A new coding toolset has emerged to assist in social engineering attacks that seek to gain access to sensitive sources of open source intelligence on human targets.
Datasploit was showcased at Black Hat Arsenal in Las Vegas as an example of the kind of phishing technology that would be invaluable to penetration testers, cyber-investigators, security researchers – and, of course, cyber-criminals.
The Datasploit toolset is available on GitHub and was created independently by InfoSec-focused data engineers from three separate companies. The threesome in this case being Shubham Mittal of NotSoSecure, Nutan Kumar Panda of eBay and Sudhanshu Chauhan of Octogence.
Stuff not to leave around on the web
The tool itself works to try and discover user credentials, software application API-keys, tokens, old unpatched subdomains, domain history and legacy portals related to the target.
Utilising various open source intelligence (OSINT) tools and techniques, DataSploit brings them into one place, correlates the raw data captured and gives the user all the relevant information about the domain, email, phone number, person and so on.
According to the team, “It allows you to collect relevant information about a target which can expand your attack/defence surface very quickly. Sometimes it might even pluck the low hanging fruits for you without even touching the target and give you quick wins.”
How DataSploit works
DataSploit simply requires the bare minimum data (such as domain name, email ID and person name) before it goes out on a mining spree. Once the data is collected, firstly the noise is removed, after which data is correlated and after multiple iterations it is stored locally in a database, which could be easily visualised on the UI provided.
Jim Hartnett, security consultant at Cigital told SCMagazineUK.com that Domain Whois and other public records are easily searched and indexed. “The release of a more stable tool has been inevitable, but there are ways to dampen its effect. Domains can be registered with either Whois proxies, or with a non-individual entity such as an LLC or a registered agent,” added Hartnett.
According to Hartnett, using similar tactics for public registries reduces the efficacy of these tools. “Furthermore, individuals should always be conscious of what they post on social media, blogs and career sites such as LinkedIn as even a small amount of information, if not locked down to only authorised users or properly sanitised, can build a vast identify profile on the target,” he said.
Dangerous, in the wrong hands
Stephen Gates, chief research intelligence analyst at NSFOCUS told SC that although tools like this can certainly help pen testers, when these types of tools fall into the wrong hands, they can be used for all sorts of malicious purposes.
“Most social-engineering hackers likely possesses similar tools. What the public doesn't understand is that hackers can piece together someone's life by mining their online activity. From there, it's open season on their victims. The more hackers know about their intended target, the more likely they'll be at duping their victim into taking some sort of action; which we all know is the chink in everyone's armour,” said Gates.
Ronnie Tokazowski, senior researcher at PhishMe told SC: “Datasploit takes data gathering a step further than similar tools such as recon-ng and SET by adding automation, providing another example of how hackers are evolving their techniques to gain access to specific assets within a network. Although geared towards hacking personal accounts, Datasploit allows criminals to easily gather information that can be used to penetrate any network or database linked to that particular person in order to steal business assets. Once the human layer has been breached and a system is compromised, hackers can easily manoeuvre around the network and exfiltrate whatever data they need for the given attack.”