Open Source Intelligence (OSINT) and Passive Attacks
In recent years, the relevance of open source intelligence has grown within the field of information security. As social engineering attacks become more prominent and data dumps become a regular occurrence, open source intelligence (OSINT) is proving to be a much less expensive alternative to traditional information-gathering tools. The simple definition of OSINT is intelligence derived from publicly available sources; this can mean company websites, search engines and even social media networks. OSINT tools are then used to gather information on a target from these sources, either by mining the web or by helping build a profile from the recovered data.
Before attempting social engineering attacks, black hat hackers and ‘script kiddies’ will often look to utilise search engines (such as Google, Baidu, Bing etc.) to harvest information. This can range from looking through paste bins for hacked data dumps to using search engines to identify vulnerable sites. Websites such as Exploit-DB, for example, make it relatively simple for anyone to search the web for pages containing login portals, files containing passwords and web pages displaying verbose error messages that may reveal too much information. Whilst some of these exposures can be easily avoided by following the OWASP Top 10 when developing web applications, many of the affected systems are legacy systems which may have been forgotten about. It is possible through this method to search specifically for websites that are possibly vulnerable to SQL injection attacks, and for an organisation this vulnerability can prove to be very costly. A recent attack on an organisation through SQL injection was the TalkTalk hack in 2015, which led to a £400,000 fine by the Information Commissioner's Office (ICO). From their findings, it was determined that the vulnerable systems from which the data was extracted belonged to an underlying customer database that had been part of an acquisition by TalkTalk in 2009. As TalkTalk had failed to properly scan this infrastructure, they were unaware that the vulnerable pages existed or that they had access to a database which held customer information.
The ‘Internet of Things’ is often referred to by some online as the “internet of insecure things”, and search engines such as Shodan, which is primarily focused on indexing IP-connected devices, enable users to search through a database of hosts and view which services are open on those devices. It is important to remember that websites are just one part of the internet: power plants, microwaves, smart TVs and even petrol station pumps can be found with Shodan. To fully utilise Shodan, however, a paid version is available which gives you access to the entire database. The information provided by Shodan ranges from geographical information to open ports. Whilst researching this article, for example, a quick search for online devices on the portal showed me a vulnerable host where the SSH port was open, the version of Apache running and other information which could be used in an attack. By searching again on Google for the Apache version, I was able to identify that it had a vulnerability which, if not patched, could allow remote hackers to cause a denial of service attack and crash the host. With the paid version of Shodan, an attacker can potentially search using various filters to narrow down targets by port, country, operating system and even hostname. With IoT-enabled devices steadily becoming part of homes, devices such as security cameras can prove to be a risk for homeowners if the device is not secure. If an attacker can remotely access a home security system, determine a pattern of when the home is unoccupied, and then decide to gain access after turning off the cameras, the purpose of having a home security system is defeated.
Other tools which fall under OSINT include Metagoofil, a tool developed by Edge Security which is regularly used to extract metadata from documents. It is possible to specify a target host or domain and then search for either specific file types or for all of them. Data from documents could potentially include GPS coordinates or file path information, which could then be used to map the network. GPS coordinates from images, for example, could reveal the location of data centres and, in some cases, locations people might be trying to keep secret. Take, for example, the Hospitality Association of Namibia, which recently put up signs across all national parks to try to stop people taking pictures of animals deemed vulnerable to poaching. Using a tool like Metagoofil, it is possible to extract GPS coordinates from such pictures, and by entering the coordinates poachers are able to determine where rhinos could be feeding or kept. Combine this knowledge with the fact that some animals like rhinos are very sedentary and will often stay in one area for days, and this information could potentially put the animals at risk.
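The GPS leak described above lives in the EXIF block of a JPEG, which is a small TIFF structure carried in an APP1 segment. The following Python script is an added example (not from the article and not Metagoofil's code) that shows where those coordinates sit and gives a defender a pre-publication check: it walks the JPEG segments, follows the GPS IFD pointer, converts the degrees/minutes/seconds rationals to decimal, and can strip the whole Exif segment before a photo is published. The tag numbers (0x8825 for the GPS IFD, 1 to 4 for the latitude/longitude fields) are the standard EXIF ones; the sample JPEG is constructed inline with a made-up location, and the function names are the example's own.

```python
import struct

# Standard EXIF tag numbers: GPS IFD pointer in IFD0, and the four GPS fields we need.
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def walk_segments(jpeg):
    """Return ([(start, end, marker, payload), ...], stop_pos) for the length-prefixed
    segments after SOI. Walking stops at SOS (entropy-coded data follows) or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more length-prefixed segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segs.append((pos, pos + 2 + length, marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs, pos


def _read_ifd(tiff, endian, offset):
    """Parse one IFD into {tag: (type, count, raw 4-byte value-or-offset)}."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, endian, entry):
    """Read `count` RATIONAL values (num/den pairs) stored at the entry's offset."""
    _typ, count, raw = entry
    off = struct.unpack(endian + "I", raw)[0]  # three RATIONALs never fit inline
    vals = []
    for i in range(count):
        num, den = struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    return vals


def _dms_to_decimal(dms, ref):
    deg, minutes, sec = dms
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in (b"S", b"W") else value


def gps_from_tiff(tiff):
    """Return (lat, lon) in decimal degrees from an EXIF TIFF block, or None."""
    endian = {b"II": "<", b"MM": ">"}.get(bytes(tiff[:2]))
    if endian is None:
        return None
    ifd0 = _read_ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0])
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, endian, struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])[0])
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms_to_decimal(_rationals(tiff, endian, gps[GPS_LAT]), gps[GPS_LAT_REF][2][:1])
    lon = _dms_to_decimal(_rationals(tiff, endian, gps[GPS_LON]), gps[GPS_LON_REF][2][:1])
    return lat, lon


def find_gps(jpeg):
    """Audit helper: the coordinates a tool like Metagoofil would recover, or None."""
    for _, _, marker, payload in walk_segments(jpeg)[0]:
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return gps_from_tiff(payload[6:])
    return None


def strip_exif(jpeg):
    """Pre-publication mitigation: drop every APP1 Exif segment, keep everything else."""
    segs, tail = walk_segments(jpeg)
    out = bytearray(jpeg[:2])
    for start, end, marker, payload in segs:
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            continue
        out += jpeg[start:end]
    out += jpeg[tail:]
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample (not a real photo): minimal JPEG whose Exif block places the
    picture at 51 deg 30' 26\" N, 0 deg 07' 39\" W. Big-endian layout: header 0..8,
    IFD0 at 8 (18 bytes), GPS IFD at 26 (54 bytes), rationals at 80 and 104."""
    rational = lambda n, d=1: struct.pack(">II", n, d)
    entry = lambda tag, typ, count, value: struct.pack(">HHI", tag, typ, count) + value
    ifd0 = struct.pack(">H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(">I", 26)) + struct.pack(">I", 0)
    gps_ifd = (struct.pack(">H", 4)
               + entry(GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
               + entry(GPS_LAT, 5, 3, struct.pack(">I", 80))
               + entry(GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
               + entry(GPS_LON, 5, 3, struct.pack(">I", 104))
               + struct.pack(">I", 0))
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps_ifd
            + rational(51) + rational(30) + rational(26)   # latitude D/M/S
            + rational(0) + rational(7) + rational(39))    # longitude D/M/S
    app1 = b"Exif\x00\x00" + tiff
    comment = b"constructed sample, not a real photo"
    return (b"\xff\xd8"
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
            + b"\xff\xd9")


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before strip:", find_gps(sample))          # (51.5072..., -0.1275)
    print("after strip: ", find_gps(strip_exif(sample)))  # None
```

Running `find_gps` over a directory of images before they go on a public website turns the same metadata the article warns about into a release gate; `strip_exif` is deliberately blunt (it removes the entire Exif segment rather than only the GPS IFD) because other Exif fields such as camera serial numbers and software versions are also useful to an attacker, and a photo needs none of them to render.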
But it is not always all doom and gloom with tools such as Metagoofil: for forensic investigations these tools can prove to be very useful in determining the source of a leak. In fact, tools such as Shodan can also be used as a means to see what information is available about your own assets, and this can then be used to protect your systems, as you know where the threat vectors are. There are many methods of gathering information using OSINT, and it is not always the most accurate or easiest method to manage, because it is time-consuming. OSINT also requires human validation to determine whether the information is false, misleading or outdated. These attacks can be passive in nature, as they often begin without a target in mind. Take, for example, the use of Google Dorks to search Google for vulnerable sites. An attacker would not have known that a particular site is vulnerable, but they would have known that there are sites vulnerable to a certain weakness, and this is how they find them.