Thursday 5 July 2018

The Ins and Outs of OSINT

The industry consensus is that manual penetration testing is the best way to test your networks and web applications, finding vulnerabilities you didn’t know you had and helping you protect your most valuable assets. This is justified, of course, but if you are looking for something that is just as important, then look no further than your physical security. It doesn’t always spring to mind, but information about your physical security (in the wrong hands) can be just as much of a chink in your armour as a failure in your coding can. How easy is it to get into your building? Is there adequate security around your servers? Are your employees too trusting of strangers in their workplace? The hackers' weapon of choice to exploit these vulnerabilities is Open Source Intelligence (OSINT). Here we discuss some of the techniques hackers will use and how you can begin to protect against them.

If you are not already familiar with the concept of open-source intelligence, or OSINT, it refers to any information about a target that can be gathered from public sources, and it has been a staple of government operations, hacking (both ethical and unethical) and criminal investigations for many years. But OSINT can be incredibly valuable to a physical security tester as well. In this blog post, we will demonstrate how it is possible to enumerate everything from the type of elevator and alarm system present in a building and who installed and serviced it, to pictures of employee badges and photographs of the target building from multiple angles. In addition, you can find sources and detailed information about people who work in that building, all from the comfort of your home office. This blog post will highlight, at a very high level, some of the ways we leverage open-source intelligence for physical security testing. It is important to note, however, that none of the techniques in this article are intended to replace proper onsite reconnaissance.

Geotagged social media posts
In many ways platforms such as Twitter, Facebook, YouTube, Flickr and Picasa are the OSINT goose that lays golden eggs, both in the amount of valuable intelligence they produce and the ease with which their APIs make this information available. Often without the user being made aware, these platforms allow anyone with API access to query for content created in the vicinity of a specific area based on embedded geographic metadata, and this is also true for all the smaller social media platforms that rely on them as a back end. Instagram once allowed such queries, but it has sadly made changes to its API to prevent this. Tools such as the Recon-ng framework automate querying the APIs of Twitter, YouTube, Flickr, Picasa and Shodan (we will come back to Shodan later): feed it API keys, GPS coordinates and a radius, and it will happily gather all the geotagged posts within that radius and overlay them on Google Maps for you. Unfortunately Recon-ng is currently unable to query the Facebook Live API; however, this information can still be gleaned, as it can from many other platforms. Geotagged social media posts are incredibly valuable not only because they reveal people who frequent a target area, but more importantly because they give us photos and videos of the target facility’s surroundings from different perspectives, which can cut down the amount of time we need to spend onsite doing recon.

Sensitive information leaked via social media
A rather strange trend, which seems to be focused around new hires and departing employees, is to post pictures of their employee badge on social media. This not only simplifies the process of forging an employee badge, but often the badge ID number can be seen written on the badge, which is often all that needs to be written to an RFID credential to be granted access by a reader. This kind of exposure is trivial to exploit with Google and Twitter’s own search engine; the Twitter account @NeedAnIDBadge also does a great job of archiving many of these posts. Besides pictures of employee IDs, it is often easy to identify corporate language, terms and organisational unit names from social networks like LinkedIn, which can be extremely useful when assuming the pretext of an employee. Posts made by corporate social media accounts can also be used to gauge corporate culture and dress code, as well as events that can offer new pretexts. For example, if a major R&D lab announces on Twitter that it is hosting a press conference that coincides with the engagement, masquerading as a blogger or freelance journalist is a simple and effective pretext to gain access to the facility.

Open Government Records
In many countries, but the United States especially, most if not all building permits and inspection records are a matter of public record. Cities like New York City, and sometimes states, have Building Information System (BIS) portals where anyone can query which fire/burglar alarms were permitted in that building and who installed them. There should also be inspection records for elevators, which often reveal the make, model and installer of a building’s elevator, something that can speed up the elevator attack process. A tester can also query similar portals to identify whether the target has a permit for armed or unarmed security guards. It is, however, important to note that if security guards are contracted through an agency, as opposed to being proprietary, they might not show up. It is also worth noting that not every company feels the need to hire licensed security guards or to go through official channels to contract them. Checking FCC filings can also reveal which radio frequencies security staff are using for their radios.

Satellite and other imagery sources
Probably one of the most useful and least known assets for doing remote recon on a building is Mapillary. Mapillary is like Google Street View, but instead of gathering photos with a car, Mapillary uses crowd-sourced photographers with mobile phones and GoPros, which results in street-level photos of areas that a car, and therefore Google Street View, wouldn’t be able to access. I often find that if Google Street View can’t give me a good shot of a building, Mapillary can do the job. Besides Street View and Mapillary, Google Earth is a powerful tool not just for OSINT but for managing data gathered onsite as well. It can ingest output from GPS-enabled tools or anything that outputs KML. Sadly, I have not yet found an easy way to get Google Earth to ingest Recon-ng’s output, but it can also parse geotagged photos, meaning that if you import photos taken with a GPS-enabled camera, each one becomes a pushpin on Google Earth. What also adds to the versatility of Google Earth is the wide array of overlays that can be imported into it; everything from weather satellite imagery to Bing maps.
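Since Google Earth takes anything that outputs KML, findings from a tool whose output it will not ingest directly can be written as KML by hand. As an added example (not code from the post, from Recon-ng or from Google), this serialises a list of geotagged findings as one KML layer and parses it back to verify the file; the (label, source, lat, lon) record shape and the sample records are constructed assumptions.

```python
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

def _k(tag):
    """Namespace-qualify a KML element name for ElementTree."""
    return f"{{{KML_NS}}}{tag}"

def records_to_kml(records, layer="Remote recon findings"):
    """Serialise (label, source, lat, lon) records as one KML Folder of
    Placemarks, so Google Earth can import and toggle them as a single layer.
    KML writes coordinates as lon,lat,alt: putting latitude first is the
    classic mistake that drops every pin hundreds of miles away."""
    ET.register_namespace("", KML_NS)
    root = ET.Element(_k("kml"))
    folder = ET.SubElement(ET.SubElement(root, _k("Document")), _k("Folder"))
    ET.SubElement(folder, _k("name")).text = layer
    for label, source, lat, lon in records:
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            raise ValueError(f"out-of-range coordinate for {label!r}: {lat}, {lon}")
        pm = ET.SubElement(folder, _k("Placemark"))
        ET.SubElement(pm, _k("name")).text = label
        ET.SubElement(pm, _k("description")).text = f"source: {source}"
        point = ET.SubElement(pm, _k("Point"))
        ET.SubElement(point, _k("coordinates")).text = f"{lon:.6f},{lat:.6f},0"
    return ET.tostring(root, encoding="unicode")

def placemarks(kml_text):
    """Parse a KML string back into [(name, lat, lon)] to check a file before import."""
    out = []
    for pm in ET.fromstring(kml_text).iter(_k("Placemark")):
        lon, lat, _alt = pm.find(f"{_k('Point')}/{_k('coordinates')}").text.split(",")
        out.append((pm.find(_k("name")).text, float(lat), float(lon)))
    return out

# Constructed sample records, not real findings: (label, source, lat, lon).
SAMPLE_RECORDS = [
    ("Photo tagged near the loading bay", "flickr", 51.507222, -0.1275),
    ("Street-level shot of the rear entrance", "mapillary", 51.5075, -0.1282),
]

if __name__ == "__main__":
    with open("findings.kml", "w", encoding="utf-8") as fh:  # open this file in Google Earth
        fh.write(records_to_kml(SAMPLE_RECORDS))
```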

This brings us to OpenStreetCam and Shodan. While there are many sources like OpenStreetCam and Shodan, these two I have found to be the best at what they do. OpenStreetCam offers us the ability to identify and access security and traffic cameras that are exposed to the internet. While it’s a bit hit and miss (missing more often than not), OpenStreetCam, under the right circumstances, offers us the ability to recon a building and, if the stars align, monitor it from the comfort of our own home office (and did I mention you can use it as a Google Earth overlay?). Shodan, on the other hand, offers us the same potential and so much more. While most people are familiar with Shodan, an internet scanning service that allows users to search the majority of the internet for connected devices, I don’t think anyone fully grasps its utility for physical security testing. Using Shodan I have found countless security cameras, burglar alarm panels and other pieces of physical security equipment exposed to the internet and ripe for compromise. If you recall, I mentioned Shodan briefly in the context of Recon-ng. Luckily for us physical security testers, Shodan allows us to filter our searches to a geographic area and, because it is supported by Recon-ng, we can overlay its findings on the same map as our social media mining. I personally find it essential to check for internet-exposed hardware whenever I do a physical security engagement.

ZeroDayLab is often engaged by our clients to carry out physical security penetration tests and site surveys on their various facilities. To ensure that we use our time onsite as efficiently as possible and that we deliver our clients as thorough and informative a report as possible, we have developed an open-source intelligence gathering methodology to collect as much information pertinent to a physical attacker as possible before we even arrive on site. This blog should have helped you understand how operational security can have a huge impact on physical security, and how much of a force multiplier OSINT can be when conducting physical security engagements.