Black Hat: A security trio has brewed a toolset to help attackers find sensitive open source intelligence on human targets.
Shubham Mittal of NotSoSecure, Nutan Kumar Panda of eBay, and Sudhanshu Chauhan of Octogence released their Datasploit toolset to help social engineers find phone numbers, email addresses, and account information of human targets.
The tool, demonstrated at Black Hat Arsenal, will also locate any API keys, old unpatched subdomains, and possible logins for domains a target holds.
It is a powerful asset for penetration testers and criminals alike, serving to help wade through the oceans of information most users deliberately and inadvertently post online.
"Datasploit is an automated tool customised for pen-testers' needs which automatically performs correlation," Mittal says.
Users need only input basic information on a target such as their name, domain, or email address for the mining to begin.
Noise is removed from the results before the pieces of information are correlated and stored, so that the correlations can be viewed through a user interface.
"We have used them previously during different offensive as well as defensive engagements and found them helpful," the hackers say.
The team is working on new features including geo-location and a cleaner user interface, and integration with popular hacker tools Maltego and Burp Suite.
Datasploit is written in Python and is built on MongoDB, Django, Celery and RabbitMQ.
One Australian hacker recently showed The Register how he used one random home address to fully identify a US man, his family, income, and family business, finding vulnerabilities in the web site of the latter that could completely compromise and wreck the company. ®