Your SlideShare is downloading. ×
A fresh new look into Information Gathering - OWASP Spain
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

A fresh new look into Information Gathering - OWASP Spain


Published on

A review of the new ways to obtain information about a target using public Internet sources.

A review of the new ways to obtain information about a target using public Internet sources.

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. A fresh new look into Information GatheringChristian MartorellaIV OWASP MEETING SPAIN
  • 2. Who am i ?Christian Martorella Manager Auditoria S21sec CISSP, CISA, CISM, OPST, OPSA OWASP WebSlayer Project Leader OISSG, Board of Directors FIST Conference, Presidente
  • 3. Information Gathering “Denotes the collection of information before the attack. The idea is to collect as much information as possible about the target which may be valuable later.”
  • 4. OSINT:Open Source INTelligence “Is an information processing discipline that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.”
  • 5. Penetration test anatomy Information Gathering Discovery / Fingerprinting Vulnerability analysis Exploitation Reporting
  • 6. Types of I.G Passive Active
  • 7. I.G - Types of informationDomain, subdomain/host names names jdoeEmail Accounts jdoe@target.comPerson names John Doe
  • 8. I.G what for? Infraestructure: Information for discovering new targets, to get a description of the hosts (NS,MX, AS,etc), shared resources People and organizations: For performing brute force attacks on available services, Spear phishing, social engineering, investigations, analysis, background checks, information leaks
  • 9. How can we obtain this kindof info?
  • 10. Obtaining host and Domains info -Classic Zone Transfer (active) Whois (passive) Reverse Lookup (active) BruteForce (active++) Mail headers (active) smtp (active++)
  • 11. Zone-Transfer - DIG request: dig @srv.weak.dns weak.dns -t AXFR DNS Tester server
  • 12. DNS bruteforce Domain: host DNS Tester has serverDictionary Discoverd hosts: afrodita ... afrodita hermes x .. neo matrix x neo ...
  • 13. Mail Headers
  • 14. Obtaining user info - Classic Search engines (passive) Web pages (active)
  • 15. New sources for I.G ...
  • 16. Obtaining host and Domains info Search Engines (passive) Public PGP key servers (passive) and others (passive)
  • 17. Obtaining host and Domains -Search engines Passive subdomain
  • 18. Obtaining host and Domains info The PGP public key servers are only intended to help the user in exchanging public keys search=domain
  • 19. Obtaining host and Domains info subdomains
  • 20. Obtaining host and DomainsSubdomainer Demo subDomainer
  • 21. Obtaining host and DomainsSubdomainerOnce we have some host names, we can improve ourdictionary using Google sets, and then try a brute forceattack on the dns.
  • 22. Obtaining host and DomainsSubdomainer
  • 23. WikiScannerCompany IP rangesAnonymous Wikipedia edits, from interestingorganizations
  • 24. WikiScanner - IP ranges
  • 25. WikiScanner - Wikipedia edits
  • 26. Obtaining user info - New sources PgP key servers (passive) Social Networks (passive) Metadata (passive)
  • 27. Obtaining user info - New sources Social networksLinkedIn is an online network of more than 15 millionexperienced professionals from around the world,representing 150 industries.
  • 28. Obtaining user info -New sources Current Job Pasts Jobs Education Job description Etc...
  • 29. Obtaining user info -New sources
  • 30. Obtaining user info - theHarvester
  • 31. Obtaining Emails - theHarvester
  • 32. Online tools • NameServers reports (NS) • Autonomous Systems reports (AS) • Virtual hosts
  • 33. Serversniff MX and NSGraphs
  • 34. Obtaining more data - New sourcesMetadata: is data about data.Is used to facilitate the understanding, use andmanagement of data.
  • 35. Obtaining more data - New sources - MetadataProvides basic information such as the author of awork, the date of creation, links to any relatedworks, etc.
  • 36. Metadata - Dublin Core (schema)Content & about the Intellectual Property Electronic or Physical Resource manifestation Title Author or Creator Date Subject Publisher Type Description Contributor Format Language Rights Identifier Relation Coverage
  • 37. Metadata - example logo-Kubuntu.png logo-Ubuntu.pngsoftware - Adobe ImageReady software - www.inkscape.orgsize - 1501x391 size - 1501x379mimetype - image/png mimetype - image/png :/
  • 38. Metadata - ImagesEXIF Exchangeable ImageFile Format• GPS coordinates• Time• Camera type• Serial number• Sometimes unaltered original photo can be found in thumbnail Online exif viewer.
  • 39. Metadata - EXIF- Harry Pwner Deathly EXIF?
  • 40. Metadata So where can we get interesting metadata?
  • 41. Metadata Ok, I understand metadata... so what?
  • 42. Metagoofil Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,etc) availables in the target/victim websites.
  • 43. Metagoofil Workers User names Server names names Software Paths versions + Date Mac Address
  • 44. Metagoofil filetype:ppt
  • 45. MetagoofilDownloaded files ppt 1 ppt 2 libextractor / Results.html ppt 3 filtering ppt n
  • 46. Metagoofil - results
  • 47. Metagoofil - results
  • 48. Metagoofil - results
  • 49. Metagoofil - results
  • 50. Metagoofil - results
  • 51. Metagoofil - results
  • 52. Metagoofil & Linkedin results Now we have a lot of information, what can i do? • User profiling • Spear Phishing / Social Engineering • Client side attacks
  • 53. Using resultsUser profiling• Dictionary creation John Doe john.doe jdoe j.doe johndoe johnd ATTACK! john.d jd doe john
  • 54. Metadata - The Revisionist Tool developed by Michal Zalewski, this tool will extract comments and “Track changes” from Word documents.
  • 55. Target information: Email account Google Finance, Reuters
  • 56. Google Finance & Reuters
  • 57. Searching for a target
  • 58.
  • 59. Using resultsPassword profilingDictionary creation: words from the different user sites magic serra angel necropotence Shivan dragon Brute force elf ATTACK brainstorm ... ...
  • 60. There are more ways to getinfo
  • 61. Facebook Phone in sick and treat himself to a day in bed.Kyle Doyles Facebook profile makes it quiteobvious he was not off work for a valid medicalreason
  • 62. All together - Maltego Maltego is “the only” professional Information Gathering tool. “Information is power Information is Maltego”
  • 63. Maltego
  • 64. Maltego
  • 65. ConclusionsClean your files before distributionWeb applications should clean files on upload (if it’s notneeded)Web applications should try to represent theinformation in a non parseable way :/Be careful what you post/send
  • 66.
  • 67. ?
  • 68. Thank you for coming