
What you need to know about OSINT

Date post: 19-Jan-2017
Upload: jerod-brennen-cissp
Detecting the Undetectable: What You Need to Know About OSINT
Transcript
Page 1: What you need to know about OSINT

Detecting the Undetectable: What You Need to Know About OSINT

Page 2: What you need to know about OSINT

Hack all the things!

Jerod Brennen, CISSP, GWAPT

You can find me at:

Twitter: @slandail
LinkedIn: /in/slandail

Page 3: What you need to know about OSINT

Hacker, hack thyself.

Page 4: What you need to know about OSINT

Want Answers? Start With the Right Questions.

◉ What the heck is OSINT?

◉ What’s your process?

◉ What OSINT tools should I know about?

◉ How do I defend myself?

Page 5: What you need to know about OSINT

1. What the heck is OSINT?

Let’s begin at the beginning.

Page 6: What you need to know about OSINT

OSINT: Open Source INTelligence

Page 7: What you need to know about OSINT

Penetration Testing

OSINT is a key component of the Penetration Testing Execution Standard (PTES).

[Image from https://www.trustedsec.com/penetration-testing/]

Page 8: What you need to know about OSINT

2. What’s your process?

Wash. Rinse. Repeat.

Page 9: What you need to know about OSINT

Step 1: Profile the Company

◉ EDGAR: U.S. Securities and Exchange Commission. Over 20 million filings for publicly traded companies.

◉ Google Finance: Leadership, performance, news stories, external links.

◉ LinkedIn: Company page. Products, services, 30k foot view.

◉ Company Website: Careful, here. Visits from your laptop = a record of your IP touching their web infrastructure.

Page 10: What you need to know about OSINT

Step 2: Profile the People

◉ LinkedIn: Employee names, titles, history with the company, and technologies that the IT staff uses.

◉ Facebook: What do they eat for lunch? (More importantly, the answers to their secret questions.)

◉ Twitter: Who do they talk to? What do they talk about?

◉ Search Engines: Google, Bing, Duck Duck Go. Individual Internet footprint.

Page 11: What you need to know about OSINT

Step 3: Research Previous Breaches

◉ The Wall of Shame: U.S. Department of Health and Human Services, Office for Civil Rights Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. Breaches Affecting 500 or More Individuals.

◉ PrivacyRights.org: Chronology of Data Breaches (2005 – present). Filter by source (if known), industry, and/or year.

◉ PasteBin / Cryptbin: Designed to let programmers share and troubleshoot snippets of code, they’ve also become repositories for proof of breach. For example: “Here are 1,000 passwords. Send xxx bitcoins to this address for the other 49,000.”

Page 12: What you need to know about OSINT

Step 4: Profile the Internet-Facing Infrastructure

◉ Mobile Apps: Start with Google Play and iTunes. Download the app file (.apk, .ipa) to your testing machine, unzip it, and start poking around. If they have an app in Google Play, reverse the app back to its original Java source code.

◉ Web Infrastructure: Lots to cover here, folks. Let’s save the details for the next section.

Page 13: What you need to know about OSINT

3. What OSINT tools do I need to know about?

Automation, folks. That’s where it’s at.

Page 14: What you need to know about OSINT

Tell Me About Your Web Apps

◉ Netcraft Site Report: http://toolbar.netcraft.com/site_report

◉ ICANN WHOIS: https://whois.icann.org/en

◉ ARIN WHOIS-RWS: https://whois.arin.net/ui/advanced.jsp

◉ Hurricane Electric BGP Toolkit: http://bgp.he.net/

◉ Robtex: https://www.robtex.com/

Page 15: What you need to know about OSINT

These Are a Few of My Favorite Things

◉ Qualys SSL Labs – SSL Server Test: https://www.ssllabs.com/ssltest/

◉ PunkSPIDER: https://www.punkspider.org/

◉ UltraTools DNS Zone Transfer Lookup: https://www.ultratools.com/tools/zoneFileDump

◉ SHODAN: https://www.shodan.io/

Page 16: What you need to know about OSINT

◉ FOCA: https://www.elevenpaths.com/labstools/foca/index.html

◉ Google Hacking: http://www.hackersforcharity.org/ghdb/

Passive Active

Page 17: What you need to know about OSINT

“Automation, folks. That’s where it’s at.” – Jerod Brennen, just a few minutes ago

Page 18: What you need to know about OSINT

Replace Yourself With a Very Small Shell Script

◉ Maltego: https://www.paterva.com/web6/products/maltego.php

◉ recon-ng: https://bitbucket.org/LaNMaSteR53/recon-ng

Page 19: What you need to know about OSINT

4. How do I defend myself?

Sitting under your desk and crying is not an option.

Page 20: What you need to know about OSINT

Riddle Me This, Batman…

How much of what we’ve discussed would trigger an alert in your IDS/IPS?

Page 21: What you need to know about OSINT

Let’s Not Overcomplicate Things

◉ Unauthorized ports open on Shodan? Close them.

◉ Web app vulnerabilities on PunkSPIDER? Fix them.

◉ Zone transfers were successful? Disable them.

◉ Passwords on Pastebin? Change them.

◉ Users oversharing on social media? Train them.
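
For the "Passwords on Pastebin? Change them." item, here is an added example (not from the original slides) of triaging a paste you have found for your own accounts and turning it into a password-reset list. The domain `example.com`, the function names, and the sample paste are constructed assumptions.

```python
import hashlib
import re

# Constructed sample paste (not real data); example.com stands in for your domain.
SAMPLE_PASTE = """\
-- dump part 1 of 50 --
alice@example.com:Summer2016!
bob@example.com;hunter2
carol@other.test:letmein
ALICE@Example.com:Summer2016!
dave@mail.example.com | qwerty123
eve@notexample.com:pass1
not a credential line
"""

# email, then a separator (: ; | , or whitespace), then the leaked secret
CRED_RE = re.compile(
    r"^\s*([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))"
    r"\s*[:;|,\s]\s*(\S+)\s*$"
)


def triage_paste(text, own_domain):
    """Map each leaked account on own_domain (or a subdomain) to a set of
    short password fingerprints, so plaintext never lands in the ticket."""
    own_domain = own_domain.lower()
    hits = {}
    for line in text.splitlines():
        m = CRED_RE.match(line)
        if not m:
            continue  # banner or junk line
        email, domain, secret = m.group(1).lower(), m.group(2).lower(), m.group(3)
        # Exact domain or a true subdomain only; "notexample.com" must not match.
        if domain != own_domain and not domain.endswith("." + own_domain):
            continue
        # Truncated hash is only for spotting repeats across pastes, not for storage.
        fingerprint = hashlib.sha256(secret.encode()).hexdigest()[:12]
        hits.setdefault(email, set()).add(fingerprint)
    return hits


def reset_list(text, own_domain):
    """Sorted, de-duplicated accounts whose passwords must be changed."""
    return sorted(triage_paste(text, own_domain))


if __name__ == "__main__":
    for account in reset_list(SAMPLE_PASTE, "example.com"):
        print("force reset:", account)
```
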

Page 22: What you need to know about OSINT

Would You Like to Know More?

◉ Online Strategies: http://www.onstrat.com/osint/

◉ Penetration Testing Execution Standard: http://www.pentest-standard.org/index.php/Main_Page

◉ IT Security Career: http://www.itsecuritycareer.com/blog/what-you-dont-know-about-osint-can-hurt-you/

Page 23: What you need to know about OSINT

Thanks!

ANY QUESTIONS?

You can find me at:

Twitter: @slandail
LinkedIn: /in/slandail

