Salesman turned security operative: Putting together my first OSINT report

Part 2: How a Salesman Infiltrated the World’s Largest Hacker Conference

Blake Mitchell
Cmd Security
Aug 2, 2018


By Blake Mitchell, Director of Sales at Cmd

First off, thank you so much for all of the positive feedback you gave on part one of this series.

(Didn’t get a chance to read part one yet? Read about how I managed to grab a spot in the SECTF competition here.)

Getting into this competition, and putting together these articles, has been an exciting process that’s stretched me in really interesting ways. This article (part two) will cover what the process was like to put together the OSINT (open source intelligence) report and how it set me up to feel ready to take the stage and tackle the final phase of the competition: the live calls.

Making the commitment

So when I left off last, I’d submitted my video and made it into the competition. Little did I know, the hardest part was still ahead of me. I got an email asking me for three commitments upfront:

  1. Pay a $20.00 refundable deposit
  2. Commit to get in a booth on stage and attempt to extract information from my target company
  3. Commit to spend the time required to submit a thorough report on my target company ahead of the live event at DEF CON

Step one would be easy. A $20 PayPal transfer and I was done. Step two was a slam dunk, too. I talk to people every day for a living. Piece of cake. Step three is where the panic kicked in. First off, I struggled in school. I could never focus and sit still (ADD), and I never did my homework on time.

And on top of that, I run sales for a startup, where I have an hour-long commute each way. I have two active kids with extracurricular activities and a wife to consider. But I wanted to land that meeting with Robert Sell, and I knew that getting that phone booth was going to be a thrill I couldn’t pass up. So I submitted my money and started preparing.

In the report phase, here was my assignment:

  1. Collect 30 “flags” (or key bits of information) from the target company I’d been assigned
  2. Use only open source intelligence tools (meaning I could only use data that anyone can find publicly by searching things like social media, Google Maps, etc.)
  3. Don’t contact the organization directly

Here are some of the kinds of flags I had to try and gather:

  • Is wireless in use on site? (yes/no) If yes, ESSID Name?
  • Name of employee and how long have they worked for the company
  • What types of badges does the target company use (RFID, HID, etc) for company access?
  • Name of their 3rd party or in house security guard company?
  • What desktop operating system is in use?
  • What is the name of the company responsible for the vending machines onsite?

How do I begin?

As a rookie, I had no idea where to start. With the core belief that learning and asking questions is always important, I started reaching out to my network of security pros. I have built a pretty solid network of infosec connections, so I bugged most of them. I asked for hints and tips on how to best do an OSINT report. I got myself into Slack channels like my local one, MARS, and BrakeSec. (Thanks for the tip @HashtagCyber.) I heard about a tool called Hunchly, which would help me to track all of my web activity automatically so I wouldn’t have to slow down. Doing a bit of digging, I realized I had actually worked with Justin, the founder of Hunchly, at my previous organization, so I reached out. I managed to get a license for Hunchly so I could use it to work on my OSINT. It was amazing.

I got my target company: an organization with a huge global presence. I basically came straight home from work that day, plopped down on the couch, turned on Hunchly, and got into hyper-focus mode. I first looked at the target website, searching for different executives with the goal to find out more about them on social media channels like LinkedIn and Twitter to dive deeper. My primary focus was to understand where some of these vulnerabilities might be and how much work I’d need to do to get this report together. With over 90,000 employees, I had to start narrowing the field. I managed to find a few executives that gave me a couple of breadcrumbs to follow, but honestly it was more about gaining the lay of the land. By the time I looked up from my computer it was 3am.

Finding my flags

My first real breakthrough came when I found a series of videos. Basically, an employee had walked through one of the target company’s offices wearing Google Glasses, recording everything they were seeing. It was a flag treasure land. I found information about their guest wifi network. I saw what their employee badges looked like. I learned employee names, confirmed the maker of their vending machines, and discovered the office was open 24/7. They had multiple data centers spread throughout the country for disaster recovery. It was huge.

Looking into who does the in-house security for my target organization got me tons of great information. I tracked down the management company in charge of security for the building where my target company’s HQ is located. Once I figured out who their head of security was, I googled him and stumbled onto an interview he’d given where he basically gave away all of the information about their building’s operations. I grabbed a ton of relevant info there, around how they handle their mail service, where packages are received, all of these little details that set me up for finding information for the flags around logistics and operations.

Deadline fast approaching

Entering the last week to gather my information, I was feeling pretty good. I still had some hard work ahead of me but I’d found a ton of great info. Then two days before the report deadline, I get this email:

Folks,

The reports are due this Friday and we haven’t heard a peep from you all. Hopefully things are good. Please let us know and don’t forget — THIS FRIDAY they are due.

As soon as I read this email, the panic set in and my mind went racing. Do I have everything? What more could I do? What more can I find? I know I had done a lot and I was confident, but I was still missing a few items.

I didn’t give up and I kept on hunting. While poking around on Twitter I found what I was looking for: my golden goose. I’ll call her the social butterfly (SB). She just posted everything. She actually posted a picture of a corporate presentation that ordered the employees to post more on social media, even naming a specific hashtag the company wanted employees to use. As soon as I searched through Twitter for that hashtag, all of my missing items were right there. We’re talking direct dial numbers, contact information for the vending machine maintenance company, internal IPS’s and a whole bunch more. The lesson here is always be aware of what you are posting on social media. If it wasn’t for that last find, I’d have missed out on a ton of flags.

Turning in the report

I got my report in at 8:17pm on the day of the deadline (June 22). Considering the deadline was 9:00pm, I was cutting it kind of close. But I got it in. I was home by myself and felt instantly like a huge weight had been lifted off my shoulders. The hardest part was behind me. I’d done it. I’d spent probably 120–160 hours over the course of one month. Every waking minute not spent at work or with the kids I was combing through websites looking for info. It was one of the hardest things I’ve ever done but it was submitted. Now it was time to relax and wait for the results.

Getting the results

On July 16th, I got an email that the scoreboard had been updated with the results of the report. My pulse racing, I logged on to see that out of the 14 participants, my report had gotten me into the top five. Up against some professional social engineers and hackers, my hard-fought work had set me up in a great spot going into the final phase of the competition.

Once I’d let the fact I’d managed to knock the report part out of the park sink in, I looked at the top scores to see how close I’d come…only to see that the contestant in the top spot had managed to grab 220 points. Pretty sure that the highest possible score was only 218, I double-checked the initial email we’d all received and saw that I was right. I sent an email to the team at SECTF to see if possibly there’d been a mistake, or if there were bonus points I wasn’t aware of. I got a response from the team that they’d do some checking and get back to me.

I spent the next few hours wondering what they’d come back with and how long I’d have to wait. Finally, I received an email that they’d sent out to all of the contestants. Based on my tip, they checked their math to discover there had been an error in the scoring which meant that certain contestants’ scores had to be adjusted and they’d updated the public scoreboard with the new results. And now? I was in the top three.

The official scoreboard, anonymized to protect the innocent.

I hopped onto a Slack group I was in to do some poking around to see if I could find out who the others in the top spots were and managed to uncover who was with me in the top four spots.

Getting this news made me feel ecstatic. I just beat out some stiff competition, people whose jobs revolve around hacking and social engineering. I was floating on air with this news. All the hard work was intense, but now the dopamine in my brain was flowing high. I’d done it. The hard part was over.

Next step: phase three

Now all that’s left is getting in that phone booth on August 11th to make my calls. I have a plan of attack. I know what kind of info I’m going to try to extract and who I consider most likely to give it up to me. I managed to social engineer my way into a list that included almost every direct dial number (we’re talking over a thousand) within the corporate IT department. Finally, by managing to get into the top three on the written report, the phase I was most out of my element in, I’ve set myself up with a nice cushion headed into the final phase.

At the end of the day, I’m a sales guy. Making people feel comfortable, even on a cold call, is like breathing to me. I know I have phase three in the bag. All I have to do is get on that stage and deliver.

. . .

Stay tuned for part three. After the conference, I’ll be sharing about what it was like to actually get into the booth and make the calls.

Curious what I actually spend my days doing when I’m not slaving over OSINT reports? Check out a bit about Cmd’s approach to protecting cloud servers in the video below. (Hey, I’m a sales guy. Sometimes I can’t help myself.)

We also have some cool Cmd/Def Con swag. If you can find me at Def Con, I’ll hook you up. Thanks for reading!

If you see someone wearing this shirt, give them a high five. And if you find the real Blake Mitchell, he might have a shirt with your name on it (or his).

Blake Mitchell
Cmd Security

Director of Sales at Cmd.com - Husband, father, sales professional, schmoozer | DefCon 26 SE-CTF contestant | social engineer | Dr. of Metaphysics.