Introduction
Any operator knows that prior to any penetration testing activity requires a solid recon phase. The more information you collect about your target, the wider your attack surface becomes and thus, increased chances in a successful infiltration. When your target is a company, you have a wide array of tools to extract information from and pretty much every country has some sort of registry where financials and board information is kept up to date. Sometime, it also include additional information such as incorporation documents, trademark renewals and so one.
In this post, we browse to the France’s registry, i.e. the “Registre du Commerce et des Societes” to extract information from the company and use this information to expand our attack surface. In this post, we used Huawei as an example, only because they are widespread and maintain multiple locations. All information extracted is publicly available and should not be used to conduct fraudulent or illegal activities.
Contents
The Système d’Identification du Répertoire des ÉTablissements (SIRET) Number
The SIRET stands for “système d’identification du répertoire des établissements” which is a unique number given to a physical commercial location (building, store, apartment etc…). The SIRET is 14 digits long. The first 9 digits is the SIREN, i.e. the “Système d’Identification du Répertoire des ENtreprises”, which uniquely identify the company owning the unit. The next four digits are the unit number and the last number is a checksum. The checksum is done using the Luhn algorithm. For example, let’s analyze the SIRET for Huawei Technologies France;
As you can see above, the SIRET for the Huawei Technologies France headquarters is 451 063 739 00119. What this number says is that Huawei Technologies France has been assigned SIREN 451 063 739 and that the headquarters is the 11th building Huawei Technologies France occupied in France. By observing the SIRET of each location, you can see the building numbers goes from 3 to 11, meaning the company had 3 buildings prior that they moved out from.
That being said, we could now purchase the KBIS report and get quite a lot of information about the board of Huawei Technologies France. But since we are cheap bastards, we’ll look somewhere else for this information. After all, CEOs and executive usually want to tell the world about their position. A quick search for “SIRET ‘451 063 739 00119′” on Google will yield three results only, but that’s all we need for now. The first one on verif.com will provide the list of the executives.
In all honesty thought, just searching for “Huawei Technologies France” would have return another website with the same information. However, Infogrette, like every other national registry can be a valuable startign point to retrieve additional details and expand your recce.
And actually, this site is even more generous, as it gives the month and year of birth of every executive in the company:
We can validate this information using the advanced search engine of the Infogreffe web site. There is a functionality included to search companies using names of executives including their birth information. For example, let’s make sure Mr. Wang is still on the board of the company. From the front page, click on “Recherche Avancée” (Advanced Search) and then select the second tab: “Recherche par Dirigeant” (Search by Director). Type the name using the “Lastname, Firstname” format and the birth year of the person. Then click the “Rechercher” (Search) button;
Once the results appear, we can see that Mr. Wang is still registered as being the director general of the company. Since any change must be registered to the tribunals, we can be confident that this information is valid.
Conclusion (So What?)
So what you may ask. What can I do with this. We found out the following about Huawei Technologies France:
- SIREN (ID)
- Physical locations in France
- The name of the president and birth information
- Names and birth information of most executives
- Financial data of the company
You have now 7 addresses you can physically recon, i.e. see if you can dumpster dive, gather information about physical security (HID cards, fences, cameras etc…) or people working at these locations, which can then lead to additional recce on individual targets. Recceing the individuals found will likely lead to information about their relations, employment and responsibilities, possibly even to email addresses.
This simple guide was meant to provide a quick and dirty “howto” guide to one of the many, many tools available online to conducting research on companies or individuals for any law enforcement purposes. The Infogreffe is a drop in the ocean to locate business information for a very specific region. In the upcoming weeks and months, we will develop on other tools for other regions, as well as techniques you can use to track down targets. Don’t forget that the most important part of the operation is the information gathering phase. The more you know about your target, the easier the later phases will become. Keep in mind that other countries also keep similar registries, although the quality of their website may differ greatly.
References:
[1] Conseil national des greffiers des Tribunaux de commerce. “Registre du commerce et des sociétés.” Infogreffe – Greffe du tribunal de commerce. https://www.infogreffe.fr/ (accessed September 3, 2013).