October 4, 2023
Webinar Series: Purple Teaming - Validating Detection & Response Capabilities
Open-source intelligence (OSINT) is often the first step used by hackers to breach systems. OSINT is the collection and analysis of data gathered from publicly available sources. In the context of an unauthenticated attack scenario, OSINT is critical for breaching an organization’s external surface. Attackers need large lists of employee usernames to launch password spraying or social engineering attacks. Despite most organizations obfuscating their employee directories, a persistent attacker skilled in OSINT techniques can usually enumerate dozens, if not hundreds, of valid usernames within days.
Enumeration of employee usernames is an iterative process with two major phases: discovery of potential usernames and validation of usernames. During the discovery phase, attackers query databases of leaked usernames and mine public webpages for patterns and keywords.
Querying databases of millions of usernames and company affiliations can be performed in minutes at little to no computational cost. The Czech-based company Intelligence X provides much of their data for free. Dehashed, considered an industry leader in the collection and curation of publicly disclosed data breaches, charges a nominal fee for access to their databases.
In tandem with database queries, attackers leverage automated tools to mine the internet for exposed user information which can be used to derive usernames. While some of these tools are site-specific and require a high level of expertise to utilize effectively, other techniques require little to no training. One of these easily leveraged tools is known as Google Dorking.
Google dorking is a technique used to find information on the internet that is not easily accessible through regular searches. Google dorks are specific search queries that use advanced operators and keywords to find hidden data. By creating a profile of keywords associated with a specific organization and judicious use of operators, an attacker can enumerate employee full names, employment history, geographic location, and other information as desired.
Through the discovery techniques described above, attackers are able to generate large lists of potential employee usernames. However, the newly discovered list is not usable without the second step of employee username enumeration: validation. Attackers must accurately identify the service associated with a list of usernames and leverage appropriate methods to perform validation.
One exceptionally consistent and long-standing validation method targets usernames associated with Microsoft Outlook services. By interacting with Microsoft Graph API, attackers can test thousands of potential usernames for validity within hours. Once an attacker has validated even one or two usernames, they can return to the discovery phase of employee username enumeration with a more targeted set of parameters to increase the effectiveness of their searches.
Through this iterative process of discovery and validation, attackers can generate large lists of active, valid usernames for targeted social engineering attacks, password spraying, or further enumeration of sensitive company information. Moreover, because this process uses only OSINT techniques, it is difficult to detect or prevent.
To protect your company, NetWorks Group strongly recommends assuming your organization’s usernames are publicly exposed and implementing strong password policies with 2 factor authentication enabled across all public-facing infrastructure. Additionally, even when OSINT techniques are unable to uncover valid usernames, attackers may bypass external protections by physically compromising network infrastructure, directly purchasing valid credentials from illegal sources, or exploiting web server vulnerabilities to gain internal network access. It is imperative to periodically check that all external systems require 2 factor authorization and to implement internal safeguards that prevent an attacker from leveraging a single breach point into complete control of a network.
NetWorks Group has been helping customers secure their environments for over 25 years. Our Full Scope Penetration Tests simulate modern tactics, techniques and procedures used by threat actors today to demonstrate the real world impact of a breach in your environment. OSINT techniques are just one element of our holistic methodology designed to help you understand your security risk. We bring a proven method, a highly-experienced team, and the ability to communicate findings clearly and concisely at the management and technical level, so you can take the steps that will most benefit your organization.
If you’re interested in learning more about what information is exposed, how that information might be used by an attacker, or getting a holistic view of your security, NetWorks Group can help. Schedule a call with one of our experts to discuss whether a Full Scope Penetration Test is right for you.
###
Published By: Rachel Park, Penetration Tester
Publish Date: October 4, 2023
Security news, tips, webinars, and more straight to your inbox.
