Running Head: EXTERNAL VULNERABILITY

External Vulnerability Assessment First Steps
Robert Hof
IT Auditing
Ernest Eugester
October 18, 2012

Abstract

This paper outlines a series of methods for gleaning useful intelligence on your target organization using publicly accessible information. When applied properly, these techniques will improve your external vulnerability testing results without attracting negative attention.


External Vulnerability Assessment First Steps

Prior to the initial client meeting, one of the first tasks that I would perform is footprinting of the real estate company's Internet presence. This might include reading over the main public website for the real estate company. I would then look for any sub-websites, or websites that were not intended to be public facing, which were being operated by the real estate company. Some of the things I would be looking for on the public website would be an employee directory. Other things might include links to social networking pages for the company or the company's employees. When looking for employee details, I would be most interested in technical employees or executive employees. Using this information, I may already be able to guess usernames in order to connect to company resources across the Internet. I might also be able to use this information to break into non-real estate company accounts, such as Apple's iCloud, and use elevated access to technical employees' iCloud accounts to pivot into real estate company resources. I would also be looking for technical instructions and other items designed to help employees connect over the Internet to real estate company resources. To further my efforts I might use advanced Google queries to look for these sub-websites and other non-public-facing websites run by the real estate company. Some of these websites might include an employee portal, including Outlook Web Access or a remote access product such as a web-based VPN.

I would also look for other services being offered over the Internet by the real estate company. These other services might include email or file transfer. Once I have a list of all of the obvious and non-obvious Internet-facing services from the real estate company that I could discover, I would begin to collect more detailed information about each. This would start with IP addresses, which would be used to determine the IP address range being used by the real estate company.
I would also look at the type of software accessible over the Internet, such as web server versions, FTP server versions, email server versions, operating systems, encryption libraries (SSL), and more. This information is commonly contained in obvious places like HTTP headers, or may be determined through more advanced means such as TCP/IP fingerprinting. If any of these services were being hosted by a hosting provider instead of the company itself, I would then take note of all of the hosting providers being utilized by the real estate company. I would analyze the public-facing DNS servers being utilized for Internet resources provided by the real estate company, which could at times disclose very sensitive details about the company's internal network.

Lastly, I would use some in-person fingerprinting, if you will. I would check local coffee shops, restaurants, and other hangouts near the real estate company's office to determine if any of the real estate company's employees, contractors, or clients frequent these venues. If I were able to spot some stakeholders, I would then begin to observe them to see if I could obtain any more sensitive details. I would be listening in and also potentially shoulder surfing their screens. Most importantly, I would be recording all traffic on the unencrypted Wi-Fi to determine what sort of connections were being made back to the real estate company's infrastructure, on what protocols, etc. I would also be looking for the use of strong two-factor authentication products, such as RSA tokens.

I would use these techniques to gain the most complete picture of the real estate company's exposure to the Internet that I possibly could (prior to the client meeting, because steps might be taken to enhance security after the meeting). During the initial meeting I would request a complete list of all Internet-facing services, which I would combine with my existing list.
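As an added example that is not part of Hof's paper, the Python below builds the kind of exposure inventory the preceding paragraphs describe, from the defender's side: it parses captured HTTP response headers for disclosed product versions, and checks public DNS answers for internal (RFC 1918) addresses, third-party hosting, and the public /24 ranges in use. All hostnames, addresses, and headers are constructed sample data (documentation address space and .test names).

```python
import ipaddress
import re

# Constructed sample data: raw HTTP response headers captured from an
# organisation's own Internet-facing hosts, and the public DNS answers
# for the same zone. None of these hosts or addresses are real.
SAMPLE_HEADERS = {
    "www.example-realty.test": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\n"
                               "X-Powered-By: PHP/5.3.10\r\n\r\n",
    "mail.example-realty.test": "HTTP/1.1 302 Found\r\nServer: Microsoft-IIS/7.5\r\n"
                                "Location: /owa/\r\n\r\n",
    "cdn.example-realty.test": "HTTP/1.1 200 OK\r\nServer: cloudflare\r\n\r\n",
}
SAMPLE_DNS = [
    ("www.example-realty.test", "A", "203.0.113.10"),
    ("mail.example-realty.test", "A", "203.0.113.25"),
    ("intranet.example-realty.test", "A", "10.20.30.40"),
    ("cdn.example-realty.test", "CNAME", "realty.cdn-provider.test"),
]

BANNER_HEADERS = ("server", "x-powered-by")
VERSION_RE = re.compile(r"^([A-Za-z][\w.-]*)/(\d[\w.]*)")   # e.g. Apache/2.2.22
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def version_disclosures(raw):
    """Return [(header, product, version)] for banner headers that carry a version string."""
    found = []
    for line in raw.split("\r\n")[1:]:            # skip the status line
        if ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        m = VERSION_RE.match(value)
        if name.lower() in BANNER_HEADERS and m:
            found.append((name, m.group(1), m.group(2)))
    return found

def dns_findings(records, zone):
    """Split public DNS answers into internal-address leaks, third-party hosting and public /24s."""
    leaks, third_party, ranges = [], [], set()
    for name, rtype, data in records:
        if rtype == "A":
            ip = ipaddress.ip_address(data)
            if any(ip in net for net in RFC1918):
                leaks.append(name)                # internal address published in public DNS
            else:
                ranges.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
        elif rtype == "CNAME" and not data.endswith(zone):
            third_party.append(name)              # hosted by a provider outside the zone
    return leaks, third_party, sorted(ranges)

def exposure_report(headers=SAMPLE_HEADERS, records=SAMPLE_DNS, zone="example-realty.test"):
    """One inventory to review: what each host's banners and the zone's DNS disclose."""
    leaks, third_party, ranges = dns_findings(records, zone)
    return {"versions": {h: version_disclosures(r) for h, r in headers.items()},
            "internal_leaks": leaks, "third_party_hosted": third_party, "public_ranges": ranges}
```

Each entry in the report is something to fix or consciously accept: strip or genericise version-bearing banners, remove internal addresses from public zones, and confirm the third-party providers are known and contracted.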
During testing, I would use scanning tools to probe all of the company's Internet addresses in an automated fashion. Information security is such that all vulnerabilities must be mitigated and monitored, or else they might be exploited. I would guess that the primary public website would have some security attention being paid to it. However, an unused FTP server that does not receive much attention might not be fully patched or configured correctly. Once I know the details of the systems that I would be attacking, I could begin to research vulnerabilities and techniques which might be used to exploit them. The more detailed my reconnaissance results are, the more focused, targeted, and effective my penetration testing will be.

Conclusion

The described techniques are good first steps for improving vulnerability testing results without attracting negative attention. Preparation will enhance the value of your deliverable. Creativity is key.