1
00:00:06,444 --> 00:00:07,851
- One of the most important things

2
00:00:07,851 --> 00:00:09,659
you can do from an external standpoint

3
00:00:09,659 --> 00:00:11,527
when you're doing security testing is to search

4
00:00:11,527 --> 00:00:14,027
for files belonging to these organizations

5
00:00:14,027 --> 00:00:15,375
that you're targeting.

6
00:00:15,375 --> 00:00:17,721
You can use web searches to find files.

7
00:00:17,721 --> 00:00:19,651
Just by doing simple Google searches,

8
00:00:19,651 --> 00:00:21,531
you can get a lot of documents

9
00:00:21,531 --> 00:00:23,282
that belong to the organization.

10
00:00:23,282 --> 00:00:24,865
And there's a lot of useful information

11
00:00:24,865 --> 00:00:26,203
within those documents.

12
00:00:26,203 --> 00:00:29,036
So if you do site:example.com pdf,

13
00:00:30,299 --> 00:00:32,914
you type that in Google and you'll find

14
00:00:32,914 --> 00:00:36,612
PDF documents that are on the example.com domain.

15
00:00:36,612 --> 00:00:38,669
So obviously you'll change example.com

16
00:00:38,669 --> 00:00:41,383
to whatever organization that you're targeting.

17
00:00:41,383 --> 00:00:43,794
And you'll find out that information.

18
00:00:43,794 --> 00:00:45,461
You can change a PDF

19
00:00:46,992 --> 00:00:48,659
to XLSX and find

20
00:00:50,086 --> 00:00:52,974
Excel documents belonging to that organization.

21
00:00:52,974 --> 00:00:54,926
Sometimes you'll find more results

22
00:00:54,926 --> 00:00:58,069
if you use the file type switch.

23
00:00:58,069 --> 00:00:59,486
So filetype:xlsx.

24
00:01:01,929 --> 00:01:04,254
Or sometimes you find more just

25
00:01:04,254 --> 00:01:07,222
by typing in the extension by itself.

26
00:01:07,222 --> 00:01:09,354
Either way, Google will return results

27
00:01:09,354 --> 00:01:12,421
for that organization for those file types.

28
00:01:12,421 --> 00:01:15,877
Password files, for better or worse.

29
00:01:15,877 --> 00:01:18,335
There are password files that are available

30
00:01:18,335 --> 00:01:20,662
on the internet that belong to organizations.

31
00:01:20,662 --> 00:01:23,861
This often happens when servers are misconfigured.

32
00:01:23,861 --> 00:01:27,596
Google goes through and indexes those systems

33
00:01:27,596 --> 00:01:31,163
and unfortunately puts password files

34
00:01:31,163 --> 00:01:33,946
directly on the internet.

35
00:01:33,946 --> 00:01:35,483
This has happened for many organizations,

36
00:01:35,483 --> 00:01:38,450
and it's quite easy to find this information as well.

37
00:01:38,450 --> 00:01:40,368
There's one thing that's important to do

38
00:01:40,368 --> 00:01:42,798
when you're actually performing penetration tests:

39
00:01:42,798 --> 00:01:44,889
to see if sensitive information is

40
00:01:44,889 --> 00:01:46,806
actually available online.

41
00:01:46,806 --> 00:01:49,980
We'll proceed into a demo where we will show you how

42
00:01:49,980 --> 00:01:52,174
to grab files from an organization

43
00:01:52,174 --> 00:01:56,174
and actually pull sensitive information as well.

44
00:01:57,171 --> 00:01:59,275
There's a lot of research that has been done

45
00:01:59,275 --> 00:02:01,935
on what type of internet searches you can do

46
00:02:01,935 --> 00:02:04,200
to actually find out sensitive information

47
00:02:04,200 --> 00:02:06,761
belonging to an organization.

48
00:02:06,761 --> 00:02:09,226
Also remember the file contents are

49
00:02:09,226 --> 00:02:11,222
not the only important thing.

50
00:02:11,222 --> 00:02:14,716
Metadata within these documents also

51
00:02:14,716 --> 00:02:17,551
contains really important information.

52
00:02:17,551 --> 00:02:19,102
Within the metadata in these documents,

53
00:02:19,102 --> 00:02:21,309
you could find out usernames and software.

54
00:02:21,309 --> 00:02:23,765
So if you ever open up a Word document,

55
00:02:23,765 --> 00:02:27,932
and Microsoft Word pops up and says enter your username

56
00:02:29,832 --> 00:02:33,314
or the author, people usually fill out that information.

57
00:02:33,314 --> 00:02:36,598
Well, all that information gets stored within the file,

58
00:02:36,598 --> 00:02:40,610
so anybody that has access to those Word documents later

59
00:02:40,610 --> 00:02:44,177
can see who exactly was the author of that information.

60
00:02:44,177 --> 00:02:47,476
And you can discover usernames,

61
00:02:47,476 --> 00:02:50,434
and it also shows the version of

62
00:02:50,434 --> 00:02:52,869
software you're running as well.

63
00:02:52,869 --> 00:02:55,443
The version of software that's running is really important.

64
00:02:55,443 --> 00:02:58,145
Especially if you're going to perform any type

65
00:02:58,145 --> 00:03:01,129
of targeted attack on the victim machines

66
00:03:01,129 --> 00:03:02,834
or any type of phishing attack,

67
00:03:02,834 --> 00:03:05,326
because you'll want to know exactly what software

68
00:03:05,326 --> 00:03:09,126
they're running to see if maybe they're running

69
00:03:09,126 --> 00:03:10,914
a vulnerable version of software

70
00:03:10,914 --> 00:03:13,098
that you can target and exploit.

71
00:03:13,098 --> 00:03:16,613
Or you can craft a special phishing attack saying

72
00:03:16,613 --> 00:03:19,558
we realize you're using this type of software,

73
00:03:19,558 --> 00:03:22,975
and you can create your phishing campaign

74
00:03:24,210 --> 00:03:26,374
using that as well.

75
00:03:26,374 --> 00:03:28,729
So we discussed the importance of metadata

76
00:03:28,729 --> 00:03:31,069
and the types of information that you can pull

77
00:03:31,069 --> 00:03:33,201
from files belonging to an organization.

78
00:03:33,201 --> 00:03:35,669
Let's see how that actually looks.

79
00:03:35,669 --> 00:03:39,558
So we perform a Google search for example.com,

80
00:03:39,558 --> 00:03:44,292
and we try to look for, let's say, Excel documents.

81
00:03:44,292 --> 00:03:45,961
In this case, we're not finding anything.

82
00:03:45,961 --> 00:03:48,116
It's just an example domain.

83
00:03:48,116 --> 00:03:51,275
But let's pretend that you actually do find

84
00:03:51,275 --> 00:03:55,120
a document belonging to this organization.

85
00:03:55,120 --> 00:03:59,287
We created a test .docx file, which is a Word document,

86
00:04:00,935 --> 00:04:03,035
and we want to see exactly what types

87
00:04:03,035 --> 00:04:04,949
of information you can pull from it.

88
00:04:04,949 --> 00:04:06,818
One really neat tool to use for this

89
00:04:06,818 --> 00:04:09,418
is ExifTool by Phil Harvey.

90
00:04:09,418 --> 00:04:12,446
This tool can be used to pull all sorts

91
00:04:12,446 --> 00:04:15,438
of metadata from files, and so let's see

92
00:04:15,438 --> 00:04:17,495
what types of information I can pull

93
00:04:17,495 --> 00:04:21,726
from this test Word document that we created.

94
00:04:21,726 --> 00:04:24,846
So if you run the tool on the employee handbook,

95
00:04:24,846 --> 00:04:27,131
which is a pretty common name

96
00:04:27,131 --> 00:04:30,660
that you'll find in organizations, we can quickly see that.

97
00:04:30,660 --> 00:04:34,094
You see the title, the full filename,

98
00:04:34,094 --> 00:04:36,011
employee-handbook.docx.

99
00:04:37,121 --> 00:04:38,990
So it's a Word document.

100
00:04:38,990 --> 00:04:41,784
You can see when it was last modified.

101
00:04:41,784 --> 00:04:43,643
See the .docx extension.

102
00:04:43,643 --> 00:04:45,101
Now you see a creator.

103
00:04:45,101 --> 00:04:48,268
We have a username, jsmith@example.com.

104
00:04:49,708 --> 00:04:52,529
Sometimes you'll just see J Smith in there,

105
00:04:52,529 --> 00:04:54,808
or sometimes you'll see a different type

106
00:04:54,808 --> 00:04:56,951
of username if the organization is using

107
00:04:56,951 --> 00:04:59,399
a different type of naming convention.

108
00:04:59,399 --> 00:05:02,719
You can see that they put a description in here that says,

109
00:05:02,719 --> 00:05:05,886
"Send to hr@example.com for approval."

110
00:05:07,045 --> 00:05:10,837
So this means that you also know another email address,

111
00:05:10,837 --> 00:05:12,392
hr@example.com,

112
00:05:12,392 --> 00:05:15,366
in addition to jsmith@example.com.

113
00:05:15,366 --> 00:05:17,878
And you know that there's some approval process

114
00:05:17,878 --> 00:05:22,511
that the HR team looks at for these types of documents.

115
00:05:22,511 --> 00:05:24,325
And you can see the person's full name,

116
00:05:24,325 --> 00:05:26,249
so the person is John Smith,

117
00:05:26,249 --> 00:05:28,734
so that's where they get J Smith from.

118
00:05:28,734 --> 00:05:32,088
So now you know that if you get a whole list

119
00:05:32,088 --> 00:05:34,730
of employees belonging to this organization,

120
00:05:34,730 --> 00:05:36,865
you know that they're using the first letter

121
00:05:36,865 --> 00:05:40,469
of their first name and then the last name @example.com

122
00:05:40,469 --> 00:05:42,572
as their naming convention.

123
00:05:42,572 --> 00:05:44,311
So all you need moving forward is a whole list

124
00:05:44,311 --> 00:05:47,521
of employee names, and you can actually get

125
00:05:47,521 --> 00:05:49,817
the usernames from that.

126
00:05:49,817 --> 00:05:51,250
We keep looking down.

127
00:05:51,250 --> 00:05:54,328
We actually see a manager field, which is really interesting,

128
00:05:54,328 --> 00:05:58,015
so there's a manager called Martin Smith.

129
00:05:58,015 --> 00:06:02,016
So we know John Smith's manager is Martin Smith,

130
00:06:02,016 --> 00:06:05,610
and that is really useful for any type of phishing campaign,

131
00:06:05,610 --> 00:06:09,332
or as we're trying to build an attack scenario,

132
00:06:09,332 --> 00:06:11,167
we really want to know what type

133
00:06:11,167 --> 00:06:14,361
of reporting structure they have in the organization.

134
00:06:14,361 --> 00:06:17,293
We can also see the company's name as well.

135
00:06:17,293 --> 00:06:19,958
We also know that they use Macintosh Word,

136
00:06:19,958 --> 00:06:22,579
so we know that they have Macs in the organization.

137
00:06:22,579 --> 00:06:26,746
You'll often see Macs being used by the web developers

138
00:06:27,608 --> 00:06:30,471
or anyone posting information to the web,

139
00:06:30,471 --> 00:06:32,149
but maybe this organization uses Macs

140
00:06:32,149 --> 00:06:34,064
throughout their entire environment,

141
00:06:34,064 --> 00:06:35,836
so you wouldn't want to use a

142
00:06:35,836 --> 00:06:38,889
Windows-specific attack for this organization.

143
00:06:38,889 --> 00:06:42,363
You would want to use a Mac-specific attack

144
00:06:42,363 --> 00:06:44,461
for at least some of the individuals

145
00:06:44,461 --> 00:06:47,788
that are posting this information to the web.

146
00:06:47,788 --> 00:06:50,871
So right off the bat, we just pulled a Word document

147
00:06:50,871 --> 00:06:55,585
from the organization, and we found out three usernames.

148
00:06:55,585 --> 00:06:59,816
We found J Smith, we found HR, and we found M Smith,

149
00:06:59,816 --> 00:07:02,300
which is going to be Martin Smith,

150
00:07:02,300 --> 00:07:04,379
and so we have three individuals.

151
00:07:04,379 --> 00:07:06,433
We know three email addresses,

152
00:07:06,433 --> 00:07:08,108
and we're starting to get an idea

153
00:07:08,108 --> 00:07:10,884
of the reporting structure in this organization.

154
00:07:10,884 --> 00:07:13,312
We also know that at least some individuals

155
00:07:13,312 --> 00:07:16,786
in the company use Microsoft Macintosh Word.

156
00:07:16,786 --> 00:07:20,502
So they have Macs in their environment as well.