Every year we train on Maltego at BlackHat USA in Las Vegas. This year we decided to submit a talk to Defcon – the notorious hacker conference right after BlackHat. For various reasons our talk was not accepted (Maltego being a commercial tool was right up there). At the last minute a slot opened up and since we were backup speakers Andrew MacPherson presented our work on the Saturday.
If you didn’t see the talk, this blog post will go into a bit more detail on what Andrew presented. The talk had two main sections – a) finding useful information pertaining to Industrial Control Systems (ICS) devices and b) finding embarrassing information. In this blog post I am going to focus on the latter.
We recently saw a talk from someone on using Maltego for infrastructure footprinting. We’ve been doing footprints in Maltego for many years and the tool is well geared towards working with structured data contained in DNS and related services – so it was a big ‘told you so’ / ‘glad you could make it’ kind of thing. To read our blog post on the subject – click [here]. In the good old days of black box penetration tests an analyst would first perform an in-depth footprint of an organization to learn which networks belonged to it – and what services were exposed on them. These days this ancient art is almost forgotten, since spear-phishing simply works better and more reliably (and is less work!).
In recent years there have been a lot of data leaks. Think back to the famous Ashley Madison dump and the chilling effect it had on people all around the world. When we looked at the data we saw that it also contained the IP address the user signed up from (and yes, we know that email addresses were unverified… but transactions, less so). Combined with a verified network footprint we could connect leaked profiles to organizations – even when the user signed up with an unrelated email address.
This is fairly mundane – unless you’re looking at interesting networks. Consider the following:
We can clearly see that one netblock stands out – so let’s concentrate on those IP addresses. We start by taking the network to its individual IP addresses:
Just out of curiosity let’s run the transform that checks for Wikipedia edits (from the IP address) against all of the IPs:
Turns out there are 473 Wikipedia edits made from 6 IP Addresses in the range. Some edits are pretty interesting, some less so:
The above is just a sample – feel free to replicate this work at your own leisure.
Those 6 IP addresses are what we’ll call exit nodes for the organization – meaning those are where their browsing traffic is likely to come from.
Armed with this info we can go ask if anyone in the Ashley Madison database signed up from any of those IPs. And – someone actually did:
We blurred the personal info. Because we're nice.
This made us wonder – what if you could do it with ALL the leaks, i.e. wherever a data breach contains signup IPs or IPs used at login? We spoke to our friends at SocialLinks and they were happy to build us a transform that did exactly that (not public at the time of writing). We could now query multiple databases at once. When running it on the 6 IP addresses we have:
In total there are 43 instances of the organization’s IP addresses contained within leaks that were made public.
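The same correlation, written out as an added example that is not code from the original post, from Maltego or from SocialLinks: expand the organization’s netblock, keep the IPs that show up in outbound activity (the exit nodes), and match leak records against them. Everything here is constructed – the RFC 5737 documentation range stands in for the organization’s netblock, and the edit-log IPs and leak records are made up – so it runs offline; an organization can feed its own egress addresses and a breach dump into the same two functions to see what is attributable to it.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the organization's verified netblock (RFC 5737 documentation range).
ORG_NETBLOCKS = ["203.0.113.0/29"]

# Constructed sample of source IPs seen in public edit logs (the "edits from this IP" step).
OBSERVED_EDIT_IPS = ["203.0.113.2", "203.0.113.2", "203.0.113.5", "198.51.100.9"]

# Constructed sample leak records: (leak name, account email, signup/login IP).
LEAK_RECORDS = [
    ("leak-a", "j.doe@freemail.example", "203.0.113.2"),
    ("leak-a", "someone@example.org", "198.51.100.9"),
    ("leak-b", "j.doe@freemail.example", "203.0.113.2"),
    ("leak-b", "other@webmail.example", "203.0.113.5"),
    ("leak-c", "broken@example.net", "not-an-ip"),  # malformed IP, must be skipped
]


def org_networks(cidrs):
    """Parse the organization's netblocks once; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_org(ip_text, networks):
    """True if ip_text parses as an address and lies inside one of the netblocks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # leak dumps contain garbage; never let one bad row abort the run
        return False
    return any(ip in net for net in networks)


def exit_nodes(observed_ips, cidrs):
    """Org IPs that appear in outbound activity: the likely browsing egress addresses."""
    nets = org_networks(cidrs)
    return sorted({ip for ip in observed_ips if in_org(ip, nets)}, key=ipaddress.ip_address)


def leak_hits(records, cidrs):
    """Map each org IP to the leak records whose signup/login IP falls inside the netblocks."""
    nets = org_networks(cidrs)
    hits = defaultdict(list)
    for leak, email, ip in records:
        if in_org(ip, nets):
            hits[ip].append((leak, email))
    return dict(hits)


if __name__ == "__main__":
    print("exit nodes:", exit_nodes(OBSERVED_EDIT_IPS, ORG_NETBLOCKS))
    for ip, recs in leak_hits(LEAK_RECORDS, ORG_NETBLOCKS).items():
        print(ip, "->", recs)
```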
The implication of this research (if you want to call it that) is simple. Firstly - you may think your organization cannot be connected to your online profile because you’re not using a work email address – but if you’re doing it from a work computer your IP address is most likely a dead giveaway.
Secondly – from an attacker’s point of view: footprints are useful not only for attacking computers but, as we've seen, also for finding unlinked email addresses, contextual information, etc. In other words – for crafting proper email payloads to targets, fit for a high yield phishing attack. And you can email them at home. When their guard is down. In the dark. Sneaking from behind. 😉