Talkin' Bout [Infosec] News — Episode Summary
Episode: Weaponizing Corporate Intel: This Time, It’s Personal!
Host: Black Hills Information Security (BHIS)
Date: May 10, 2019
Guests/Speakers: Mike Felch, Bo Bullock, and others from BHIS
Main Theme:
This episode explores the current state—and new frontiers—of open-source corporate reconnaissance (recon) and how attackers can link corporate intelligence with personal data to create highly targeted, sophisticated attacks. The team demonstrates how red teams can move from knowing nothing about an organization to collecting sensitive, personal details about employees and then weaponizing that data against individuals and companies.
Episode Overview
In this webcast episode, the BHIS team deep-dives into the evolution of reconnaissance during pen-tests and red-teaming, highlighting how attackers are increasingly able to escalate from broad, impersonal scanning to highly tailored, relationship-based phishing and credential attacks. They break down each step of their methodology—from external recon to blending corporate and personal data—and discuss both the tools and techniques that make these attacks terrifyingly effective.
Key Discussion Points & Insights
1. Reconnaissance 101 Refresher (03:35–09:57)
- Traditional Recon:
- Understand the organization’s attack surface: domains, subdomains, hosts, tech stack, remote access points, email portals, and external security products.
- Techniques include Google/Bing/Baidu dorking and tools such as recon-ng, NetBlocks (bgp.he.net), MX Toolbox, Shodan, Censys, DNSDumpster, Hacker Target, and ThreatCrowd.
- Quote (Bo, 03:44):
“I want to know, how are your employees remotely accessing your network?...what security products you’re using externally…All that information is really, really important to us as an attacker.”
- Bonus Tip:
- Leverage certificate transparency logs and crt.sh to uncover related domains and certificates that span more than one domain.
- Identify cloud resources (O365, SharePoint, Skype for Business, Google Suite) through public endpoints and behavior of login portals.
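The certificate-transparency step above is as useful to the defender as to the attacker: the same records that link a company to its subsidiaries also list every hostname the organization ever had a certificate issued for, including forgotten dev and test boxes. The following script is an added example, not code from the episode or from any BHIS tool. It assumes the JSON shape crt.sh returns for a search (issuer_name, common_name, name_value with newline-separated SANs, not_before, not_after); the records, hostnames and dates inside it are constructed placeholders so it runs offline.

```python
"""Turn certificate-transparency search results into a defender's asset list.

Added example; it is not code from the BHIS episode or from any BHIS tool.
crt.sh can return search results as JSON records with the fields used below
(issuer_name, common_name, name_value holding newline-separated SANs,
not_before, not_after).  The records here are constructed in that shape with
placeholder hostnames so the script runs offline.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like crt.sh JSON output for a query such as
# "%.example.com".  Hostnames, issuers and dates are placeholders.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nowa.example.com",
     "not_before": "2019-01-01T00:00:00", "not_after": "2019-07-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "*.example.com",
     # one certificate that spans two registrable domains links them together
     "name_value": "*.example.com\nexample.com\nexample-subsidiary.net\n"
                   "sharepoint.example-subsidiary.net",
     "not_before": "2019-03-01T00:00:00", "not_after": "2020-03-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "common_name": "dev-jenkins.example.com",
     "name_value": "dev-jenkins.example.com",
     "not_before": "2018-05-01T00:00:00", "not_after": "2018-08-01T00:00:00"},
])


def registrable_domain(host):
    """Last two labels of a hostname.  Naive on purpose: ccTLDs such as
    co.uk need a public-suffix list, which is out of scope here."""
    labels = host.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def parse_ct_records(raw_json):
    """Map every name on every certificate to the records that carry it."""
    names_to_records = defaultdict(list)
    for rec in json.loads(raw_json):
        names = set(rec["name_value"].split("\n")) | {rec["common_name"]}
        for name in names:
            name = name.strip().lower()
            if name:
                names_to_records[name].append(rec)
    return names_to_records


def related_domains(raw_json, seed_host):
    """Registrable domains that share at least one certificate with seed_host's
    domain: the cross-domain link the episode uses to find brands/subsidiaries."""
    seed_domain = registrable_domain(seed_host)
    related = set()
    for rec in json.loads(raw_json):
        names = rec["name_value"].split("\n") + [rec["common_name"]]
        domains = {registrable_domain(n) for n in names if n.strip()}
        if seed_domain in domains:
            related |= domains - {seed_domain}
    return sorted(related)


def hostnames_for(raw_json, domain):
    """Concrete (non-wildcard) hostnames under `domain` seen in CT logs."""
    names = parse_ct_records(raw_json)
    return sorted(n for n in names
                  if registrable_domain(n) == domain and not n.startswith("*."))


def stale_hostnames(raw_json, domain, now_iso):
    """Hostnames under `domain` whose every certificate has expired by now_iso.
    These are the forgotten dev/test boxes to decommission or re-inventory.
    Wildcard coverage is deliberately not considered."""
    now = datetime.fromisoformat(now_iso)
    names = parse_ct_records(raw_json)
    stale = []
    for name in hostnames_for(raw_json, domain):
        expiries = [datetime.fromisoformat(r["not_after"]) for r in names[name]]
        if max(expiries) < now:
            stale.append(name)
    return stale


if __name__ == "__main__":
    print("related:", related_domains(SAMPLE_CT_JSON, "www.example.com"))
    print("hosts:", hostnames_for(SAMPLE_CT_JSON, "example.com"))
    print("stale:", stale_hostnames(SAMPLE_CT_JSON, "example.com", "2019-05-10"))
```

Run against a real crt.sh export, the `stale_hostnames` list is the one to act on first: a hostname whose certificates have all lapsed but which still resolves is usually an unowned system, and it will show up in an attacker's EyeWitness sweep just as readily as in yours.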
2. Cloud Service Recon and Zero Trust Talk (10:22–16:28)
- Enumerating Cloud Usage:
- Passive checking of login flows reveals if organizations use O365, SharePoint, Google, or other cloud providers and whether authentication ties back to Active Directory.
- Discussion about the efficacy of “Zero Trust” setups and hybrid environments.
- Challenges & Insights:
- Even with zero trust, misconfigurations—especially in hybrid AD / ADFS clouds—offer new attack surfaces.
- Conditional access (IP/location, time-based rules) is more effective than simple whitelisting.
- Quote (Bo, 12:32):
“If you don’t have Active Directory, it’s harder to manage from an administrative standpoint…without the Active Directory infrastructure in place, you have users who are now basically creating their own security policies…Obscurity alone can make it tougher to target.”
3. Brute-Forcing Files and Login Portals at Scale (18:49–24:29)
- After Recon:
- Move from passive intelligence to active probing—enumerate login portals and interesting files across thousands of endpoints.
- Tooling:
- EyeWitness: Take screenshots of web portals en masse for quick visual triage.
- FindFruit: Multi-threaded PowerShell script to brute-force interesting files (e.g., Tomcat, ColdFusion) at scale, across thousands of assets.
- GitHub links were provided for the open-source tools.
- Quote (Bo, 24:13):
“Instead of just taking each specific URL and running something like dirb or DirBuster … we’re not doing this threaded across multiple sites.”
4. Brute-Forcing Usernames, Crucial Info Disclosures & Metadata (24:40–30:17)
- Username Enumeration:
- Info disclosures like domain names and username schemas are critical, not “informational” as many scanners rate them.
- Passive and active timing attacks (e.g., with Outlook Web Access) can reveal valid usernames through response time analysis.
- MailSniper: Tool that enumerates valid usernames by measuring these timing differences.
- Metadata in public files (PDFs, docs) often contains internal usernames, hostnames, and tech details.
- Quote (Bo, 25:24):
"If I don't know what your internal domain name is, and if I don't know what your username schema is, how am I supposed to perform password attacks externally?"
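The timing leak described in this section is a server-side design defect, and it is cheap to close. The block below is an added example, not code from the episode or from MailSniper; the user store, salts and passwords are constructed. It places the vulnerable check beside a hardened one: the vulnerable form only runs the slow password hash for accounts that exist, so an unknown username is answered in microseconds and a real one in hundreds of milliseconds, while the hardened form verifies unknown users against a decoy record so every request pays the same cost.

```python
"""A login check that leaks valid usernames through response time, beside one
that does not.  Added example; it is not code from the BHIS episode or from
MailSniper.  The user store, salts and passwords below are constructed.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000          # PBKDF2 work factor (illustrative value)
KDF_CALLS = 0                 # counts hashing work so tests can see who pays it


def _kdf(password, salt):
    global KDF_CALLS
    KDF_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def kdf_calls():
    return KDF_CALLS


def reset_kdf_calls():
    global KDF_CALLS
    KDF_CALLS = 0


def make_record(password):
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


# Constructed user store: username -> (salt, PBKDF2 digest)
USERS = {
    "bo": make_record("correct horse battery staple"),
    "mike": make_record("another constructed password"),
}
# Decoy record for unknown users: real salt, digest of random bytes nobody holds,
# so verifying against it costs exactly as much as verifying a real account.
_DECOY = make_record(os.urandom(32).hex())
reset_kdf_calls()             # setup work should not count


def login_leaky(username, password):
    """Vulnerable form: unknown users short-circuit before the KDF runs."""
    if username not in USERS:
        return False                      # answered almost instantly
    salt, digest = USERS[username]
    return hmac.compare_digest(_kdf(password, salt), digest)


def login_constant(username, password):
    """Hardened form: every request pays the same KDF cost."""
    known = username in USERS
    salt, digest = USERS[username] if known else _DECOY
    ok = hmac.compare_digest(_kdf(password, salt), digest)
    return ok and known                   # the decoy can never authenticate


def probe_ms(login, username):
    """Wall-clock time of one failed attempt, as seen from the outside."""
    start = time.perf_counter()
    login(username, "definitely-wrong-password")
    return (time.perf_counter() - start) * 1000


if __name__ == "__main__":
    for fn in (login_leaky, login_constant):
        print(fn.__name__, "known: %.1f ms" % probe_ms(fn, "bo"),
              "unknown: %.1f ms" % probe_ms(fn, "nobody"))
```

Equalising the hash cost removes the largest signal, but it is only one channel: error text, HTTP status and redirect behaviour, response size, and lockout counters that tick only for real accounts all distinguish valid from invalid usernames just as well, and each has to be made identical too.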
5. Bypassing Detection: Rotating IP Proxies with AWS API Gateway (31:00–40:59)
- Challenges:
- Traditional password spraying and brute forcing are often thwarted by account lockouts or IP-based detection.
- Limiting to very few password attempts per user (password spraying) lessens risk of lockout.
- Solution:
- FireProx: Open-source tool using AWS API Gateway to rotate the source IP of each HTTP request, allowing large-scale, undetected brute-force attacks.
- Demo (35:56–40:59):
- Detailed walk-through of spinning up and using FireProx for scans and brute-force attacks; very low cost per request.
- Quote (Mike, 33:19):
"What you do is you spin up this API gateway proxy, you point it at a URL destination ... [and] it's actually using another IP address with every request."
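Per-IP lockouts and per-IP failure thresholds assume one attacker, one address; once every request arrives from a fresh address, each IP carries a single failure and nothing fires. The detection logic below is an added example, not code from the episode or from FireProx, run over constructed authentication log lines (a made-up line format, source addresses drawn from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24). It shows the traditional per-IP rule staying silent on a spray and a rule keyed on the application instead, which catches the burst of many distinct usernames failing in a short window with almost as many distinct source IPs as attempts.

```python
"""Detecting a distributed password spray in authentication logs.

Added example; it is not code from the BHIS episode or from FireProx.  The log
lines are constructed, in a made-up format, and use documentation IP ranges.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<ip>\S+) app=(?P<app>\S+)$")

# Constructed sample: one spray from rotating IPs (each address used once),
# then a legitimate user mistyping a password twice from a single address.
SAMPLE_LOGS = """\
2019-05-10T13:00:01Z auth=FAIL user=bo src=203.0.113.10 app=owa
2019-05-10T13:00:02Z auth=FAIL user=mike src=203.0.113.11 app=owa
2019-05-10T13:00:03Z auth=FAIL user=jason src=192.0.2.40 app=owa
2019-05-10T13:00:04Z auth=FAIL user=derek src=203.0.113.12 app=owa
2019-05-10T13:00:05Z auth=FAIL user=sarah src=192.0.2.41 app=owa
2019-05-10T13:00:06Z auth=FAIL user=john src=203.0.113.13 app=owa
2019-05-10T13:00:07Z auth=OK user=kate src=192.0.2.42 app=owa
2019-05-10T13:00:08Z auth=FAIL user=amy src=203.0.113.14 app=owa
2019-05-10T13:05:00Z auth=FAIL user=bo src=198.51.100.7 app=owa
2019-05-10T13:05:09Z auth=FAIL user=bo src=198.51.100.7 app=owa
2019-05-10T13:05:20Z auth=OK user=bo src=198.51.100.7 app=owa
"""


def parse_logs(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not auth events
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def ips_over_threshold(text, threshold=5):
    """Traditional per-IP rule: addresses with more than `threshold` failures."""
    fails = Counter(e["ip"] for e in parse_logs(text) if e["result"] == "FAIL")
    return sorted(ip for ip, n in fails.items() if n > threshold)


def detect_spray(text, window=timedelta(minutes=2), min_users=5, min_ip_ratio=0.8):
    """Sliding-window rule keyed on the application, not the source address."""
    events = parse_logs(text)
    alerts = []
    for app in sorted({e["app"] for e in events}):
        fails = [e for e in events if e["app"] == app and e["result"] == "FAIL"]
        i = 0
        while i < len(fails):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            span = fails[i:j + 1]
            users = {e["user"] for e in span}
            ips = {e["ip"] for e in span}
            if len(users) >= min_users and len(ips) / len(span) >= min_ip_ratio:
                start, end = fails[i]["ts"], fails[j]["ts"]
                # a success inside the burst window is the credential that landed
                landed = sorted(e["user"] for e in events
                                if e["app"] == app and e["result"] == "OK"
                                and start <= e["ts"] <= end)
                alerts.append({"app": app, "start": start, "end": end,
                               "attempts": len(span), "distinct_users": len(users),
                               "distinct_ips": len(ips), "successes": landed})
                i = j + 1                 # do not re-alert on sub-windows of this burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    print("per-IP rule fired on:", ips_over_threshold(SAMPLE_LOGS))
    for a in detect_spray(SAMPLE_LOGS):
        print("spray against %(app)s: %(attempts)d attempts, %(distinct_users)d users, "
              "%(distinct_ips)d IPs, successes=%(successes)s" % a)
```

The `successes` field is the one to triage first: a single successful logon from yet another new address in the middle of a failure burst is the sprayed password that worked. The window and ratio thresholds are tuning knobs; a slower spray spread over hours needs a longer window, at the cost of more noise from ordinary mistyped passwords.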
6. Weaponizing Personal Data: Social Trust Attacks (41:02–51:03)
- From Corporate Recon to Personal Attacks:
- Scraping LinkedIn for employees' names and positions is old hat; combining it with location and relationship data takes it to the next level.
- Aggregate personal info, emails, breach data via people-search data brokers (TruePeopleSearch, PeopleFinders, etc.).
- Personal emails and breached passwords are cross-matched for password reuse attacks. If employees reuse passwords between personal and corporate accounts, compromise becomes trivial.
- Custom Phishing Using Relationship Data:
- Advanced phishing campaigns can use info about employees' family, friends, addresses, and relationships, building hyper-personalized and more convincing lures.
- Quote (Mike, 47:39):
“What if we incorporated their personal information into a phish…leverage known relationships and then try to doppelgang as a contact? … Hey Bo, can you believe what happened to Jason? Man, I can't believe the news is covering him. Check this link out. Boom.”
7. The Data Broker Menace & Defensive Considerations (51:10–54:46)
- Data Brokers:
- Most personal data is openly, and often legally, for sale—making opt-outs crucial but challenging.
- Vermont’s Data Broker Registry is a starting point to identify and attempt opt-outs.
- GDPR (in Europe) provides the best hope for erasure, but enforcement in the US is limited. The “right to be forgotten” is more theoretical than practical for most Americans.
- Defensive Recommendations:
- Reduce digital footprint wherever possible.
- Don’t reuse passwords—especially between personal accounts and corporate credentials.
- Be vigilant for targeted and highly personalized phishing attacks, especially those using personal context.
- Organizations must expect attackers to have access to both professional and personal employee data during red teaming.
- Quote (Mike, 50:30):
"Watch out for personal emails coming at work or any personal stuff. So whether it's your tax collector emailing you at work—that would never happen. But when you start looking at the information, you start seeing how accurate it looks. It gets a little scary."
Memorable Moments & Notable Quotes
- On zero trust/hybrid IT:
“Just because it's a hybrid [cloud and on-premises] model... it makes it a little bit more difficult to manage.” (Mike, 13:27)
- On information disclosures:
"I totally disagree... information disclosures can be critical, especially to an attacker…" (Bo, 24:40)
- On the risks of personal data brokers:
“They buy, sell, trade, they make our data for free and they aggregate it at scale…” (Mike, 43:25)
- On password reuse:
"Quit reusing passwords. That's pretty much the nature of it." (Mike, 46:59)
Key Timestamps
- 03:35 — Recon 101 refresher: basics & tools
- 07:52 — Q&A: discovering all related domains & brands
- 09:21 — Advanced: finding more TLDs via certificate transparency / crt.sh
- 12:32 — Debating zero trust vs. AD architectures
- 18:49 — Moving from recon to active scanning: finding interesting portals & files
- 22:32 — Demo: Brute-forcing files at scale with FindFruit
- 24:40 — Importance of info disclosures and username enumeration
- 31:39 — Evading IP detection: FireProx demo and mechanics
- 41:02 — “Social trust attacks”: blending personal & corporate info
- 43:43 — People brokers: free personal data aggregation
- 47:39 — Personalizing phishing with social connections
- 51:10 — Defensive tips & reflections on data privacy
- 53:57 — The coming challenge: red teaming in the age of mega-clouds & data brokers
Closing Thoughts
This episode issues a stark warning to organizations: attackers can (and do) easily assemble detailed intelligence on your company—including its technologies, employees, and even the personal lives of those employees—by combining open company data, public cloud reconnaissance, personal information brokers, and breach data. Defensive security must now account for the fact that for attackers, “this time, it’s personal.”
If you want to try these tools or techniques, or check if you’re listed on a people search broker, the episode discusses multiple open-source tools and opt-out resources.
Want more? Check out the full episode on YouTube and follow the presenters on Twitter for updates and tools.