We were recently hired to perform an interesting Advanced Stealth Penetration test for a mid-sized bank. The goal of the penetration test was to penetrate into the bank’s IT Infrastructure and see how far we could get without detection. This is a bit different than most penetration tests as we weren’t tasked with identifying risks as much as we were with demonstrating vulnerability.
The first step of any penetration test is reconnaissance. Reconnaissance is the military term for the passive collection of intelligence about an enemy prior to attacking that enemy. It is technically impossible to effectively attack an enemy without first obtaining actionable intelligence about the enemy. Failure to collect good intelligence can result in significant casualties, unnecessary collateral damage and a completely failed attack. In penetration testing, damages are realized by downed systems and a loss of revenue.
Because this engagement required stealth, we focused on the social attack vectors and Social Reconnaissance. We first targeted Facebook with our “FaceBook from the hackers perspective” methodology. That enabled us to map relationships between employees, vendors, friends, family, etc. It also enabled us to identify key people in Accounts Receivable / Accounts Payable (“AR/AP”).
In addition to Facebook, we focused on websites like Monster, Dice, Hot Jobs, LinkedIn, etc. We identified a few interesting IT-related job openings that disclosed interesting and useful technical information about the bank. That information included, but was not limited to, what Intrusion Detection technologies had been deployed, what their primary Operating Systems were for Desktops and Servers, and that they were a Cisco shop.
Naturally, we thought that it was also a good idea to apply for the job to see what else we could learn. To do that, we created a fake resume that was designed to be the “perfect fit” […]