Owasp modern information gathering


Published on

OWASP is een wereldwijde non-profit organisatie, met een Nederlandse vestiging, die onder meer richtlijnen voor beveiliging biedt. IT Security Specialist Dave van Stein van KZA heeft op 26 juni een presentatie gegeveven

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Owasp modern information gathering

  1. 1. Modern informationgathering Onderwerp: Modern Information Gathering Datum: 26-JUN-2012Aanwezigen: OWASPClassificatie: Public
  2. 2. Who Am IDave van Stein38 yearsTester > 11 years(Application) Security Testing“Certified Ethical Hacker”
  3. 3. AgendaGoal of the presentationWhat is Information Gathering ?Domain scanningSearch engine ‘abuse’Other toolsSome Social EngineeringRemediesConclusions
  4. 4. Goal of this presentation Give insight in amount of information anonymously available on internet about your system (and users) Give insight in the amount and possibilities of tools freely availableIdentify entrypointGain accessSecure accessDo stuffClear up the messCome back another time(simplified procedure)
  5. 5. ‘Classic’ Domain ScanningSteps involved: Get network information with ping and traceroute Get DNS information with WHOIS and LOOKUP Do DNS zone transfer for subdomains Download website for extra info Scan serversProblems: DNS zone transfers often not authorized Active connection with target => detectable
  6. 6. Modern Information GatheringInteresting information: Domains and subdomains IP adresses Applications and technologies Hotspots (known vulnerabilities) Usernames and passwords Sensitive informationPassive As little contact as possible with target No direct scanning, no intrusion No logging and no alarm triggering !
  7. 7. Sources of informationPublic records WHOIS: information about owner DNS : information about IP adressesSearch engines Often little restrictions on websites Cache all information gathered Tweaking provides additional informationVarious websites Anonymous Combine above techniques Sort results for nice presentationAdvanced and Automated Specialized (offline) Toolsscanning
  8. 8. Shodanhq.comShodan IP adresses Server banner X-Powered-by banner CookiesSearch filters City, Country, Geo Hostname, ip address / net block Os, port date (before / after) ssl cert version, bits, issuer ssl cipher support, bit support , protocol
  9. 9. ServerSniff.netServer Sniff NS reports Domain reports Subdomains Various (trace)routes Various ping types Shows robots.txt Anonymous !
  10. 10. Domain Scanning: Server Sniff
  11. 11. Robtex.com
  12. 12. Domain Scanning: RobtexDomain ‘Swiss Army Knife’ Provides ALL information linked to a domain
  13. 13. Domain scanning: Robtex
  14. 14. Google Advanced searchfiletype: (or ext:) Find documents of the specified type. E.g. PDF, XLS, DOCintext: The terms must appear in the text of the page.intitle: The terms must appear in the title of the page.inurl: The terms must appear in the URL of the page.
  15. 15. Google Hacking Databasewww.johnny.ihackstuff.com(edit: http://johnny.ihackstuff.com/ghdb.php)Collection of queries for finding ‘interesting’ stuffNo longer updatedPossible results of GHD: Identify systems in use (including version) Identify known exploits Locations of sensitive information User-id’s & passwords Logging files Many other things
  16. 16. The NEW and IMPROVED GHDB
  17. 17. Bing.comFinds subdomains with ‘IP:x.x.x.x’
  18. 18. Baiduinurl:intitle:site:
  19. 19. Example
  20. 20. SearchDiggity
  21. 21. Stach & Liu
  22. 22. SEO Tools
  23. 23. Domain Scanning ‘on-the-fly’Passive Recon (Firefox add-on)
  24. 24. FOCA
  25. 25. MaltegoIntelligence and forensics toolConnects many different sources of infoRepresents in graphical wayVery extensive capabilities
  26. 26. MaltegoCan also be used for social engineering- Facebook & twitter- Email adresses- Phone numbers- etc
  27. 27. theHarvester
  28. 28. ConclusionsWhat search engines see, hackers can abuseAnonymous, online and offline, Highly automatedMany tools are freely availableNetworks can be mapped with much detail in minutesMuch information about your company, systems and users available on internet
  29. 29. Remedies (1/2)Limit access • Allow search engines only to see what they need to see. • Make sure unauthorized users are not able to look into or even see files they do not need to see. • Force possible intruders to use methods that can be scanned and monitored.Use the tools of hackers • Scan your systems with the tools hackers use and check the information that is found. • Scan for error messages and other things that reveal information about the system and services and remove them.Check what spiders can see • Use a spider simulator to check what spiders can see and if your application still functions correctly.
  30. 30. Remedies (2/2)Awareness • Be aware of all possible sources of information. Create awareness among employees. Assume all information will possibly abusedClean documents • Remove al metadata from documents before publishing.Audit frequently • Keep your knowledge up-to-date and scan regularly for information that can be found about your systems or hire professionals do to it for you.
  31. 31. Interesting books on the subject