
Social Engineering - Christopher Hadnagy [23]


What they do

The products and services they provide

Physical locations

Job openings

Contact numbers

Biographies on the executives or board of directors

Support forum

Email naming conventions

Special words or phrases that can help in password profiling

Seeing people’s personal websites is also amazing because they will link to almost every intimate detail about their lives—kids, houses, jobs, and more. This information should be cataloged into sections because it will often be something from this list that is used in the attack.

Many times company employees will be part of the same forums, hobby lists, or social media sites. If you find one employee on LinkedIn or Facebook, chances are that many more are there as well. Trying to gather all that data can really help a social engineer profile the company as well as the employees. Many employees will talk about their job title in their social media outlets. This can help a social engineer to profile how many people may be in a department and how the departments are structured.

Search Engines

Johnny Long wrote a famous book called Google Hacking for Penetration Testers and really opened up many people’s eyes to the amazing amount of information that Google holds.

Google forgives but it never forgets, and it has been compared to the Oracle. As long as you know how to ask, it can tell you most anything you want to know.

Johnny developed a list of what he calls “Google Dorks,” strings that can be entered into Google to find information about a company. For example, if you were to type in site:microsoft.com filetype:pdf, you would be given a list of every file with the extension PDF on the microsoft.com domain.

Being familiar with search terms that can help you locate files on your target is a very important part of information gathering. I make a habit of searching for filetype:pdf, filetype:doc, filetype:xls, and filetype:txt. It is also a good idea to see if employees actually leave files like DAT, CFG, or other database or configuration files open on their servers to be harvested.

Entire books are dedicated to the topic of using Google to find data, but the main thing to remember is that learning Google’s search operators will help you develop your own queries.

A website like www.googleguide.com/advanced_operators.html has a very nice list of both the operands and how to use them.

Google is not the only search engine that reveals amazing information. A researcher named John Matherly created a search engine he called Shodan (www.shodanhq.com).

Shodan is unique in that it searches the net for servers, routers, specific software, and so much more. For example, a search of microsoft-iis os:"windows 2003" reveals the following number of servers running Windows 2003 with Microsoft IIS:

United States 59,140

China 5,361

Canada 4,424

United Kingdom 3,406

Taiwan 3,027

This search is not target-specific, but it does demonstrate one vital lesson: the web contains an amazing wealth of information that needs to be tapped by a social engineer seeking to become proficient at information gathering.

Whois Reconnaissance

Whois is a name for a service and a database. Whois databases contain a wealth of information that in some cases can even contain full contact information of the website administrators.

Using a Linux command prompt or a website like www.whois.net can lead you to surprisingly specific results, such as a person’s email address, telephone number, or even DNS server IP address.

Whois information can be very helpful in profiling a company and finding out details about their servers. All of this information can be used for further information gathering or to launch social engineering attacks.
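The whois lookup described above, as an added example that is not from the book: a raw RFC 3912 query on TCP port 43 plus a parser that lists the names, email addresses, phone numbers and name servers a record exposes, so an organization can audit its own registration for the contact details a social engineer would harvest. The whois record shown is constructed (example-corp.test is a placeholder domain); the live query function is included but not exercised offline.

```python
import re
import socket

# Constructed sample whois record (placeholder domain, not a real registration),
# embedded so the parsing functions below run without network access.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Placeholder Registrar, Inc.
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
Admin Name: Jane Doe
Admin Email: jane.doe@example-corp.test
Admin Phone: +1.5555550123
Tech Email: hostmaster@example-corp.test
"""

def whois_query(domain, server="whois.iana.org", timeout=10):
    """Raw RFC 3912 exchange: connect to port 43, send the domain plus CRLF,
    read until the server closes the connection."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{domain}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists; keys such as
    'Name Server' legitimately repeat, and comment lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("%", "#", ">>>")):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            fields.setdefault(key, []).append(value)
    return fields

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d.\-() ]{6,}\d")
CONTACT_NAME_KEYS = ("Registrant Name", "Admin Name", "Tech Name")

def exposed_contacts(text):
    """Return the personal contact details a whois record exposes, which is
    what a defender checks when deciding whether to enable registrar privacy."""
    fields = parse_whois(text)
    names = [v for k in CONTACT_NAME_KEYS for v in fields.get(k, [])]
    return {"names": names,
            "emails": sorted(set(EMAIL_RE.findall(text))),
            "phones": sorted(set(PHONE_RE.findall(text))),
            "name_servers": fields.get("Name Server", [])}
```

Run `exposed_contacts(whois_query("yourdomain.example", server="<registry whois host>"))` against a domain you own to see exactly what an outsider sees; the registry host is an assumption you must supply.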

Public Servers

A company’s publicly reachable servers are also great sources for what its websites don’t say. Fingerprinting a server for its OS, installed applications, and IP information can say a great deal about a company’s infrastructure. After you determine the platform and applications in use, you could combine this data with a search on the
