How To Cyberstalk Potential Employers

This article is less diabolical than its title might imply. Essentially, I want to give the reader some tips for finding more information about a potential employer than the job listing may reveal. Sometimes the job description gives all of the information you could want, but often it may not say much about the organization's network or development environment. Sometimes job descriptions are written by people who don't even know what the terms they are using mean (10+ years of C# experience, anyone?). You could scan their whole network with Nmap, but triggering a few thousand IDS alerts is probably not a good way to ingratiate yourself with an employer. So this article will cover more passive ways you can obtain information about a company's infrastructure. This is going to be a mile-high overview just to get your mind working in the creative ways it takes to investigate companies passively. Now, on with how to cyberstalk.

Other job postings

This is a big "duh!" so I won't spend much time on it. Sometimes the best way to find out more information about a company's environment is to look at job postings other than the one you are applying for. Just because your job posting lacks detail does not mean all of them do.

Mail Headers

Assuming you have had some correspondence with them, one of the first and most overlooked ways to find out more information about an employer is their e-mail's Internet headers. This will be the most technical part of the article, so bear with me. What information you can gather from these headers varies, and sometimes you won't find any useful information at all. Reading mail headers is sort of a black art, but I'll show you two header examples that will give you an idea of what to look for (I've tried to sanitize these headers as much as I can; when an IP is a valid one it may not be the IP shown in the original header).

Not all mail systems will return all of the information shown, so your results may vary greatly. To view these headers in Gmail, click on an individual message's dropdown menu and choose "Show original"; in Outlook, go to View->Options and look at the Internet headers; in all other e-mail readers, figure it out.

So, what information can I gather from these e-mail headers? Well, assuming this is the first e-mail contact you have had with the company, you now at least have the name of someone working there (I've highlighted the name in orange). This will come in handy as a starting point for the Google searches I'll talk about later. Next, notice the text I highlighted in red. These are the IP addresses/hostnames of the people who sent the message originally. The one in E-mail 1 is a routable IP which I can put into a WhoIs query to pull up more information about the company that owns it (I like to use the site DNSStuff for this, but the *nix command line whois or Nirsoft's Windows tools IPNetInfo and WhoIsThisDomain are also very good). The IP may not belong directly to the company, but at least you will find out more about what ISP they are using. If the IP is owned by the company, you will hopefully find useful names and phone numbers in the contact information that will allow for further Google scrounging. Check out my article "What can you find out from an IP?" for more information on what you can do once you know an IP. Once you have their IP, you can use it to search your own website's logs to see if they have visited your site, and depending on your logging software you can find out what web browsers, operating systems and maybe even the screen resolution they are using. The IP in E-mail 2 starts with "172.16", which is a non-routable reserved IP. This tells me that E-mail 2's LAN is most likely behind a NAT box of some kind. From the host name in E-mail 2 I can tell what sort of naming conventions they use for their workstations. Another useful thing to try is a basic Google search for the IP or hostname listed. If you are lucky this may return public logs of sites that the workstation has visited. The text highlighted in blue tells me what mail client they are using, including the OS and exact version.
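The header reading described above (the Received: hops, private versus routable origin IPs, the X-Mailer client line and the relaying mail server) as an added Python example; this is not code from the original article, the header block it parses is constructed, and the hostnames, addresses and IPs in it are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample in the style of the two e-mails discussed above (not the
# article's own headers); companyxyz.example and the addresses are placeholders.
SAMPLE_HEADERS = """\
Received: from mail.companyxyz.example (mail.companyxyz.example [203.0.113.25])
\tby mx.recipient.example with ESMTP id abc123
\tfor <applicant@recipient.example>; Mon, 1 Jan 2007 10:00:00 -0500
Received: from WKSTN-HR-07 ([172.16.4.23])
\tby mail.companyxyz.example (Microsoft Exchange) with ESMTP
From: "Jane Doe" <jdoe@companyxyz.example>
X-Mailer: Microsoft Office Outlook 11
"""

# RFC 1918 ranges: a hop from one of these (the "172.16" case above) means the
# sender's LAN is behind NAT, so a whois on that address tells you nothing.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ip):
    if ip is None:
        return "no IP literal"
    return "private (RFC 1918)" if any(ip_address(ip) in n for n in RFC1918) else "routable"

def parse_received_hops(raw):
    """One dict per Received: header, in header order (last = closest to sender)."""
    hops = []
    for rcv in message_from_string(raw).get_all("Received", []):
        rcv = re.sub(r"\s+", " ", rcv).strip()  # unfold continuation lines
        frm = re.search(r"\bfrom (\S+)(?: \(([^)]*)\))?", rcv)
        by = re.search(r"\bby (\S+)(?: \(([^)]*)\))?", rcv)
        if not frm:
            continue
        ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", frm.group(2) or "")
        ip = ips[-1] if ips else None
        hops.append({"host": frm.group(1),  # reveals workstation naming convention
                     "ip": ip, "kind": classify(ip),
                     "by": by.group(1) if by else None,
                     "server": by.group(2) if by else None})  # e.g. mail server software
    return hops

def summarize(raw):
    """Pull out the contact name, mail client and relay chain the article looks for."""
    msg = message_from_string(raw)
    return {"sender_name": parseaddr(msg.get("From", ""))[0],
            "mailer": msg.get("X-Mailer"),  # client, with OS/version hints
            "hops": parse_received_hops(raw)}
```

Run `summarize(SAMPLE_HEADERS)` on a real message's raw source to get the same summary; the last hop is the one worth a whois only when its kind is "routable".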
The green text gives me what type of mail server they have. Even if there's not much information in the headers, it should still give you a starting point for some Google scrounging.

Google scrounging web sites/forums/Usenet posts

Many companies leave information about themselves all over the public Internet. Johnny Long wrote a great primer on using Google to recover obscure information called "The Google Hacker's Guide" which is available at the following URL: http://johnny.ihackstuff.com/downloads/task,doc_download/gid,19/ Johnny's book "Google Hacking for Penetration Testers" is also very good, but the primer above should be enough to get you started. One of the most useful Google operators is "site:", which lets you specify the domain you want to search. For example, if I wanted to find mentions of a company on a certain site I could use the search: CompanyXYZ site:example.com and it would return all of the pages Google knows about ending with the domain name "example.com" and containing "CompanyXYZ" in the content/title/meta tags. I've also had great luck doing a Google search with my soon-to-be-interviewer's name and their city of residence. Using this method I've found the interviewer's blog or social network profile before, and using the information from those resources I've found more pages with useful information about the company. For example, searching for a person's name may take you to a site where they have used a certain screen name or email address, and searching for that screen name or email address may lead you to a forum, blog or Usenet post that the person has made that reveals more information about them or their company. Another useful search to perform is: "companyxyz.com" -site:companyxyz.com Notice the minus symbol before the "site:" parameter. This query will return pages that contain the text companyxyz.com but do not reside on a server in the companyxyz.com domain, thus filtering out a lot of noise.

I've used this technique before to look for company e-mail addresses, found a post on a car forum by a former employee, did a search for the former employee's screen name and then found his current email address so I could ask him about his old company. It's all about taking one piece of info and building on it till you have gobs of information. I wish I could give better examples of Google hacking without dropping someone's docs (geek slang for revealing personal information). I've thought of doing a video on it, but I can't think of a good way of doing it without opening myself up to liability. Suffice it to say, reading Johnny Long's "The Google Hacker's Guide" should get you thinking in the right direction.

Surfing the company's site

Just surfing a company's website will give you tons of information. By looking at the URLs of their pages you can quickly tell if they use PHP, Active Server Pages, J2EE, ColdFusion or some other dynamic web site language. If you want more passive information about a company's web environment, looking at the headers their site returns will give you a wealth of information. Most of you should know how to do a banner grab with telnet, but a better and more passive way is to use the LiveHTTPHeaders Firefox plug-in from: http://livehttpheaders.mozdev.org/ With LiveHTTPHeaders you can quickly look at the headers HTTP requests return, like the following example I pulled from Irongeek.com:

From this example you can see my hosting server is running Apache 1.3.37, what version of PHP I use and what versions of various Apache mods are being used. It should be noted that many folks use NetCraft to find out this sort of information.

Social Networking Sites

I have to admit to being a MySpace hater (I much prefer FaceBook), but both social network sites can be useful to job searchers because their search functions will let you find other folks that already work at your target company. Reading someone's profile or blog entry may tell you about some of the tech in the company, but more than anything it's useful for finding more useful terms to use for Google scrounging. If nothing else it gives you a chance to ask a company insider about the work environment so you can decide if you want to work there or not. Just be careful how you talk to people so you don't come off as a creepy stalker (as opposed to a sweet and lovable stalker). If you have found your interviewer's personal site or profile it might have helpful information that lets you set up a good rapport with them during the interview, but try not to come off as creepy. Another social network site that's especially made for career advancement and networking is LinkedIn: Feel free to add me if you can find me :). Since people often post their resume and job experience on LinkedIn it's a great source of information about a company's IT environment. If you want to know about a company's "corporate culture" it's best to ask a former employee that no longer has a vested interest in the company. While I'm on the topic of Social Networking Sites, there are other "Web 2.0" sites that may yield useful information. Going to each one individually takes a lot of time, but there is a way to get many of them in one swipe: Rapleaf.com. Rapleaf bills itself as an "email-based reputation lookup" service. After submitting a person's email address Rapleaf will return what information it has about the person.

If the email address has never been queried before Rapleaf will ask you to log in (registration is free) and will then scour the Internet looking for accounts linked to that email address. You will get an email when the report is ready. I did a search for one of my old email addresses and Rapleaf returned links to my Facebook, Friendster and MySpace profiles, along with links to my Flickr and Amazon Wishlist. Creepy. Also, by signing up with Rapleaf you can filter what people see when they search for your email address, but keep in mind this only protects you from people using Rapleaf, not folks Google stalking you by hand. (Note: Since I first published this Rapleaf has become far less useful; check out some of the other links I recommend at the end of this article.)

Conclusion

I hope this article has helped you think in new ways about researching prospective employers. As Tehbizz points out in the BinRev thread, you may want to be careful how much knowledge you reveal you have about a company's internal workings to an interviewer; it may make them paranoid about your intentions. Also, while I've focused on how to cyberstalk potential employers, potential employers can cyberstalk you in much the same way using these techniques. Those drunken pics of you on MySpace no longer seem like such a good idea, do they? I plan to expand this article over time, so if you have any good ideas email me or post them in the BinRev thread: http://www.binrev.com/forums/index.php?showtopic=31087 I'm especially interested in stories about how you have researched employers. Good luck with your job search.

Useful links

Since Rapleaf is no longer as useful as it once was, check out these alternatives:

Tools

Maltego: Great GUI for connecting the dots of how people and organizations are related.
Metagoofil: Useful for searching a company's website and extracting metadata from the files there that can lead you to more information about who works there and how they set up their internal LAN.

Further Research

These links should be useful to you for further research on the subject of how to cyberstalk employers. First there's a video of Mubix's presentation from Dojo Sec on finding a job in information security:

Second there's a video of a class Brian and I did on Footprinting, Scoping and Recon where we go into depth on how to find out more information about people and organizations:

Change Log:
Copyright 2010, IronGeek
Louisville / Kentuckiana Information Security Enthusiast