2015/03/31

Phishing 101: Target Identification / OSINT

When a new Phishing exercise/engagement is began, among the first items that will need to be collected is a list of target email addresses.  This is typically handled in one of two ways (or in some cases, a combination of them).

  1. The customer provides a list of email address that is to be targeted.  All phishing emails MUST be sent to one of the email address in the list.
  2. The attacker (you) must do your own research to identify potential email targets.

As the first way (customer provides the target list) is a bit boring to discuss here, we will be focusing on the second; finding your own targets.  This type of internet recon is typically referred to as OSINT (Open Source Intelligence).  As I covered a bit of OSINT in a previous post, I will review it here and add additional information as needed.

In your attempts to identify potential email targets for the phishing exercise/engagement, you will find that there are many resources (websites and tools) that can aid you in your research/intelligence gathering.  Some of the common website I find useful for identifying email addresses are:
Google, Bing, and other search engines can be a great asset in identifying email addresses.  Simply by searching for "@<targetdomain.com>" you should get a list of links that each contain an email address in the displayed description.  Then by simply copy-n-pasting the email addresses into a targets file, you can start building your list.  Please not that tools like "theHarvester" mentioned later can do this for you.

Social media sites are ripe with useful information.  Most of them have a way to search for people who say they work for a particular company.  Thus, by searching for "employees of <target company>" you should be presented with a list of potential employees.  Unfortunately, most social media sites do not display the email addresses.  However, they do usually display their first and last names.  Now, if you have been able to identify a few (or at least 1) valid email address, you should know the email address format.  Common email formats are: (fn=first name, fi=first initial, ln=lastname)

  • [fi][ln]@company.com
  • [fn].[ln]@company.com
  • [fn]_[ln]@company.com

By using this knowledge, and the list of first and last names you collected, you should be able to convert them into likely email addresses.  Again, it should be noted that the tool Recon-NG has the ability to semi-automate this process of searching social media sites, identifying reported employees, and mangling their names into potential email addresses.

Additionally, some of the common tools I typically employ in OSINT are:
"whois" is just a command line tool that allows you to look up information on a particular domain name.  Many times, this information will contain a few email addresses, names, and phone numbers.  All of which can be useful during the phishing exercise/engagement.

As mentioned before, "theHarvester" is a command line Linux tool that can perform various searches against common search engines, to identify email addresses and host names associated with a target domain name.

Again, as mentioned earlier, "Recon-NG" is a command line Linux tool, that can perform various searching using a multitude of online tools to identify potential employees of a company, identify potentially leaked passwords, generate potential target email address lists, and many other bits of useful information.

"Foca" is a windows binary that can search a given target website for any available documents (office docs, pdfs, etc) and then extracts the "metadata" from the documents to identify interesting information such as:

  • usernames
  • machine names
  • installed software
It should be noted that Foca is a commercial product, but does have a limited/free version available.

"Maltego" is sort of a "catch all" tool for OSINT.  Maltego can perform numerous "transforms" on entered and gathered data to identify associated data from numerous online sources.  For example, given a company name, it can identify potential email addresses.  From those email addresses, it can attempt to idenify the associate People (first name and last name) as well as any online accounts that have the associated email address.  And so on.  It should be noted that Maltego is a commercial product, but does have a limited/free version available.

By no means, is the lists above provided as all inclusive.  These are just some of the tools I find myself using on a regular basis.  new tools are being developed all of the time as well as improvements being made to the older tools.

In future blog posts, I may go into more detailed reviews of some of the mentioned tools, but for now, just know they exist and go, download them, and try them out.

As always, all comments/questions/criticisms are welcomed.

1 comment:

  1. This is a great primer. Using Google parameters is a great way to manually search for specific information--especially when working towards a uniquely identified target.

    ReplyDelete