Obtaining user information
Many penetration testers gather user names and e-mail addresses, as this information is frequently used to log on to targeted systems.
The most commonly employed tool is the web browser, which is used to manually search the target organization's website as well as third-party sites such as LinkedIn or Jigsaw.
Some automated tools included with Kali can supplement the manual searches.
Tip
E-mail addresses of former employees can still be of use. When conducting social engineering attacks, directing information requests to a former employee usually results in a redirect that gives the attacker the "credibility" of having dealt with the previous employee. In addition, many organizations do not properly terminate employee accounts, and it is possible that these credentials may still give access to the target system.
Gathering names and e-mail addresses
The theharvester tool is a Python script that searches through popular search engines and other sites for e-mail addresses, hosts, and subdomains.
Using theharvester is relatively simple as there are only a few command switches to set. The options available are:
- -d: This identifies the domain to be searched; usually the domain or target's website.
- -b: This identifies the source for extracting the data; it must be one of the following: Bing, BingAPI, Google, Google-Profiles, Jigsaw, LinkedIn, People123, PGP, or All.
- -l: This limit option instructs theharvester to only harvest data from a specified number of returned search results.
- -f: This option is used to save the final results to an HTML and an XML file. If this option is omitted, the results will be displayed on the screen and not saved.
The following screenshot shows the results of a simple search of the Google indexes for the domain digitaldefence.ca:
Gathering document metadata
Document metadata refers to the information that is appended to documents so that applications can manage them during the creation and storage processes. Examples of metadata typically attached to documents include the following:
- The company or person who owns the application used to create the document
- The name of the document's author
- The time and date that the document was created
- The date when the file was last printed or modified; in some cases, it will identify who made the modifications
- The location on the computer network where the document was created
- Some files, especially those created by cameras or mobile devices, may include geographic tags that identify where the image was created
Metadata is not immediately visible to the end user, so most documents are published with the metadata intact. Unfortunately, this data leakage can reveal information that can be used by a tester or attacker to facilitate an attack. At a minimum, testers and attackers can harvest user names from documents and, by correlating those names with the documents' contents, identify the persons associated with particular data types, such as annual financial reports or strategic planning.
As mobile devices become more common, the risks associated with geographical metadata have increased. Attackers look for locations (cottages, hotels, and restaurants that are frequently visited) as sites that may allow them to launch attacks against users who have let their guard down outside the corporate perimeter. For example, if an employee of the target organization regularly posts pictures to a social media website while waiting for a commuter train, an attacker may target that employee for a physical attack (theft of the mobile device), wireless attack, or even peek over the victim's shoulder to note the username and password.
On Kali, the tool Metagoofil performs a Google search to identify and download a target website's documents (doc, docx, pdf, pptx, xls, and xlsx) and extracts user names, software versions, storage paths, and server or workstation names, as shown in the following screenshot:
Metagoofil downloads the specified number of documents to a temporary folder, and extracts and organizes the relevant metadata. It also performs this function against files that have previously been downloaded and are now stored locally.
One of the first returns of Metagoofil is a list of the users that are found. The following is a screenshot of a truncated list:
Metagoofil also identifies servers and pathnames of the documents. If certain documents of interest are localized with a particular user (for example, drafts of financial reports found on an administrative assistant's workstation), that system can be targeted later during testing, as shown in the following screenshot: