All language subtitles for 003 Open-Source Intelligence (OSINT) (OBJ 2.1)

Speaker: There is a lot of great information available online for free that can help you understand how a business or organization is operating. This information is just sitting out there waiting for you to find it. This information is considered open-source in the world of information and intelligence gathering if it comes from publicly available sources.

Now, Open-Source Intelligence, also known as OSINT, is the collection and analysis of data gathered from publicly available sources to produce actionable intelligence. Open-source intelligence tools are often used to collect and analyze information that's already publicly available on the open web such as social media, blogs, newspapers, governmental records and academic and professional publications during your passive reconnaissance phase.

For example, if the company puts out a new press release about an upcoming merger between themselves and another company, this information could become actionable intelligence in the hands of a penetration tester because they could use it to craft various social engineering attacks against those targeted organizations. Let's pretend that a physical penetration test was part of our engagement. Knowing that a company named SodaCo is about to undergo a merger with DrinkCo, that means that SodaCo might be seeing a lot of new faces in the offices as DrinkCo starts sending over people to learn all about SodaCo's operations. If you happen to put on a suit and print up some business cards that say you work for DrinkCo, well, you could probably walk right in the front door of SodaCo and have some helpful employees walk you directly into the data center if you play your cards right.

Now similarly, this same press release might give you the names, phone numbers, emails, and positions of all the different people who are expecting to get questions from the press about this merger. So you could call the person listed and start asking them questions about how SodaCo and DrinkCo's merger might affect their technical infrastructure. Are you going to be using SodaCo's network, DrinkCo's network, or a combination of both of these after the merger? Will there be any downsizing of redundant IT personnel? Are you already using the cloud or are you going to migrate your data centers into the cloud during the merger over the next few months? Most companies that put out press releases will be able to answer questions about them and their future so you can leverage this open-source intelligence to your advantage during your reconnaissance phase.

Now, other types of open-source information includes things like job listings, metadata and website information. For example, simply reviewing the company's About Us page on their website can give you some detailed information about executives at the company. If you really want to grab some important names, numbers and emails though, you should also check out the website that a company creates for its investors. These websites or pages off their main website are usually termed the investor relations site or investor relations portal.

Now, for example, let's say you're going to conduct a penetration test against Udemy, the online educational platform. And you might want to go and visit investors.udemy.com as part of your open-source intelligence collection efforts. Here, you're going to see tabs with the latest press releases, event information, financial information, stock information, corporate governance, and shareholder resources. Now going to the corporate governance tab, you're going to find pages dedicated to their management team which consists of all of their executives, presidents and vice presidents as well as their board of directors. For each of these people, you can click on their photos and get additional profile information about them such as where they went to college, what degrees they earned, former companies they've worked for, and their focus area within the current organization. And in this case, that's Udemy.

Now, using this information, you can really craft some detailed whaling emails against these executives and board members if that's within the engagement scope. Something I've learned over the years is that executives and board members tend to be extremely busy people. And because of this, they tend to fall for whaling, spear phishing and phishing emails at a much higher rate than a normal or regular employee would. At least that's what I've seen in my own real-world engagements. Your mileage may vary.

Now, blogs and social media are another great source of information too, especially when you're trying to understand the workplace culture or tempo of an organization that you're targeting. For example, is everyone working remotely from home? Or is everyone back in the office every single day? This is valuable information for a penetration tester, especially one who has to conduct a physical penetration test. Are the employees unhappy because they have a bad work-life balance? Do they hate their managers? And do they feel they're dumb or incompetent? Does the company focus on training and building up their employees? Or do they overlook training in favor of additional work output? All of these things can give you valuable information that you're going to be able to use during your engagement as well.

Maybe you find out where people like to go to blow off steam after work. And you can find that the system administrators are at the local bar right next to the office every Friday at 5:00 PM. This could be a great opportunity to go clone one of their proximity badges as part of your physical penetration test because they would be tired after a long week of work and distracted while they're getting a drink at the bar. Or maybe you start chatting up one of the technical team members at the bar, flirting and asking them what they do at their job, how they like it, what kind of tech they get to work on and things like that. This is a form of social engineering where you're up close and personal with some of the employees and trying to gather as much information as you can from them without raising their suspicions. I know, I know. This sounds kind of like a spy movie here. But again, if this was agreed upon in the rules of the engagement and it's within scope of the engagement, then guess what? It's fair game.

Once you gather all this open-source information, it's going to be time to put that information to work as actionable intelligence. At this point, you should be able to identify a couple of key details about your target organization such as the roles that different employees have in the organization, including their job titles, level in the organizational hierarchy, and their day-to-day tasks and responsibilities. You'll also find out the different teams and departments that exist in the organization as well as the phone numbers, email addresses and office locations of these teams and the employees within them. You might find out the technical aptitude of the organization and if they have a good security training program. And finally, you can start to understand the mindset of the employees and the managers inside that organization including how they perceive their coworkers, subordinates and managers.

Now, all of this data can be put to work in different ways. I've already talked about how we can use it to conduct social engineering either by email or in person. But there's other ways to leverage all this data too. For example, if you've identified that Harriet over in the human resources department has a dog named Yoda, graduated from Rutgers University in 2003, her birthday is August 5th and her favorite singer is Celine Dion. And you can use all those names and dates to create a word list that you can use to conduct a hybrid password cracking attempt. Because most people use their date of birth, names of people or animals that they have a relationship with, interests, and other things like that to create their passwords. So as you're gathering this information, think about how can it be useful to you and how can you turn it into actionable intelligence.
