Infrastructure Foot Printing

Any organization that has an Internet presence needs to have some form of infrastructure to support their presence. In the Infrastructure Foot Printing section Paterva will discover how much of it exists, what type of infrastructure is used, where it is located, what technology is used and how it is structured.
This type of information is interesting for:
- security assessments (as this is the first and most tedious phase of any external assessment)
- getting an idea of the organization’s Internet and geographical presence
- gaining insight into the technology used by the organization
- making connections between seemingly unconnected organizations (as they might be sharing common infrastructure)
- getting a list of brands or affiliations supported by the organization
Infrastructure Reports:
[+] Passive Report
- Domains from shared resources, search engines
- DNS names from search engines and historical DNS information
- IP addresses - resolved from caches (where possible)
- Networks used or owned - from registrars
- Physical distribution of infrastructure.
[+] Semi-Passive Report
- Domains
- DNS names
- IP Addresses
- Networks used or owned
- Physical distribution of infrastructure
- Web server versions on published servers
[+] Active Report
- Domains
- DNS names
- IP Addresses
- Networks used or owned
- Physical distribution of infrastructure.
- Network visibility on all networks (e.g. open ports/services)
- Application fingerprint on all found services:
  - Web servers:
    - Version-, application-, CMS/Framework identification where possible.
    - Cursory test of these applications' initial authentication
  - Other servers:
    - Application and version identification
- Network entry point identification (web based mail, remote access, VPN etc.)
Email Addresses

At this stage Paterva will seek to provide a list of email addresses found at any of the domains identified in the previous step. Where possible these addresses will be verified and social network memberships will be resolved. For resolved memberships, details such as full names, gender and geographical location will be identified. Due to the nature of this service, full details can only be obtained on certain social networks.
This is interesting for:
- Getting an indication of how many people are employed at the organization
- Geographical/age/gender distribution of organization’s members (where possible)
- Where information leaks have happened or could happen
- Where unauthorized communication between employees and competitors has happened or could happen
Email Address Reports:
[+] Passive Report
- Email addresses mined from search engine snippets and public sources (not on target’s servers)
- Resolving social network memberships
[+] Semi-Passive Report
- Email addresses mined from search engines and public sources including documents and files located on target domains
- Resolving social network memberships
[+] Active Report
- Email addresses mined from
  - search engines
  - public documents and files
  - information found on servers identified in the previous section
- Resolving social network memberships
- Verifying existence of email addresses
Documents and sensitive data

At this stage Paterva will start looking for documents or files containing interesting or sensitive information about the organization. This may include confidential information that was leaked to the Internet, indexable directories on web servers, internal memos and phone directories, internal presentations, budgets, minutes of meetings etc. Where possible meta data will be extracted from the documents and files.
Documents and Sensitive data Reports:
[+] Passive Report
- Will only search for data that are available on public resources not belonging to the target.
- Meta data extraction - however this might be of less value on unofficial documents.
[+] Semi-Passive Report
- Will search for data on public resources and published sites of the target organization.
- Meta data extraction from official files and documents
[+] Active Report
- Will search for data on
  - public sites
  - published sites of the target organization
  - unpublished sites discovered during the infrastructure foot print
- Will further attempt to extract data from web/FTP sites belonging to the organization
- Active and passive directory and file mining (e.g. checking for /backup, /docs etc. on all discovered sites)
- Meta data extraction on all documents and files found
Person Profiling

Paterva will attempt to provide a full profile on a person - based only on open source information. Although such a profile can be compiled on any individual it is envisaged that such profiles would be completed for key personnel within an organization - such as board members, executives and upper management.
This information is useful:
- During the due diligence process in a possible sale
- HR related investigations on specific individuals
- Discovering and minimising information on the Internet about high profile individuals
Person Profiling Reports:
Because the profile is constructed using open source information the accuracy and completeness cannot be guaranteed.
Such a report will consist of personal information including:
Full names, Age, Gender, Work experience, Educational background, Family relations and Interests. It also includes:
- Email addresses (both ‘home’ and work)
- Social network memberships
- Relevant postings to groups/forums/mailing lists
- Community memberships
- Articles / interviews
- Telephone numbers
- Known associates
- Committee/Board memberships
The profile is compiled using open source information only - as such the concept of passive / semi-passive and active does not apply here.