Publicly available information serves as a launching pad for attackers' initial efforts to research potential areas of exploitation.
While your organization may be working to reduce vulnerabilities, attackers are often looking for weaknesses in your defenses and personnel that, when combined with other methods, can serve as an initial vector of entry or enable further exploitation.
In this video, Nate Drier, Secureworks Managing Principal Consultant, gives a demonstration of how an attacker would utilize Gitrob to conduct passive recon when profiling a target externally.
Another great tool to use for recon is called gitrob. What gitrob does is, it will run out and query public GitHub repos or GitHub projects that different people contribute to and pull out interesting information from those projects and all the different users' commits. So we start off by doing a quick search on Google to see if Dell has any public GitHub repos, and of course they do. You can see the first repo here for their open source stuff, main Dell repo, dell-asm, dell-esg, so there are quite a few we can feed into this gitrob tool. Let it run, it will pull everyone that has contributed to this repo. So we will click on this first one here. So it will pull the information for all users here, all the contributors, and then it will look at any other repos that they contribute to, to see if there are any interesting files.
So, we can take a look at the output here after we have run the tool. We can see each one of these lines here is a different repo that we’ve looked at. So we can take a peek here, let’s take a look here at a better example. So we can see over here on the right, the repository: the first word is the user that contributed. The second part is what repo they contributed to. Obviously, this isn’t part of a Dell repo. This is part of a personal repo, but we can see they’ve uploaded a bash profile we can look through and see some really interesting information if we were to target these users. Here’s another bash profile that we can look through. Sometimes there is really interesting information in profiles and dot files in general, some .ssh config files. So, we can see this user has a VPS that they use. The port forwards that they set up. This is all really rich and interesting information when you’re profiling a target externally.
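
For defenders, the file types singled out in the demo (shell profiles, dotfiles, SSH client config) can be checked for in your own repositories before they are pushed. The following is an added example, not part of the video and not Gitrob's code; the rule list, allow-list, function names and sample data are assumptions constructed for illustration.

```python
import re

# Assumed rules, built only from the file types named in the demo (shell
# profiles, dotfiles in general, SSH client config). Not Gitrob's own list.
RULES = [
    ("ssh client config", re.compile(r"(^|/)\.ssh/config$")),
    ("shell profile", re.compile(r"(^|/)\.(bash_profile|bashrc|profile|zshrc)$")),
    ("other dotfile", re.compile(r"(^|/)\.[^/]+$")),
]
# Assumed allow-list: dotfiles that are meant to be committed.
ALLOWED = {".gitignore", ".gitattributes", ".editorconfig"}
# ssh_config keywords that reveal hosts, accounts, keys or tunnels.
REVEALING = {"hostname", "port", "user", "identityfile", "proxyjump",
             "localforward", "remoteforward", "dynamicforward"}

def flag_paths(paths):
    """Return (path, rule) for each tracked path matching a rule."""
    hits = []
    for path in paths:
        if path.rsplit("/", 1)[-1] in ALLOWED:
            continue
        for label, rx in RULES:
            if rx.search(path):
                hits.append((path, label))
                break  # first (most specific) rule wins
    return hits

def ssh_config_exposure(text):
    """Return (keyword, value) pairs an ssh config would disclose."""
    exposed = []
    for raw in text.splitlines():
        # Accepts "Key Value" and "Key=Value"; blank and comment lines
        # never produce a keyword in REVEALING, so they fall through.
        parts = re.split(r"[\s=]+", raw.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in REVEALING:
            exposed.append((parts[0].lower(), parts[1]))
    return exposed

# Constructed sample: paths as `git ls-files` would print them, and a config.
SAMPLE_PATHS = ["README.md", ".gitignore", "dotfiles/.bash_profile",
                "dotfiles/.ssh/config", "src/app.py", ".env"]
SAMPLE_SSH = """Host vps
    HostName 203.0.113.10
    Port 2222
    LocalForward 5432 127.0.0.1:5432
"""

if __name__ == "__main__":
    print(flag_paths(SAMPLE_PATHS))
    print(ssh_config_exposure(SAMPLE_SSH))
```

Feeding it the output of `git ls-files` from each repository, including contributors' personal ones, covers the same ground the demo walks through.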