
Black-box Penetration Testing – How To Perform External in Organization

The objective was simple – see how susceptible the organization is from an external point of view and test the effectiveness of the security controls that are managed enterprise-wide. As such, aside from the company name, we were given “ZERO” information to perform an external black-box penetration test.

This black-box external penetration test was performed with a client called (Hackme

OSINT 101

We kicked off with some Open Source Intelligence (OSINT) 101 :). There are quite a number of open source intelligence tools to assist in gathering emails, subdomains, hosts, employee names, etc. from different public sources like search engines and Shodan. There is an exhaustive list of such awesome tools here.

Using quite a few open source intelligence tools, we obtained publicly available documents relating to the organization using Black-box Penetration Testing methods.

With Google dorks to the rescue, we ran some basic search strings: “site:*.hackme.com ext:xls OR ext:docx OR ext:pptx”.


Of course, our aim was not to tirelessly search for documents. Rather, our objective was to understand the organization’s naming schema by examining the metadata of the documents, which is found in the “properties section” of the document (most especially Microsoft Word, PowerPoint, and Excel). One can also use FOCA for this.

From this, I noticed that employees’ emails followed a particular naming convention – the first letter of the first name + surname @ domain.com, i.e. rakinyele@hackme.com.
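Seen from the publishing side, the same document properties can be checked and emptied before a file goes on a public site. The following is an added example, not code from the original article: a Python sketch that reads the author properties of an Office Open XML file (.docx, .xlsx, .pptx) and strips them. The function names, the regex shortcut and the sample package are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Identity-bearing properties Office writes to these two package parts.
# Assumption: Office's usual dc:/cp: prefixes, so a regex stands in for XML parsing.
PROP_PARTS = ("docProps/core.xml", "docProps/app.xml")
LEAKY_TAGS = ("dc:creator", "cp:lastModifiedBy", "Company", "Manager")
TAG_RES = {t: re.compile(r"(<%s(?:\s[^>]*)?>)(.*?)(</%s>)" % (t, t), re.S)
           for t in LEAKY_TAGS}

def audit_ooxml(data):
    """Return {tag: value} for each non-empty identity property."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in set(PROP_PARTS) & set(zf.namelist()):
            xml = zf.read(part).decode("utf-8")
            for tag, rx in TAG_RES.items():
                m = rx.search(xml)
                if m and m.group(2).strip():
                    found[tag] = m.group(2).strip()
    return found

def scrub_ooxml(data):
    """Return a copy of the package with those properties emptied."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            body = src.read(item.filename)
            if item.filename in PROP_PARTS:
                xml = body.decode("utf-8")
                for rx in TAG_RES.values():
                    xml = rx.sub(r"\1\3", xml)  # keep the tags, drop the value
                body = xml.encode("utf-8")
            dst.writestr(item, body)
    return out.getvalue()

def make_sample():
    """Constructed sample: minimal .docx-like package carrying author metadata."""
    core = ('<cp:coreProperties xmlns:cp="urn:cp" xmlns:dc="urn:dc"><dc:creator>jdoe</dc:creator>'
            "<cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy></cp:coreProperties>")
    app = '<Properties xmlns="urn:app"><Company>Example Corp</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Running `audit_ooxml` over every file in a web root before publication shows which documents still carry a username or real name; `scrub_ooxml` leaves the document body untouched.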

Armed with this knowledge, we forked out from LinkedIn the list of all current employees of Hackme using the following Google dork syntax:

site:linkedin.com -inurl:dir “at Hackme” “Current”. A typical example is shown below using Google Inc as a reference company.

By hacking a script to automate the process, we copied out the first names, last names and the roles of the current employees of Hackme.

A tiring approach is to manually crawl through the Google result pages in search of these names and roles; alternatively, one could use GoogleScraper:

GoogleScraper -m http --keyword "site:linkedin.com -inurl:dir 'at Hackme' 'Current'" --num-pages-for-keyword 3 --output-filename output.json

Result: Black-box Penetration Testing

Again, I leave the possibilities to your imagination – but you can easily convert this to a .csv file using https://json-csv.com/ or any other converter that works for you.

Read more at https://gbhackers.com/external-black-box-penetration-testing/

Source: Black-box Penetration Testing – How To Perform External in Organization

Published by
Veille-cyber
