Weaponization is the process of turning the results of passive reconnaissance into directions or launch points for active reconnaissance and preliminary attacks. This will ensure that the more overt phases of the pen test process are influenced by your previous actions, rather than being isolated and therefore missing out on key information that could enhance their effectiveness.
In order to weaponize your findings, you'll need to analyze them for potential content of interest. What exactly is of interest will depend greatly on the pen test scope, the capabilities of your team, and the target's assets and day-to-day business operations. During your analysis, you'll also need to consider these findings not in a vacuum, but as parts of a bigger picture. It may not be clear which direction you should take with a particular piece of information until you combine that information with something else or consider how it may pertain to a larger environment.
Another key component of findings analysis is separating the signal from the noise—in other words, determining what information you gathered is not useful to the pen test and should be discarded or otherwise set aside during future phases. Failing to do so may impede the progress of the pen test or lead you astray when it comes to weaponizing the results through targeted exploits.
Content of Interest
The following are some examples of passive reconnaissance content that may be of interest to your weaponization efforts:
- IP addresses and subdomains that may lead to opportunities in the test.
- External or third-party domains and websites that may be related to the target organization.
- Key personnel related in some way to the target organization, and their contact information.
- Personal information or other points of data that may facilitate social engineering tests.
- Information that reveals specific types of technology used by the target organization.
IP Addresses and Subdomains
IP addresses gained from OSINT will usually be public ranges that are allocated to the target organization. The organization uses this block of public addresses to communicate with the untrusted Internet and other external networks, often for the purpose of providing online services to customers and external personnel. Through active scanning, you can leverage these IP addresses in order to discover active services, open ports, operating system information, and more. It's important to note, however, that hosts accessible through public address blocks are most likely to be public-facing resources like web servers, FTP servers, mail servers, etc. There's a much smaller chance that you'll be able to use public IP addresses to discover a domain controller, for example.
You might also be able to leverage public IP addresses as an entry point into the private network. Assuming the hosts running these public services are vulnerable in some significant way, their exposure to the Internet can provide you with a vector for further compromise.
Although less likely, it is possible that you'll find private IP addresses and subnet ranges amongst your gathered OSINT. This usually happens due to accidental leakage of sensitive data. For example, the organization might publish a network diagram or list of network hosts to a section of their site that fails to properly control access to resources. Even if the sensitive document is not easily visible or accessible from the site, you may be able to use a tool like Recon-ng to crawl for hidden file downloads. If you do manage to obtain private IP addresses in this way, you might be able to better focus your active scanning tools on specific addresses, rather than scanning entire subnets, which is more likely to attract attention.
Subdomains enumerated from DNS records and other resources can also help you focus your active reconnaissance and exploitation efforts. For example, the target organization might run a marketing site on the domain example.tld. Your OSINT gathering on that same domain might indicate the presence of a subdomain called intranet.example.tld. By the name alone you can deduce that this subdomain is likely a gateway to privileged access—and therefore, something you might want to investigate further. You can also tie in your public IP address findings to specific subdomains.
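The triage described above (separating signal from noise, spotting leaked private addresses, and tying subdomains to the organization's allocated public block) can be done mechanically before any active work starts. The following is an added example, not part of the original course material; the scope block 203.0.113.0/24, the subdomains, and the resolved addresses are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample findings: (subdomain, resolved address) pairs as passive
# reconnaissance (DNS records, certificate logs, leaked documents) might yield.
FINDINGS = [
    ("www.example.tld", "203.0.113.10"),
    ("intranet.example.tld", "203.0.113.25"),
    ("intranet.example.tld", "10.20.30.40"),     # private address leaked in a document
    ("mail.example.tld", "198.51.100.7"),        # hosted outside the allocated block
    ("shop.example.tld", "not-an-ip"),           # garbage record: noise
]

# Constructed: the public range the scope document allocates to the target.
IN_SCOPE = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918, loopback and link-local ranges, listed explicitly because Python's
# ip.is_private also covers the documentation ranges used in this sample.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def classify(ip_text, in_scope=IN_SCOPE):
    """Return 'in_scope', 'private_leak', 'out_of_scope' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if any(ip in net for net in PRIVATE_NETS):
        return "private_leak"          # report as a data-leakage finding
    if any(ip in net for net in in_scope):
        return "in_scope"
    return "out_of_scope"              # third-party hosting: needs authorization


def triage(findings, in_scope=IN_SCOPE):
    """Bucket findings by category; map each subdomain to its in-scope hosts."""
    buckets = defaultdict(list)
    by_host = defaultdict(set)
    for name, ip_text in findings:
        cat = classify(ip_text, in_scope)
        buckets[cat].append((name, ip_text))
        if cat == "in_scope":
            by_host[name].add(ip_text)
    return dict(buckets), {k: sorted(v) for k, v in by_host.items()}
```

Only the in_scope bucket feeds later active reconnaissance; private_leak entries are written up as an exposure for the organization to fix, and out_of_scope entries are held until the scope question is settled.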
External and Third-Party Sites
As you've seen, there are many different types of websites that might be distinct from the organization's main websites, yet still related in some way. By performing OSINT on sites owned by the target's partners, sites owned by consultants and contractors known to work with the target organization, and more, you'll potentially expand your knowledge of the target's business operations, personnel, and assets.
How you proceed with this information will depend on your pen test scope and whether or not the information is actionable. If you discover a site owned by a contractor the target organization has worked with in the past, you may be prohibited from gathering any further information through more direct methods like active reconnaissance. After all, the contractor's business is not wholly owned by the organization, and has not necessarily agreed to be subjected to the pen test. Even if such action is authorized, you may find that the information you gathered from the third party is too loosely associated with the parameters of the test. For example, a contractor's website will have its own public IP address, but this probably isn't relevant to the test. You might need to discard such information.
There are many more types of third-party sites, however. Any site that isn't owned by the target organization can be included. For example, the Glassdoor website enables employees to review their place of employment and its management. The target organization may have been reviewed on this site, and those reviews may reveal interesting information about the type of people that work there, the business processes in place, and the technology that is used. The organization has no direct control over this site, yet it can still aid your pen test.
People
How you leverage the information about people you gathered from WHOIS, social media profiles, PGP email key searches, the organization's website, and more, will depend on several factors. Those factors include, but are not limited to:
- The role the people play in the organization; e.g., their job title or management level, if any.
- The people's day-to-day responsibilities.
- The teams and departments that the people work in; i.e., who they work with.
- The people's business-related identification details; e.g., phone numbers, email addresses, office location, workspace location, etc.
- The people's technical aptitude and whether or not they've been trained in end-user security.
- The people's mindsets and perspectives on their employers and colleagues; e.g., office politics.
Consider some of the following scenarios:
- You gather an executive's email address, office location, role in the company, and who they manage, all from the organization's website. You then prepare this information to use in a spear phishing attack to try and get them to authorize a fraudulent payment.
- You discover the social media profiles of an accounts payable employee that has information on their date of birth, relationships, interests, and more. You then prepare your password cracking attempts to use these details in a wordlist to minimize the time and effort required.
- You discover that a network administrator is dissatisfied with their colleagues by reading the employee's rambling posts on Facebook. The employee complains that their colleagues have a lax attitude toward securing and monitoring the network. You then prepare to focus your tests on finding the weaknesses that may exist due to these negligent employees.
Note that not all people who may be useful to your pen test are necessarily employees of the target organization or work with the organization in any capacity. They may be friends, family, or customers. You can potentially learn a lot from people who have different interactions with an organization than an employee would.
Social Engineering
One of the most powerful and effective tactics for leveraging people information is social engineering. Social engineering is the practice of deceiving people into giving away access to unauthorized parties or otherwise enabling those parties to compromise sensitive assets. The target of social engineering is unaware that they are being tricked, and is therefore not malicious but ignorant of the situation. Social engineering is very commonly used by attackers because it can be extremely effective. People are naturally trusting of other human beings, and most are agreeable and want to avoid conflict or confrontation. Attackers therefore exploit people's eagerness to trust others.
Social engineering is a logical next step after gathering people-based OSINT. The personal data you gather can tell you a lot about a person, including their interests, their demeanor, and how they live their lives from day to day. For example, cracking a password can be very difficult, and under certain circumstances, improbable. Rather than taking this technical approach to gaining access, why not try to get this password from the person who uses it? By gathering people information, you can identify employees in the organization and their email addresses, phone numbers, and other points of contact. You can then attempt to contact an individual, and, using one or more techniques, trick them into providing their password. You obtained something very valuable to the test without putting forth the effort, time, and risk of conducting a more technical attack.
Social engineering tests can target many different people with many different job roles. Among the most common targets are employees who handle sensitive financial data. If you manage to identify such an employee, you might try to entice them into sending you money by pretending to be someone actually deserving of that money, like an executive at the company. High-profile personnel like executives and managers are another common target of social engineering. These people tend to hold the greatest amount of access in an organization, and in many cases, rely on others to complete specific tasks. You might focus your social engineering tests on these personnel to see how easily they hand over information that they shouldn't.
Keep in mind that, because social engineering involves exploiting real human beings and the trust they place in others, some pen test scopes will prohibit certain tactics, or even social engineering altogether. You must be aware of how your actions may affect others before leveraging people information.
Technologies
OSINT tools like Maltego, and even standard Google searches or Google hacking searches, can reveal the technologies that a public website or other resource is built with. By identifying the type of technology, as well as its version information, you can better prepare to exploit specific scenarios. If your target is a web server, and you identified that the web server is running on Apache, you may consider focusing your active reconnaissance efforts on enumerating Linux-based hosts, rather than Windows-based hosts. By that same token, the technology that an organization uses may indicate a reliance on specific vendors for other technology assets that are either private or weren't obtained as part of your OSINT gathering. For example, a web server that runs the ASP.NET framework on version 6 of Microsoft's Internet Information Services (IIS) will tell you a lot about not just the web server itself, but might also suggest that the organization runs Windows servers for other resources—perhaps in an Active Directory (AD) environment.
To best leverage your findings on an organization's technologies, you should research those technologies for vulnerabilities. Major vendors will often issue alerts for their products in which they detail security issues related to specific versions. You can use this as an opportunity to hone your later vulnerability scans, improving their efficiency and increasing the chances that you'll find something actionable.
On the other hand, the information you gather about an organization's technologies can tell you where its defenses are strong. If a piece of technology is up to date and no known vulnerabilities exist, it may be wise to rule this technology out as either a target or an attack vector. That way you can focus on other resources that may not be so well protected.