Tips for an Information Security Analyst/Pentester career - Ep. 26: OSINT (Pt.5)
This time we're going to talk about some more open source intelligence tools that I have left out in the previous episodes.
Before analyzing these two tools in detail, I want to show how to redirect all the web traffic of your Kali Linux virtual machine through Tor.
The reason why I'm taking these precautionary steps is that one tool I want to show might gain access to industrial facilities accessible online, and I don't want to inadvertently run into any legal issues whatsoever.
To be on the safe side, what I'm going to show isn't located in the US.
Proxychains configuration
For you to redirect all your Internet traffic through Tor, you need to make some changes to the /etc/proxychains.conf file.
As this could egregiously mess up your settings, I strongly recommend creating a backup copy of the original file, so you can restore it should something go south.
This can be easily done through the command shown below.
Within the configuration file, you need to make two changes.
a) Switch the default setting to dynamic chain: by default, strict chain is used. Its downside is that, if you have a list of proxies and one of them is offline, the remaining proxies in the list will not be tried. Dynamic chain, instead, goes through the whole list, skipping the proxies that are down.
b) Add Tor as the default proxy: you need to enter the two lines shown below at the end of the configuration file. They point proxychains at Tor, which listens on local port 9050.
In the same section you can also add a list of other proxies you want to use, following the same format you see in the examples.
For more details on Tor installation and how to start its instance, check out the embedded video.
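The two edits above can be scripted so they are repeatable (and so a re-run does not stack duplicate proxy lines). The following is an added example written for this post, not a tool from the original article: it rewrites the proxychains configuration text, backs up the real file before touching it, and exposes two small inspection helpers so you can verify the result. The `socks4`/`socks5 127.0.0.1 9050` lines are my assumption of the two lines the post's screenshot shows, based on Kali's stock proxychains.conf; the sample configuration in the test is constructed.

```python
import shutil
import sys
from pathlib import Path

# Assumed content of the "two lines" the post appends: both SOCKS flavours
# pointed at Tor's local listener on 127.0.0.1:9050.
TOR_PROXY_LINES = ("socks4 127.0.0.1 9050", "socks5 127.0.0.1 9050")
CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain", "round_robin_chain")


def _norm(line: str) -> str:
    """Collapse tabs/multiple spaces so 'socks4\t127.0.0.1  9050' compares equal."""
    return " ".join(line.split())


def rewrite_proxychains(config_text: str) -> str:
    """Return the config with dynamic_chain enabled and the Tor proxies appended.

    Idempotent: applying it to its own output yields identical text.
    """
    out = []
    for line in config_text.splitlines():
        s = _norm(line)
        if s == "strict_chain":
            out.append("#strict_chain")        # comment out the default mode
        elif s == "#dynamic_chain":
            out.append("dynamic_chain")        # enable skipping of dead proxies
        else:
            out.append(line)
    present = {_norm(l) for l in out}
    for proxy in TOR_PROXY_LINES:
        if proxy not in present:               # only add what is missing
            out.append(proxy)
    return "\n".join(out) + "\n"


def chain_mode(config_text: str) -> str:
    """Report the active chain mode (first uncommented *_chain keyword)."""
    for line in config_text.splitlines():
        s = _norm(line)
        if s in CHAIN_MODES:
            return s
    return "unknown"


def proxy_list(config_text: str) -> list:
    """Return the uncommented proxy entries found after the [ProxyList] header."""
    entries, in_list = [], False
    for line in config_text.splitlines():
        s = _norm(line)
        if s == "[ProxyList]":
            in_list = True
            continue
        if in_list and s and not s.startswith("#"):
            entries.append(s)
    return entries


def apply_to_file(path: str = "/etc/proxychains.conf") -> None:
    """Back up <path> to <path>.bak (the copy the post recommends), then rewrite it."""
    cfg = Path(path)
    shutil.copy2(cfg, cfg.with_name(cfg.name + ".bak"))
    cfg.write_text(rewrite_proxychains(cfg.read_text()))


if __name__ == "__main__":
    # Needs root for the real file: sudo python3 this_script.py
    apply_to_file(sys.argv[1] if len(sys.argv) > 1 else "/etc/proxychains.conf")
```

After running it, `chain_mode()` on the new file contents should report `dynamic_chain` and `proxy_list()` should end with the two Tor entries; if you later add your own proxies to the list, the rewrite leaves them in place because it only touches the two chain keywords and the Tor lines.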
a) Maltego
Maltego is a very powerful open source intelligence tool. The reason why I have left it out before is that, although it uses public domain information, I'm not 100% positive it doesn't interact somehow with the target.
However, it's too powerful a tool for me to overlook; I personally like it a lot and I used it extensively in a couple of forensics classes.
What's good about this tool is the unbelievable amount of information you can obtain on the target and the fact that it's very visual.
It lets you create complex graphs of a network or a domain, highlighting devices like routers, switches and firewalls.
I'm barely scratching the surface with this post.
I hope that provides you a good basis to build upon with more advanced tutorials.
In my example, I'm using the free community version that comes with Kali, which will suffice for our purposes.
However, for professional use you should purchase a paid license.
You have several options to choose from when starting the tool. In this tutorial, I chose to start from a blank graph, which isn't what I normally do, to give you a clearer overview of the basics.
If you want to dig deeper, I invite you to play around with this tool (already installed with Kali), and especially to explore the Run a machine option, which I won't cover here due to time constraints.
For the purposes of my analysis, I used nmap.org.
Maltego has a bunch of available plug-ins, called transforms, that allow you to do pretty much whatever you want.
After choosing a blank graph, you find yourself on a blank canvas.
On the left you'll see the entities you can drag to the graph and, based on the entities you use, they can have different transforms associated with them.
I started by dragging a domain entity and then I used a transform to retrieve all websites associated with it.
I used several transforms that allowed me to dig deeper and deeper (check out the embedded video for more details) and I ended up with the graph below.
You can actually export graphs you create with Maltego to different formats, like Visio, but this functionality comes with the paid version.
Graphs like this provide you with a very straightforward overview of your target and, at the same time, look good on a professional report.
b) Shodan: It's a very important tool, very popular in the hacker community. It's widely used to find vulnerable devices, ranging from routers to webcams to smart devices, belonging to the so-called Internet of things.
It can be a useful tool if you do physical penetration testing, because you can access surveillance cameras, which are sadly often connected to the Internet, without any apparent reason for it.
You can often break in by guessing the password, as most users never change the default credentials shipped with their device after buying it.
If you're lucky enough, you may run into completely unprotected devices, like I did in the video. From the camera feed you can work out possible ways to physically access that location for penetration testing purposes.
What's scary here is this tool can easily give access to industrial facilities, such as SCADA plants, and, if weak credentials are used, bad guys can easily wreak havoc with that.
Stuff like that shouldn't be connected to the Internet in the first place, or the network these industrial plants are in should be physically segmented and isolated.
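The flip side of the Shodan discussion is the asset owner's job: finding out what of your own estate Shodan can see before someone else does. The following is an added example for this post, not code from the article or from Shodan: it takes banner records in the JSON shape Shodan exports (the `ip_str`, `port`, `product` and `data` fields) and triages them the way the paragraphs above suggest, flagging industrial protocols that should never be Internet-reachable and camera web interfaces that answer without an authentication challenge. The port-to-protocol table and the severity rules are this example's own heuristics, and the records are constructed (TEST-NET-3 addresses), not real hosts.

```python
import json
import re

# Industrial protocols an asset owner does not want reachable from the Internet.
# Port numbers are the usual assignments; the mapping itself is this example's.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "Siemens S7 (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet",
}
CAMERA_PORTS = {554: "RTSP", 37777: "Dahua DVR"}
CAMERA_WORDS = ("camera", "webcam", "dvr", "nvr")

# Constructed export in Shodan's banner JSON shape (one record per line).
SAMPLE_EXPORT = "\n".join([
    json.dumps({"ip_str": "203.0.113.10", "port": 502, "transport": "tcp",
                "product": "Modbus", "data": "Modbus/TCP\nUnit ID: 1"}),
    json.dumps({"ip_str": "203.0.113.11", "port": 80, "transport": "tcp",
                "product": "IP Camera Web Server",
                "data": "HTTP/1.1 200 OK\r\nServer: Boa/0.94\r\n"}),
    json.dumps({"ip_str": "203.0.113.12", "port": 80, "transport": "tcp",
                "product": "Webcam",
                "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"cam\"\r\n"}),
    json.dumps({"ip_str": "203.0.113.13", "port": 443, "transport": "tcp",
                "product": "nginx", "data": "HTTP/1.1 200 OK\r\n"}),
])


def load_records(export_text: str) -> list:
    """Parse newline-delimited JSON banner records, skipping blank lines."""
    return [json.loads(l) for l in export_text.splitlines() if l.strip()]


def triage(records: list) -> list:
    """Return findings (ip, port, severity, reason) for records worth acting on."""
    findings = []
    for r in records:
        port = r.get("port")
        product = (r.get("product") or "").lower()
        banner = r.get("data") or ""
        http_status = re.match(r"HTTP/\d\.\d (\d{3})", banner)

        if port in ICS_PORTS:
            findings.append({"ip": r["ip_str"], "port": port, "severity": "critical",
                             "reason": f"{ICS_PORTS[port]} reachable from the Internet; "
                                       "move to a segmented, isolated network"})
            continue

        looks_like_camera = port in CAMERA_PORTS or any(w in product for w in CAMERA_WORDS)
        if looks_like_camera:
            if http_status and http_status.group(1) == "200":
                sev, why = "high", "camera web UI answers without an authentication challenge"
            else:
                sev, why = "medium", "camera/DVR service exposed; confirm default credentials were changed"
            findings.append({"ip": r["ip_str"], "port": port, "severity": sev, "reason": why})
    return findings


def severity_counts(findings: list) -> dict:
    """Summarise findings per severity for a report table."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(load_records(SAMPLE_EXPORT))
    for f in sorted(results, key=lambda f: f["ip"]):
        print(f"{f['severity']:8} {f['ip']}:{f['port']}  {f['reason']}")
    print(severity_counts(results))
```

Run against your own organisation's exported records, the `critical` bucket is the list of things the post says should not be connected in the first place; the `medium` bucket is where the default-credential check belongs, since a `401` only tells you a password is being asked for, not that it was ever changed.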
Wrap-up
Open source intelligence can lead to very important outcomes but needs to be performed responsibly.
Always remember what the scope of your pentest is and to cover your tracks.
This is less important for pentesters than it is for black hat hackers, but you don't want the alarm to be triggered too soon in your pentest.
If you get caught too early, because you messed up egregiously, you can't know whether this is a real indicator the organization's security posture is strong.
If you sucked and created a lot of noise, that doesn't necessarily mean all the members of the organization have done their job right.
If you drop a file called MALWAREHERE.EXE on the victim machine, it's no surprise you get caught (and if you don't get caught even in such a case, it would be the right time for the whole organization to implement or enhance a security awareness training program).