3.6. Social Engineering

3.6.1. Corporate Information Collection

Some websites, such as Tianyancha, offer enterprise information lookups: corporate relationship mining (shareholders, subsidiaries, investments), business registration records, trademarks and patents, annual reports and so on, which give a much more detailed picture of the target enterprise.

The company's main website usually reveals its business direction and its partner organizations (customers, suppliers, and other cooperating units).

3.6.2. Personnel Information Collection

Personnel information collection covers the collection and analysis of the target's key personnel, organizational structure, and social relationships. Key personnel here mainly means executives, system administrators, developers, operations and maintenance staff, finance, HR, and business staff; their personal computers are the usual targets.

The easiest entry point for personnel information is the website itself, which may expose the people who develop, manage, and maintain it. Names, e-mail addresses, and other contact details of developers and maintainers can be obtained from the site's contact pages and from comments left in the page source.

With this information, search for everything these people have published on the Internet about the target on social and recruitment sites such as GitHub/LinkedIn, then analyze it and pick out what is useful.

In addition, the mailboxes obtained this way can be subjected to password brute-forcing (for example, spraying a short list of common passwords across all of them) to recover the corresponding passwords.

3.6.3. Phishing

Based on the previously collected information, a phishing e-mail carrying a file in a format such as Office/CHM/RAR/EXE/shortcut (LNK) can be crafted and sent to the target to collect further information.

For Office, the exploit file can be built with Office vulnerabilities, macros, OLE objects, PPSX (auto-running slideshow) files, and similar methods.

For EXE files, special Unicode control characters such as RLO (Right-to-Left Override, U+202E) can be used to construct misleading filenames, so that a file that is actually an executable is displayed with an innocuous extension such as .pdf or .png.
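The following is an added example, not code from the original page: it builds an RLO-disguised filename the way the trick above works, simulates how a bidirectional-text renderer displays it, and implements the check a mail gateway or incident responder would want, flagging attachment names that contain bidi control characters or whose displayed extension differs from the real one. The sample attachment names are constructed here.

```python
import os

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Unicode bidirectional controls that can reorder how a filename is displayed.
BIDI_CONTROLS = frozenset(
    ["\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
     "\u2066", "\u2067", "\u2068", "\u2069"]            # LRI, RLI, FSI, PDI
)


def rlo_disguise(stem: str, real_ext: str, fake_ext: str) -> str:
    """Build the stored filename for the RLO trick.

    The stored name really ends in `.real_ext`, but a bidi-aware file list
    renders everything after the RLO right-to-left, so it appears to end in
    `.fake_ext`.  rlo_disguise("photo_", "exe", "png") -> "photo_<RLO>gnp.exe",
    which is displayed as "photo_exe.png".  The real extension shows up
    reversed in the displayed name ("scr" becomes "rcs"), which is why the
    palindromic ".exe" is the usual choice.
    """
    return stem + RLO + fake_ext[::-1] + "." + real_ext


def displayed_name(stored: str) -> str:
    """Approximate what a bidi-aware renderer shows for `stored`.

    Simplified model: text after the first RLO is reversed up to the end of
    the string.  Terminators (PDF/PDI) are ignored, which is enough for the
    single-override trick used in phishing attachments.
    """
    head, sep, tail = stored.partition(RLO)
    return head + tail[::-1] if sep else stored


def check_attachment_name(name: str) -> dict:
    """Flag attachment names whose displayed form hides the real extension."""
    controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    real_ext = os.path.splitext(name)[1].lower()      # what the OS executes
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()    # what the user sees
    return {
        "stored": name,
        "displayed": shown,
        "real_ext": real_ext,
        "displayed_ext": shown_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or shown_ext != real_ext,
    }


if __name__ == "__main__":
    # Constructed sample attachment names (not real mail data).
    samples = [
        rlo_disguise("invoice", "exe", "pdf"),
        rlo_disguise("photo_", "scr", "jpg"),
        "quarterly_report.pdf",
    ]
    for n in samples:
        r = check_attachment_name(n)
        print(f"{r['displayed']!r:26} real={r['real_ext']:5} "
              f"controls={r['bidi_controls']} suspicious={r['suspicious']}")
```

The detection side deliberately flags any bidi control at all rather than only U+202E: LRO and the isolate controls can be combined for the same effect, and there is no legitimate reason for them in an attachment name.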

RAR mainly relies on self-extracting archives (SFX) and similar tricks to carry the malicious file; an encrypted archive can also escape mail-gateway scanning to some extent, because the gateway cannot inspect its contents.

If mailboxes of operations and maintenance staff were obtained during information collection, send the phishing mail from those mailboxes, since mail from a known internal sender is far more credible. If no such mailbox is available, forge the sending source instead; whether a forged sender is delivered depends on the SPF/DKIM/DMARC configuration of the domain being impersonated, so check those records before relying on spoofing.
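The following is an added example, not code from the original page: before attempting to forge the sending source, a tester checks whether the impersonated domain publishes an SPF record with a hard-fail `-all` and a DMARC record with `p=reject` or `p=quarantine`. The functions parse the two TXT record formats and give a verdict, including the edge case of a DMARC policy applied to only part of the mail (`pct` below 100). The sample records are constructed here, and no DNS lookup is performed; in practice the values come from the TXT records of `<domain>` and `_dmarc.<domain>`.

```python
def parse_spf(txt):
    """Return the qualifier of the SPF 'all' mechanism: '+', '-', '~', '?' or None.

    '-' (hard fail) tells receivers to reject unlisted sending hosts based on
    the envelope sender; '~' and '?' are advisory; None means no SPF record
    or no 'all' term.
    """
    if not txt or not txt.lower().startswith("v=spf1"):
        return {"present": False, "all": None}
    qualifier = None
    for term in txt.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"present": True, "all": qualifier}


def parse_dmarc(txt):
    """Return the DMARC policy ('none', 'quarantine', 'reject') and its pct."""
    if not txt:
        return {"present": False, "p": None, "pct": 0}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"present": False, "p": None, "pct": 0}
    return {"present": True,
            "p": tags.get("p", "none").lower(),
            "pct": int(tags.get("pct", "100"))}


def assess_spoofability(spf_txt, dmarc_txt):
    """Judge whether mail with a forged From: for this domain is likely delivered."""
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    enforcing_policy = dmarc["present"] and dmarc["p"] in ("reject", "quarantine")
    dmarc_enforced = bool(enforcing_policy and dmarc["pct"] == 100)
    spf_hardfail = bool(spf["present"] and spf["all"] == "-")
    if dmarc_enforced:
        verdict = (f"DMARC p={dmarc['p']} enforced: a forged From: header is "
                   "rejected or quarantined by DMARC-checking receivers")
    elif enforcing_policy:
        verdict = (f"DMARC p={dmarc['p']} applied to only {dmarc['pct']}% of "
                   "mail: a share of forged messages still gets through")
    elif spf_hardfail:
        verdict = ("SPF -all covers only the envelope sender; without DMARC "
                   "enforcement the visible From: header can still be forged")
    else:
        verdict = "no effective sender authentication: forged mail is likely delivered"
    return {"dmarc_enforced": dmarc_enforced,
            "spf_hardfail": spf_hardfail,
            "verdict": verdict}


# Constructed sample TXT records (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {"spf_txt": "v=spf1 include:_spf.example.net ~all",
                     "dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"},
    "partial.example": {"spf_txt": "v=spf1 ip4:203.0.113.0/24 -all",
                        "dmarc_txt": "v=DMARC1; p=reject; pct=25"},
    "hard.example": {"spf_txt": "v=spf1 ip4:203.0.113.0/24 -all",
                     "dmarc_txt": "v=DMARC1; p=reject"},
    "none.example": {"spf_txt": None, "dmarc_txt": None},
}

if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(f"{domain:16} {assess_spoofability(**records)['verdict']}")
```

The distinction the last two branches draw is the one that matters in practice: SPF alone is checked against the envelope sender (MAIL FROM), which the tester controls, while only DMARC ties the authentication result to the From: header the victim actually sees.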

Note that phishing tests must also respect compliance requirements: do not impersonate a regulatory or supervisory body, and do not send illegal content. For details, refer to the "Telecommunication Regulations of the People's Republic of China", the "Measures for the Administration of Internet E-mail Services of the People's Republic of China" and other applicable laws and regulations.

3.6.4. Additional Information

The company's official account (such as a WeChat official account), enterprise account, website, employees' cloud drives, Baidu Wenku (Baidu library) documents and similar sources may contain sensitive information such as VPN/bastion host accounts, TeamViewer accounts, default passwords for network devices, default server passwords, etc.