During an external assessment (be it a penetration test or red team), we here at Red Siege begin by investigating the target as completely as possible before accessing the target’s external assets. During this series of articles, we will demonstrate different methods of gathering actionable intelligence on a target focused first on infrastructure and then on employees. We will further break this down into completely open-source intelligence sources and ramp up to light interactions with the target’s external assets.

As an example, we will take a look at a company that recently restructured.

UPDATE 2/6: The company we selected for this recon is apparently not 100% dead. While all the information in this post is public, we have chosen to redact the company name from the remainder of the post.

Recon Methods Part 2 – OSINT Host Discovery Continued
Recon Methods Part 3 – OSINT Employee Discovery
Recon Methods Part 5 – Traffic on the Target

The first stop for gathering information about a company is Wikipedia. Entries on Wikipedia will often have a biography of the company including associated domains and can also contain histories of mergers, acquisitions, and subsidiary companies. Using this list of affiliated companies, an attacker can potentially find additional domains associated with the target.

In the case of the selected company, Wikipedia indicates a history of acquisitions. We would typically track down each of these companies to check for additional external attack surface.

On a recent unrelated red team engagement, we were able to find a list of subsidiary companies that had been acquired by our target. After independently verifying the acquisitions, we had gained a list of additional target domains that ultimately led to the first foothold inside the target’s network.