A fresh new look into         Information GatheringChristian MartorellaIV OWASP MEETING SPAIN
Who am i ?Christian Martorella   Manager Auditoria S21sec   CISSP, CISA, CISM, OPST, OPSA   OWASP WebSlayer Project Leader...
Information Gathering “Denotes the collection of information before the attack. The idea is to collect as much information...
OSINT:Open Source INTelligence “Is an information processing discipline that involves finding, selecting, and acquiring inf...
Penetration test anatomy        Information Gathering       Discovery / Fingerprinting         Vulnerability analysis     ...
Types	 of I.G    Passive     Active
I.G - Types of informationDomain, subdomain/host names   dev.target.comUser names       jdoeEmail Accounts   jdoe@target.c...
I.G what for? Infraestructure:   Information for discovering new targets, to get a   description of the hosts (NS,MX, AS,e...
How can we obtain this kindof info?
Obtaining host and Domains info -Classic Zone Transfer (active) Whois (passive) Reverse Lookup (active) BruteForce (active...
Zone-Transfer - DIG request: dig @srv.weak.dns weak.dns -t AXFR                                                DNS Tester ...
DNS bruteforce                      Domain: target.com                      host afrodita.target.com                      ...
Mail Headers
Obtaining user info - Classic  Search engines (passive)  Web pages (active)
New sources for I.G ...
Obtaining host and Domains info  Search Engines (passive)  Public PGP key servers (passive)  serversniff.net and others (p...
Obtaining host and Domains -Search engines Passive                  subdomain
Obtaining host and Domains info   The PGP public key servers are only intended to   help the user in exchanging public key...
Obtaining host and Domains info                   subdomains
Obtaining host and DomainsSubdomainer         Demo subDomainer
Obtaining host and DomainsSubdomainerOnce we have some host names, we can improve ourdictionary using Google sets, and the...
Obtaining host and DomainsSubdomainer
WikiScannerCompany IP rangesAnonymous Wikipedia edits, from interestingorganizationshttp://wikiscanner.virgil.gr/
WikiScanner - IP ranges
WikiScanner - Wikipedia edits
Obtaining user info - New sources   PgP key servers (passive)   Social Networks (passive)   Metadata (passive)
Obtaining user info - New sources Social networksLinkedIn is an online network of more than 15 millionexperienced professi...
Obtaining user info -New sources    Current Job     Pasts Jobs     Education   Job description        Etc...
Obtaining user info -New sources
Obtaining user info - theHarvester
Obtaining Emails - theHarvester
Online tools ServerSniff.net: • NameServers reports (NS) • Autonomous Systems reports (AS) • Virtual hosts
Serversniff MX and NSGraphs
Obtaining more data - New sourcesMetadata: is data about data.Is used to facilitate the understanding, use andmanagement o...
Obtaining more data - New sources - MetadataProvides basic information such as the author of awork, the date of creation, ...
Metadata - Dublin Core (schema)Content & about the   Intellectual Property   Electronic or Physical     Resource          ...
Metadata - example                                        logo-Kubuntu.png      logo-Ubuntu.pngsoftware - Adobe ImageReady...
Metadata - ImagesEXIF Exchangeable ImageFile Format• GPS coordinates• Time• Camera type• Serial number• Sometimes unaltere...
Metadata - EXIF- Harry Pwner     Deathly EXIF?
Metadata So where can we get interesting metadata?
Metadata Ok, I understand metadata... so what?
Metagoofil Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt...
Metagoofil                       Workers User names                              Server names                       names  ...
Metagoofil      site:nasa.gov filetype:ppt
MetagoofilDownloaded files     ppt 1     ppt 2                  libextractor /                                   Results.htm...
Metagoofil - results
Metagoofil - results
Metagoofil - results
Metagoofil - results
Metagoofil - results
Metagoofil - results
Metagoofil & Linkedin results Now we have a lot of information, what can i do? • User profiling • Spear Phishing / Social En...
Using resultsUser profiling• Dictionary creation John Doe                john.doe                     jdoe                 ...
Metadata - The Revisionist         Tool developed by Michal Zalewski, this tool will         extract comments and “Track c...
Target information: Email account Google Finance, Reuters pipl.com Usercheck.com
Google Finance & Reuters
Searching for a target
Usercheck.com
Using resultsPassword profilingDictionary creation: words from the different user sites                 magic              ...
There are more ways to getinfo
Facebook Phone in sick and treat himself to a day in bed.Kyle Doyles Facebook profile makes it quiteobvious he was not off ...
All together - Maltego Maltego is “the only” professional Information Gathering tool.       “Information is power       In...
Maltego
Maltego
ConclusionsClean your files before distributionWeb applications should clean files on upload (if it’s notneeded)Web applicat...
Referenceswww.edge-security.comblog.s21sec.comwww.s21sec.comcarnal0wnage.blogspot.comwww.gnunet.org/libextractorlcamtuf.co...
?
Thank you for coming  cmartorella@s21sec.comcmartorella@edge-security.com
Upcoming SlideShare
Loading in …5
×

A fresh new look into Information Gathering - OWASP Spain

1,004
-1

Published on

A review of the new ways to obtain information about a target using public Internet sources.

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,004
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
43
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

A fresh new look into Information Gathering - OWASP Spain

  1. 1. A fresh new look into Information GatheringChristian MartorellaIV OWASP MEETING SPAIN
  2. 2. Who am i ?Christian Martorella Manager Auditoria S21sec CISSP, CISA, CISM, OPST, OPSA OWASP WebSlayer Project Leader OISSG, Board of Directors FIST Conference, Presidente Edge-Security.com
  3. 3. Information Gathering “Denotes the collection of information before the attack. The idea is to collect as much information as possible about the target which may be valuable later.”
  4. 4. OSINT:Open Source INTelligence “Is an information processing discipline that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.”
  5. 5. Penetration test anatomy Information Gathering Discovery / Fingerprinting Vulnerability analysis Exploitation Reporting
  6. 6. Types of I.G Passive Active
  7. 7. I.G - Types of informationDomain, subdomain/host names dev.target.comUser names jdoeEmail Accounts jdoe@target.comPerson names John Doe
  8. 8. I.G what for? Infraestructure: Information for discovering new targets, to get a description of the hosts (NS,MX, AS,etc), shared resources People and organizations: For performing brute force attacks on available services, Spear phishing, social engineering, investigations, analysis, background checks, information leaks
  9. 9. How can we obtain this kindof info?
  10. 10. Obtaining host and Domains info -Classic Zone Transfer (active) Whois (passive) Reverse Lookup (active) BruteForce (active++) Mail headers (active) smtp (active++)
  11. 11. Zone-Transfer - DIG request: dig @srv.weak.dns weak.dns -t AXFR DNS Tester server
  12. 12. DNS bruteforce Domain: target.com host afrodita.target.com DNS Tester afrodita.target.com has 192.168.1.1 serverDictionary Discoverd hosts: afrodita ... afrodita hermes x .. neo matrix x neo ...
  13. 13. Mail Headers
  14. 14. Obtaining user info - Classic Search engines (passive) Web pages (active)
  15. 15. New sources for I.G ...
  16. 16. Obtaining host and Domains info Search Engines (passive) Public PGP key servers (passive) serversniff.net and others (passive)
  17. 17. Obtaining host and Domains -Search engines Passive subdomain
  18. 18. Obtaining host and Domains info The PGP public key servers are only intended to help the user in exchanging public keys http://keyserver.veridis.com/ http://pgp.rediris.es:11371/pks/lookup? search=domain
  19. 19. Obtaining host and Domains info subdomains
  20. 20. Obtaining host and DomainsSubdomainer Demo subDomainer
  21. 21. Obtaining host and DomainsSubdomainerOnce we have some host names, we can improve ourdictionary using Google sets, and then try a brute forceattack on the dns.
  22. 22. Obtaining host and DomainsSubdomainer
  23. 23. WikiScannerCompany IP rangesAnonymous Wikipedia edits, from interestingorganizationshttp://wikiscanner.virgil.gr/
  24. 24. WikiScanner - IP ranges
  25. 25. WikiScanner - Wikipedia edits
  26. 26. Obtaining user info - New sources PgP key servers (passive) Social Networks (passive) Metadata (passive)
  27. 27. Obtaining user info - New sources Social networksLinkedIn is an online network of more than 15 millionexperienced professionals from around the world,representing 150 industries.
  28. 28. Obtaining user info -New sources Current Job Pasts Jobs Education Job description Etc...
  29. 29. Obtaining user info -New sources
  30. 30. Obtaining user info - theHarvester
  31. 31. Obtaining Emails - theHarvester
  32. 32. Online tools ServerSniff.net: • NameServers reports (NS) • Autonomous Systems reports (AS) • Virtual hosts
  33. 33. Serversniff MX and NSGraphs
  34. 34. Obtaining more data - New sourcesMetadata: is data about data.Is used to facilitate the understanding, use andmanagement of data.
  35. 35. Obtaining more data - New sources - MetadataProvides basic information such as the author of awork, the date of creation, links to any relatedworks, etc.
  36. 36. Metadata - Dublin Core (schema)Content & about the Intellectual Property Electronic or Physical Resource manifestation Title Author or Creator Date Subject Publisher Type Description Contributor Format Language Rights Identifier Relation Coverage
  37. 37. Metadata - example logo-Kubuntu.png logo-Ubuntu.pngsoftware - Adobe ImageReady software - www.inkscape.orgsize - 1501x391 size - 1501x379mimetype - image/png mimetype - image/png :/
  38. 38. Metadata - ImagesEXIF Exchangeable ImageFile Format• GPS coordinates• Time• Camera type• Serial number• Sometimes unaltered original photo can be found in thumbnail Online exif viewer.
  39. 39. Metadata - EXIF- Harry Pwner Deathly EXIF?
  40. 40. Metadata So where can we get interesting metadata?
  41. 41. Metadata Ok, I understand metadata... so what?
  42. 42. Metagoofil Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,etc) availables in the target/victim websites.
  43. 43. Metagoofil Workers User names Server names names Software Paths versions + Date Mac Address
  44. 44. Metagoofil site:nasa.gov filetype:ppt
  45. 45. MetagoofilDownloaded files ppt 1 ppt 2 libextractor / Results.html ppt 3 filtering ppt n
  46. 46. Metagoofil - results
  47. 47. Metagoofil - results
  48. 48. Metagoofil - results
  49. 49. Metagoofil - results
  50. 50. Metagoofil - results
  51. 51. Metagoofil - results
  52. 52. Metagoofil & Linkedin results Now we have a lot of information, what can i do? • User profiling • Spear Phishing / Social Engineering • Client side attacks
  53. 53. Using resultsUser profiling• Dictionary creation John Doe john.doe jdoe j.doe johndoe johnd ATTACK! john.d jd doe john
  54. 54. Metadata - The Revisionist Tool developed by Michal Zalewski, this tool will extract comments and “Track changes” from Word documents.http://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.doc
  55. 55. Target information: Email account Google Finance, Reuters pipl.com Usercheck.com
  56. 56. Google Finance & Reuters
  57. 57. Searching for a target
  58. 58. Usercheck.com
  59. 59. Using resultsPassword profilingDictionary creation: words from the different user sites magic serra angel necropotence Shivan dragon Brute force elf ATTACK brainstorm ... ...
  60. 60. There are more ways to getinfo
  61. 61. Facebook Phone in sick and treat himself to a day in bed.Kyle Doyles Facebook profile makes it quiteobvious he was not off work for a valid medicalreason
  62. 62. All together - Maltego Maltego is “the only” professional Information Gathering tool. “Information is power Information is Maltego”
  63. 63. Maltego
  64. 64. Maltego
  65. 65. ConclusionsClean your files before distributionWeb applications should clean files on upload (if it’s notneeded)Web applications should try to represent theinformation in a non parseable way :/Be careful what you post/send
  66. 66. Referenceswww.edge-security.comblog.s21sec.comwww.s21sec.comcarnal0wnage.blogspot.comwww.gnunet.org/libextractorlcamtuf.coredump.cx/strikeout/www.paterva.com
  67. 67. ?
  68. 68. Thank you for coming cmartorella@s21sec.comcmartorella@edge-security.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×