Social engineering is a broad term applied to an ill-defined list of activities, and many of the techniques that criminals and white hats both use are developed ad hoc. But a new tool called DataSploit aims to pull together many of the reconnaisance activities into one framework that will gather large amounts of data on a target in a single place.
The tool is meant to help researchers and penetration testers gather intelligence on a given person or company, using things such as email addresses, domains, phone numbers, and other identifiers as the starting point. DatSploit automates the process of pulling together this information, which typically is a laborious manual task.
“Sometimes it might even pluck the low hanging fruits for you without even touching the target.”
“Utilizing various Open Source Intelligence (OSINT) tools and techniques that we have found to be effective, DataSploit brings them all into one place, correlates the raw data captured and gives the user, all the relevant information about the domain / email / phone number / person, etc. It allows you to collect relevant information about a target which can expand your attack/defence surface very quickly,” the tool’s documentation says.
“Sometimes it might even pluck the low hanging fruits for you without even touching the target and give you quick wins.”
DataSploit, unveiled at the Black Hat conference earlier this month, is the work of a group of contributors, and is written in Python. It uses MongoDb and Django, and the authors say that it can be used to weed out a lot of the garbage that’s collected during open source intelligence operations.
“Once the data is collected, firstly the noise is removed, after which data is correlated and after multiple iterations it is stored locally in a database which could be easily visualised on the UI provided. The sources that have been integrated are all hand picked and are known to be providing reliable information. We have used them previously during different offensive as well as defensive engagements and found them helpful,” the DataSploit documentation says.
Pen testers, as well as attackers, often conduct the kind of activities that DataSploit automates during the reconnaissance phase of their work. Looking for all of the publicly available information on a target, whether it’s a person, company, or other organization, helps an adversary get a picture of the target’s strengths and weaknesses.