
Targeted attacks: intelligence based on open sources (OSINT). Column of Denis Makrushin

Contents of the article

  • Finding Unclosed Doors
  • From Editorial Conversations
  • Scan, mark, repeat
  • OSINT without interactivity
  • Collecting information for social engineering
  • Recon as art
In one of my recent columns I talked about the stages of targeted attacks (the kill chain). The first stage, reconnaissance, begins long before the attacker touches the victim’s first machine. The amount and quality of the data collected at this stage determine the success of the attack and, most importantly, the cost of conducting it.

Of course, it is possible to throw exploits at vulnerable services exposed on the perimeter (and, for example, light up the network and leave traces in the logs of the protection systems), or you can use spear phishing and gain a foothold on a workstation inside the perimeter. The result will be achieved in both cases, but the cost of the attack is completely different.

The reconnaissance stage is the key to choosing the tactics, techniques and procedures (TTPs) that will be used to achieve the goal. Most often, the task of reconnaissance is to find as many potential entry points to the target as possible and to estimate the cost of implementing each detected vector. To complicate the life of an attacker conducting reconnaissance, it is necessary to understand which TTPs he uses at this stage.


All information is provided for informational purposes only. Neither the editorial board nor the author is responsible for any possible harm caused by the materials of this article.

Finding Unclosed Doors

The number of available attack vectors depends on the number of entry points available to an intruder. The entry points can be formally classified:

• information systems located on the perimeter and having access to the Internet (servers, workstations, administrative panels of special equipment, etc.);
• mobile devices used by employees inside the perimeter and beyond;
• accounts of employees in cloud services (including those used for personal purposes).

The last item often requires the attacker to “interact” with the victim (for example, to communicate with the target of a phishing attack), which increases the risk that the attack is detected. Therefore, in some cases priority is given to exploitable entry points located on the perimeter.

The network perimeter is a concept that, with the development of technology and the widespread adoption of clouds, is gradually disappearing. The concept of Bring Your Own Device (BYOD), which allows company employees to use personal devices for business processes, as well as the appearance of cloud services (hello, Office 365!), blur the perimeter. It is incredibly difficult to monitor the flow of data between the corporate network and the outside world. This also makes life easier for intruders: the variety of options for penetration grows.

In large organizations, the perimeter is full of services that the admins have forgotten about (or do not know about) and that have not been patched for a long time. I propose to look for such services in your own organization. Using the example of my favorite medical organizations, we will consider many penetration vectors. Afterwards, you can use this knowledge to inventory the perimeter of the networks that belong to you.

From editorial conversations

– Denis, let’s analyze ten interesting penetration scenarios using real examples from APT reports!

– I studied the topic, dug through the scenarios of targeted attacks and honestly say that there is nothing in them that would inspire me: almost all of them begin with the stage “sent a phishing email”… 🙂

Scan, mark, repeat

Obviously, to understand what is located on the network perimeter, you need to obtain the IP address ranges belonging to the target organization. This list may also contain IP addresses of third parties (service providers, contractors, etc.): the attacker will certainly include them in scope, but you, as an auditor of your own network, cannot do this. The resulting IP ranges can be fed into a port scanner. Instead of Nmap I recommend using Masscan or ZMap, which will greatly shorten the scan time.

So, to assess the entry points to medical corporate networks, you can download from the RIPE database the IP address ranges of all organizations whose names contain the keywords:

• healthcare;
• medic;
• clinic;
• surgery;
• hospit;
• dental;
• pharmacist.

After that, you can start the port scanner and wait a few days for its results.
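The steps above (pull the organization's ranges out of RIPE, filter by keyword, hand the result to a scanner) can be automated for your own perimeter inventory. The script below is an added example, not code from the column or from any tool it mentions: it parses a constructed excerpt in the RPSL format that RIPE database objects use (documentation addresses only, placeholder org handles), keeps objects whose netname, descr or org mention one of the article's keywords, converts each "first - last" inetnum into CIDR blocks, and, through the assumed `allowed_orgs` parameter, lets an auditor restrict the list to the organization's own handles so that third-party provider ranges are dropped rather than scanned.

```python
import ipaddress

# Constructed sample in the RPSL format used by RIPE database objects.
# Addresses are RFC 5737 documentation ranges; org handles are placeholders.
SAMPLE_RPSL = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-CLINIC-NET
descr:          Example Clinic
org:            ORG-EX1-RIPE
country:        NL

inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-ISP-CUST
descr:          Example Transit Provider,
                hosting for third parties
org:            ORG-EX2-RIPE
country:        DE

inetnum:        203.0.113.64 - 203.0.113.95
netname:        EXAMPLE-HOSPITAL
descr:          Example Regional Hospital
org:            ORG-EX3-RIPE
country:        FR
"""

# The keyword list from the article.
KEYWORDS = ["healthcare", "medic", "clinic", "surgery", "hospit", "dental", "pharmacist"]


def parse_rpsl(text):
    """Split RPSL text into objects: one {attribute: [values]} dict per blank-line-separated block."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t+" and last_key:      # continuation of the previous attribute
            current[last_key][-1] += " " + line.lstrip(" \t+").strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def matches_keywords(obj, keywords):
    """True if netname, descr or org of the object mention any keyword (case-insensitive)."""
    haystack = " ".join(obj.get("netname", []) + obj.get("descr", []) + obj.get("org", [])).lower()
    return any(k in haystack for k in keywords)


def inetnum_to_cidrs(inetnum):
    """Convert a RIPE 'first - last' range into the minimal list of CIDR blocks."""
    first, last = (s.strip() for s in inetnum.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def select_ranges(text, keywords=KEYWORDS, allowed_orgs=None):
    """Return CIDR blocks of objects matching the keywords.

    allowed_orgs (assumed parameter): when set, only objects whose org handle is in it are
    kept. An auditor uses it to stay inside the organization's own allocations and to drop
    third-party ranges (providers, contractors) that an attacker would keep in scope.
    """
    cidrs = []
    for obj in parse_rpsl(text):
        if "inetnum" not in obj or not matches_keywords(obj, keywords):
            continue
        if allowed_orgs is not None and not set(obj.get("org", [])) & set(allowed_orgs):
            continue
        for value in obj["inetnum"]:
            cidrs.extend(inetnum_to_cidrs(value))
    return cidrs


if __name__ == "__main__":
    for cidr in select_ranges(SAMPLE_RPSL):
        print(cidr)          # one CIDR per line, ready for a scanner's target file
```

On the sample the keyword filter keeps the clinic and the hospital and drops the transit provider; with `allowed_orgs={"ORG-EX3-RIPE"}` only the hospital's block remains. The CIDR conversion matters because a RIPE range such as 192.0.2.0 - 192.0.2.100 is not a single prefix and would otherwise be mis-scanned.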

Fragment of the Masscan scan report

If you scan with ZMap, you can then use the ZTag utility to tag each discovered service. Tags are assigned on the basis of the collected banner database. In the case of the medical scan, the discovered services break down as follows:

Top services on the perimeter of the medical infrastructure

Among trivial things like web applications and mail servers there are more interesting applications: building management systems (by the way, we have written a whole series of articles on this topic), printers (often without any authorization on the admin panels), NAS storage (and even specialized PACS servers), smart kettles and so on. Using each of the services found, the attacker can determine attack vectors and evaluate the complexity (read: the cost) of their implementation.
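The tagging step that ZTag performs (match each discovered service against a banner database, then count the tags to get a "top services" table) is what turns a raw port list into the inventory above. The following is an added example written for this column, not ZTag's or Masscan's code: it reads a constructed document shaped like Masscan's JSON output (the field names `ip`, `ports`, `port`, `status`, `service.banner` are an assumption about that format; hosts and banners are invented), tags each open port from the banner first and the port number second, builds the tag count table, and flags the classes of device the article singles out (DICOM, SMB, building management, printers, NAS) as candidates for a perimeter review.

```python
import json
import re
from collections import Counter

# Constructed sample resembling masscan's JSON (-oJ) output; field names are an
# assumption about that format, and every host, port and banner is invented.
SAMPLE_SCAN = json.dumps([
    {"ip": "192.0.2.10", "ports": [{"port": 80, "proto": "tcp", "status": "open",
        "service": {"name": "http", "banner": "HTTP/1.1 200 OK\r\nServer: nginx"}}]},
    {"ip": "192.0.2.11", "ports": [{"port": 25, "proto": "tcp", "status": "open",
        "service": {"name": "smtp", "banner": "220 mail.example ESMTP Postfix"}}]},
    {"ip": "192.0.2.12", "ports": [{"port": 1911, "proto": "tcp", "status": "open",
        "service": {"name": "unknown", "banner": "fox a 1 -1 fox hello"}}]},
    {"ip": "192.0.2.13", "ports": [{"port": 9100, "proto": "tcp", "status": "open",
        "service": {"name": "unknown", "banner": "@PJL INFO ID\r\n\"HP LaserJet\""}}]},
    {"ip": "192.0.2.14", "ports": [{"port": 104, "proto": "tcp", "status": "open"}]},
    {"ip": "192.0.2.15", "ports": [{"port": 445, "proto": "tcp", "status": "open"}]},
    {"ip": "192.0.2.16", "ports": [{"port": 5000, "proto": "tcp", "status": "open",
        "service": {"name": "http", "banner": "HTTP/1.1 200 OK\r\nServer: Synology DSM"}}]},
])

# Banner database: (tag, ports typical for the service, regex on the banner).
# Specific device classes come before the generic web rule.
RULES = [
    ("dicom",       {104, 11112},                       None),
    ("smb",         {139, 445},                         None),
    ("bms-niagara", {1911, 4911},                       re.compile(r"^fox a ")),
    ("printer",     {515, 631, 9100},                   re.compile(r"@PJL|LaserJet|CUPS", re.I)),
    ("nas",         set(),                              re.compile(r"Synology|QNAP|DiskStation", re.I)),
    ("mail",        {25, 110, 143, 465, 587, 993, 995}, re.compile(r"E?SMTP|IMAP|POP3")),
    ("web",         {80, 443, 8080, 8443},              re.compile(r"^HTTP/")),
]

# Device classes that have no business facing the Internet without at least a VPN in front.
NEVER_EXPOSE = {"dicom", "smb", "bms-niagara", "printer", "nas"}


def tag_service(port, banner):
    """Tag from the banner when one matches, otherwise from the port number, else 'other'."""
    for tag, _ports, pattern in RULES:
        if pattern is not None and banner and pattern.search(banner):
            return tag
    for tag, ports, _pattern in RULES:
        if port in ports:
            return tag
    return "other"


def tag_scan(scan_json):
    """Return (ip, port, tag) for every open port in a masscan-style JSON document."""
    records = []
    for host in json.loads(scan_json):
        for entry in host.get("ports", []):
            if entry.get("status") != "open":
                continue
            banner = entry.get("service", {}).get("banner", "")
            records.append((host["ip"], entry["port"], tag_service(entry["port"], banner)))
    return records


def top_services(records):
    """Counts per tag, most common first: the 'top services' table."""
    return Counter(tag for _, _, tag in records).most_common()


def exposure_findings(records):
    """Hosts whose tag is in NEVER_EXPOSE, i.e. the unclosed doors to review first."""
    return [(ip, port, tag) for ip, port, tag in records if tag in NEVER_EXPOSE]


if __name__ == "__main__":
    recs = tag_scan(SAMPLE_SCAN)
    for tag, n in top_services(recs):
        print(f"{tag:12} {n}")
    for ip, port, tag in exposure_findings(recs):
        print(f"review: {ip}:{port} looks like {tag}")
```

Banner matches take priority over port numbers so that a NAS admin interface on port 5000 is tagged as storage rather than as a generic web server, while a silent port 104 still gets the DICOM tag from the port alone. The `NEVER_EXPOSE` policy is the auditor's side of the same data: the attacker ranks these hosts by cost of exploitation, the owner ranks them by what should not have been reachable at all.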

An example of information about a device using the Niagara Fox protocol
A printer control panel that, for example, shows a list of neighboring wireless networks
An example of a vulnerable medical portal leading to medical data

OSINT without interactivity

Another well-known way to get information about the perimeter without interacting with it at all is to study the logs of Shodan and similar search engines, whose robots have kindly done everything for the attacker.

As can be seen from the scan results above, all kinds of servers are publicly accessible that reflect the specific activities of the target organization and store valuable information. For example, speaking of medical companies, their perimeter contains DICOM devices and PACS servers (picture archiving and communication system). These are medical systems based on the DICOM standard (Digital Imaging and Communications in Medicine, the industry standard for the creation, storage, transfer and visualization of medical images and documents of examined patients) and consisting of the following components:

• DICOM client: a medical device capable of transferring information to a DICOM server;
• DICOM server: a hardware and software complex that receives and stores information from clients (in particular, PACS servers belong to this class);
• diagnostic DICOM stations and DICOM printers: hardware and software complexes responsible for processing, visualization and printing of medical images.

A distinctive feature of most of these systems is the availability of a web interface for managing them over the network. Here, vulnerabilities can be discovered that an attacker can use to gain access to valuable information and processes. It is worth considering these systems in more detail and checking whether they are accessible from the Internet, that is, whether they serve as a potential entry point for an attacker.

DICOM devices can be found with the simplest query in the Shodan search engine: DICOM port:104.

List of DICOM servers

You can also try to find diagnostic DICOM stations, the specialized PACS systems used for data processing, diagnostics and visualization. An example query for the Censys search engine: pacs and autonomous_system.organization:[hospital or clinic or medical or healthcare].

Login panel of diagnostic stations
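Search engines only tell you that something answered on port 104; the owner's question is whether that PACS accepts a DICOM association from an arbitrary peer, which is what makes it an entry point rather than just an open port. The code below is an added example written for this column, not the project's or any DICOM toolkit's code: it builds the A-ASSOCIATE-RQ that a C-ECHO (the DICOM "ping") starts with, parses the server's A-ASSOCIATE-AC or A-ASSOCIATE-RJ, and wraps both in a `probe()` for checking your own servers. The UIDs for the application context, the Verification SOP class and the implicit VR little-endian transfer syntax are the standard ones; the implementation class UID, the AE titles and the constructed server replies used in the offline demonstration are placeholders.

```python
import socket
import struct

# Well-known DICOM UIDs from the standard (PS3.6 / PS3.7).
APPLICATION_CONTEXT = "1.2.840.10008.3.1.1.1"
VERIFICATION_SOP_CLASS = "1.2.840.10008.1.1"     # C-ECHO
IMPLICIT_VR_LITTLE_ENDIAN = "1.2.840.10008.1.2"
IMPL_CLASS_UID = "1.2.3.4.5.6.7.8.9"             # placeholder; a real tool registers its own


def _item(item_type, payload):
    """PDU item: type, reserved byte, 16-bit big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _pdu(pdu_type, body):
    """PDU: type, reserved byte, 32-bit big-endian length, body."""
    return struct.pack(">BBI", pdu_type, 0, len(body)) + body


def _ae(title):
    """AE titles are 16 bytes, space padded."""
    return title.encode("ascii")[:16].ljust(16)


def _fixed_fields(called_ae, calling_ae):
    """Protocol version 1, reserved, called AE, calling AE, 32 reserved bytes (68 bytes in total)."""
    return struct.pack(">HH", 1, 0) + _ae(called_ae) + _ae(calling_ae) + bytes(32)


def build_associate_rq(called_ae, calling_ae="AUDIT", max_pdu=16384):
    """A-ASSOCIATE-RQ proposing one presentation context: Verification SOP class, implicit VR LE."""
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0]) + _item(0x30, VERIFICATION_SOP_CLASS.encode())
                     + _item(0x40, IMPLICIT_VR_LITTLE_ENDIAN.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", max_pdu)) + _item(0x52, IMPL_CLASS_UID.encode()))
    return _pdu(0x01, _fixed_fields(called_ae, calling_ae) + _item(0x10, APPLICATION_CONTEXT.encode())
                + pres_ctx + user_info)


def build_associate_ac(called_ae, calling_ae, context_results, impl_uid="9.8.7.6.5"):
    """A-ASSOCIATE-AC as a server answers; context_results maps context id -> result (0 = accepted)."""
    body = _fixed_fields(called_ae, calling_ae) + _item(0x10, APPLICATION_CONTEXT.encode())
    for ctx_id, result in context_results.items():
        body += _item(0x21, bytes([ctx_id, 0, result, 0]) + _item(0x40, IMPLICIT_VR_LITTLE_ENDIAN.encode()))
    body += _item(0x50, _item(0x51, struct.pack(">I", 16384)) + _item(0x52, impl_uid.encode()))
    return _pdu(0x02, body)


def build_associate_rj(result=1, source=1, reason=1):
    """A-ASSOCIATE-RJ: result (1 permanent, 2 transient), source, reason/diagnostic."""
    return _pdu(0x03, bytes([0, result, source, reason]))


def build_release_rq():
    """A-RELEASE-RQ: four reserved bytes."""
    return _pdu(0x05, bytes(4))


def parse_associate_response(data):
    """Interpret the first PDU a DICOM server sends back to an A-ASSOCIATE-RQ."""
    pdu_type, _, length = struct.unpack(">BBI", data[:6])
    body = data[6:6 + length]
    if pdu_type == 0x03:
        _, result, source, reason = body[:4]
        return {"accepted": False, "result": result, "source": source, "reason": reason}
    if pdu_type != 0x02:
        return {"accepted": False, "error": f"unexpected PDU type 0x{pdu_type:02x}"}
    info = {"accepted": True, "called_ae": body[4:20].decode("ascii").strip(),
            "calling_ae": body[20:36].decode("ascii").strip(), "contexts": {}, "implementation_class_uid": None}
    pos = 68                                   # variable items follow the fixed fields
    while pos + 4 <= len(body):
        item_type, _, item_len = struct.unpack(">BBH", body[pos:pos + 4])
        payload = body[pos + 4:pos + 4 + item_len]
        if item_type == 0x21:                  # presentation context result: id at [0], result at [2]
            info["contexts"][payload[0]] = payload[2]
        elif item_type == 0x50:                # user information sub-items
            sub = 0
            while sub + 4 <= len(payload):
                sub_type, _, sub_len = struct.unpack(">BBH", payload[sub:sub + 4])
                if sub_type == 0x52:
                    info["implementation_class_uid"] = payload[sub + 4:sub + 4 + sub_len].decode("ascii").strip("\x00")
                sub += 4 + sub_len
        pos += 4 + item_len
    info["echo_accepted"] = info["contexts"].get(1) == 0
    return info


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def probe(host, port=104, called_ae="ANY-SCP", timeout=5.0):
    """Open an association from an unknown calling AE title and report what the server answers.

    echo_accepted=True means the PACS accepts associations from arbitrary peers; if it is
    reachable from the Internet, it belongs in the inventory of unclosed doors.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae))
        header = _recv_exact(sock, 6)
        body = _recv_exact(sock, struct.unpack(">BBI", header)[2])
        result = parse_associate_response(header + body)
        if result["accepted"]:
            sock.sendall(build_release_rq())   # close politely instead of dropping the TCP session
    return result


if __name__ == "__main__":
    # Offline demonstration with constructed server replies.
    print(parse_associate_response(build_associate_ac("PACS", "AUDIT", {1: 0})))
    print(parse_associate_response(build_associate_rj()))
```

A server that answers with an A-ASSOCIATE-RJ, or accepts the association but refuses the presentation context, is at least enforcing a called/calling AE title policy; one that returns `echo_accepted` for a made-up calling title will talk DICOM to anyone who finds it in Shodan. Run `probe()` only against hosts you are responsible for, from the outside of the perimeter, and compare the result with what the inventory says should be reachable.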

Using standard Shodan queries for information about resources exposed on port 445 (SMB), the attacker can sometimes learn the names of internal resources (servers and workstations), and from them determine which nodes on the network are of further interest and which are not.


Collecting information for social engineering

Various social engineering scenarios are an effective way to gain a foothold inside the corporate perimeter: for example, sending phishing messages that contain malicious attachments or links leading to phishing resources.

In order to implement these scenarios, the attacker must also collect information about the target in order to increase the likelihood that the addressee will follow the link in the email or open the attachment. Currently, the security services of large organizations are trying to raise their employees’ awareness of malicious mail, which obviously does not benefit the attackers. Now the villains need not only to circumvent the victim’s spam filters and deliver the “payload” to the inbox, but also to motivate the target to perform the necessary actions and, most importantly, not to arouse suspicion.
The abundance of social networks, as well as the “emancipation” of their typical user, gives the attacker the opportunity to extract information about his victim and compose a convincing context for the “payload”: the text of the cover letter, the style of communication.

This is a creative task, and it depends on the specific situation, but as a general example, you can use a resource that queries the public APIs of popular social networks to extract valuable account information.


For example, an attacker, by querying LinkedIn, was able to identify key employees for organizing a spear-phishing attack: their names, surnames and contact information (e-mail). Using this data, it is easy to find the accounts of these employees in other social networks, for example, on Facebook. With the help of a web service, an attacker can collect interesting statistics on his victims, for example, where and in which hotels they stayed. Then, on behalf of the hotel, the villain can send a message reminding them about the payment of some resort fee with an attached invoice as a PDF document. Profit!

Recon as art

The topic of extracting data about the target of an attack is very extensive, and more than one book has been written about open-source intelligence alone. For this reason, I focused on gathering technical information about the perimeter: it often contains unclosed doors that have not been patched for years and which the owner may not even know about.

In addition, an attacker wading through external resources does not interact with a person (as is the case with social engineering), which means that the only obstacle is all kinds of IDS/IPS, WAF and everything else that records activity on the perimeter. If such tools are there at all.