Series on Hacker Logic, Part One: How Hackers Do Reconnaissance on Organizations

David Wolpoff (moose)
6 min read · Oct 15, 2020


Doing surveillance on organizations takes time and persistence, but it isn’t overly sophisticated. Tools that make things more usable also make you more of a target, and organizations have to make this risk trade-off daily.

Screenshot from OSINT.

As someone regularly hired to hack Fortune 500 companies, I’ve gone up against many different types of organizations — some are adept at stopping me from achieving my objective, others leave the door wide open. What I’ve found is that the most challenging organizations to break into are the ones anticipating my every move. They have experience protecting what matters most.

This blog post series is designed to take you through the hacker logic used to break into organizations. The goal isn’t to scare you into buying a new security product — there is plenty of that already. Instead, I want organizations to understand the attacker’s perspective — a hacker’s logic — because once you see your environment the way a hacker does, your security strategy will change. You’ll prioritize like an attacker does, and figure out how to protect what matters most.

The reality is that if your organization is a target, a determined adversary will get in. They are patient and persistent, and have time on their hands. When an attacker decides which targets to pursue (or is given a target), their first step is to map the org’s attack surface by conducting reconnaissance and surveillance to find a way in. Doing recon on an organization can be bucketed into two categories:

  • Social recon involves examining the human element: how many employees there are, how they interact with work online, where they are based, and who makes a good phishing target.
  • Tech recon is an audit of the software and hardware that makes up the tech stack and environment that’s accessible from the internet.

Neither of these is particularly difficult to do, but both can be time-consuming. The questions for an organization looking to mitigate the risk of a cyberattack are “How easy is it for would-be intruders to get the information they need to orchestrate an attack?” and “What can my attacker see that I can’t?”

Build a company blueprint with Google

Most of the information needed to break into an organization can be found with a simple Google search, from a laptop sitting at a desk at home. An attacker’s first step (a step recently observed in the activity of Chinese hackers) is to use publicly available “open source intelligence” (OSINT — thanks @jnordine for a cool website!) to build a profile of a company. This means gathering information such as network registration records, domain registrations, Wi-Fi network names, screenshots, and HTTP banners to build a picture of the assets a company is sitting on. An attacker learns how many employees a company has, how they interact with customers, and whether any leaked passwords are available that may provide access.

Once a blueprint of an organization is in place (lists of domains, networks, hostnames, IPs, and the services and technologies in use), the next step is to figure out the easiest and cheapest way in. In some cases, it’s better to use a social engineering trick (more on that below). In others, attacking company assets sitting on the perimeter is the better option. Any attacker worth their salt spends time prioritizing which “targets” (technology assets, networks, software instances, people, etc.) to pursue. In part two of this series, I’ll take you deep into how a hacker stack ranks tech targets.

Social recon: Publicly available employee portals

Publicly available employee portal login page, found with a Google search. With a little digging and a password reset, I’m in.

To increase employee productivity, many employee login portals are publicly accessible, which makes them accessible to an attacker too. Anything that makes a company more usable or more accessible also makes it an easier target. Not only do many corporate websites have convenient links to employee email and login pages, but most also come with a plethora of information about how to reset passwords in case of a lockout. For a hacker, the solution may be as easy as using employees’ social media pages to get answers to a couple of mundane security questions. That, coupled with a publicly available email address, could be enough to get through the first door.

Social engineering new “friends”

If an organization’s employees don’t appear to have a lot of information publicly available, another option for attackers is quite simply to ask the employees. Often, social engineering (exploiting or forcing errors in human judgement) is far easier than exploiting technology. “Friending” an employee on Facebook or LinkedIn and striking up a conversation with them to suss out answers to their security questions has worked for plenty of hackers in the past. You’d be amazed what people will tell you if you simply ask. In fact, a 2016 study from the University of Luxembourg found that 30% of people approached on the street would tell you their password in exchange for a piece of candy.

Social engineering sounds harder than it really is. A simple Facebook scroll and you’re finding answers to banking questions.

If the personal approach is too daunting, attackers may also drop an unsuspecting employee a phishing link in an email or direct message to bypass the security questions altogether.

Tech recon: Finding the easiest target in the attack surface

Attackers don’t have the time or the money to look at every asset in depth, since the number of targets can run into the tens of thousands for a large enterprise. So they search for the path of least resistance that also won’t get them caught. An attacker might ask themselves:

  • How well do I know and understand the asset on the attack surface?
  • Is there a known vulnerability? If so, how easy would it be to build an exploit?
  • If I get in, how easy will it be to escalate privileges?
  • Is this something that might trigger monitoring, or can I go undetected?
  • Is this piece of technology known to be buggy?
  • Do I already have an exploit I can use?

As an example, I’ll often opt to attack a security appliance (e.g., a firewall or VPN) before other assets, because if you pwn that box, you own everything. I once popped a VPN that was part of a larger security appliance that was also the firewall, monitoring, and logging solution. After I broke into the VPN, the entire security infrastructure was compromised, and I was in.

Your move

Breaking into a system can take anywhere from a couple of hours to several months or more. But eventually, I will find a flaw on your attack surface, and if I am patient — which I am — when you mess up, I’ll get in. There is a reason why retail stores factor a certain amount of loss to shoplifting into their profit projections. It will never be worthwhile to attempt to make a public service impenetrable: it’s designed to be usable. The real game is to control and mitigate what intruders gain access to. Tools that make things more usable also make you more of a target, and organizations have to make this trade-off daily to ensure productivity.

No system will ever be fully secure, but limiting the information attackers can get their hands on out of the gate goes a long way toward taking the wind out of their sails. This means burying the truly crucial information behind so many fail-safes that it isn’t worth the effort for an attacker. For security purposes, an organization’s job is simply to be more complex and intricate than a hacker can be bothered to wade through.
