Tactical Surveillance
Look at me now
THANK YOU
My Credentials?
-me
▪ Not a L33t H4x0r
▪ Old
▪ Loudmouth Security Punk who talks $hit
▪ Tells lies (professionally)
▪ Is called all sorts of bad words.. That I will likely say throughout this talk
▪ Can't code well
▪ I’ve done PenTesting and security work for the last 14+yrs
▪ Has a bunch of certs
▪ Helped create PTES
▪ Worked for Sprint, KPMG and others in InfoSec
▪ My opinions are my own (but also my company's)
▪ And…
What the F*ck is this talk about?
Corporate Surveillance
Business Profiling
Personnel Profiling
Work 2.0
Individual Surveillance
Social Profile
Doxin Like a boss
Gettin’ all up in it
24x7
Show Me
Onsite
Corporate Surveillance
Watching an entire company isn't feasible so let's boil it down
▪ Employees
▪ Partners
▪ Competitors
▪ Adversaries
▪ Trustees
▪ Financials
▪ Sensitive Info Leakage
▪ Electronic Threat surface
▪ Social Threat surface
▪ Corporate communications
▪ Key relationships and individuals of influence
▪ Corporate events
▪ Manipulation points or general shadiness =)
Business intel goes a LONG way
Hoovers
I'm a bit more of a visual learner
MARKETVISUAL.COM
Mucking around
Ask yer Littlesis
Linked IN anyone?
Jigsaw contact (target) listing
News and other fun with ENTITY CUBE
Personnel Intelligence
• Collusion
• Relationship strengths
• Relationship Age
• Com. Patterns
• Raw Intel leakage
• Tone
• Timing
• Key Terms
• Interaction Clients
• Web Apps used
• Type of hardware
• Physical Locations
• Carriers
• Names
• Aliases
• Emails
• IM
• Screen names
• Social Landscape
Who / What / Why / How
Simon Says…
Who Am I?
Who am I?
Who Am I?
What am I doing??
If you are going to drink the ocean, you may as well have a straw
▪ Manipulations points
▪ Interests/ Habits
▪ Leverage areas
▪ Points of similarity
▪ Date Specific events (wedding,bday, etc)
▪ Religion
▪ Race
▪ Creed
▪ Affiliations
▪ Clubs / Hobbies
▪ Haunts
▪ Personal Relationships
▪ Business Relationships
▪ Photos
▪ Family Heritage
▪ Socioeconomic class
▪ Affinities
▪ Travel schedules & Physical movement patterns
Maps are awesome
Mapping relationships (this is an entire talk by itself, so I'll go fast)
▪ The ideas are simple
– Find out who you are
– Who you know
– Why you know them
– Then do magic and build your relationship profile.
▪ We want to use them like a Vuln scanner
– Get all of the info that is relevant to the target company
– Find all People
– Target a few
– Find the gaps
– Exploit them
▪ *ex. Social Net vs IRL
And TONS of people are trying to use them to figure out how a person is connected to a company or another human
Finding the MASSES
SalesForce Apps
http://appexchange.salesforce.com/category/intelligence
Who is talking to who?
Touchgraph
Ps.. If all the graphical stuff doesn’t work. GO MANUAL
Other fun relationship maps generated from current content
LinkedIn Maps
There are TONs more, but remember you can “Roll your own”
Underlying Maps (Geo and some data)
▪ Map Data with API access
– ESRI
– UMAPPER
– ArcGIS
– Bing Maps
– Openscales
– Yandex (with facial recognition)
– MapQuest
– OpenStreetMap
Overlay and analysis
▪ Flickr
▪ Banjo
▪ Tripit
▪ 4square
▪ (everything u can get for free or “find free” api keys on github)
▪ Mo da bettah
NodeXL (omfgwtfBBQ awesome)
http://nodexl.codeplex.com/
Now to pick a target using the Relationship paths identified
Yep… the big maps will now get to smaller maps =)
Finding People of SIGNIFICANCE, not just someone of higher influence
Maltego Casefile
Immunity Stalker
Snoopy
Snoopy (because "Eye of Sauron" and "Big Brother" were taken), since it's a distributed sniffing and tracking network for wireless attack.
Figure out who u wanna go after yet?
If information is power, you now have a BIG ASS ARMY! Let’s get em some weapons!
Individual Surveillance
We Know who we want, so let’s take down the easy ones first
▪ Phishing
▪ External compromise
▪ Onsite Attack
▪ Creating spys & Intel leaks
▪ Corporate manipulation
▪ Creating Shell companies and potential partners
▪ Just get in… U have a whole con to learn how to do that.
How do you get all this $h1T near the person you REALLY want?
▪ Compromise the badge system
▪ Compromise the camera systems
▪ Find out where their boxxen is and OWN IT
▪ Bug all the things
▪ Make sure to own all of their closest relationships in the office and business
▪ Once ya get all that you think you want…. Stay in… you can never have too much root =)
Automate finding stuff
▪ Whip up some python (or whatever u write in) to import your nessus scan of the ports u are going after and open them all in a tab in the browser… remember.. LOOK at the results. Don't just assume u know what's on the port
▪ Try logging ALL the banners in the scan and then parse for the google dorks u would use if it was external
▪ Update frequently for new manuals u download =)
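The "import the scan, then LOOK at every port" step above, as an added example (not code from the talk): it pulls every web listener out of a .nessus XML export together with the banner the scanner recorded, and groups the URLs by banner so the same product on odd ports gets reviewed together instead of assumed from the port number. The XML is constructed in the .nessus v2 layout; the plugin names it relies on ("HTTP Server Type and Version", "Service Detection") are the ones Nessus uses, but treat the matching as an assumption to confirm against your own export.

```python
"""List every web service in a Nessus (.nessus XML) export with its banner.
Added example, not code from the talk. SAMPLE_NESSUS is constructed, not a real scan."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Constructed .nessus v2 export: two hosts, one non-web service, three web listeners.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="internal">
<ReportHost name="10.0.0.12">
  <ReportItem port="8080" svc_name="www" protocol="tcp" pluginID="10107"
              pluginName="HTTP Server Type and Version" severity="0">
    <plugin_output>The remote web server type is :

Apache-Coyote/1.1</plugin_output>
  </ReportItem>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" pluginID="10267"
              pluginName="SSH Server Type and Version Information" severity="0">
    <plugin_output>SSH version : SSH-2.0-OpenSSH_5.3</plugin_output>
  </ReportItem>
</ReportHost>
<ReportHost name="10.0.0.55">
  <ReportItem port="443" svc_name="www" protocol="tcp" pluginID="10107"
              pluginName="HTTP Server Type and Version" severity="0">
    <plugin_output>The remote web server type is :

Microsoft-IIS/6.0</plugin_output>
  </ReportItem>
  <ReportItem port="9090" svc_name="www" protocol="tcp" pluginID="22964"
              pluginName="Service Detection" severity="0">
    <plugin_output>A web server is running on this port.</plugin_output>
  </ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""

# Service names Nessus assigns to HTTP(S) listeners, and ports that usually mean TLS.
WEB_SERVICE_NAMES = {"www", "http", "https", "http-alt", "https-alt"}
TLS_PORTS = {443, 8443}


@dataclass(frozen=True)
class WebService:
    host: str
    port: int
    scheme: str
    banner: str  # "" when a listener was found but no Server banner was recorded

    @property
    def url(self) -> str:
        return f"{self.scheme}://{self.host}:{self.port}/"


def _banner_from_output(plugin_name: str, output: str) -> str:
    """The 'HTTP Server Type and Version' plugin ends its output with the Server banner."""
    if plugin_name != "HTTP Server Type and Version":
        return ""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    return lines[-1] if lines else ""


def parse_web_services(nessus_xml: str) -> list:
    """Return one WebService per (host, port) the scanner flagged as a web listener."""
    root = ET.fromstring(nessus_xml)
    found = {}
    for host in root.iter("ReportHost"):
        name = host.get("name", "")
        for item in host.iter("ReportItem"):
            svc = item.get("svc_name", "")
            if svc not in WEB_SERVICE_NAMES:
                continue
            port = int(item.get("port", "0"))
            scheme = "https" if port in TLS_PORTS or svc.startswith("https") else "http"
            banner = _banner_from_output(item.get("pluginName", ""),
                                         item.findtext("plugin_output") or "")
            previous = found.get((name, port))
            # Several plugins report on the same port; keep a banner once any plugin gave one.
            if previous is not None and not banner:
                banner = previous.banner
            found[(name, port)] = WebService(name, port, scheme, banner)
    return sorted(found.values(), key=lambda s: (s.host, s.port))


def group_by_banner(services: list) -> dict:
    """Group URLs by server banner so every instance of one product is reviewed together."""
    groups = defaultdict(list)
    for svc in services:
        groups[svc.banner or "(no banner)"].append(svc.url)
    return dict(groups)


if __name__ == "__main__":
    for svc in parse_web_services(SAMPLE_NESSUS):
        print(f"{svc.url:32} {svc.banner or '(no banner)'}")
```

Feed it the real export instead of SAMPLE_NESSUS and the "(no banner)" group is the one to open by hand first: those are the listeners the scanner could not identify, which is exactly where assuming "u know what's on the port" goes wrong.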
I WANNA SEE
▪ LOOK at anything that is running a website (all ports). People rarely change defaults.
http://www.exoticliability.com/profiles/blog/show?id=3125850%3ABlogPost%3A15590&commentId=3125850%3AComment%3A18834
Make sure ya KNOW their passwords. Wouldn’t want ya to miss anything
meterpreter > run smartlocker
[*] Found WINLOGON at PID:644
[*] Migrating from PID:2532
[*] Migrated to WINLOGON PID: 644 successfully
[*] System has currently been idle for 12 seconds
[*] Current Idletime: 12 seconds
[*] Current Idletime: 42 seconds
[*] Current Idletime: 73 seconds
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt
[*] Recording
[*] They logged back in! Money time!
[*] Stopping keystroke sniffer...
meterpreter > background
msf > cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt
[*] exec: cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt
design4life$uper12#07#76!
If u get impatient be smart =)
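The smartlocker run above starts with a migration into WINLOGON, and that step is the one a defender can see: the injecting process has to open winlogon.exe with rights to write its memory and start a thread. Added example, not code from the talk: a small detector that applies that rule to records shaped like Sysmon Event ID 10 (ProcessAccess) fields. The events and the allowlist of OS components are constructed assumptions to be tuned against a real baseline.

```python
"""Flag processes that open winlogon.exe or lsass.exe with code-injection rights.
Added example, not code from the talk. SAMPLE_EVENTS are constructed, not real telemetry."""

# Process access rights from winnt.h
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Injection has to write the payload and run it; VM_OPERATION covers the allocate/protect calls.
INJECTION_RIGHTS = PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD

# Processes whose memory a migration/injection into is worth an alert on its own.
SENSITIVE_TARGETS = {"winlogon.exe", "lsass.exe"}

# Assumed allowlist of OS components that open these processes during normal session
# handling. Placeholder: build it from your own baseline before relying on it.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed records in the shape of Sysmon Event ID 10 (ProcessAccess).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Editor\editor.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
]


def parse_granted_access(value) -> int:
    """Sysmon writes GrantedAccess as a hex string such as 0x1FFFFF."""
    return int(value, 16) if isinstance(value, str) else int(value)


def has_injection_rights(granted: int) -> bool:
    """True when the handle carries every right needed to write and execute in the target."""
    return granted & INJECTION_RIGHTS == INJECTION_RIGHTS


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_injection_into_sensitive(events: list) -> list:
    """Return the ProcessAccess events that look like injection into a sensitive process."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if image_name(ev["TargetImage"]) not in SENSITIVE_TARGETS:
            continue
        if ev["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        if not has_injection_rights(parse_granted_access(ev["GrantedAccess"])):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_injection_into_sensitive(SAMPLE_EVENTS):
        print(f"ALERT {hit['SourceImage']} -> {hit['TargetImage']} ({hit['GrantedAccess']})")
```

Only the second record fires: the csrss.exe open is allowlisted, the editor only asked for PROCESS_QUERY_LIMITED_INFORMATION (0x1000), and the explorer.exe open is not a sensitive target. Note the rule is about the rights requested, not the tool name; it fires on any injector that needs to write and run code in winlogon.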
Also… don’t forget the obvious stuff
▪ Search for “password”
▪ Make password lists based on profiles
▪ Search for "keepass" and LOOK at all XML * edit config to unhide and decrypt too =)
▪ Batch updates to send keylogger traffic to you
▪ .purple = Pidgin shit
▪ Watch their MAIL! xfce4-mailwatch,Gwatch..etc
▪ If the AV fu is strong… don’t be embarrassed to use hardware. U HAVE to see it all.
Get up in it
Plan to watch them 24x7
Getting the target
Bug All the things
It’s ok to be cheap. Make stuff. Like a laser mic.
http://www.lucidscience.com/
Ewwweee…. bugs
GPS TRACKING
Geo Fencing.
Sometimes it’s better to be alerted when they leave the area for you to follow.
On Star
If you know where they are why not get a view from EVERY angle?
Wireless Data drive / podslurping
GSM Cracked, Cloned, spoofed
RFID Cloning / Attacking
Wireless SD Cards
BarCode Attacks
Transponder Cloning, trunk code rolling, bluetooth car jacking
RealID, Verichip, Wireless ID Theft
Mobile Computers, iPad, eReaders, UltraPortables. Let’s not go there…
Bluetooth Hijacking, Rogue pairing, Interception, sniffing, Cloning
Autonet In car internet. WiFi, 3g/4g, LTE, VoIP
Wireless headset Eavesdropping
Cordless Keyboard / Mouse sniffing
GPS Hacking and Forgery +OnStar
2.4ghz, 5.8ghz, x10 Wireless security systems
DECT Hacks
HID, RFID, Proxcard Badge system Hacking
http://www.youtube.com/watch?v=f3zUOZcewtA
-----THIS is an AWESOME listening device.
Go watch the ccc talk on the Thingpwner
Speaker: Ang Cui, Michael Costello
EventID: 5400
Event: 29th Chaos Communication Congress (29c3) by the Chaos Computer Club [CCC]
Get the KIES to the kingdom
@cron_ talk at HackMiami http://mcaf.ee/pt5sy Yum
Use a GOOD Cellphone bugging kit
www.mobistealth.com
www.flexispy.com
More cellphone bugging
▪ USRP (Software defined Radio Platform)
– Set up a cell tower (OpenBTS), identify as the relevant cell provider, either transmit stronger, or cause other towers to drop the targets…
– Associated targets still get connectivity (cell + data), just through YOU
– Push updates?
– OsmocomBB, aeroprobe, etc..
Or… You can do it for free =)
Don’t forget to make it AWESOME
PS. Get a good Lawyer
And know the laws. Many states are 1 party and with a good lawyer it is 100% admissible if you do all of this stuff to prove your wife was cheating on ya. ;)