1
00:00:06,760 --> 00:00:08,590
- [Instructor] Email footprinting

2
00:00:08,590 --> 00:00:11,800
or email reconnaissance can be extremely beneficial

3
00:00:11,800 --> 00:00:15,270
for an attacker because of many different reasons.

4
00:00:15,270 --> 00:00:16,103
As a matter of fact,

5
00:00:16,103 --> 00:00:18,390
I'm actually in front of a tool called Maltego

6
00:00:18,390 --> 00:00:20,070
as you see is a community edition.

7
00:00:20,070 --> 00:00:22,770
There's two versions of Maltego,

8
00:00:22,770 --> 00:00:24,730
the professional version and the community edition,

9
00:00:24,730 --> 00:00:25,810
which is free.

10
00:00:25,810 --> 00:00:27,690
And that's what I'm using right now.

11
00:00:27,690 --> 00:00:30,248
And basically this tool is extremely popular

12
00:00:30,248 --> 00:00:32,470
for penetration testing.

13
00:00:32,470 --> 00:00:33,303
And of course, you know

14
00:00:33,303 --> 00:00:37,860
for open source intelligence or OSINT reconnaissance.

15
00:00:37,860 --> 00:00:41,380
In this case to find very interesting emails

16
00:00:41,380 --> 00:00:44,230
related to any type of company or domain,

17
00:00:44,230 --> 00:00:48,420
for example, I just searched for a domain that I own,

18
00:00:48,420 --> 00:00:50,540
h4cker.org with the number four.

19
00:00:50,540 --> 00:00:53,120
And then you actually immediately were able

20
00:00:53,120 --> 00:00:58,120
to obtain my email address in that domain, Omar@h4cker.org.

21
00:00:58,770 --> 00:01:01,620
So why can this be beneficial for an attacker?

22
00:01:01,620 --> 00:01:03,221
Well, an attacker can use this email

23
00:01:03,221 --> 00:01:07,290
for sending a spear phishing attack or, you know

24
00:01:07,290 --> 00:01:11,443
any phishing type of attack to lure the user

25
00:01:11,443 --> 00:01:13,512
to either click on a malicious link

26
00:01:13,512 --> 00:01:16,010
or follow that link to a malicious website

27
00:01:16,010 --> 00:01:17,750
or click on a malicious attachment

28
00:01:17,750 --> 00:01:20,861
and perhaps install a back door, manipulate the system,

29
00:01:20,861 --> 00:01:22,880
and so on.

30
00:01:22,880 --> 00:01:26,120
Another way that the attacker can leverage this email

31
00:01:26,120 --> 00:01:30,950
is because nowadays we use email addresses like this one

32
00:01:30,950 --> 00:01:35,950
to log into other sites specifically with single sign on,

33
00:01:36,110 --> 00:01:39,240
and you know, things like SAML authentication

34
00:01:39,240 --> 00:01:41,610
and you know, many other implementations.

35
00:01:41,610 --> 00:01:44,060
Now, the attacker can then use this email address

36
00:01:44,060 --> 00:01:47,620
to potentially find login pages

37
00:01:47,620 --> 00:01:51,380
or any type of systems related to h4cker.org.

38
00:01:51,380 --> 00:01:55,840
Let's say that website may have a slash admin account

39
00:01:55,840 --> 00:01:57,190
or area.

40
00:01:57,190 --> 00:02:00,220
Then it may actually use this email address

41
00:02:00,220 --> 00:02:03,410
to perform a brute force attack

42
00:02:03,410 --> 00:02:06,143
or to attempt to, of course, you know, log in

43
00:02:06,143 --> 00:02:08,540
as that user, of course, you know,

44
00:02:08,540 --> 00:02:11,742
taking advantage of other types of vulnerabilities

45
00:02:11,742 --> 00:02:14,440
or, you know, further reconnaissance.

46
00:02:14,440 --> 00:02:16,360
And as I mentioned, a brute force attack.

47
00:02:16,360 --> 00:02:20,315
So many different ways that you can leverage these emails

48
00:02:20,315 --> 00:02:22,140
for spear phishing attacks,

49
00:02:22,140 --> 00:02:23,900
social engineering attacks,

50
00:02:23,900 --> 00:02:24,860
and of course, you know,

51
00:02:24,860 --> 00:02:27,840
to leverage them in other authentication

52
00:02:27,840 --> 00:02:30,063
and authorization attacks as well.