A Guide to Digital Reconnaissance

WHAT IS DIGITAL RECONNAISSANCE?

Digital reconnaissance is a way of collecting intelligence about an organization or target without actively interacting with their systems. It’s a critical first step in most red team exercises, as it allows red teamers to fly under the radar as they gather crucial information about their client or target.

In this article, we’ll walk through the key areas to focus on when conducting digital operations, but we aren’t providing an exhaustive list here. While there are tactics and methodologies you’ll want to follow in every exercise, the creative art of digital reconnaissance work is in adapting those practices to each project to get all the data and information you need.

TECHNIQUES AND KEY CONCEPTS

To start, we’ll define and quickly explain a few core concepts here before we jump into the actual mechanical practice of performing digital reconnaissance.

Before we dive in, it’s important to remember to wait for the most opportune time to act upon the information you’re gathering. It will be tempting to start your social engineering operations as soon as you begin gathering intel, but this can result in you revealing your hand without fully knowing your enemies.

When conducting reconnaissance, you will want to gather information passively first. This allows you to build a picture of your target(s) without alerting them to your activities. Lack of awareness on their part exposes them and leaves them in a weakened defensive posture. Active reconnaissance involves overt actions that intentionally interact with your human or system targets, which can alert them to your activities, which will start their hunt procedures to identify who is targeting them. The goal is to build a picture of the target; whether it’s an organization as a whole, subsidiary, or an individual. The more you know prior to actively engaging your target will ensure you are set up with a higher chance of success.

You will notice that I have separated out organizations and individuals as possible targets. I did this for several reasons that affect the way to approach reconnaissance for each:

1. Often an organization will focus first and foremost on technical security controls. However, little to no efforts are spent on ensuring they have a hygienic “footprint” from a security perspective.
2. Organizations rely on the training and awareness of employees; however, the organization’s individuals are usually its weakest link and are susceptible to social engineering tactics.
3. On the other hand, there are times that you will want to target a very specific individual or set of individuals that have nothing to do with an organization from a client perspective.

When it comes to targeting individuals, you can employ similar techniques that the intelligence community and military use, called human intelligence gathering or HUMINT. Often this includes an aspect of social media intelligence gathering or SOCMINT/SMI.

Human intelligence gathering and psychological operations (PSYOPS) mean that you’re digging deeper into each individual’s life, including interests, connections, weaknesses, and activities. With that information, you can use social engineering tactics to exploit any vulnerabilities or areas of weakness to get access to information you’re seeking to then pivot into new business areas/functions/employees to explore. To start, we’ll focus on passive techniques like human intelligence gathering, which are used to launch social engineering and similar attacks.

Important: Remember to exercise tight operational security (OPSEC) while performing these activities. Utilize anonymous connection tools such as Tor and VPNs, your browser's private mode (incognito), and anonymous prepaid wireless hotspots.

Organizational Charts

A great first step is to gain visibility into the employees of your target organization to comprehensively understand its human landscape and exploitability. Eventually what you’re hoping to do here is to understand the “threat landscape” that the employees and other key players present for a company – whether it’s the potential for social engineering attacks and what exploiting that ‘persona’ will yield, exploits against employee devices and software/applications, how secure their own work and personal habits are, and risks in their work behavior, such as where and how they do their work. (Are they using public Wi-Fi often while traveling for work?) In intelligence and military applications, as you develop your target(s) over time, you analyze the value of exploitation and what can be gained. Typically, this is through applying target selection standards (TSS) and identifying the high-payoff and high-value targets (HPTs and HVTs respectively) also known as key players.

Once you start to better understand the players, you can start to connect the dots of internal reporting structures as well as the more esoteric bits of information about the HVTs like their social circles and level of influence within the company and their industry.

After collecting that information, you can start specific targeted open source intelligence gathering techniques (OSINT) and social media intelligence (SOCMINT/SMI) to discover more about each individual. The ability to walk into a key player’s favorite coffee shop to casually chat them up about their interests can be an extremely powerful tactic in both information gathering and social engineering. At Bishop Fox, we’ve been on operations where we’ve actively participated in activity groups with some of our targets in order to befriend them and learn more about their work via casual conversations. These are the tactics that attackers use regularly, and it’s your job as a red teamer to go to those same extreme measures in order to test an organization’s defenses.

Individuals

From an organizational standpoint, after getting to know the critical key players, you can start moving a level below them to the individual layers – think of this layer as the individual contributors and managers within a company. Collect a list of all those soft targets within an organization and then start digging into more investigative reconnaissance work to get the same type of information you gathered about the executives and management above them. Due to the size of this list, your real goal here is to narrow down your list of targets to just those who require action or further investigation on your part.

Social Networking and Dating Profiles

While this can certainly be a grey area, social media and dating profiles are prime targets for human intelligence gathering, as they not only include personal data and interests, but also the geolocation of an individual. While intelligence gathering on social media about individual employees, you’re really trying to understand their personas and their connections. We won’t get into the depths of active intelligence gathering in this article, but once you get a decent understanding of your targets through the methodologies we’re outlining in this article, you have the seeds of what you’ll need for the active intelligence gathering phase (building rapport and gaining influence with your target). The key thing we always come back to is that people are the weakest link in any organization.

While this is more of an extreme example; in a previous life, there were several occasions where I was tasked with finding out who an individual was based off an attribute. For example, by being able to trace an email back to a sender, getting a real name, finding their social media profiles and building my own “profile” of an individual, I was able to directly influence our response strategy by offering several suggested courses of action. This activity is akin to what is known as skip tracing, and is not very different from some of the activities used while performing reconnaissance against an individual.

Corporate Communications

Moving away from a focus on individuals, if your target is an organization, their communication strategy is another useful tool to explore. With that information, you can home in on not just how much information they voluntarily release to internal employees and contractors, but also how much trust they put in their public relations and corporate communications teams. Often, this business function is outsourced to a PR or marketing agency, and the amount of business information shared between the organization and those firms (albeit under non-disclosure agreements) can be massive.

By identifying these partners, you can pinpoint weaknesses to indirectly exploit. You might ask:

• How do these marketing and PR firms communicate with the public?
• Do they use third-party mail services? (think MailChimp)
• Does the organization or its partners publish annual reports publicly? What information do they include? Is private information shared in the process of creating these reports that the organization may not want leaked to the public?
• How is their marketing done? Do they provide content to a third-party firm to develop campaigns?
• What other applications and services do their outside marketing and PR agencies use? Are any of them risky or often insecure?
• What does their public content say without saying? By downloading PDF, Word, PowerPoint, and other collateral documents, you’ll be able to mine document metadata for information including publishing software and versions (e.g., Adobe Acrobat), internal usernames, and file paths. Unless they have a metadata wiping process, this can potentially provide another view into their tech stack to leverage during exploitation.

Public Job Boards

An often-overlooked information-gathering space are publicly posted jobs. In those jobs, you can find out a lot of information about an organization’s technology stack and many of its business strategies. You can also infer a company’s growth, which can help you prepare for events that you can use to your advantage. An example would be when you can spot that there are 30% new hires within the company who are getting onboarded at once and who may be easy targets for the next few months. Or if you see a jump in job postings for your target, they may have recently received funding that has not yet been announced. Information technology job postings may be particularly illuminating in that they’ll often describe not only the entire organization’s tech stack, but also internal processes and reporting structures.

Other intel you can gather from job postings:

• How tech-savvy is the organization (are they using cloud-based, modern applications or legacy systems?)
• How advanced are their internal processes and reporting structures?
• What are their inner business processes and how do they work on a surface, day-to-day level?

Those internal processes and reporting structures can be extremely valuable for your HUMINT operations and social engineering activities. Knowing how the process of information flows and understanding the approvals process, you can engage human targets and more easily convince them that you’re a legitimate colleague or contractor to get access to the information you want.

Whenever I’m asked what my favorite method for gathering intelligence is, I reply with “applying for a job!” If you apply for a job with a carefully crafted resume, you will often get a response from recruiting or maybe even the hiring manager directly. This can lead to deeper conversations into what they’re looking for in the role, why they are looking, and information about the organization itself. While this is not an article on exploitation, I would be remiss not to mention that I like to couple this technique with on-site job interviews, which gives a much more personal view into an organization, its people, the dynamic within the office, and if the opportunity presents itself, even a way into the internal network.

Food for thought: How many organizations think about their insider threat problem from a pipeline perspective? How many only consider the threat from insiders after they’ve been hired?

You can apply this concept to tech forums as well. Many employees use their work emails (or have associated their personal and work accounts together) on developer and engineering forums where they ask questions about how to implement new technologies. Use these developer and engineer-focused forums to your advantage and mine them for both big picture information and details about applications and version numbers.

Lawsuits

There’s a chance that during your reconnaissance you find civil and criminal records involving your target. Legal records and the news articles about them reveal a wealth of information about an organization that you would not normally be able to dig up in a short time period. Determining which firm – or even better, pinpointing individual legal counsel, their aides, and their specialties – can help in your social engineering activities down the road.

If an organization is tied up in lawsuits, they’re in a somewhat vulnerable state, which could make a red team’s job both easier and harder. More organizational information will be exposed than normal, but the organization may be operating in a state of high alert, which can shut down normal social engineering avenues. If it’s an internal conflict, it may have caused strife between the company and its employees. If the lawsuit is with an outside party, it may have left employees paranoid and unsettled because their company isn’t able to be fully transparent with them.

Digital Footprinting

This is the more technical portion of the article where we’ll move from passive techniques to active. With that said, below is only a light list to get you started. However, remember that being passive is the preferred method of collection until you are ready for moving toward direct action against targets.

The following methods are a good starting place to begin your footprinting:

• Analyzing WHOIS information for domains
• Reviewing website content via Google Dorks (filetypes, subdomains, and sitemap)
• Brute-forcing DNS and subdomains
• Identifying IP address ranges
• Ping sweeps, probing for open ports and services
• Collecting SMTP information, confirming user accounts through malicious use of VRFY and EXPN
• Identifying SaaS/IaaS service providers and any public/Internet facing applications and services

These activities will start off your intelligence-gathering process on your target. Using these methods, you can collect the necessary technical information to further technical attacks against externally facing supporting infrastructure (should you decide to go down that path). Before, you identified weaknesses within an organization’s policies, processes, and people; now you will want to do the same for its technical aspects.

Physical Locations and Assets

Discovering all physical locations that your targets own and operate is imperative. This includes residences, storage units, vehicles (land, sea, air) and other significant assets. For corporate entities, this includes all primary and secondary business locations, off-site and backup storage, data centers, and other corporate assets that an organization might own, rent, or otherwise occupy.

Metadata to collect:

• Locations
• Property owners
• Land and tax records
• Imagery

You can usually find office locations on an organization’s website, job postings, or through search engines. Other times, you will need to identify third-party supply chain services that may provide services such as collocation and archiving (think data centers and off-site tape backups). Additionally, looking up the builder or owner of a specific location can yield photographs and building plan layouts of its exterior and interior, which is extremely helpful for any physical components.

Imagery

When performing discovery on these locations and assets, we recommend that you use multiple sources for imagery. Google Maps has street and satellite views to get a decent lay of the land, but mixing in Microsoft's Bing Maps for its Bird's Eye View may give you better angles, imagery resolution, and potentially more recently updated satellite imagery. On the level down from that, you can research public records to find zoning maps, architectural blueprints, and more. Investigate in a way that works best for you.

You can also combine the imagery you find with technical overlays, such as wireless networks. Long gone are the days where you need to war-drive around your target to identify potential wireless networks. Although sniffing for exposed public SSIDs will identify the current wireless networks, you can also use services like WiGLE that map and cache wireless networks to overlay KML data points over geographic locations. This is a great way to understand the lay of the land before any on-site component.

If your subject is a large corporate entity, your intelligence gathering could (and most likely should) extend into subsidiaries. It's a fine line between collecting more information than you need; however, it's better to have more information than not enough — it's critical to create chronologies and timelines and sort your data based on ranking, scoring, and prioritization. Understanding the order of events and the impacts they’ve had on a target help you understand the potential state of the target when crafting your strategy and courses of action. Misunderstanding the state of the target can have detrimental effects on the success of your operation if you end up prioritizing the wrong means toward successful exploitation.

NEXT STEPS: DIGITAL TO PHYSICAL COLLECTION

Once you've collected remotely (you made a list and double-checked it twice, right?), it's time to conduct surveillance in person.

To get you started, here are a few questions you'll want to learn the answers to:

Physical location comparison

• How does reality compare with the satellite imagery or online imagery you already collected?

Environmental design (CPTED principles)

• CCTV camera placement and lighting
• Where are the dark corners? Is the line of sight compromised by both poor CCTV and lighting design choices?

Security guards

• Placement
• Patrol paths
• Guard “kit”
  - Are they armed?
  - Do they have radios?
  - What about key cards?

Badge usage, locks and alarms

• Signal emanations (RF, wireless, other)
• Are wireless routers and repeaters exposing the network from outside the building?
• Can you create a general map of where connectivity is located along the perimeter of the building?
• Are you able to analyze Bluetooth and identify any wireless keyboards or mice through sniffing to intercept?
• Are you able to identify IoT devices?
• Can you capture the content of CRT monitors through intermediate-frequency (IF) impulse response analysis or flat-panels through UHF spectrum analysis?

Delivery and supply chain

• Where is the loading dock?
• What controlled access is there from the bay into the building?
• Which office supply company do they use?
• Do they leverage external “secure” shredding companies? Do they shred on site or take to a centralized shredding facility?
• Do they use a service (like Iron Mountain) for off-site backups?

Foot traffic patterns

• When is the office busiest?
• What are the most used entryways and exits?
• Are there opportunities for tailgating?
• Adjacent buildings and field of vision (FOV)
• Are there nearby buildings you could use to expand your field of vision of the target’s building or campus?

Dumpsters

• Are they locked?
• What is the schedule for emptying them?
• Are there opportunities to dumpster-dive?

Once you gather the data needed, decide on your plan of action — will your operation continue to be digital, or will you move toward the more physical route? The end goal should be what determines your angle of approach. Having collected the information above, you've now narrowed down how best to strike, now you just have to decide when to do it.

RECOMMENDED TOOLS

Taking a step back in time, let’s discuss some tools and resources that can aid you when conducting digital reconnaissance activities. This is not an exhaustive list, but should be a useful starting point:

• Bishop Fox attack tools
• Leverage Google, Bing, and other popular search engines
• Maltego
• TheHarvester
• Fierce2
• NMAP
• Google Dorks
• ReconNG
• Jigsaw
• Shodan
• Censys
• FOCA (Fingerprinting Organizations with Collected Archives)
• The Wayback Machine / Archive.org

CONCLUSION

While there are many tools at your disposal for performing digital reconnaissance, you’ll need to be creative in thinking about what will work best for your specific target. This list is meant to get you started, but it’s by no means exhaustive. Part of the fun of red teaming is in the art of the work. There’s no set list of things you need to do with every target. In fact, any red teamer worth their salt knows that an adaptable and fluid approach is necessary. Just never forget your ABC’s (Always Be Collecting). Go forth, collect meaningful intelligence on your target, and help them protect themselves against attacks.