Google.  It's a powerful weapon.  Anyone who uses the internet understands that if you want to know something you don't know you "google" it.  So why not do the same when on a penetration test or when finding what public information about your company is available on the internet?  There is already a lot on the internet regarding this subject so I'm going to keep it pretty simple.  Say company "ABC" decides to hire you for an internal penetration test.  They want you to do some vulnerability scanning, phishing, and they want to ensure their confidential data is secure.  Before you start throwing Nessus, Metasploit, and SET at them you should start by gathering as much information about the company as you can.  Here are a few steps to get you started.

 

1. Google the company name -  Generally you will find their website, address, and maybe a social networking page or two.

 

2. Spider their website - Using something like Dirbuster to brute force the websites directories you may end up finding a page the development team didn't intend to publish.  Sometimes you will find login pages this way as well.  Uberharvest is a tool that will allow you to crawl a site to find valid email addresses.  Also, try to find their web access to email URL.  Typically this can be found at webmail.companyA.com, mail.companyA.com, or owa.companyA.com.

 

3. Check Linkedin.com - In the Google search box type this without quotes: "site:linkedin.com companyA engineer".  Using the "site" option your search results will be limited to linkedin.  A great deal of employees tend to place their resumes online.  Placing the name of the company (companyA in the example above) will help you find employees at the site you a trying to penetrate.  Using the title "engineer" or "administrator" will help you narrow down someone in IT.  Reasons you would want to find IT are that they typically have the keys to the kingdom, meaning they could possibly be domain administrators, making them prime targets.

 

4. Create a list of targets - Using the previous steps create a list of possible targets.  These are people that you may be able to social engineer.  You want names, job titles, email addresses, etc.

 

5. Pipl.com - Pipl.com is a great site for finding where people are on the internet.  It scours all of the social networking sites (facebook, myspace, linkedin, etc.) as well as many public records sites (addresses, whitepages, etc.) for the person you are trying to find.  Using these other sites you will be able to gather a great deal of information about your targets (hobbies, other email addresses, pet names, etc.).

 

6. Search for public documents - There are many "Google Hacks".  Finding documents a company didn't think were public or have forgotten about is as easy as searching: site:companyabc.com filetype:xls.  The filetype option allows you to search a specific domain for any files of the stated type.  Some filetypes to look for are xls, doc, pdf, sql, or txt.

 

The best part about this type of enumeration is that there is no footprint.  This can all be done with a web browser and an internet connection.

 

 

To show you how powerful this type of enumeration is I will give an example.  During the writing of this post I decided to pick a random company to find information about.  I Googled the company's name and it returned their main website, a Wikipedia posting, and a new website for a product they are beginning to market.  Using Google I searched "site:linkedin.com companyname engineer".  On the second page of the results I found an employee's linkedin page.  Clicking on the link I found out that this particular employee was a security engineer at the company.  Ok, let's use Pipl.com to see where else they are.  Pipl found this person's Facebook, Myspace, and Classmates accounts.  On their Myspace they list their hometown, sign, education, and they have photos showing their favorite band, pets name, and favorite baseball team.  If this were a real penetration test we could potentially use this information to devise a targeted phishing campaign and potentially get them to open a malicious email.  If this employee was indeed a domain admin and we compromised their account it would be game over. 

 

There are stories in the news everyday about groups being hacked.  You can look at any of my posts starting with "DAFTNEWS" and find an article referencing some sort of hack.  The primary way these businesses are being compromised is due to targeted phishing attacks.  You cannot rely on anti-virus alone to prevent these attacks.  It's extremely easy to bypass AV all together.  But that will be another post...