A fresh new look into Information Gathering - OWASP Spain

  • 521 views
Uploaded on

A review of the new ways to obtain information about a target using public Internet sources.

A review of the new ways to obtain information about a target using public Internet sources.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
521
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
32
Comments
0
Likes
3

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. A fresh new look into Information GatheringChristian MartorellaIV OWASP MEETING SPAIN
  • 2. Who am i ?Christian Martorella Manager Auditoria S21sec CISSP, CISA, CISM, OPST, OPSA OWASP WebSlayer Project Leader OISSG, Board of Directors FIST Conference, Presidente Edge-Security.com
  • 3. Information Gathering “Denotes the collection of information before the attack. The idea is to collect as much information as possible about the target which may be valuable later.”
  • 4. OSINT:Open Source INTelligence “Is an information processing discipline that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.”
  • 5. Penetration test anatomy Information Gathering Discovery / Fingerprinting Vulnerability analysis Exploitation Reporting
  • 6. Types of I.G Passive Active
  • 7. I.G - Types of informationDomain, subdomain/host names dev.target.comUser names jdoeEmail Accounts jdoe@target.comPerson names John Doe
  • 8. I.G what for? Infraestructure: Information for discovering new targets, to get a description of the hosts (NS,MX, AS,etc), shared resources People and organizations: For performing brute force attacks on available services, Spear phishing, social engineering, investigations, analysis, background checks, information leaks
  • 9. How can we obtain this kindof info?
  • 10. Obtaining host and Domains info -Classic Zone Transfer (active) Whois (passive) Reverse Lookup (active) BruteForce (active++) Mail headers (active) smtp (active++)
  • 11. Zone-Transfer - DIG request: dig @srv.weak.dns weak.dns -t AXFR DNS Tester server
  • 12. DNS bruteforce Domain: target.com host afrodita.target.com DNS Tester afrodita.target.com has 192.168.1.1 serverDictionary Discoverd hosts: afrodita ... afrodita hermes x .. neo matrix x neo ...
  • 13. Mail Headers
  • 14. Obtaining user info - Classic Search engines (passive) Web pages (active)
  • 15. New sources for I.G ...
  • 16. Obtaining host and Domains info Search Engines (passive) Public PGP key servers (passive) serversniff.net and others (passive)
  • 17. Obtaining host and Domains -Search engines Passive subdomain
  • 18. Obtaining host and Domains info The PGP public key servers are only intended to help the user in exchanging public keys http://keyserver.veridis.com/ http://pgp.rediris.es:11371/pks/lookup? search=domain
  • 19. Obtaining host and Domains info subdomains
  • 20. Obtaining host and DomainsSubdomainer Demo subDomainer
  • 21. Obtaining host and DomainsSubdomainerOnce we have some host names, we can improve ourdictionary using Google sets, and then try a brute forceattack on the dns.
  • 22. Obtaining host and DomainsSubdomainer
  • 23. WikiScannerCompany IP rangesAnonymous Wikipedia edits, from interestingorganizationshttp://wikiscanner.virgil.gr/
  • 24. WikiScanner - IP ranges
  • 25. WikiScanner - Wikipedia edits
  • 26. Obtaining user info - New sources PgP key servers (passive) Social Networks (passive) Metadata (passive)
  • 27. Obtaining user info - New sources Social networksLinkedIn is an online network of more than 15 millionexperienced professionals from around the world,representing 150 industries.
  • 28. Obtaining user info -New sources Current Job Pasts Jobs Education Job description Etc...
  • 29. Obtaining user info -New sources
  • 30. Obtaining user info - theHarvester
  • 31. Obtaining Emails - theHarvester
  • 32. Online tools ServerSniff.net: • NameServers reports (NS) • Autonomous Systems reports (AS) • Virtual hosts
  • 33. Serversniff MX and NSGraphs
  • 34. Obtaining more data - New sourcesMetadata: is data about data.Is used to facilitate the understanding, use andmanagement of data.
  • 35. Obtaining more data - New sources - MetadataProvides basic information such as the author of awork, the date of creation, links to any relatedworks, etc.
  • 36. Metadata - Dublin Core (schema)Content & about the Intellectual Property Electronic or Physical Resource manifestation Title Author or Creator Date Subject Publisher Type Description Contributor Format Language Rights Identifier Relation Coverage
  • 37. Metadata - example logo-Kubuntu.png logo-Ubuntu.pngsoftware - Adobe ImageReady software - www.inkscape.orgsize - 1501x391 size - 1501x379mimetype - image/png mimetype - image/png :/
  • 38. Metadata - ImagesEXIF Exchangeable ImageFile Format• GPS coordinates• Time• Camera type• Serial number• Sometimes unaltered original photo can be found in thumbnail Online exif viewer.
  • 39. Metadata - EXIF- Harry Pwner Deathly EXIF?
  • 40. Metadata So where can we get interesting metadata?
  • 41. Metadata Ok, I understand metadata... so what?
  • 42. Metagoofil Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,etc) availables in the target/victim websites.
  • 43. Metagoofil Workers User names Server names names Software Paths versions + Date Mac Address
  • 44. Metagoofil site:nasa.gov filetype:ppt
  • 45. MetagoofilDownloaded files ppt 1 ppt 2 libextractor / Results.html ppt 3 filtering ppt n
  • 46. Metagoofil - results
  • 47. Metagoofil - results
  • 48. Metagoofil - results
  • 49. Metagoofil - results
  • 50. Metagoofil - results
  • 51. Metagoofil - results
  • 52. Metagoofil & Linkedin results Now we have a lot of information, what can i do? • User profiling • Spear Phishing / Social Engineering • Client side attacks
  • 53. Using resultsUser profiling• Dictionary creation John Doe john.doe jdoe j.doe johndoe johnd ATTACK! john.d jd doe john
  • 54. Metadata - The Revisionist Tool developed by Michal Zalewski, this tool will extract comments and “Track changes” from Word documents.http://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.doc
  • 55. Target information: Email account Google Finance, Reuters pipl.com Usercheck.com
  • 56. Google Finance & Reuters
  • 57. Searching for a target
  • 58. Usercheck.com
  • 59. Using resultsPassword profilingDictionary creation: words from the different user sites magic serra angel necropotence Shivan dragon Brute force elf ATTACK brainstorm ... ...
  • 60. There are more ways to getinfo
  • 61. Facebook Phone in sick and treat himself to a day in bed.Kyle Doyles Facebook profile makes it quiteobvious he was not off work for a valid medicalreason
  • 62. All together - Maltego Maltego is “the only” professional Information Gathering tool. “Information is power Information is Maltego”
  • 63. Maltego
  • 64. Maltego
  • 65. ConclusionsClean your files before distributionWeb applications should clean files on upload (if it’s notneeded)Web applications should try to represent theinformation in a non parseable way :/Be careful what you post/send
  • 66. Referenceswww.edge-security.comblog.s21sec.comwww.s21sec.comcarnal0wnage.blogspot.comwww.gnunet.org/libextractorlcamtuf.coredump.cx/strikeout/www.paterva.com
  • 67. ?
  • 68. Thank you for coming cmartorella@s21sec.comcmartorella@edge-security.com