Whilst teaching my recent OSI course we had spent a good deal of time mapping the online infrastructure of a company using Maltego. The footprinting ‘machines’ are really superb and if you haven’t played with the tool go get it now!
Later in the day we were extracting company employee data from resources such as Data.com and LinkedIn and one of the students tried mapping the data with the Import option in Maltego. He had mapped employee name to office location and the map provided an immediate view of the approximate physical infrastructure with larger numbers of employees naturally oriented to HQ’s and small numbers to sub-offices. It was interesting to see. We did some standard research and the ‘map’ had been correct in ID’ing the primary HQ and sub offices.
Of course, the output is only as good as the data but this is where a tool called Jigsaw comes in (http://www.pentestgeek.com/tools/). Jigsaw was a business style social network where, if you uploaded your Contacts database you had access to the huge online repository. It became so good, especially in the US that it was bought by SalesForce and re-branded Data.com. The Jigsaw tool was incredibly good as you could extract vast amounts of information from the Jigsaw database on company employees so the data was obfuscated by SalesForce to make it fairly useless to the researcher. However, it still provides a partial name, job role, office location and other useful data if we are purely looking for sets of information.
The Jigsaw tool is no longer available to the public by can be found on Kali (www.kali.org). I won’t talk you through running it, its pretty self-explanatory but you start with simply running a search on the company of choice.
jigsaw -s BankofAmerica
Searching for Bank of America provided over 9000 employee records which I duly downloaded to a csv file. Next, do a ‘data’ import into Excel, comma delimited, and save as an xls file.
Next use the import tool in Maltego and map the Employee field to a Person entity, Department to the Shop entity and the City to the Location entity. When I tried to import the entire 9000 records, Maltego tried to generate over 28000 nodes and edges and simply fell over, however I re-imported selecting every 3rd record which worked fine.
During the import process you are asked to map columns to eachother. Map Person to Location and Person to Shop.
Once imported select the bubble view and interactive organic mode. This will have the effect of clustering related data together. What is interesting is that employees are naturally ‘drawn’ to their City and departments primarily located in those Cities are also attracted.
We can straight away see the largest Yellow node (Location) bang in the middle of the cluster map is Charlotte, essentially most employees in the database say they work there.
A quick check online shows that Charlotte is indeed the BoA HQ. The next ones are New York and the surprising locations of San Francisco, Miami, Plano and Wilmington. This helps us to ID at a glance the primary locations.
Next, the grey nodes are Departments. Again the map shows that most work, unsurprisingly in Finance and Administration followed by IT & IS, Support Marketing and Operations. This can really help us to visually map out the organisation, giving us an idea of the comparative sizes of departments.
I am going to do a little more work on clustering Department to Location to help us know where primary departments are located. Im not suggesting that this leaks anything particularly bad or dangerous but is an interesting view for a social engineering attack to begin. It could be that a company hides (or at least doesn’t actively publish) its Research department locations but this approach could identify it.
OK, I’ve spent another hour playing around and there is some interesting data you can get from this view. I mapped purely Location to Department and it was immediately apparent that I could quickly see where departments were and more importantly were not.
We can see that IT & IS are in virtually every office, however:-
…we can see that Human Resources departments only appear to be represented in about 8 primary locations. This would be vital information for a social engineer who could make a simple error by saying in a Phishing phone call that they were in HR in Atlanta, but its possible that there is no (or at least not large) HR department in Atlanta.
Interesting stuff, have a play and let me know your findings.