Introduction

OSINT as a discipline has gained a lot of traction over the past few years and it is clear we have started to formalize some of the more known techniques and concepts found within OSINT. We have also started to see more OSINT related courses and certifications, for instance from SANS. We have also seen threat reports talk about how advanced attackers will use OSINT to both find targets and gain valuable information to tailor their attack. While these reports are great, they rarely show you what a reconnaissance phase might look like from the perspective of an attacker. This article will hopefully shed some light on exactly that and showcase how a company may end up as a target and what happens during the reconnaissance phase.

To get a realistic outcome, I am going to apply some OSINT techniques to a real Scandinavian-based business and share my techniques and findings with you. Details have been altered to protect the business used as an example.

As an attacker, I have a few specific things that I look for in a potential target and there are certain criteria that I would like to apply when I am sifting through potential targets.

Criteria

  • Business must operate in Scandinavia
  • The business must operate outside of Infosec/Cybersecurity
  • Small/Medium-sized company, preferably with international ties
  • No high-profile businesses

Some attackers may have fewer criteria, some may have more – nevertheless, it is well documented that advanced attackers will specialize in certain technologies and regions of the world, which I will do as well.

Finding a target

There are multiple ways of finding a potential target and there is no right or wrong way of going about this, but seeing as my area of operation is in Scandinavia I figured I would use the biggest business finder in Scandinavia, Proff.

Proff allows me to search for any business, in any industry and category as well as providing me with valuable information like corporate structure, economic details, owners and board members.

Example

I can also sort businesses by industry, region, country and their economic situation. I thought I would pick a company in the IT operations and support category, as that will most likely lead me to a company with some sort of SaaS solution with a wide attack surface.

It turns out that Proff also has a network relationship service, that will show you business relationships between business owners. Interesting. Proff will also allow me to automate my searches as queries are reflected clearly in the URL.

https://www.proff.no/s%C3%B8k-etter-bransje/it-drift-og-support/I:45844/?q=IT-operations%20and%20support

After looking for a while, I found what I thought was the best company based on my criteria. Their website revealed some of the technologies they use in their business and how a customer may utilize their platform for their day-to-day needs. This particular company offers a remote desktop solution based on Citrix, along with several platform solutions for the educational market.

  • Based in Norway, but has international offices in Scandinavia, Russia and Germany.
  • Technology-based business, with a SaaS solution based on Citrix
  • Customers all over the world
  • 150-250 employees

Exploring the business

  • The Swedish office is the headquarter and this is where most of the workforce is located.
  • From their contact page, I can see that their e-mail naming structure is firstname.lastname@domain.com
  • Under domain.com/support it is clear that they use Team Viewer when supporting the customer.
  • They are present on most social media platforms, and their website has links to Twitter, Instagram, Facebook, LinkedIn and Youtube

In the footer of their website they have all social media presence linked to the profile they operate on the different social media – unfortunately, they have not registered a user at all on Twitter for any of the countries they operate in, and when visiting the profiles on Twitter you’re given a blank page. Easy win – I can now register an account for each country and very easily imitate being official accounts of the company. This would be very beneficial in a spear-phishing attack, for instance.

Twitter confirming that the user does not exist

DNS enumeration

Since I can’t reveal any identifying information about the company, it is hard to reveal results from the DNS enumeration and how it is done – but I highly suggest checking out Nahamsec’s video and see how it can be done live. The goal of DNS enumeration is to broaden the attack surface and find any unlinked resources tied to the company that’s not revealed by visiting their website. No tools or techniques were used to look for exploits, I am only looking for information and interesting resources for now.

From DNS enumeration I noticed that they own several domains in different languages, all meaning “help me” or “show me” – These links to various remote desktop solutions like Netviewer and Team Viewer quick support. I assume, based on what I have read on their website, that you are asked to use one of these links to download remote control software when you need support. Some of the links are in the format of help.companydomain.com, while others are non-related domains that look to be only used for this. I take note that the customer is most likely used to clicking URLs that do not include the company domain.

I also found their Office 365 logon portal

The DNS enumeration also revealed that they use hosting services from two big hosting companies in Norway, Atea and Basefarm. Good to know if we want to impersonate these companies somehow for social engineering or spear-phishing.

Customer solutions

From DNS enumeration I noticed that they offer their Citrix platform via subdomains like customer.company.com and there are multiple authentication methods, probably based on the customer’s needs and demands. A quick Nmap scan reveals that there are a number of services running on these servers, from SFTP and IIS to custom TCP/IP listeners on dynamic ports. These findings are saved and can be looked at after the recon stage.

While looking at one specific customer solution I found a developer note indicating the username structure of the customer – which is customer name + 4 numbers. The login field is also open to username enumeration since it indicates whether or not the username exists. With this information, it is easy to enumerate all the existing users for this particular customer and possibly try to brute force some passwords.

I also found unconfigured CentOS servers, SFTP/FTP servers that allow anonymous logon and interesting URLs that should be explored in more detail after the recon phase is done and I have gathered all the information I want to work with.

Breach data

Since I have the board members’ e-mail addresses from their contact page, I figured I would check some breach data to see if I can find account credentials that might still be in use. Sadly, the only person with breach data is the VP of Norway, but this particular breach only exposed personal information that I already know from the companies contact page, Proff and LinkedIn. I also tried sending an email to the company with a bogus email address, to see if they would respond with a “This email does not exist”, and sadly they did – By receiving confirmation of an accounts existence or non-existence I can enumerate potential email addresses that could not be found on the companies contact page.

I did not look at personal emails at this stage, as I was only targeting accounts related to the company’s domain. Finding personal accounts and emails could be done at a later stage, in hopes of finding passwords that they have used for multiple accounts.

Potential attacks

Let us imagine a few different attacks based on what I have found

A spear-phishing attack with the use of the companies un-registered Twitter account could be used to spread malicious links to either the company’s customers or their employees. The attack could be tailored to indicate an update to Office 365, the educational platform, Citrix receiver client or Team Viewer.

Enumerating a customer’s username could eventually lead to successfully logging in to an account, possibly opening for traversing further into the platform. There are also interesting URLs and servers to be explored in detail, which may reveal vulnerabilities or other angles of attack.

I also know that they rely on Office 365, Team Viewer and Citrix extensively. Attacking these would not only hurt the company, but their customer solutions would be impacted as well.

Lessons learned

To summarize this article let us look at what’s been found and how it can be used to our advantage, as an attacker.

  • I was able to find a suitable target based on our criteria via public records, indexed by Proff.
  • I have details about their economic situation, their board members and the corporate structure
  • Linking to non-registered social media accounts, which can be used for spear-phishing either the company itself or their customers.
  • DNS enumeration revealed a wide attack surface that can be explored further, in the hopes of finding a vulnerability.
  • Customer solutions were mapped and understood, making us capable of tailoring platform-specific attacks

Thanks for reading! You can find me on Twitter @zewensec or via email at sevenn@wearehackerone.com