How to Gather Public Information for Security Testing
Before conducting a security test or an ethical hack, you should gather as much information about the system and its vulnerabilities as possible. The amount of information you can gather about an organization’s business and information systems that is widely available on the Internet is staggering. To see for yourself, the techniques outlined here can be used to gather information about your own organization.
Social media sites are the new means for businesses interacting online. Perusing the following sites can provide untold details on any given business and its people:
As you’ve probably witnessed, employees are often very forthcoming about what they do for work, details about their business, and even what they think about their bosses — especially after throwing back a few when their social filter has gone off track! You can also found interesting insight based on what ex-employees say about their former employers at Glassdoor.
Performing a web search or simply browsing your organization’s website can turn up the following information:
Employee names and contact information
Important company dates
SEC filings (for public companies)
Press releases about physical moves, organizational changes, and new products
Mergers and acquisitions
Patents and trademarks
Presentations, articles, webcasts, or webinars
Bing and Google ferret out information — in everything from word processing documents to graphics files — on any publicly accessible computer. And they’re free. Entire books have been written about using Google, so expect any criminal hacker to be quite experienced in using this tool, including against you.
With Google, you can search the Internet in several ways:
Typing keywords. This kind of search often reveals hundreds and sometimes millions of pages of information — such as files, phone numbers, and addresses — that you never guessed were available.
Performing advanced web searches. Google’s advanced search options can find sites that link back to your company’s website. This type of search often reveals a lot of information about partners, vendors, clients, and other affiliations.
Using switches to dig deeper into a website. For example, if you want to find a certain word or file on your website, simply enter a line like one of the following into Google:
site:www.your_domain.com keyword site:www.your_domain.com filename
You can even do a generic filetype search across the entire Internet to see what turns up, such as this:
Use the preceding search to find Flash .swf files, which can be downloaded and decompiled to reveal sensitive information that can be used against your business.
Use the following search to hunt for PDF documents that might contain sensitive information that can be used against your business:
filetype:pdf company_name confidential
Web-crawling utilities, such as HTTrack Website Copier, can mirror your website by downloading every publicly-accessible file from it, similar to how a web vulnerability scanner crawls the website it’s testing. You can then inspect that copy of the website offline, digging into the following:
The website layout and configuration
Directories and files that might not otherwise be obvious or readily accessible
The HTML and script source code of web pages
Comment fields often contain useful information such as names and e-mail addresses of the developers and internal IT personnel, server names, software versions, internal IP addressing schemes, and general comments about how the code works. In case you’re interested, you can prevent some types of web crawling by creating Disallow entries in your web server’s robots.txt file as outlined at w3.org. You can even enable web tarpitting in certain firewalls and intrusion prevention systems (IPSs). However, crawlers (and attackers) that are smart enough can find ways around these controls.
Contact information for developers and IT personnel is great for social engineering attacks.
The following websites may provide specific information about an organization and its employees:
Government and business websites:
Background checks and other personal information, from websites such as: