And with that, here’s another entry in our OSINT Top Ten. This time, we’re not looking at one particular tool or web app, but rather an array of tools that allow you to get to the very heart of a big issue for many organizations; especially ones on the smaller side. This week, we’re looking at the ways in which the adversary launches brute force attacks – leaked password/username credential leaks.
Of course, anyone with even the slightest amount of experience in cybersecurity knows the various ways that threat actors use to launch brute force attacks. That’s why we should turn inside instead – we should look for ways to clean up our online presence and understand the way that adversary is already capable of seeing us.
Finding out what they already know
Although this sounds like the basic plot of a cheesy cyber-horror film, there is certainly a precedence for the adversary using OSINT tools to find out everything they need about you. Yes, you, System Administrator. If you aren’t careful with your cyber footprint (that is, everything that you leave online which could be traced back to you, personally), then you face the possibility of exposing your organization.
We have already looked at tools like Have I Been Pwned? in the past to illustrate how you can find out what is out there after a breach. The defensive posture that we want to take is understanding what is out there before a breach. There are three common ways to find out what the adversary already knows about you within a professional context:
- Hunter, a “professional lookup” tool
- NS Lookup, a tool for finding DNS records
- Public Buckets, a tool for finding public buckets
“Uh oh, Austin”, you say – “this sounds like a direct way to learn how to hack into a company”. Yeah, I agree, but you should remember that the adversary already has all this at their fingertips. If you’re not doing your due diligence via professional tools, you should start with open-source intelligence web apps to start playing catch up.
Hunter is a great tool for those aspiring to climb the corporate ladder. It’s an even better tool for people who need quick access to any email addresses that are sitting on the internet somewhere, ready to be exploited.
When I enter a domain name into the search box, everything that is publicly available online is shown. This means that if there are any contact details that have been accidentally posted publicly, the adversary can find them. All they need to know is your domain name.
Alone, that’s not too fearsome. But let’s think back to the LAPSUS$ attacks and remember that finding a legitimate email address was the first step to getting leaked credential sets.
Although this one isn’t strictly related to personal data, it would become very handy for the adversary when they know a legitimate credential set. Finding an exposed or otherwise weakened server would be an easy way to start running zone transfers and loading out information. In combination with other tools which we will be exploring in upcoming entries, this becomes a very challenging situation to defend.
As you can see from the above, there are a variety of different searches you can run, which could be concerning for people with unsecured email servers or generally outdated DNS practices.
And here, the adversary takes on a very exploitative character. As we all move into the world of web service storage, exposed S3 Buckets seems to become an all-consuming worry and a very easy way for the adversary to undermine all other defensive work. Thankfully, in an effort to make that process a little harder for threat actors, Grayhat Warfare developed Public Buckets.
First of all, I would like to draw your attention to the “random files” button – knowing that the adversary is also using tools like this one, it’s safe to say that no buckets that contain sensitive information should be left pointing outwards.
By entering in your chosen keywords, you can find if there are any public S3 buckets that are exposing your data. For people who are responsible for data management, an unhealthy obsession with CTRL + R (or F5 if you’re a bit old school) might become the standard way of life if automatic alerts aren’t put in place.
Should I use this approach?
These tools taken together present a disjointed way in which the adversary could find you, find your organization, potentially start zone transfers, and even exfiltrate data directly from poorly secured S3 buckets. Although this is only an imagined situation – and there are a million other imagined scenarios which could keep you up at night – it is important to understand how OSINT tools can be used against you, especially when you or your organization have a careless attitude towards cyber footprints.
As a heads up, expect further combined tool articles. As the OSINT framework is already very broad (and that’s without considering all of the other sources of open-source intelligence), we have decided to create small bundles of tools that will help you achieve certain goals.