Hacking Organizations One Document at a Time With Metadata
2021-02-03 22:41:46 Author: medium.com(查看原文) 阅读量:224 收藏

m8r0wn

Metadata is simply defined as data about data. In computer systems, this is used to correctly interpret files and store descriptive attributes. While not always visible, metadata provides far more information than content creators realize. Once a document and containing metadata is made public, it could unknowingly help an attacker infiltrate your organization.

Image for post

Photo by Josue Valencia on Unsplash

As a penetration tester, I am often given a week to target a client’s public facing environment with the goal of breaching their internal network. This form of testing allows the client to evaluate the effectiveness of their defensive solutions, assess the security team’s response to simulated threat activity, and identify vulnerabilities for remediation. However, with only one week and zero preexisting knowledge, this can be a daunting task.

The first step in penetration testing, or any offensive security engagement, is reconnaissance. Learning how your target operates. This includes everything from the software they use to their user account naming convention. All of which can be leveraged in subsequent attacks.

Metadata is a go-to source for this information and is easily overlooked during a company’s publishing process. Once posted on their website, or another public forum, it is possible to download the file and extract critical information using utilities such as Phil Harvey’s ExifTool. This is a platform-independent application written in Perl that can be used to read, write, and edit meta information in a variety of file types.

Image for post

Image depicting the types of information that can be extracted from metadata.

This process can be simplified even further with tools such as PyMeta, which uses search engine scraping to automatically find public documents released by an organization. Once found, it will download the files and create a neatly formatted report of the extracted metadata.

Image for post

Partial PyMeta report from a popular domain-wide bug bounty program.

Information such as user account naming conventions can be applied to generate a list of users for brute-forcing or social engineering style attacks. This data can also be used to make inferences about the environment or craft custom payloads based on the operating system(s), software, or application versions found.

Metadata can be removed in Microsoft office through modifying the document properties and enabling personal information removal in the privacy settings.

Image for post

Depending on the technologies employed by an organization, third party tools or plugins may exist to strip metadata during the upload process. Otherwise, this removal can also be done at the operating system level via File Explorer.

Using metadata to target organizations has been around for years. However, it remains an unrealized point of information for defenders that is still heavily leveraged by attackers today.


文章来源: https://medium.com/bugbountywriteup/hacking-organizations-one-document-at-a-time-with-metadata-1af2eb10f254?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh