from a user by posing as a trustworthy figure through email communications. Due to the rise of communication media other than email, the term “phishing” can also encompass an attempt to obtain sensitive information through any electronic communication medium. Phishing is one of the most common and effective social engineering tactics because it is easy to distribute, impersonal, and can leverage technical tricks—like spoofing the From header in email—to make it more convincing.

For instance, an attacker may prepare an email in which the attacker claims to work for the victim’s bank. The contents of the email tell the victim they should send their password to the attacker so that their account can be properly reset. If the victim doesn’t comply within one week, the bank will terminate their account. This leverages the motivation techniques of urgency and fear. When the victim receives the email, the spoofed headers make it appear as if the email is actually coming from the bank. The victim, unaware of the threat, complies with the fraudulent request. A number of tools, including Metasploit Pro and the Social Engineering Toolkit (SET) in Kali, have built-in features that make it easy to launch a phishing campaign.
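
The spoofed From header in the bank scenario leaves traces that mail filters and analysts check for. The following added example (not from the original page or from any tool it names) parses two constructed messages with Python’s standard email library and reports why the visible sender should not be trusted; the domains, addresses and Authentication-Results values are invented.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (invented domains, not real captures). The first
# mirrors the bank scenario above: the visible From claims the bank's domain,
# while the envelope sender, Reply-To and SPF result point elsewhere.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.tld; spf=fail smtp.mailfrom=mailer-example.net; dkim=none
From: "Example Bank Support" <support@example-bank.tld>
Reply-To: <accounts@example-bank-verify.net>
To: <customer@example.tld>
Subject: Action required: account reset within 7 days

Your account will be reset. Reply to confirm your details within 7 days or it will be closed.
"""

LEGITIMATE_MESSAGE = """\
Return-Path: <support@example-bank.tld>
Authentication-Results: mx.example.tld; spf=pass smtp.mailfrom=example-bank.tld; dkim=pass header.d=example-bank.tld
From: "Example Bank Support" <support@example-bank.tld>
To: <customer@example.tld>
Subject: Your monthly statement is available

Your statement is ready in online banking.
"""


def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw_message):
    """List header-level reasons to distrust the visible From of a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reasons = []
    # The envelope sender (Return-Path) is what SPF evaluates; a spoofed
    # From rarely matches it.
    envelope_dom = domain_of(msg["Return-Path"])
    if envelope_dom and envelope_dom != from_dom:
        reasons.append(f"return-path domain {envelope_dom} != from domain {from_dom}")
    # A Reply-To on another domain redirects the victim's answer to the attacker.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"reply-to domain {reply_dom} != from domain {from_dom}")
    # Authentication-Results is added by the receiving MTA, not by the sender.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        if f"{mechanism}=fail" in auth:
            reasons.append(f"{mechanism} failed")
    return reasons


def is_likely_spoofed(raw_message):
    """True when at least one indicator is present."""
    return bool(spoof_indicators(raw_message))


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(name, spoof_indicators(raw))
```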

Types of Phishing

The following are some terms that refer to specific types of phishing:

  • SMiShing: Also called SMS phishing, this is a phishing attack in which the attacker entices their victim through SMS text messages. The prevalence of smartphones may make using SMS more attractive to an attacker than email, but people are more likely to ignore text messages from unknown or untrusted senders than they are to ignore email.
  • Vishing: Also called voice phishing, this is a phishing attack in which an attacker entices their victim through a traditional telephone system or IP-based voice communications like Voice over IP (VoIP). While speaking to someone directly in order to entice them may be difficult for an attacker to pull off, it can also be more effective, as people tend to place more trust in those they can have a real-time conversation with.
  • Pharming: In this type of attack, the attacker entices the victim into navigating to a malicious web page that has been set up to look official. The site may mimic an existing website, like the victim’s banking website, or it may simply have an air of legitimacy. The victim interacts with this site in order to provide their sensitive information to the attacker, like filling out a fake “login” form with their password.
  • Spear phishing: This is a phishing attack, irrespective of medium, that is crafted to target a specific person or group of people. Spear phishing attacks require that the attacker perform some reconnaissance and gather some people-based information on their targets before launching the attack. The attacker uses what they learn about their targets’ habits, interests, and job responsibilities to create a custom message that is much more convincing than a generic message sent to anyone and everyone. For example, an attacker might know that a target’s birthday is coming up soon and that they plan on holding a party at a specific venue. The attacker can pretend to work for this venue and mention the target’s birthday party.
  • Whaling: This is a form of spear phishing that targets particularly wealthy or powerful individuals, like CEOs of Fortune 500 companies. The risk is higher for an attacker, as such individuals are likely to be better protected than an average person. However, the payout for the attacker will be significantly higher. For example, an urgent phony invoice might induce a CEO to order the finance department to wire a “long overdue” payment to the attacker’s account.

Impersonation

Impersonation is the act of pretending to be someone you are not. Many of the most effective social engineering attacks, especially phishing, usually include impersonation as a component. In that sense, impersonation is an element of an attack, rather than an attack itself.

Impersonation often relies on situations where a target cannot sufficiently establish the attacker’s identity. A common example of impersonation is when an attacker pretends to be a help desk worker and calls an employee, asking them for their password so that they can reset an accounts database. If the target isn’t familiar with the help desk employees or the phone number that they use, then they might not be suspicious of the request.

Impersonation can also be more effective in face-to-face interactions. Most people want to avoid appearing rude or dismissive when they’re talking with another human being directly. So, they may be less likely to question the impostor than if they had been contacted through email or on the phone. Of course, face-to-face impersonation will only work if the target doesn’t know what the impersonated individual looks like, or doesn’t know them well enough to be suspicious of their appearance.
Elicitation

Elicitation is the process of collecting or acquiring data from human beings. This is different from information gathered about human beings—in elicitation, a social engineer will attempt to learn or access useful information by contacting people who may provide certain key insights. The advantage of this approach is that some knowledge useful to an attack or pen test can only be acquired from other people.

Like impersonation, elicitation is not a social engineering attack per se, but an approach that may be used as part of an actual attack. Some specific elicitation techniques include:

  • Requests, where the social engineer in a trusted position requests that the target provide them with some useful information. This is the most direct method of elicitation.
  • Interrogation, where a social engineer directly asks people questions with the intention of extracting useful information. The social engineer may be posing as an authority figure to improve their chances of eliciting answers.
  • Surveys, where a social engineer indirectly collects data from volunteers. Surveys are effective where interrogation is not a viable option.
  • Observation, where a social engineer examines the target’s behavior in a particular environment, with or without their knowledge. A person’s behavior and day-to-day routine can provide the social engineer with insight into how they think or act in certain situations.

Elicitation is useful in supporting a variant of phishing called a business email compromise (BEC). In a BEC, an attacker usually impersonates a high-level executive or directly hijacks their email account. They then send an email to financial personnel, requesting money via a method like a wire transfer. Because the financial personnel believe the request is legitimate, they will approve the transfer. The attacker successfully elicits this payment without stealing it directly.
Hoaxes

A hoax is another element of social engineering in which the attacker presents a fictitious situation as real. It is related to the idea of a scam, though in a hoax, the attacker’s goal is not necessarily financial gain. The following are some examples of hoaxes that may convince unsuspecting users:

  • A pop-up that says an antivirus program identified the presence of malware on a target’s system. The target should click a link in order to fix this infection. In reality, the link itself leads to malicious code.
  • An email claiming to be from a citizen of a foreign country asks the target to help them access funds in a bank account. They request that the target send them money in advance and that they will receive a percentage of the total sum in the account. In reality, there is no such account, and the attacker simply takes the money the victim sends them.
  • An email claiming to be from Amazon says that the target’s account has been flagged for suspicious activity. The target must sign in to Amazon and confirm that the account has not been compromised. In reality, the sign-in link goes to a pharming website that steals the user’s credentials.
  • A blog post claiming that most computer performance issues are the result of RAM that has not been “cleaned” often enough. The post offers steps for how to perform a “clean” operation at the command line. In reality, the command formats the user’s storage drive, completely wiping its contents.

Baiting

Baiting is a social engineering attack in which an attacker leaves some sort of physical media in a location where someone else might pick it up and use it. This exploits people’s tendency to be curious about objects and situations that are out of the ordinary or that catch the eye in some way. The most common form of baiting involves leaving a USB thumb drive in a parking lot or some other public area near a workspace. An employee might notice the USB drive lying on the ground, pick it up, and plug it into their computer. Unbeknownst to them, the drive has been pre-loaded with malicious software that compromises the employee’s computer.

These kinds of attacks can rely on the victim’s computer having autorun enabled so that the malicious code is executed immediately. The malware, depending on its nature, may then spread outward and start infecting other hosts on the network. Even if autorun is not enabled, the attacker can still entice a user to run the malicious code on the USB drive by disguising it as something fun (e.g., a video game), useful (e.g., an antivirus program), or mysterious (e.g., files with cryptic names).

Deception Tactics

Deception is the primary mechanism in social engineering. It is used to create trust, sympathy, fear, greed, or urgency—anything to induce the victim into revealing information or doing something they shouldn’t. The following are some common deception techniques used in social engineering.

Posing as someone/something you’re not:

  • A beleaguered fellow employee who needs you to look up some information for them.
  • An authority figure from a government agency or law enforcement threatening to arrest you or penalize you with stiff fines.
  • A new employee, especially in a directorship position, needing your help.
  • Someone from the IT department wanting you to re-enter your credentials into a newly rebuilt database.
  • A vendor or systems manufacturer warning you about a critical security vulnerability and offering to send you a patch.
  • A customer trying to reset their login portal password.
  • A co-worker or business associate who uses insider lingo to gain trust, while asking you to perform some task for them.
  • A friend or relative who is in trouble and needs your help.
  • A vendor or creditor insisting that you pay a long-overdue payment.

Offering something the victim doesn’t really need:

  • Distributing malware disguised as free music, software, games, or funny videos.
  • Offering help if a problem occurs, then causing the problem to occur so the victim calls for your help.
  • Sending false pop-up windows or messages asking a user to provide credentials.
  • Sending an email with an infected attachment.
  • Posting a link to a malicious site on social media.
  • Leaving a USB stick, memory card, or DVD lying around the workplace with malicious software on it.

URL Hijacking

URL hijacking, also called typosquatting, is a social engineering attack in which an attacker exploits the typing mistakes that users may make when attempting to navigate to a website. For example, a user wishing to visit CompTIA’s website might type in their browser: comtpia.org. The browser has no way of knowing this was a mistake, so it sends the user to that literal website, typo and all. An attacker has already registered this domain and is counting on users to make just such a mistake. So, the user essentially gets directed to a malicious site instead of their intended destination.

The malicious site might be very clearly the wrong one, but more clever attackers will turn this into a pharming site that mimics the real one closely. That way, the victim may never even know that they committed an error, and will continue on, ignorant of the problem.

In addition to misspellings, URL hijacking also encompasses instances where the wrong top-level domain is used (e.g., comptia.gov), instances where domains and subdomains are obfuscated (e.g., login.comp.tia.org), and instances where a different form of a word is used (e.g., thecomptia.org). Note that many companies have expended significant effort in combating typosquatted domains, though some do fall through the cracks.
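
Organizations that monitor for typosquatted domains classify candidate hostnames (from proxy logs or domain-registration feeds) against the domains they protect. The following added example (not from the original page) implements the variant classes described above in Python: a transposition or single-character misspelling, a wrong TLD, obfuscated subdomains, and an affixed word form. The protected-domain list and the candidate hostnames are constructed assumptions, using the text’s own comptia.org examples.

```python
# Constructed input: the legitimate domains a defender wants to protect.
LEGIT_DOMAINS = ["comptia.org"]


def hostname(url_or_host):
    """Strip scheme and path so either a URL or a bare hostname can be classified."""
    host = url_or_host.split("://", 1)[-1].split("/", 1)[0]
    return host.lower().strip(".")


def split_host(host):
    """Return (labels, tld): ['login', 'comp', 'tia'] and 'org' for login.comp.tia.org."""
    parts = host.split(".")
    return parts[:-1], parts[-1]


def is_transposition(a, b):
    """True if b equals a with exactly one pair of adjacent characters swapped."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def is_one_edit(a, b):
    """True if b is a with one character substituted, inserted, or deleted."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def classify_lookalike(url_or_host, legit_domains=LEGIT_DOMAINS):
    """Return (verdict, matched_legit_domain) for a hostname or URL.

    Verdicts: legitimate, misspelling, wrong_tld, affixed_word,
    obfuscated_subdomains, unrelated, unknown.
    """
    labels, tld = split_host(hostname(url_or_host))
    if not labels:
        return ("unknown", None)
    sld = labels[-1]                          # registrable label, e.g. "comtpia"
    for legit in legit_domains:
        legit_labels, legit_tld = split_host(legit)
        brand = legit_labels[-1]              # e.g. "comptia"
        if sld == brand and tld == legit_tld:
            return ("legitimate", legit)      # covers real subdomains like www.comptia.org
        if sld == brand and tld != legit_tld:
            return ("wrong_tld", legit)       # comptia.gov
        if is_transposition(brand, sld) or is_one_edit(brand, sld):
            return ("misspelling", legit)     # comtpia.org
        if brand in sld:
            return ("affixed_word", legit)    # thecomptia.org
        if brand in "".join(labels):
            return ("obfuscated_subdomains", legit)  # login.comp.tia.org
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed candidates: the text's examples plus a genuine and an unrelated host.
    for candidate in ("comtpia.org", "comptia.gov", "login.comp.tia.org",
                      "thecomptia.org", "https://www.comptia.org/certifications",
                      "example.com"):
        print(candidate, "->", classify_lookalike(candidate))
```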
Spam and Spim

Spam is an attack where the user’s inbox is flooded with advertisements, promotions, get-rich-quick schemes, and other unsolicited messages. Like phishing, the term initially referred to email-based messaging, but may now more generally include any communication medium. Spam is often used in conjunction with phishing; the attacker attempts to overload as many targets as they can with unsolicited messages, hoping that at least some users will act on them.

Other than email, spam can also be carried over instant messaging (IM). For example, an attacker might send unsolicited messages to members of a Facebook group promising a great deal on a product, if only they follow a link. This is sometimes called spim. Spim may be harder to pull off because it requires a synchronous interaction. If the victim expects to interact with a person in real-time, they may grow more suspicious if the attacker doesn’t respond or doesn’t respond like a human (i.e., the sender is a bot). Still, spim has been known to work, especially when the target is not tech-savvy.

Because of the rise of robust filters in email and IM clients, spam and spim are less effective than they used to be. However, the volume of unsolicited messages is so great that, every day, an unsuspecting user is successfully snared by spam or spim.
Task Completion Through Social Engineering

Very often, an attacker does not have direct access to a system they want to compromise. They must depend on an unwitting user to help them. Besides opening malicious email attachments or providing information on the phone, the user might be persuaded into performing some other task that they should not. This usually takes more effort and skill on the part of the attacker. Examples include:

  • Disabling or bypassing security controls.
  • Granting physical or network access.
  • Creating or resetting credentials that the attacker can use.
  • Delivering or forwarding messages, faxes, documents, or emails.
  • Installing software.
  • Authorizing payments.
  • Connecting or disconnecting devices.
  • Reconfiguring a system.
Guidelines for Performing Social Engineering Tests

When performing social engineering tests:

  • Understand the basic components of social engineering and what ideas they rely on to be effective.
  • Leverage the techniques that motivate people to fall prey to social engineering.
  • Launch a phishing attack that entices targets to leak sensitive information.
  • Use media other than just email to phish sensitive information.
  • Create a convincing forgery of a popular website to entice targets to visit.
  • Use the forgery to capture input credentials, like in a login form.
  • Leverage gathered data about people to craft customized spear phishing attacks.
  • Consider targeting executives and other high-level personnel in a phishing attack.
  • Use impersonation techniques to make the attack seem more authentic, like posing as a help desk worker.
  • Use elicitation techniques to get targets to reveal information, like requests and surveys.
  • Leverage hoaxes to make attacks more convincing.
  • Drop a USB drive loaded with malware in a parking lot to see if anyone plugs it into their system.
  • Determine how users may fall victim to an attack by mistyping URLs.
  • Leverage spam techniques with phishing attacks to reach many users.
  • See how easy it is to observe employees at their computers without them noticing.
  • Consider how an office environment might make tailgating or piggybacking more or less effective.
