Case Study: Importance of Information Gathering in Penetration Testing

Target:

A small company having no website and no internet presence.


Search Engine Result:

Target employee's post on stamp collection forum.

Message:

Hi! I’m looking for rare stamps from the 1950’s - for sale or trade. Please contact me at david@company-address.com Cell: 999-9999999


Enough Info to start:

  • Now we can launch a semi-sophisticated client-side attack.
  • Register a domain such as rare-stamps-trade.com and design a landing page that displays various rare stamps from the 1950s, pictures of which can be found using Google Images.
  • The domain name and the design of the site both increase the perceived reliability of the stamp-trade website.

How To:

  • Embed exploit code for the latest Internet Explorer security hole (MS05-001 at the time) in the HTML of the website, then call David on his cellular phone.
  • Tell him that my grandfather had given me a huge rare stamp collection, from which I would be willing to trade several stamps.
  • I made sure to place this call on a workday, to increase my chances of reaching him at the office. David was overjoyed to receive my call, and without hesitation he visited my malicious website to see the “stamps” I had to offer.
  • While he was browsing my site, the exploit code on the website downloaded and executed a “Netcat-like payload” on his local machine, sending me back a reverse shell.


This is a good example of how some innocuous information, such as an employee mixing his personal life with his corporate email address, can lead to a successful penetration. Information gathering is the most important phase of a penetration test. Knowing your target before attacking it is a proven recipe for success.

Even mundane forum posts can provide you with useful information.
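As an added, defender-side illustration (this is not code from the original case study): a small Python audit helper that scans public text such as forum posts for corporate email addresses, and records any phone number posted alongside them, so a security team can measure the kind of exposure this case turned on. The sample posts are constructed, modelled on the message quoted above; the domain company-address.com is the one from that message.

```python
import re
from collections import defaultdict

# Regexes are deliberately permissive: the goal is to surface candidates
# for human review, not to validate addresses or numbers.
EMAIL_RE = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)\b", re.IGNORECASE)
# Phone numbers of the shape seen in the post (optional country code, separators).
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\d{3}[\s.-]?\d{3,4}[\s.-]?\d{3,4}(?!\d)")


def find_exposures(posts, corporate_domains):
    """Return {domain: {"emails", "phones", "posts"}} for corporate addresses
    found in (post_id, text) pairs. Phone numbers are only collected from a
    post that also exposes a corporate address, because that combination
    (email plus a number to call) is what enabled the pretext in the case study."""
    domains = {d.lower() for d in corporate_domains}
    findings = defaultdict(lambda: {"emails": set(), "phones": set(), "posts": set()})
    for post_id, text in posts:
        for match in EMAIL_RE.finditer(text):
            domain = match.group(1).lower()
            if domain in domains:
                hit = findings[domain]
                hit["emails"].add(match.group(0).lower())
                hit["posts"].add(post_id)
                hit["phones"].update(p.strip() for p in PHONE_RE.findall(text))
    return dict(findings)


# Constructed sample posts, modelled on the message in the case study.
SAMPLE_POSTS = [
    ("stamp-forum/1", "Hi! I'm looking for rare stamps from the 1950's - for sale or trade. "
                      "Please contact me at david@company-address.com Cell: 999-9999999"),
    ("stamp-forum/2", "Trading 1950s airmail issues, mail me at collector@example.org"),
    ("gardening/7", "Anyone near the office want tomato seedlings? - anna@Company-Address.com"),
]

if __name__ == "__main__":
    for domain, hit in find_exposures(SAMPLE_POSTS, ["company-address.com"]).items():
        print(f"{domain}: {len(hit['emails'])} address(es) in {len(hit['posts'])} post(s)")
        for email in sorted(hit["emails"]):
            print("  email:", email)
        for phone in sorted(hit["phones"]):
            print("  phone:", phone)
```

The post from the case study is flagged as the highest-value finding: a corporate address and a direct number in one public message.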

