Dumpster diving is a method of obtaining information about a company just by examining their trash.This technique was very popular especially back in the 90’s where many old school hackers like Kevin Mitnick had managed to hack major companies just by discovering critical information through their garbage.This proves that companies and organizations must take into their consideration how they manage and destroy their trash in order to mitigate this threat.
In nowadays dumpster diving can be a part of physical penetration test.The information that the penetration tester should collect will help him to construct his attack scenario.In this article we will examine what a penetration tester should look for when he is performing a dumpster diving for his engagement.
Documents that contain information about employee’s names,departments etc are very important as they can be used during the physical penetration test as information which is valid.Knowing already information from inside will allow you to establish more easily the trust as you will appear as someone valid.
Obviously you can find corporate emails and from other sources like Linkedin,official website etc. but also papers containing some email address is always a good finding as you will be able to discover internal information and also the structure of the emails accounts inside the company.
Diagrams about the internal network of the company can also be found in the trash.Network diagrams in many cases contain IP addresses,server names,network ranges and IP’s of routers which can allow the penetration tester to have a better understanding about network and which assets are important.
These kind of papers can help penetration testers to create forgeries of the documents.This is essential for any social engineering engagement as you can cheat the employees to perform the action that you want.
Invoices unveil information about the company’s clients and partners.This can prove very handy as the penetration tester can use this information in order to masquerade himself as an employee of the company that the target is doing business which in this scenario will give him an easy access to the target premises.
Usernames And Passwords
It is quite common for many company employees to keep their usernames and passwords in sticky notes.This piece of information can be often found in the garbage as administrators are enforcing passwords to be change every 2 or 3 months.Such a discovery will unveil how usernames and passwords are constructed and with a bit of luck some of them can be valid.
USB sticks,CD and DVD disks even hard drives can be found in the garbage.These can be collected and analyzed later off-site.Usually nobody would bother to delete the data from a USB stick or to destroy properly a DVD disk before he throws it to the trash so such a discovery means wealth amount of corporate information.
Handbooks,Manuals And Operating Procedures
Manuals and handbooks are often found in company’s trash.This is because these documents are get updated often and the older versions are no longer needed.Usually in these documents there is plenty of information regarding internal processes and systems which can have their own role in the engagement.
Papers that contain signatures especially from authorized people like CEO’s,Head of departments and Account Managers are also important as the signature can be easily copied and used in a variety of scenarios as a valid authorization document.
Even though that many companies are using shredder machines in order to destroy their documents effectively this in some occasions doesn’t seem enough.This is because some shredders doesn’t mix their blades when they are destroying the paper so the paper is shredded into strips.If you discover a piece of papers in strips then you can try to reconstruct the paper on your own or to use a software solution like the Unshredder.