Where This All Started (for me)
• Inspiration: Myspace private picture leak
• Automation grabbed 560,000 images marked as private from 44,000 profiles
• That’s 17GB of pictures!
• I figured there was a bunch I could learn from the metadata... (gps data on those sexy pics?)
Wednesday, March 11, 2009
What I Learned
• Processing 560,000 images is a nightmare
• Those “sexy” images often weren’t so sexy
• Myspace truly is the “Wretched hive of Scum and Villainy”
• Images uploaded to Myspace are converted and sanitized of metadata!
So what is this metadata stuff?
• Found in all sorts of documents!
• Additional data for searches, filing, routing info, and even items for file processing
• Typically not revealed to the user
• Can contain very interesting data!
Word!
$ strings Test_Metadata_Document.doc
This is a test.
Test Metadata Document
What shows up in word metadata?
Larry Pesce
medtadata pauldotcom goolag metagoofil maltego
This is a test of the emergency metadata system! Please return your tray tables and seat backs to thier full and upright position.
Larry Pesce
Microsoft Word 12.0.1
Potential exploit
PaulDotCom Enterprises
Test Metadata Document
Title
Telephone [email protected] Word 97-2004 Document
Doublespeak?
• Office metadata can also reveal revisions
• Even Microsoft can fail
• The Revisionist
Acrobatics!
$ strings "Test Metadata.pdf"
<pdf:Producer>Acrobat Distiller 7.0 (Windows)</pdf:Producer>
<pdf:Keywords>metadata goolag acrobat metagoofil maltego
<photoshop:CaptionWriter>Larry Pesce</photoshop:CaptionWriter>
<xap:CreatorTool>PScript5.dll Version 5.2.2</xap:CreatorTool>
<xap:ModifyDate>2008-04-18T19:35:38-04:00</xap:ModifyDate>
<xap:CreateDate>2008-04-18T19:33:01-04:00</xap:CreateDate>
<xap:MetadataDate>2008-04-18T19:35:38-04:00</xap:MetadataDate>
<rdf:li xml:lang="x-default">Test Metadata Document.doc</rdf:li>
<rdf:li xml:lang="x-default">What info shows up in PDF metadata?</rdf:li>
/Author(Larry)
/Creator(PScript5.dll Version 5.2.2)
A pretty picture
• President Obama’s official photo
• First taken with a digital camera
• First to contain metadata!
• Let’s analyze...
• So, what can we learn? Strings doesn’t cut it!
• What are the possible risks and potential for something interesting?
• So, who would you attack? The BlackBerry or the photographer?
exiftool -a -u -g1 -b obama-officialportrait.jpg
---- ExifTool ----
ExifTool Version Number : 7.23
---- File ----
File Name : obama-officialportrait.jpg
Directory : .
File Size : 785 kB
File Modification Date/Time : 2009:01:15 10:12:02
File Type : JPEG
MIME Type : image/jpeg
Exif Byte Order : Big-endian (Motorola, MM)
---- IFD0 ----
Image Description : Official portrait of President-elect Barack Obama on Jan. 13, 2009...(Photo by Pete Souza)..
Make : Canon
Camera Model Name : Canon EOS 5D Mark II
Software : Adobe Photoshop CS3 Macintosh
Modify Date : 2009:01:13 19:35:18
Artist : Pete Souza
Copyright : © 2008 Pete Souza
---- ExifIFD ----
Date/Time Original : 2009:01:13 17:38:39
Create Date : 2009:01:13 17:38:39
---- Photoshop ----
Photoshop 0x0425 : Ó\¯ıG›%œrè.ë+finºXML Data: (Binary data 6160 bytes, use -b option to extract)
---- ICC-header ----
Profile CMM Type : ADBE
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 1999:06:03 00:00:00
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Even newer...
exiftool -a -u -g1 -b First_Lady_Michelle_Obama_Official_Portrait_2009-red.jpg
---- ExifTool ----
ExifTool Version Number : 7.23
---- File ----
File Name : First_Lady_Michelle_Obama_Official_Portrait_2009-red.jpg
File Size : 57 kB
File Modification Date/Time : 2009:02:28 20:02:03
Exif Byte Order : Big-endian (Motorola, MM)
---- IFD0 ----
Camera Model Name : Canon EOS-1D Mark II
Software : Adobe Photoshop CS3 Windows
Modify Date : 2009:02:27 10:39:12
---- ExifIFD ----
Date/Time Original : 2009:02:18 12:08:02
Create Date : 2009:02:18 12:08:02
---- XMP-xmp ----
Metadata Date : 2009:02:27 10:39:12-05:00
Creator Tool : Adobe Photoshop CS3 Windows
---- XMP-crs ----
Raw File Name : P021809JB-0046.dng
---- XMP-xmpMM ----
History When : 2009:02:24 21:22:09-05:00, 2009:02:24 21:22:09-05:00, 2009:02:24 21:22:54-05:00, 2009:02:24 21:32:51-05:00, 2009:02:27 09:49:50-05:00, 2009:02:27 09:49:50-05:00, 2009:02:27 09:53:47-05:00
History Software Agent : Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh
---- ICC-header ----
Profile CMM Type : ADBE
Profile Version : 2.1.0
Profile Class : Display Device Profile
Primary Platform : Apple Computer Inc.
Too revealing?
• How about the embedded Preview/Thumbnail?
• Cat Schwartz of Tech TV found this out the hard way...
• These photos appeared on her website
• It was noted that they were cropped oddly...
Too revealing?
• Download and dump the EXIF embedded Thumbnails
• Photoshop 7.0 bug that didn’t update thumbnails!
exiftool -b -ThumbnailImage original.jpg > output.jpg
exiftool -a -u -g1 original.jpg
---- IFD0 ----
Software : Adobe Photoshop 7.0
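A pre-publication check for the stale-thumbnail problem above, as an added example (not from the original slides): it reads the EXIF IFD1 thumbnail straight out of a JPEG so you can see whether a cropped image still carries its uncropped preview. The function names and the sample image are constructed for illustration.

```python
import struct

def exif_thumbnail(jpeg):
    """Return the thumbnail stored in EXIF IFD1 of a JPEG, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (size,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + size]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            try:
                return _ifd1_thumbnail(body[6:])
            except struct.error:          # truncated or malformed TIFF block
                return None
        if marker == 0xDA:                # start of scan: metadata is over
            break
        pos += 2 + size
    return None

def _ifd1_thumbnail(tiff):
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        return None
    def read_ifd(off):
        (count,) = struct.unpack_from(order + "H", tiff, off)
        tags = {}
        for i in range(count):
            tag, _type, _n, value = struct.unpack_from(order + "HHII", tiff, off + 2 + 12 * i)
            tags[tag] = value             # valid for LONG tags, which is all we read
        (next_ifd,) = struct.unpack_from(order + "I", tiff, off + 2 + 12 * count)
        return tags, next_ifd
    (ifd0,) = struct.unpack_from(order + "I", tiff, 4)
    _, ifd1 = read_ifd(ifd0)
    if ifd1 == 0:
        return None                       # no IFD1, so no embedded thumbnail
    tags, _ = read_ifd(ifd1)
    start, length = tags.get(0x0201), tags.get(0x0202)  # JPEGInterchangeFormat(+Length)
    if start is None or length is None or start + length > len(tiff):
        return None
    return tiff[start:start + length]

def sample_jpeg(thumb):
    """Constructed JPEG shell: SOI, one Exif APP1 (IFD0 + IFD1 + thumb), EOI."""
    ifd0 = struct.pack(">HHHIHHI", 1, 0x0112, 3, 1, 1, 0, 26)
    ifd1 = struct.pack(">HHHIIHHIII", 2, 0x0201, 4, 1, 56, 0x0202, 4, 1, len(thumb), 0)
    app1 = b"Exif\x00\x00MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + ifd1 + thumb
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Any non-None result means the file still ships a second image; write it out and look at it before the picture goes public.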
Picture this!
$ strings 0x80_cracker_with_laptop.jpg
SLUG: mag/hacker DATE: 12/20/2005 PHOTOGRAPHER: Sarah L. Voisin/TWP id#: LOCATION: Roland, OK
PICTURED:
Canon EOS 20D
Adobe Photoshop CS2 Macintosh
2006:02:16 15:43:01
Speaking of location
• How about GPS info?
• Geotagging photos anyone?
• This is only getting easier!
• Phones, Cameras, Software, Web
• Maybe employee personal information, but...
Adding GPS up
• We now know:
• Person
• Possible platform (windows, OSX, laptop?)
• Location: Home, work and coffee shop...
A few scary examples
• Eliot
• Work, home, homestead
• Tina
• Home, ..
• This is how we can begin to build an attack profile!
Trust?
• We can even make some assumptions
• Other collaborators
• Co-workers
• TRUSTED acquaintances!
How do we know?
• PGP Keysigning information!
• Let’s find out who Roger Dingledine is...
Direct e-mail example
Delivered-To: [email protected]: by 10.65.40.11 with SMTP id s11cs103281qbj; Fri, 5 Sep 2008 06:46:28 -0700 (PDT)
Return-Path: <[email protected]>
Received: from johnnymo.paul.com ([74.14.86.36]) by mx.google.com with ESMTPS id p27sm274252ele.0.2008.09.05.06.46.15 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 05 Sep 2008 06:46:20 -0700 (PDT)
Message-ID: <[email protected]>
Date: Fri, 05 Sep 2008 09:46:09 -0400
From: Paul Asadoorian <[email protected]>
User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707)
Mailing list example
Received: from lists.securityfocus.com (lists.securityfocus.com[205.206.231.19]) by outgoing3.securityfocus.com (Postfix) with QMQP id 6C53A237376; Sun, 14 Sep 2008 16:35:39 -0600 (MDT)
Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C916BA.781F8E05"
user-agent: Thunderbird 2.0.0.16 (Macintosh/20080707)
list-post: <mailto:[email protected]>
list-id: <pen-test.list-id.securityfocus.com>
delivered-to: moderator for [email protected]: contact [email protected]; run by ezmlm
Content-class: urn:content-classes:message
Subject: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]
Date: Sun, 14 Sep 2008 16:19:23 -0400
Message-ID: <[email protected]>
In-Reply-To: <00db01c9169c$53315120$f993f360$@com>
Thread-Topic: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]
Thread-Index: AckWungd3zHVyhdvRauRbYpXN6N07Q==
From: "Tom Anderson" <[email protected]>
Sender: <[email protected]>
To: "Jack Sparrow" <[email protected]>, [email protected]
OOO
Subject: [Email Tips] The Keymaker is out of the office.
Auto-Submitted: auto-generated
From: The Keymaker <[email protected]>
To: [email protected]: <OF7E98F610.C0EF2284-ON852574E2.002DB5F6-852574E2.002DB5F6@matrix.com>
Date: Tue, 14 Oct 2008 04:19:17 -0400
X-MIMETrack: Serialize by Router on D01ML076/01/M/IBM(Release 8.0.1|February 07, 2008) at 10/14/2008 04:19:18
Too cool for tool
• Sure, there’s strings...
• manual download
• manual search
• manual extract
• Let’s talk a little automation
Fill ‘er up.
• Metagoofil - Edge Security
• Automated Google query
• Common document types
• Automated extract and reporting
• IDs, Paths, even MAC addresses!
• Downloads direct from site
• OSX does not support office document
Analyzing Word
• Metagoofil
• Exiftool
• Larry’s Scripting for Custom User lists
MetaGooFil 1.4a
usage: metagoofil options
-d: domain to search
-f: filetype to download (all,pdf,doc,xls,ppt,odp,ods, etc)
-l: limit of results to work with (default 100)
-o: output file, html format.
-t: target directory to download files.
Example: metagoofil.py -d microsoft.com -l 20 -f all -o micro.html -t micro-files
Use me, abuse me
Exiftool
• It turns out that Exiftool can analyze Word Pre-2007
• Metadata storage based on FlashPix standard
• Not compatible with Office 2007
exiftool -r -h -a -u -g1 * >output.html
Office 2007
• Changed metadata storage format to XML
• XML parsing with shell scripting is like herding cats
• New document is just a ZIP archive
• The best goodies are typically located in docProps/core.xml
• Wrote my first Perl script to extract author metadata
• Yes, the zip can be completed in Perl as well...
unzip -e -j TestingMetadata2007.docx docProps/core.xml; perl ./2007XMLextract.pl core.xml | tr '[:space:]' '\n' | sort | uniq > 2007users.txt
http://www.pauldotcom.com/2007XMLextract.pl
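The same extraction done in one place, as an added example that is not the Perl script referenced above: it opens an Office 2007 file as a ZIP, parses docProps/core.xml, and lists the author and last-editor values your documents would expose. Function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# core.xml fields that name people or reveal editing history
FIELDS = ("dc:creator", "cp:lastModifiedBy", "dc:title", "cp:keywords",
          "cp:revision", "dcterms:created", "dcterms:modified")
MAX_XML = 1 << 20  # refuse absurdly large members (zip bombs) before parsing

def core_properties(data):
    """Return the populated docProps/core.xml fields of an Office 2007 file."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        try:
            info = z.getinfo("docProps/core.xml")
        except KeyError:
            return {}                      # already stripped, or not OOXML
        if info.file_size > MAX_XML:
            raise ValueError("core.xml is suspiciously large")
        root = ET.fromstring(z.read(info))
    found = {}
    for field in FIELDS:
        node = root.find(field, NS)
        if node is not None and node.text and node.text.strip():
            found[field] = node.text.strip()
    return found

def exposed_names(documents):
    """Unique author / last-editor values across files (the sort | uniq step)."""
    names = set()
    for data in documents:
        props = core_properties(data)
        names.update(props[k] for k in ("dc:creator", "cp:lastModifiedBy") if k in props)
    return sorted(names)

def sample_docx(creator, editor):
    """Constructed stand-in for a .docx: a ZIP holding only docProps/core.xml."""
    xml = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
           '<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>'
           '<cp:revision>4</cp:revision></cp:coreProperties>'
           % (NS["cp"], NS["dc"], creator, editor))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", xml)
    return buf.getvalue()
```

Run `exposed_names` over the files in your external-facing repository; an empty list is what a cleaned set looks like.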
Custom user lists
• So, let’s take some Word docs and pull out the user names and first and last names!
• Tedious process? Script it!
• What about Web?
• local disk?
wget -r -l1 --no-parent -A.doc http://www.somewebsite.com; exiftool -r -a -u -Author -LastSavedBy * >users.txt; strings users.txt | cut -d":" -f2 | grep -v "=" | grep -v "image files read" | tr '[:space:]' '\n' | sort | uniq >cleanusers.txt
exiftool -r -a -u -Author -LastSavedBy * >users.txt; strings users.txt | cut -d":" -f2 | grep -v "=" | grep -v "image files read" | tr '[:space:]' '\n' | sort | uniq >cleanusers.txt
PDFs
• I didn’t think a good command line tool existed until I found pdftk
• I haven’t had much time to play
• Not only good for metadata, but good for other PDF manipulation too!
• Not nearly as revealing as strings, but it is a start...
pdftk metadata.pdf dump_data
My pwn SANS Paper
InfoKey: Creator
InfoValue: SANS Institute InfoSec Reading Room
InfoKey: Title
InfoValue: Document Metadata, the Silent Killer...
InfoKey: Producer
InfoValue: PDFlib+PDI 7.0.2 (PHP5/Linux)
InfoKey: CreationDate
InfoValue: D:20090202201331Z
PdfID0: 6e469b8e315bc7573edf7290fd45825d
PdfID1: 6e469b8e315bc7573edf7290fd45825d
NumberOfPages: 69
JPEGs?
• Wget and EXIFtool for the win!
• A little scripting can repeat the test and e-mail us results in HTML
wget -r -l1 --no-parent -A.jpg http://www.pauldotcom.com; exiftool -r -h -a -u -g1 * >output.html
JPEG GPS Data
• Google maps is your friend!
• Marker placement for GPS data
• Mind your measurements, you may need to convert
• Firefox Greasemonkey Script for Flickr, Flickramio
http://userscripts.org/scripts/show/27101
http://www.cosports.com/index.php/tool/tools/latlong
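The "you may need to convert" step, as an added example (not from the original slides): EXIF stores each coordinate as degrees, minutes and seconds plus a hemisphere letter, while a map search box wants signed decimal degrees. It is meant for checking what location a photo you are about to publish discloses; function names and coordinates are constructed, and the text form parsed is exiftool's default print format.

```python
import re
from fractions import Fraction

def dms_to_decimal(dms, ref):
    """EXIF GPSLatitude/GPSLongitude (three (num, den) rationals) + ref -> signed degrees."""
    if len(dms) != 3:
        raise ValueError("expected degrees, minutes, seconds")
    parts = []
    for num, den in dms:
        # some writers store 0/0 for an unused seconds field
        parts.append(Fraction(0) if den == 0 else Fraction(num, den))
    deg, minutes, seconds = parts
    value = deg + minutes / 60 + seconds / 3600
    ref = ref.strip().upper()[:1]
    if ref not in ("N", "S", "E", "W"):
        raise ValueError("bad hemisphere reference: %r" % ref)
    # south and west are negative in decimal notation
    return float(-value if ref in ("S", "W") else value)

_EXIFTOOL = re.compile(r"""(\d+) deg (\d+)' ([\d.]+)" ([NSEW])""")

def parse_exiftool(text):
    """Parse exiftool's default print form, e.g. 10 deg 30' 0.00" N."""
    m = _EXIFTOOL.search(text)
    if not m:
        raise ValueError("unrecognised coordinate: %r" % text)
    d, mnt, s, ref = m.groups()
    sec = Fraction(s)
    return dms_to_decimal([(int(d), 1), (int(mnt), 1),
                           (sec.numerator, sec.denominator)], ref)

def maps_query(lat_text, lon_text):
    """Return 'lat,lon' rounded to 6 places, the form a map search box accepts."""
    return "%.6f,%.6f" % (parse_exiftool(lat_text), parse_exiftool(lon_text))
```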
A malt beverage?
• Maltego - Paterva
• Information gathering made easy
• You give it a starting point
• Automated!
• Document finding and (limited) metadata extraction
• Great for filling in the “softer” bits
What do we know?
• Determination on an attack vector
• Word, and even a possible version with a certain timeframe
• Creates PDFs, timeframes and output DLL
• Additional client applications: E-mail client, image processing, etc
• E-mail address
• Login IDs
• Website
• Some previous contacts to spoof
• I’m sure we can find some exploits for what we know!
How can this be used?
• Determine internal architecture through Server names and paths
• Find opportunities for B&E, hardware “acquisition”
• Usernames to brute force other services
• Internal patching practices for both OS and/or Desktop applications
• Deliver a specific, targeted attack based on username and/or e-mail address and utilize a recent vulnerability in software likely still in use on client systems with a high degree of confidence, leveraging trust and social engineering
Clean up your act!
• Limit your exposure!
• If it is already on the internet, it is probably too late
• At least limit everything new!
Consider this...
• Remember this metadata stuff is still useful!
• Maintain documents in internal repository with Metadata intact
• Maintain secondary repository for external communications
• Slicks, marketing information, public postings
• Educate and develop procedure on non-population?
• Run removal tools across your organization
• Yes, it is a lot of work...
Cleanup Tool Selection
• Tons of tools exist, some free, some minimal cost
• This list is far from all inclusive
• Use of free or existing tools
• Use of likely prior investments
• Looking to include some command line automation at a later date
Microshafted!
• For prior to Office 2007 Microsoft Remove Hidden data add-on
• Tools | Options:
• Office 2007 Document Inspector is better!
C:\Offrhd.exe C:\documents /R
Microshafted! (2)
• Office 2007 is a different animal
• Microsoft Office Button | Prepare | Inspect Document
• Select options
• Inspect | Remove All
PDF!
• Acrobat Standard/Pro
• Good for new, and existing documents
• File | Document Properties
• Select the Description tag | Additional Metadata
• PDF Properties parent item | Delete
JPEG cleanup
• Exiftool!
• Delete all for a single file
• Delete for multiple files
exiftool -All= <jpeg filename>
exiftool -All= *.jpg
A note on cleanup...
• Some information will still be left behind!
• Information usually related to output tool and format
• When opening, the client tool needs to know how to process
• Version compatibility, color spaces, format...
• This info can still reveal information useful for an attack
Litany of Metadata
I must not fear.
Metadata is the network-killer.
Metadata is the little-death that brings total obliteration.
I will face my Metadata.
I will not permit it to pass over networks by me.
And before it has gone past I will turn the inner eye to see its server path.
Where the Metadata has gone there will be nothing.
Only emptiness will remain.
EOF
http://www.pauldotcom.com
http://twitter.com/haxorthematrix