2015/03/31

Phishing 101: Target Identification / OSINT

When a new phishing exercise/engagement begins, one of the first items that needs to be collected is a list of target email addresses.  This is typically handled in one of two ways (or, in some cases, a combination of them).

  1. The customer provides a list of email addresses to be targeted.  All phishing emails MUST be sent to one of the email addresses in the list.
  2. The attacker (you) must do your own research to identify potential email targets.

As the first way (the customer provides the target list) is a bit boring to discuss here, we will be focusing on the second: finding your own targets.  This type of internet recon is typically referred to as OSINT (Open Source Intelligence).  As I covered a bit of OSINT in a previous post, I will review it here and add additional information as needed.

In your attempts to identify potential email targets for the phishing exercise/engagement, you will find that there are many resources (websites and tools) that can aid you in your research/intelligence gathering.  Some of the common websites I find useful for identifying email addresses are:

Google, Bing, and other search engines can be a great asset in identifying email addresses.  Simply by searching for "@<targetdomain.com>" you should get a list of links that each contain an email address in the displayed description.  Then, by simply copying and pasting the email addresses into a targets file, you can start building your list.  Please note that tools like "theHarvester", mentioned later, can do this for you.

Social media sites are rife with useful information.  Most of them have a way to search for people who say they work for a particular company.  Thus, by searching for "employees of <target company>" you should be presented with a list of potential employees.  Unfortunately, most social media sites do not display email addresses.  However, they do usually display first and last names.  Now, if you have been able to identify a few (or at least one) valid email addresses, you should be able to infer the email address format.  Common email formats are (fn = first name, fi = first initial, ln = last name):

  • [fi][ln]@company.com
  • [fn].[ln]@company.com
  • [fn]_[ln]@company.com

By using this knowledge, together with the list of first and last names you collected, you should be able to convert those names into likely email addresses.  Again, it should be noted that the tool Recon-NG can semi-automate this process of searching social media sites, identifying reported employees, and mangling their names into potential email addresses.
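As an added example (not code from this post or from any of the tools it names), here are the two manual steps above in Python: pull the addresses for one domain out of pasted search-result text, infer which of the listed formats the addresses you have confirmed follow, and mangle a name list into candidate addresses in that format.  The search snippets, domain and names are constructed for the example; a defender can run the same logic against their own staff directory to see how predictable their address scheme is.

```python
import re
from collections import Counter

# Constructed sample text in the style of search-engine result snippets;
# the domain and the people are made up for this example.
SAMPLE_RESULTS = """
Contact Jane Doe at jane.doe@example.com for press inquiries.
John Smith <John.Smith@example.com> - Regional Sales
General support: help@example.com (Mon-Fri)
Unrelated hit: jane.doe@other-site.org
"""

# Loose address pattern, good enough for pulling candidates out of free text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# The three common formats named in the post (fn = first name, fi = first initial, ln = last name).
FORMATS = {
    "[fi][ln]": lambda fn, ln: fn[0] + ln,
    "[fn].[ln]": lambda fn, ln: fn + "." + ln,
    "[fn]_[ln]": lambda fn, ln: fn + "_" + ln,
}

def _norm(name):
    # Lower-case and drop anything that is not a letter (spaces, hyphens, apostrophes).
    return re.sub(r"[^a-z]", "", name.lower())

def extract_addresses(text, domain):
    """Return the unique, lower-cased addresses at `domain` found in free text."""
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    return sorted(a for a in found if a.endswith("@" + domain.lower()))

def infer_format(known, domain):
    """Vote on which format explains the (first, last, address) triples already confirmed.
    Returns the format name, or None when no format matches any triple (e.g. only role accounts)."""
    votes = Counter()
    for first, last, address in known:
        local, _, dom = address.lower().partition("@")
        if dom != domain.lower():
            continue
        for name, build in FORMATS.items():
            if build(_norm(first), _norm(last)) == local:
                votes[name] += 1
    return votes.most_common(1)[0][0] if votes else None

def mangle(names, fmt, domain):
    """Turn (first, last) pairs into candidate addresses using the chosen format."""
    build = FORMATS[fmt]
    return [build(_norm(f), _norm(l)) + "@" + domain.lower() for f, l in names]
```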

Additionally, some of the common tools I typically employ in OSINT are:

"whois" is just a command line tool that allows you to look up registration information on a particular domain name.  Many times this information will contain a few email addresses, names, and phone numbers, all of which can be useful during the phishing exercise/engagement.

As mentioned before, "theHarvester" is a command line Linux tool that can perform various searches against common search engines, to identify email addresses and host names associated with a target domain name.

Again, as mentioned earlier, "Recon-NG" is a command line Linux tool that can perform various searches using a multitude of online services to identify potential employees of a company, identify potentially leaked passwords, generate potential target email address lists, and gather many other bits of useful information.

"Foca" is a Windows binary that can search a given target website for any available documents (Office documents, PDFs, etc.) and then extract the "metadata" from those documents to identify interesting information such as:

  • usernames
  • machine names
  • installed software

It should be noted that Foca is a commercial product, but does have a limited/free version available.

"Maltego" is sort of a "catch all" tool for OSINT.  Maltego can perform numerous "transforms" on entered and gathered data to identify associated data from numerous online sources.  For example, given a company name, it can identify potential email addresses.  From those email addresses, it can attempt to identify the associated people (first name and last name) as well as any online accounts tied to those email addresses.  And so on.  It should be noted that Maltego is a commercial product, but does have a limited/free version available.

By no means are the lists above all inclusive.  These are just some of the tools I find myself using on a regular basis.  New tools are being developed all of the time, as well as improvements being made to the older tools.

In future blog posts I may go into more detailed reviews of some of the mentioned tools, but for now, just know that they exist; go download them and try them out.

As always, all comments/questions/criticisms are welcomed.

2015/03/27

Phishing 101: An Intro

If you search on the internet or attend pretty much any security conference, you will find a plethora of information on what "phishing" is and how to perform it.  As such, this post (and the following ones in the series) will just cover the high points and provide useful references on where you can find more in-depth information.

At its core, phishing is the sending of an email to a target with the intent of having the target perform some action which will lead to the attacker gaining some new piece of information or access.

The statement is a bit vague, and it is meant to be so.  That is because phishing can take many forms with many different desired outcomes.  The typical outcomes are:

  • harvesting credentials from a target, typically via a credential harvesting website
  • compromise of the target's web browser via a drive-by browser attack or a malicious Java payload
  • compromise of the target's system, typically via a malicious attachment

For the purposes of this blog post and the following ones, we will be discussing phishing primarily from the perspective of a contractually/legally authorized phishing exercise/engagement.

For most phishing exercises/engagements, the following four steps will occur:

  1. Target identification via
    1. the customer providing the target list
    2. the attacker performing Open Source Intelligence gathering (OSINT)
  2. One or more websites are designed and made active.
    1. Two possible site types are:
      1. credential harvesting
      2. browser exploit
  3. The attacker will craft and then send the phishing emails to the target email addresses.
    1. These emails could be nothing more than a simple template containing a URL to one of the previously designed websites, or they could contain a malicious attachment.
  4. As the exercise/engagement progresses, the attacker will monitor the results and use them to ultimately create a report for the customer.

Each of these steps will be discussed in more detail in future blog posts.