Offensive OSINT

Post on 05-Dec-2014


Offensive OSINT - Presented at OSIRA Summit in London 2014. Overview of OSINT process, and how attackers are using it to prepare their cyber attacks.


OFFENSIVE OSINT CHRISTIAN MARTORELLA

OSIRA SUMMIT 2014

LONDON, UK

About me

Christian Martorella:

– I work at Skype (MS), Product Security team

– Founder of Edge-security.com

– Developed open source projects like theHarvester, Metagoofil, Wfuzz and Webslayer

– Presented at many security conferences (Blackhat Arsenal, Hack.lu, WhatTheHack, OWASP, Source)

– Over 12 years focusing on offensive security

Disclaimer

Any views or opinions presented in this presentation are solely those of the author and do not necessarily represent those of the employer

OSINT - Intro

Open-source intelligence (OSINT) is intelligence collected from publicly available sources.

• "Open" refers to overt, publicly available sources (as opposed to covert or clandestine sources)

• It is not related to open-source software or public intelligence.

OSINT

What is Threat Intelligence / Cyber Intelligence?

OSINT PROCESS

Source Identification

Data Harvesting

Data Processing and Integration

Data Analysis

Results Delivery

Offensive OSINT

Offensive vs. Defensive OSINT

From the security perspective we can separate OSINT into:

Offensive: gathering information before an attack.

Defensive: learning about attacks against the company.

Offensive OSINT

• Finding as much information as possible that will facilitate the attack

• Even now, many penetration testing companies skip this phase

• Attackers usually spend more time than testers on this phase

Typical Pentesting Methodology

Information Gathering (I.G.) → Scan → Enumerate → Exploit → Post-Exploit → Cover Tracks → Write report

What everyone focuses on:

I.G. → Scan → Enumerate → Exploit → Post-Exploit → Cover Tracks → Write report

Attacker Methodology

Discover what makes the company money

Discover what is valuable to the attacker

Do whatever it takes... Steal it

Information Gathering

Data Harvesting

Data Harvesting, A.K.A.:

• Information Gathering: the act of collecting information

• Footprinting: the technique of gathering information about computer systems and the entities they belong to

• Web mining: the act of collecting information from the web

Data Harvesting – How?

Techniques:

• Scraping (raw)
• Open APIs
• Commercial APIs
• Network scanning
• Purchasing data
• Open source data sets
• Databases
• Logfiles

Data Harvesting - Passive vs Active

• Passive data harvesting: our actions can't be detected by the target (non-attribution)

• Active data harvesting: our actions leave traces that can be detected by the target

Offensive OSINT targets

Offensive OSINT – end goals

• Phishing
• Social engineering
• Denial of service
• Password brute force attacks
• Target infiltration

What data is interesting?

• Emails
• Users / employee names
• Interests
• People relationships
• Aliases

Emails

• PGP servers
• Search engines
• Whois

Employees / Usernames / Aliases

linkedin.com, jigsaw.com, people123.com, pipl.com, peekyou.com, Google Finance, etc.

Glassdoor.com, Hoovers.com, Corpwatch.org, intelius.com

Username checks

usernamecheck.com, checkusernames.com

Social Media  

• Employees of a company
• Profile picture
• Specialties
• Role
• Country
• Emails

Linkedin  

Simon Longbottom
Simon.Longbottom@amazon.com
Product definition, proposition research, pricing, product marketing, product promotion, market research, new product introduction
pictureUrl: 'http://m.c.lnkd.licdn.com/mpr/mprz/'

Linkedin  

Google+  

GRAPH SEARCH: "People who work at Amazon.com", "People who work at Amazon.com and live in Seattle, Washington"

Google query: site:twitter.com intitle:"on Twitter" "Google"

Results (Twitter accounts found for Google): @google, @googlenexus, @GoogleDoodles, @googlewmc, @googleindia, @GoogleChat, @googleaccess, @googleglass, @googlenonprofit, @googlewallet, @googlereader, @googlefiber, @googleio, @googledevs, @GoogleMsia, @googlejobs, @googleapps, @GooglePlay, @GoogleAtWork, @FaktaGoogle, @googlemobileads, @googlepolitics, @ericschmidt, @GoogleMobile, @googledownunder, @AdSense, @googlecalendar, @googlenews, @GoogleB2BTeam, @JustinCutroni
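The dork above and the sources listed under Emails (search engines, scraping) come down to the same passive step: build a query, fetch the results page, and pull e-mail addresses, hostnames and account handles out of it. The following is an added example, not code from the slides or from theHarvester, that does this offline against a constructed results page for a hypothetical target (Example Corp / example.com); the domain, the company name and the page contents are all assumptions made for the example:

```python
"""Passive harvesting of e-mail addresses, hostnames and Twitter handles from a
search-engine results page. Added example: the target domain, company and the
results page below are constructed; nothing here is fetched from the network."""
import re
from html import unescape

TARGET_COMPANY = "Example Corp"   # hypothetical target
TARGET_DOMAIN = "example.com"

# Constructed stand-in for the HTML a search engine would return for the dorks below.
SAMPLE_RESULTS_HTML = """
<div class="r"><a href="https://www.example.com/about/team">Our team | Example Corp</a>
<span>Contact Jane Doe at jane.doe@example.com or j.doe [at] example [dot] com</span></div>
<div class="r"><a href="https://twitter.com/exampleit">Example IT (@exampleit) on Twitter</a>
<span>IT operations for Example Corp. Mail: itops&#64;mail.example.com</span></div>
<div class="r"><a href="https://vpn.example.com/dana-na/">Secure Access</a>
<span>Partner portal hosted at partners.example.com. press@example.org is not ours.</span></div>
<a href="https://twitter.com/search?q=example">Search Twitter</a>
"""

def build_dorks(company, domain):
    """Queries in the style of the slide's site:/intitle: dork, one per data type."""
    return {
        "twitter_accounts": f'site:twitter.com intitle:"on Twitter" "{company}"',
        "emails": f'"@{domain}" -site:{domain}',
        "documents": f"site:{domain} filetype:pdf OR filetype:docx OR filetype:xlsx",
    }

def normalise(html):
    """Decode HTML entities and undo the '[at]' / '[dot]' obfuscation used against scrapers."""
    text = unescape(html)
    text = re.sub(r"\s*\[\s*at\s*\]\s*", "@", text, flags=re.I)
    text = re.sub(r"\s*\[\s*dot\s*\]\s*", ".", text, flags=re.I)
    return text

def extract_emails(html, domain):
    """Addresses on the target domain or its subdomains, lower-cased and de-duplicated;
    third-party addresses on the same page (press@example.org) are dropped."""
    pattern = rf"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)*{re.escape(domain)}\b"
    return sorted({m.lower() for m in re.findall(pattern, normalise(html))})

def extract_hostnames(html, domain):
    """Hostnames under the target domain, wherever they appear (links, snippets, mail domains)."""
    pattern = rf"\b((?:[A-Za-z0-9-]+\.)+{re.escape(domain)})\b"
    return sorted({m.lower() for m in re.findall(pattern, normalise(html))})

# twitter.com paths that are not user profiles and must not be reported as handles
NON_PROFILE_PATHS = {"search", "share", "intent", "hashtag", "home", "i", "login"}

def extract_twitter_handles(html):
    """Handles from twitter.com profile links (1-15 chars of [A-Za-z0-9_])."""
    found = re.findall(r"https?://(?:www\.)?twitter\.com/([A-Za-z0-9_]{1,15})(?![A-Za-z0-9_])", html)
    return sorted({"@" + h for h in found if h.lower() not in NON_PROFILE_PATHS})

def harvest(html, company, domain):
    """Everything one passive pass over a results page yields for the target."""
    return {
        "dorks": build_dorks(company, domain),
        "emails": extract_emails(html, domain),
        "hosts": extract_hostnames(html, domain),
        "twitter": extract_twitter_handles(html),
    }

if __name__ == "__main__":
    for key, value in harvest(SAMPLE_RESULTS_HTML, TARGET_COMPANY, TARGET_DOMAIN).items():
        print(f"{key}: {value}")
```

The target-domain filter is what keeps third-party addresses on the same page (press@example.org) out of the results, and the non-profile path list keeps twitter.com/search from being reported as an account. Against a live search engine the same functions run over the fetched HTML; only the page source changes.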

Domain  name  

Geo-location

• People location
• Servers location
• Wireless AP location

Geo-location

Social media posts, Foursquare, Pictures, Twitter, Facebook

Twitter - Creepy

Images

Reverse image search
Face identification
EXIF metadata analysis: profile pictures, attachments

Images

• Picture from a "Novartis" search on TweepSearch

INFRASTRUCTURE

IP, Hostnames, Services, Networks, Geo-location, Software version, CDN, Multitenant hosting

Infrastructure

Internet Census project, Whois, ServerSniff, Job sites, Search engines, ShodanHQ

Infrastructure    

• Once we have identified the infrastructure components, what can we do?

ShodanHQ

Bug databases

INDICATORS OF COMPROMISE (IOC)

IP addresses, Domains, URLs, Hashes, Stolen passwords

IOC

Collective Intelligence Framework sources (70), Abuse.ch, Shadowserver.org, Nothink.org, VirusTotal.com, Malwr, Seculert
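Feeds such as the ones above publish indicators in different shapes (upper and lower case, de-fanged hxxp:// and [.] forms, comment lines), so before they can be cross-referenced each indicator has to be typed and normalised. The following is an added example, not code from the slides or from the Collective Intelligence Framework; the feed contents are constructed (RFC 5737 test addresses, example domains) and the three feed names are made up:

```python
"""Normalising and cross-referencing indicators of compromise (IOCs) pulled from
several feeds. Added example: the feed contents are constructed (RFC 5737 test
addresses, reserved example domains), not taken from any real source."""
import ipaddress
import re

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed feed snapshots, one list of lines per (made-up) source.
FEEDS = {
    "feed_a": [
        "# malware C2 list (constructed)",
        "198.51.100.23",
        "hxxp://bad.example[.]net/login.php",
        "bad.example[.]net",
    ],
    "feed_b": [
        "BAD.EXAMPLE.NET",
        "198.51.100.23",
        "D41D8CD98F00B204E9800998ECF8427E",
    ],
    "feed_c": [
        "203.0.113.77",
        "not an indicator",
        "hxxps://bad.example(.)net/login.php",
    ],
}

def refang(indicator):
    """Undo the de-fanging feeds apply so indicators are not clickable: hxxp, [.], (.), {.}."""
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator.strip())
    return re.sub(r"^hxxp", "http", s, flags=re.I)

def classify(raw):
    """Return (type, normalised value); type is md5/sha1/sha256/ipv4/ipv6/url/domain/unknown."""
    s = refang(raw).lower()
    if re.fullmatch(r"[0-9a-f]+", s) and len(s) in HASH_TYPES:
        return HASH_TYPES[len(s)], s
    try:
        ip = ipaddress.ip_address(s)
        return f"ipv{ip.version}", str(ip)
    except ValueError:
        pass
    if "://" in s or "/" in s:
        return "url", s
    if DOMAIN_RE.match(s):
        return "domain", s
    return "unknown", s

def aggregate(feeds):
    """Map each (type, value) to the sorted list of sources reporting it; comments and junk are skipped."""
    seen = {}
    for source, lines in feeds.items():
        for line in lines:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            typ, value = classify(line)
            if typ == "unknown":
                continue
            seen.setdefault((typ, value), set()).add(source)
    return {key: sorted(sources) for key, sources in seen.items()}

def corroborated(aggregated, min_sources=2):
    """Indicators independently reported by at least min_sources feeds."""
    return sorted(key for key, sources in aggregated.items() if len(sources) >= min_sources)

if __name__ == "__main__":
    agg = aggregate(FEEDS)
    for key, sources in sorted(agg.items()):
        print(key, sources)
    print("corroborated:", corroborated(agg))
```

Indicators seen in two independent feeds (`corroborated`) are the ones worth alerting on or pushing to a block list first; a single-source indicator stays at lower confidence until something else confirms it.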

DATA LEAKS

Pastebin.com, @pastebindorks, Pastebin clones

Infrastructure

• DNS
  o Bruteforce
  o Zone transfer
• SMTP
  o Header analysis
  o VRFY, EXPN
• Web sites
  o Hidden files / directories bruteforce
• Network scanning
• Metadata
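VRFY and EXPN are the clearest case of active harvesting: every probe is a line in the mail server's log, and the reply codes tell the attacker whether an account or list exists. The following added example (not from the slides) plays both sides of the exchange against an in-process stand-in for the MTA; mail.example.com, the user names and the list name are made up, and the stand-in's replies only imitate the 250/550 and 252/502 behaviour described here, not any particular mail server:

```python
"""Active harvesting through SMTP VRFY/EXPN: the client walks a candidate list and
the server's 250/550 replies confirm or deny each account. Added example; the MTA
is an in-process stand-in (mail.example.com, users and lists are made up), so the
exchange can be seen end to end without touching a real server."""

class SimulatedMta:
    """Replies like a mail server. leak=True imitates an MTA that answers VRFY/EXPN
    honestly; leak=False imitates the hardened behaviour (252 / 502)."""

    def __init__(self, users, lists, leak=True):
        self.users, self.lists, self.leak = set(users), dict(lists), leak

    def banner(self):
        return "220 mail.example.com ESMTP"

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.com"
        if verb == "VRFY":
            if not self.leak:
                return "252 2.1.5 Cannot VRFY user, but will accept message"
            if arg in self.users:
                return f"250 2.1.5 {arg} <{arg}@example.com>"
            return f"550 5.1.1 {arg}... User unknown"
        if verb == "EXPN":
            if not self.leak:
                return "502 5.5.1 EXPN not available"
            members = self.lists.get(arg)
            if not members:
                return f"550 5.1.1 {arg}... User unknown"
            head = [f"250-{m}" for m in members[:-1]]          # multi-line reply: 250-... then 250 ...
            return "\r\n".join(head + [f"250 {members[-1]}"])
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"

def open_session(mta, transcript):
    """Return a send() closure that logs both directions of the dialogue into transcript."""
    transcript.append("S: " + mta.banner())

    def send(command):
        transcript.append("C: " + command)
        reply = mta.handle(command)
        transcript.extend("S: " + line for line in reply.split("\r\n"))
        return reply

    send("EHLO scanner.invalid")
    return send

def vrfy_enumerate(send, candidates):
    """Names the server confirms; None if it refuses to disclose (252 on a query)."""
    found = []
    for name in candidates:
        code = send(f"VRFY {name}")[:3]
        if code == "252":
            return None
        if code == "250":
            found.append(name)
    return found

def expn_list(send, listname):
    """Addresses a mailing list expands to; [] if the list is unknown, None if EXPN is disabled."""
    reply = send(f"EXPN {listname}")
    if reply.startswith("502"):
        return None
    if not reply.startswith("250"):
        return []
    return [line[4:] for line in reply.split("\r\n")]   # strip "250-" / "250 "

def enumerate_accounts(mta, candidates, lists):
    """Run the whole exchange; returns (users, {list: members}, transcript)."""
    transcript = []
    send = open_session(mta, transcript)
    users = vrfy_enumerate(send, candidates)
    members = {name: expn_list(send, name) for name in lists}
    send("QUIT")
    return users, members, transcript

if __name__ == "__main__":
    leaky = SimulatedMta({"jdoe", "admin"}, {"it": ["jdoe@example.com", "admin@example.com"]})
    users, members, transcript = enumerate_accounts(leaky, ["root", "jdoe", "admin", "backup"], ["it", "sales"])
    print("\n".join(transcript))
    print("users:", users, "lists:", members)
```

In the leaky configuration the transcript shows a 550 for every unknown name and a 250 for every real one, which is exactly the signal an attacker wants before a password brute force or phishing run. The hardened server answers 252 to every VRFY and 502 to EXPN, so `vrfy_enumerate` returns None rather than a list; on Postfix this corresponds to `disable_vrfy_command = yes`, and the burst of VRFY lines in the mail log is what a defender would look for.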

Metadata

• Office documents
• OpenOffice documents
• PDF documents
• Images (EXIF metadata)
• Others

Metadata is data about data. It is used to facilitate the understanding, use and management of data.

Cat Schwartz - Tech TV

Washington Post: botmaster location exposed by the Washington Post

Photo metadata:

SLUG: mag/hacker
DATE: 12/19/2005
PHOTOGRAPHER: Sarah L. Voisin/TWP
id#:
LOCATION: Roland, OK
CAPTION:
PICTURED:
Canon / Canon EOS 20D
Adobe Photoshop CS2 Macintosh
2006:02:16 15:44:49
Sarah L. Voisin

There are only 1,500 males in Roland, Oklahoma
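Both the geo-location slide (EXIF data in profile pictures and attachments) and the Washington Post case above rest on the same thing: the tags a camera and editing software write into the image file. The following is an added example, not Metagoofil's or any library's code: it builds a minimal JPEG carrying an EXIF block whose Make, Model, Software, DateTime and Artist values are the ones quoted on the slide, parses it back from the raw bytes, and also decodes a GPS sub-IFD. The GPS coordinates are made up for the example (the original photo's location came from its caption fields, not from GPS tags), and the whole file is constructed in code:

```python
"""Reading the EXIF tags behind the Washington Post example (camera model, editing
software, timestamp, photographer) plus GPS coordinates, straight from JPEG bytes.
Added example: build_sample_jpeg() constructs a minimal JPEG whose tag values are
taken from the slide, while the GPS coordinates are made up to show the
geo-location case; this is not Metagoofil's or any library's code."""
import struct

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
        0x0132: "DateTime", 0x013B: "Artist", 0x8825: "GPSInfo"}
GPS_TAGS = {1: "GPSLatitudeRef", 2: "GPSLatitude", 3: "GPSLongitudeRef", 4: "GPSLongitude"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED

def _encode_ifd(entries, data_offset, e):
    """entries: (tag, type, count, payload). Payloads over 4 bytes are placed at data_offset onwards."""
    body, data = b"", b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            field = payload.ljust(4, b"\x00")
        else:
            field = struct.pack(e + "I", data_offset + len(data))
            data += payload
        body += struct.pack(e + "HHI", tag, typ, count) + field
    return struct.pack(e + "H", len(entries)) + body + struct.pack(e + "I", 0), data

def build_sample_jpeg():
    """SOI + APP1/Exif (IFD0 with a GPS sub-IFD) + EOI; no image data is needed for the metadata."""
    e = ">"                                  # "MM": big-endian TIFF
    ascii_tags = [(0x010F, b"Canon\x00"), (0x0110, b"Canon EOS 20D\x00"),
                  (0x0131, b"Adobe Photoshop CS2 Macintosh\x00"),
                  (0x0132, b"2006:02:16 15:44:49\x00"), (0x013B, b"Sarah L. Voisin\x00")]
    gps_offset = 8 + 2 + 12 * (len(ascii_tags) + 1) + 4      # IFD0 sits at 8, GPS IFD right after it
    ifd0 = [(tag, 2, len(v), v) for tag, v in ascii_tags] + [(0x8825, 4, 1, struct.pack(e + "I", gps_offset))]
    dms = lambda d, m, s: struct.pack(e + "IIIIII", d, 1, m, 1, s, 1)   # three RATIONALs (num/den)
    gps = [(1, 2, 2, b"N\x00"), (2, 5, 3, dms(35, 25, 12)),             # made-up coordinates
           (3, 2, 2, b"W\x00"), (4, 5, 3, dms(94, 31, 12))]
    data_offset = gps_offset + 2 + 12 * len(gps) + 4
    ifd0_bytes, data0 = _encode_ifd(ifd0, data_offset, e)
    gps_bytes, data1 = _encode_ifd(gps, data_offset + len(data0), e)
    tiff = b"MM\x00\x2a" + struct.pack(e + "I", 8) + ifd0_bytes + gps_bytes + data0 + data1
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def find_exif(jpeg):
    """Walk the JPEG marker segments and return the TIFF blob inside APP1/Exif, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None

def read_ifd(tiff, offset, e, names):
    """Decode one IFD into {tag name: value}; ASCII, SHORT, LONG and RATIONAL are interpreted."""
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    out = {}
    for i in range(count):
        ent = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        size = TYPE_SIZE.get(typ, 1) * n
        if size <= 4:
            data = tiff[ent + 8:ent + 8 + size]          # value stored inline
        else:
            start = struct.unpack(e + "I", tiff[ent + 8:ent + 12])[0]
            data = tiff[start:start + size]              # value stored at an offset
        if typ == 2:
            value = data.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            vals = struct.unpack(e + ("H" if typ == 3 else "I") * n, data)
            value = vals[0] if n == 1 else vals
        elif typ == 5:
            raw = struct.unpack(e + "II" * n, data)
            value = tuple(raw[j] / raw[j + 1] if raw[j + 1] else 0.0 for j in range(0, 2 * n, 2))
        else:
            value = data
        out[names.get(tag, hex(tag))] = value
    return out

def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds plus hemisphere letter to signed decimal degrees."""
    d, m, s = dms
    dec = d + m / 60 + s / 3600
    return -dec if ref in ("S", "W") else dec

def parse_exif(jpeg):
    """Tags from IFD0, plus 'gps' as (lat, lon) in decimal degrees when a GPS IFD is present."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return {}
    e = ">" if tiff[:2] == b"MM" else "<"
    meta = read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e, TAGS)
    gps_offset = meta.pop("GPSInfo", None)
    if gps_offset is not None:
        g = read_ifd(tiff, gps_offset, e, GPS_TAGS)
        meta["gps"] = (dms_to_decimal(g["GPSLatitude"], g["GPSLatitudeRef"]),
                       dms_to_decimal(g["GPSLongitude"], g["GPSLongitudeRef"]))
    return meta

if __name__ == "__main__":
    for k, v in parse_exif(build_sample_jpeg()).items():
        print(f"{k}: {v}")
```

The walk over marker segments stops at SOS, where the compressed image data starts, so even a large photo is scanned only through its headers; an image without an APP1/Exif segment yields an empty dict. The same parser applies to the bytes of a profile picture or an e-mail attachment.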

Metagoofil - Results


INFORMATION GATHERING TOOLS

• FOCA
• Spiderfoot
• Tapir
• Creepy
• theHarvester
• Metagoofil

theHarvester

This tool is intended to help penetration testers in the early stages of a penetration test to understand the customer's footprint on the Internet. It is also useful for anyone who wants to know what an attacker can see about their organization, in order to reduce the company's exposure.

- Sources

google, googleCSE, bing, bingapi, pgp, linkedin, people123, jigsaw, twitter, GooglePlus, shodanhq

• Open source software
• Command line
• Extendable

• python theHarvester.py -d lacaixa.es -b googleCSE -l 500 -v -h

- Intelligence

Implement entities, cross-reference entities, image reverse search / profile pictures, geo-location, identify vulnerable services, username search in other services, target prioritization

Challenges

• Source availability (APIs)
• Changes in Terms of Use
• Generating valid intelligence

Questions?

Twitter: @laramies
Email: cmartorellaW@edge-security.com