Everyday OSINT for just about anyone

maru37
Oct 29, 2019

I’m in the process of transitioning jobs and I’ll admit: the time off has made me a little antsy. After six years (four in the CISO role) at the same organization, I got to know my employer pretty well. I understood our customers, products and services, and the technology that supported it. Yes, there were always surprises (two /16 networks will do that) but in general, the initial time that I spent learning about my organization served me well during my tenure. As I get ready to start all over, I have been thinking about how to most efficiently learn about my new employer. Since I don’t actually work there yet, I have no inside knowledge or access. Only an Internet connection and some open-source intelligence (OSINT) skills. The following is a checklist of sorts for the information that I am looking for and how I found it.

None of these techniques or tools require much technical skill to perform but the underlying concepts and how to interpret the results require experience and knowledge. Most of this analysis is passive, meaning that I am not touching any of the target machines. With respect to active recon, we’re only going to browse websites and run some (hopefully) polite queries.

  • Review the company website: this is the first step in the process. Once you know the website, you can browse around to learn about the company’s history, its leadership, and the various products and services. You can also start to look into the underlying technologies that make up the website. For this, I used the WhatRuns Chrome browser plug-in (see below) against Medium. BuiltWith (builtwith.com) is also very good. You’ll also want to check out the robots.txt file off of the main domain (also below) to see what pages the company has asked search engines not to index. Keep in mind that robots.txt is only a request to well-behaved crawlers, not an access control, which is exactly why the Disallow entries are worth reading. I’ve found some really interesting pages by perusing robots.txt.
Screenshot of WhatRuns for medium.com
Facebook’s robots.txt file
  • I want to learn a little bit more about the company’s online presence. I used two specific services for these lookups. The first is ARIN (https://search.arin.net/), which allows you to learn about any network ranges assigned to the organization and the designated contacts. ARIN covers North America; for ranges registered elsewhere, use the corresponding regional registry (RIPE NCC, APNIC, LACNIC or AFRINIC). Ranges that are registered to the company won’t include anything it hosts in someone else’s cloud, so treat this as a starting point rather than a complete footprint. Next, I’ll want to do a WhoIs search on the domain. I like DomainTools (https://whois.domaintools.com/) so I used this. Here I can see information like the registrar, name servers and when the domain expires; registrant contact details are often redacted these days, but the rest is still useful.
  • Once you know the network ranges, you can look on Shodan (https://www.shodan.io/home) to see what, if anything, is exposed on that network range. The two search filters that are most useful for our purposes are org and net. For example (see below): net:17.0.0.0/8 or org:Apple. You’ll need a (free) Shodan account to use search filters, and results vary based on the filter and search terms you use, so try both: org matches the name in the IP’s registration record, while net matches the address block itself.
Shodan results for org:Apple. Wait, how many HTTP services??
  • The Qualys SSL Labs scan (https://www.ssllabs.com/ssltest/index.html) can tell you a lot about security hygiene at the company. I like to run this (with the “Do not show the results on the boards” option checked) to get an idea of which versions of TLS are supported (and which aren’t), whether the certificate chain is in order, and if there are any known weaknesses in the current configuration. One caveat: this is the one step here that isn’t strictly passive. Qualys’s scanners connect to the server you name, and it only tests the HTTPS service on that single hostname.
  • There are a couple of ways to learn about website subdomains. One is to perform a Google search specifying the site and eliminating any results with “www” in the URL. Use this search query: site:apple.com -inurl:www. In the below screenshot, you’ll see the results. It’s not great for copying and pasting into another file but it gives you an idea of other sites that may not otherwise be observable, and it only shows what Google has indexed. I also like dnsdumpster.com (results are limited to 120 A records) because in addition to subdomains, it shows the MX records, so I can often tell which mail provider the company is using.
Looking for subdomains for apple.com
  • On the topic of mail, I really like MXToolBox (https://mxtoolbox.com/). This will allow you to get really specific information about a company’s mail service. For example, you can check to see if a domain has implemented a DMARC policy and if they have, what it is (see below). The record lives in a TXT record at _dmarc.<domain>, and the p= tag is the part to read: p=none means the company is only collecting reports, while p=quarantine or p=reject means receiving mail servers are actually asked to act on spoofed mail.
Evidence of a DMARC record for mutinysec.com
  • Many times, companies will say they’ve never had a security incident or data breach. While this sounds fantastic, a Google search for the company name along with terms like “breach,” “incident” or “data exposed” can sometimes refute this claim.
  • theHarvester is a really nice command line tool that comes with Kali Linux that can assist you in harvesting email addresses, hostnames and other data from search engines and other publicly available sources. Command syntax is pretty easy: theharvester -d cnn.com -l 500 -b all. This command will search for cnn.com across all available sources, limiting results to 500 per source (see results below); in current versions some of the sources require API keys and are skipped without them. There are other ways to configure the command; run theharvester -h at the command prompt to get a listing of available options.
Results from The Harvester for cnn.com. Some of these email addresses are interesting…and probably not real.
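As an added example that is not part of the original post, here is the robots.txt review from the first step done as a small script rather than by eye: it groups Disallow entries by user agent, collects Sitemap URLs, and flags the paths a reviewer would want to browse. The robots.txt text and the example.com base URL are constructed for illustration, and the INTERESTING keyword list is my own starting point, not a standard.

```python
# Added example (not from the original post): pull the Disallow entries and
# Sitemap URLs out of a robots.txt body so they can be reviewed by hand.
# The robots.txt text below is constructed for illustration, not fetched
# from any real site.
from urllib.parse import urljoin

SAMPLE_ROBOTS = """\
# constructed sample, not a real site's file
User-agent: *
Disallow: /admin/
Disallow: /api/internal/
Disallow: /staging/   # old build
Allow: /api/public/
Disallow: /*.bak$

User-agent: Googlebot
Disallow: /reports/2019/

Sitemap: https://example.com/sitemap.xml
"""

# Path fragments that usually merit a closer look during recon (assumed list).
INTERESTING = ("admin", "internal", "staging", "backup", "bak", "test",
               "dev", "report", "config", "login")


def parse_robots(text):
    """Return {"disallow": {ua: [paths]}, "sitemaps": [urls]} from robots.txt text.

    Trailing '#' comments are stripped, a User-agent line starts a new group
    (consecutive User-agent lines share one group), and any directives that
    appear before the first User-agent line are attached to '*'.
    """
    groups = {}
    sitemaps = []
    current = ["*"]
    last_was_ua = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if last_was_ua:
                current.append(value)
            else:
                current = [value]
            last_was_ua = True
            continue
        last_was_ua = False
        if field == "sitemap":
            sitemaps.append(value)
        elif field == "disallow" and value:
            for ua in current:
                groups.setdefault(ua, [])
                if value not in groups[ua]:
                    groups[ua].append(value)
    return {"disallow": groups, "sitemaps": sitemaps}


def interesting_paths(parsed):
    """Deduplicate Disallow paths across all agents and keep the ones that
    contain one of the INTERESTING fragments."""
    seen = []
    for paths in parsed["disallow"].values():
        for p in paths:
            if p not in seen:
                seen.append(p)
    return sorted(p for p in seen if any(k in p.lower() for k in INTERESTING))


def to_urls(base, paths):
    """Turn robots paths into absolute URLs to browse; wildcard patterns are
    left out because they are not single pages."""
    return [urljoin(base, p) for p in paths if "*" not in p and "$" not in p]


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    for url in to_urls("https://example.com", interesting_paths(parsed)):
        print(url)
    print("sitemaps:", parsed["sitemaps"])
```

Browsing the flagged paths is still an active request to the site, so it belongs in the “polite queries” category; the parsing itself is entirely offline.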
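The DMARC check above is done through MXToolBox in the post; as an added example (not the author’s code), here is the same interpretation done offline on a record you have already retrieved, for instance with dig +short TXT _dmarc.example.com. It parses the tags defined in RFC 7489 and lists the things a reviewer would call out: a monitor-only p=none, a weaker subdomain policy, a partial pct, or no aggregate reporting address. The three records and domains below are constructed samples.

```python
# Added example (not from the original post): interpret a DMARC TXT record
# the way you would read MXToolBox output, but offline. The records below
# are constructed for illustration; tag names follow RFC 7489.

SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@partial.example",
    "strict.example": ("v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; "
                       "ruf=mailto:forensic@strict.example; adkim=s; aspf=s"),
}


def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=...; ...') into a tag dict.

    Raises ValueError for anything that is not a DMARC record (e.g. an SPF
    record someone pasted by mistake) or that lacks the mandatory p= tag.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    if "p" not in tags:
        raise ValueError("DMARC record has no p= tag")
    return tags


def assess_dmarc(record):
    """Return (policy, findings): the effective organizational-domain policy
    and a list of the weaknesses a reviewer would note."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, receivers take no action on failing mail")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is flagged as spam rather than rejected")
    # sp= defaults to p= when absent; an explicit sp=none leaves subdomains open.
    sp = tags.get("sp", policy).lower()
    if sp != policy and sp == "none":
        findings.append("sp=none: subdomains are not protected even though the org domain is")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append("pct=%d: policy is applied to only %d%% of failing mail" % (pct, pct))
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports")
    return policy, findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        policy, findings = assess_dmarc(record)
        print("%s: p=%s" % (domain, policy))
        for f in findings:
            print("  -", f)
```

Remember that DMARC only matters if SPF or DKIM is also in place for the domain, so a p=reject record is a good sign, not proof on its own that the company’s mail is hard to spoof.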

This is just a small sample of what’s out there to help you learn more about your employer or any company/organization that you’re interested in. While this can be helpful to get you started, remember that anything you find should be validated before you draw any conclusions. To get more comfortable with any of these tools, practice using them against organizations or domains that you know well so you can validate true positives. As for me, I’ll be on the job soon enough to get into these and all the other details that OSINT and an Internet connection can’t provide.
