Reaping a Rich Harvest
First Published: SC Magazine September 2004

An important phase of any security assessment is passive information gathering. Unfortunately, the security benefits of this phase are the least understood by many organizations, and it is consequently the phase most often dropped to save cost.

During this phase, information is gleaned from a variety of external (non-client) sources and from data-gathering techniques directed at the infrastructure that are indistinguishable from typical network traffic, so they would not normally be identified as anything more.

A great deal of important information can be passively harvested and then used in a direct attack, or to reinforce other attacks targeted at the organization. Depending upon the source, information such as current service patch levels, the internal network architecture and account details can be obtained with little effort. Just as importantly, with a little insight into where this information comes from and how detailed it is, an organization can often close the leak simply and quickly.

There is a popular saying in the underground when it comes to passive information gathering: “Google is my friend.” It is surprising what can be unearthed using an advanced public search engine, particularly one as sophisticated as Google. Not only does Google allow you to search for specific text strings, it also caches page content, so even after an offending or insecure page has been withdrawn from a web site, an attacker can still call up and analyze the cached copy.

Quite often other information gems appear through conventional searching techniques. In the past I have discovered client firewall configuration manuals, internal auditing manuals and confidential financial analysis documents just by searching for different permutations of the organization’s name and restricting the search to .doc and .xls file extensions. Searching newsgroups and other public posting areas often reveals infrastructure details, as the organization’s administrators pose or answer questions relating to specific components of their network or software.

For example, one client had posted advice on getting a new security patch for AIX systems to work, telling the group that the only way they had managed it was by removing certain other “less likely to be exploited” security patches. Not only did this reveal the type and patch level of their server, it also listed the patches they had removed, and therefore the vulnerabilities they had reopened. In other cases, such details can be used for social engineering or extortion purposes.

Another important aspect of passive information gathering is the harvesting of email addresses. Most organizations follow one of two naming models for their users’ email addresses: either the address contains the user’s full name, or it is an abbreviated form that maps directly to the user’s logon ID. The full name is useful for social engineering attacks, while the abbreviated form supplies half of the user-name/password pair needed to log into corporate resources. These addresses may be extracted from the organization’s web site or purchased from the vendors of spam mailing lists. Of most value are the names and email addresses of staff with technical administrative authority; they can often be found in domain registration entries, complete with billing address information.
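As an added example, not from the original article, the following Python script shows how the abbreviated-address model described above is turned into usable logon names: given a few (full name, address) pairs harvested from a web site, it votes each pair against a set of candidate naming schemes, reports the best fit and its confidence, and then applies the winning scheme to every other name found on the site. The scheme names, the staff names and the example.com domain are constructed for illustration.

```python
"""Infer an organization's email-address naming scheme from a few harvested
(full name, address) pairs, then turn every other name gathered from the web
site into a probable logon ID.

Added example for this article, not the author's code. The scheme names,
the staff names and the domain example.com are constructed for illustration."""

import re
from collections import Counter

# Candidate schemes: how a local part is built from (first, last), lower-case.
SCHEMES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",      # initial + surname
    "firstl":     lambda f, l: f"{f}{l[0]}",      # forename + initial
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
}

# Constructed sample: names taken from a "contact us" page alongside the
# addresses that accompanied them. One entry follows an older scheme.
SAMPLE_PAIRS = [
    ("Alice Jones", "ajones@example.com"),
    ("Bob O'Neil", "boneil@example.com"),
    ("Carol Smith", "carol.smith@example.com"),
]
# Constructed sample: staff named on the web site without an address.
SAMPLE_STAFF = ["Dave Brown", "Erin Lee", "Mary Ann Clark"]


def _split_name(full_name):
    """Return (first, last) in lower case, dropping middle names and any
    punctuation: "Bob O'Neil" -> ("bob", "oneil")."""
    parts = re.sub(r"[^a-z ]", "", full_name.lower()).split()
    return parts[0], parts[-1]


def infer_scheme(pairs):
    """Vote each (name, address) pair against every scheme.

    Returns (scheme, confidence), where confidence is the fraction of pairs
    the winning scheme explains, or (None, 0.0) if no scheme explains any."""
    pairs = list(pairs)
    votes = Counter()
    for full_name, email in pairs:
        local = email.split("@", 1)[0].lower()
        first, last = _split_name(full_name)
        for name, build in SCHEMES.items():
            if build(first, last) == local:
                votes[name] += 1
    if not votes:
        return None, 0.0
    scheme, hits = votes.most_common(1)[0]
    return scheme, hits / len(pairs)


def candidate_logins(scheme, full_names):
    """Apply an inferred scheme to harvested names: the result is the list of
    probable logon IDs, i.e. the user-name half of each credential pair."""
    build = SCHEMES[scheme]
    return [build(*_split_name(n)) for n in full_names]


if __name__ == "__main__":
    scheme, confidence = infer_scheme(SAMPLE_PAIRS)
    print(f"scheme={scheme} confidence={confidence:.2f}")
    for name, login in zip(SAMPLE_STAFF, candidate_logins(scheme, SAMPLE_STAFF)):
        print(f"{name:16} -> {login}@example.com")
```

The confidence figure is worth reading: a split result such as two addresses in one scheme and one in another can indicate a legacy scheme or an acquired company, so both candidate forms are worth keeping. Run against an organization’s own published addresses, the same script shows how cheaply item (7) of the list at the end of the article is defeated when logon names and addresses coincide.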

A frequently overlooked source of information lies in the headers of an organization’s outbound email. Email headers provide insight into internal server naming, IP numbering schemes, the type and version of content filter or anti-virus product, service patch levels and even the version of the sender’s mail client.

The naming of the organization’s servers can also be useful ammunition. Common mistakes include appending abbreviations for the physical location of the server (e.g. LON for London), the operating system (e.g. W2K for Microsoft Windows 2000), the server’s function (e.g. FW for firewall), the manufacturer, and even the network location (e.g. DMZ2).
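As an added example serving both the email-header paragraph and the naming-convention point above (it is not the author’s code and not from the original article), the following Python script parses the headers of a constructed sample message, walks the Received: chain to recover internal host names and RFC 1918 addresses, records the server software, content-filter and mail-client version strings, and flags host-name tokens that give away location, operating system, role or network position. Every host name, address and version string in the sample is made up, and the token lists are an illustrative starting point rather than any standard.

```python
"""Pull infrastructure details out of the raw headers of one email sent from
inside the target organization: the relay chain and any RFC 1918 addresses in
the Received: lines, the software stamped on each hop, the gateway's scanner
headers and the sender's mail-client version. Host names met along the way are
checked for tell-tale naming tokens. Added example for this article, not the
author's code; the message below is constructed and every value is made up."""

import ipaddress
import re
from email import message_from_string

# Constructed sample: the header block a recipient sees in the message source.
# Received: lines are prepended by each relay, so the last one is the origin.
SAMPLE_RAW = """\
Received: from mx-dmz2-fw.example.com (mx-dmz2-fw.example.com [203.0.113.10])
\tby inbound.recipient.example (Postfix) with ESMTP id 4A1B2C3D
\tfor <victim@recipient.example>; Wed, 01 Sep 2004 09:15:02 +0100
Received: from lon-w2k-exch01.corp.example.com ([10.20.30.15])
\tby mx-dmz2-fw.example.com with Microsoft SMTPSVC(5.0.2195.6713);
\t Wed, 01 Sep 2004 09:14:58 +0100
Received: from lon-ws0421 ([10.20.31.221]) by lon-w2k-exch01.corp.example.com
\twith Microsoft SMTPSVC(5.0.2195.6713); Wed, 01 Sep 2004 09:14:55 +0100
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-Scanned-By: MailScanner 4.32 with ClamAV
From: Alice Jones <ajones@example.com>
To: victim@recipient.example
Subject: quarterly figures

(body)
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Tokens that betray something about a host, keyed by what they leak. This is
# an illustrative starter list; extend it with the target's own conventions.
LEAKY_TOKENS = {
    "location": {"lon", "nyc", "par", "fra", "syd", "tok"},
    "os":       {"w2k", "w2k3", "nt4", "aix", "sol", "lnx"},
    "role":     {"fw", "exch", "dc", "sql", "ora", "web", "mx", "smtp", "vpn", "ws"},
    "network":  {"dmz", "lan", "wan", "int", "ext"},
}


def is_rfc1918(ip):
    """True only for the RFC 1918 private ranges; the stdlib's is_private also
    covers documentation ranges such as 203.0.113.0/24, which we do not want."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_received(value):
    """Describe one Received: hop. Fields absent from the header are None."""
    flat = " ".join(value.split())                      # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", flat)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
    m_by = re.search(r"\bby\s+(\S+)", flat)
    m_with = re.search(r"\bwith\s+(.+?)(?:;|\s+id\s|\s+for\s|$)", flat)
    ip = m_ip.group(1) if m_ip else None
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": ip,
        "internal": ip is not None and is_rfc1918(ip),
        "by": m_by.group(1) if m_by else None,
        "software": m_with.group(1) if m_with else None,
    }


def hostname_leaks(hostname):
    """Map leak categories to the tokens of the leftmost label that hit them,
    e.g. lon-w2k-exch01 -> location lon, OS w2k, role exch (digits ignored)."""
    label = hostname.split(".")[0].lower()
    found = {}
    for tok in re.split(r"[-_]", label):
        stem = tok.rstrip("0123456789")
        for category, words in LEAKY_TOKENS.items():
            if tok in words or stem in words:
                found.setdefault(category, []).append(tok)
                break
    return found


def analyse(raw):
    """Return a dict summarising everything the headers give away."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()                                      # origin first
    hosts = list(dict.fromkeys(h for hop in hops for h in (hop["from"], hop["by"]) if h))
    return {
        "hops": hops,
        "internal_ips": [h["ip"] for h in hops if h["internal"]],
        "hosts": hosts,
        "server_software": list(dict.fromkeys(h["software"] for h in hops if h["software"])),
        "mail_client": msg.get("X-Mailer"),
        "filters": [msg[k] for k in ("X-Scanned-By", "X-Virus-Scanned", "X-MimeOLE") if k in msg],
        "naming_leaks": {h: hostname_leaks(h) for h in hosts if hostname_leaks(h)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_RAW), indent=2))
```

Run against a message your own organization has sent, the same script is the check behind items (3) and (4) of the list at the end of the article: whatever it reports from the Received:, X-Mailer and scanner headers is what the outbound gateway should be stripping, and whatever it reports under naming leaks is what the host-naming convention is giving away. On Postfix, for example, a header_checks table entry with the IGNORE action deletes matching header lines (Postfix 2.5 and later offer smtp_header_checks, which applies only to mail leaving through the SMTP client).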

To make the process of passively gathering information about a client even easier, a number of web sites and online tools bring much of this information together. The benefit of using these online resources is anonymity: the queries originate from the third-party service, so the client’s logs and intrusion detection systems record nothing that would alert its operational staff that the first phase of a penetration test has already begun.

How to hide information

(1) Be prepared to ask third parties to remove copies or cached content.
(2) Educate your staff not to post information to public forums and newsgroups.
(3) Filter outbound email headers to remove internal routing information (Received: lines, internal host names and addresses, and client and scanner version strings).
(4) Don’t implement an obvious server naming convention.
(5) Change the banners on all internet-visible services to be less informative.
(6) Use role-based rather than personal email addresses in all internet-accessible material.
(7) Be wary of implementing email addressing schemes that use logon names.
(8) Use search engines to examine the information already out there.

    Copyright 2001-2007 © Gunter Ollmann