OFFENSIVE OSINT
CHRISTIAN MARTORELLA
OSIRA SUMMIT 2014
LONDON, UK
Offensive OSINT - Presented at OSIRA Summit in London 2014. Overview of OSINT process, and how attackers are using it to prepare their cyber attacks.
Transcript of "Offensive OSINT"

Slide 1: OFFENSIVE OSINT
Christian Martorella, OSIRA Summit 2014, London, UK

Slide 2: About me
Christian Martorella:
– I work in Skype (MS), Product Security team
– Founder of Edge-security.com
– Developed open source projects like theHarvester, Metagoofil, Wfuzz and Webslayer
– Presented in many security conferences (Blackhat Arsenal, Hack.lu, WhatTheHack, OWASP, Source)
– Over 12 years focusing on offensive security

Slide 3: Disclaimer
Any views or opinions presented in this presentation are solely those of the author and do not necessarily represent those of the employer.

Slide 4: OSINT - Intro
Open-source intelligence (OSINT) is intelligence collected from publicly available sources.
• "Open" refers to overt, publicly available sources (as opposed to covert or clandestine sources)
• It is not related to open-source software or public intelligence.

Slide 5: OSINT
What is Threat Intelligence / Cyber Intelligence?

Slide 6: OSINT PROCESS
Source Identification, Data harvesting, Data Analysis, Data processing and Integration, Results Delivery

Slide 7: Source Identification

Slide 8: Data Harvesting

Slide 9: Data processing

Slide 10: Data Analysis

Slide 11: Results Delivery

Slide 12: Offensive OSINT

Slide 13: Offensive vs. Defensive OSINT
From the security perspective we can separate OSINT:
Offensive: gathering information before an attack.
Defensive: learning about attacks against the company.

Slide 14: Offensive OSINT
• Finding as much information as possible that will facilitate the attack
• Still now, many Penetration Testing companies skip this phase
• Attackers usually spend more time than testers on this phase

Slide 15: Typical Pentesting Methodology
I.G (Information Gathering) → Scan → Enumerate → Exploit → Post-Exploit → Cover Tracks → Write report

Slide 16: What everyone focuses on:
I.G → Scan → Enumerate → Exploit → Post-Exploit → Cover Tracks → Write report

Slide 17: Attacker Methodology
Discover what makes the company money → Discover what is valuable to the attacker → Do whatever it takes... → Steal it
(Information Gathering)

Slide 18: Data Harvesting

Slide 19: Data Harvesting
A.K.A:
• Information Gathering: the act of collecting information
• Footprinting: the technique of gathering information about computer systems and the entities they belong to
• Web mining: the act of collecting information from the web

Slide 20: Data Harvesting – How?
Techniques:
• Scraping (raw)
• Open APIs
• Commercial APIs
• Network scanning
• Purchasing data
• Open source data sets
• Databases
• Logfiles

Slide 21: Data Harvesting - Passive vs Active
• Passive data harvesting: our actions can't be detected by the target (non-attribution)
• Active data harvesting: our actions leave traces that can be detected by the target

Slide 22: Offensive OSINT targets

Slide 23: Offensive OSINT – end goals
• Phishing
• Social Engineering
• Denial of Service
• Password brute force attacks
• Target infiltration

Slide 24: What data is interesting?
Emails
Users / Employees names
- Interests
- People relationships
- Alias

Slide 25: Emails
• PGP servers
• Search engines
• Whois

Slide 26: Employees / Usernames / Alias
linkedin.com, jigsaw.com, people123.com, pipl.com, peekyou.com, Google Finance / etc., Usernamecheck.com, checkusernames.com, Glassdoor.com, Hoovers.com, Corpwatch.org, intelius.com

Slide 27: Username checks

Slide 28: Social Media

Slide 29:
• Employees of a company
• Profile picture
• Specialties
• Role
• Country
• Emails

Slide 30: Linkedin
Simon Longbottom
Simon.Longbottom@amazon.com
Product definition, proposition research, pricing, product marketing, product promotion, market research, new product introduction
pictureUrl': 'http://m.c.lnkd.licdn.com/mpr/mprz/'}

Slide 31: Linkedin

Slide 32: Google+

Slide 33: GRAPH SEARCH:
"People who work at Amazon.com"
"People who work at Amazon.com and live in Seattle Washington"

Slide 34:
Google query: site:twitter.com intitle:"on Twitter" "Google"
Result: the Google-affiliated accounts @google, @googlenexus, @GoogleDoodles, @googlewmc, @googleindia, @GoogleChat, @googleaccess, @googleglass, @googlenonprofit, @googlewallet, @googlereader, @googlefiber, @googleio, @googledevs, @GoogleIO, @GoogleMsia, @googlejobs, @googleapps, @GooglePlay, @GoogleAtWork, @FaktaGoogle, @googlemobileads, @googlepolitics, @ericschmidt, @GoogleMobile, @googledownunder, @AdSense, @googlecalendar, @googlenews, @GoogleB2BTeam, @JustinCutroni

Slide 35: Domain name

Slide 36: Geo-location
• People location
• Servers location
• Wireless AP location

Slide 37: Geo-location
Social media posts, Foursquare, Pictures, Twitter, Facebook

Slide 38: Twitter - Creepy

Slide 39: Images
Reverse image search
Face identification
Exif metadata analysis: profile pictures, attachments

Slide 40: Images
• Pic from Novartis search on TwwepSearch

Slide 41: INFRASTRUCTURE
IP, Hostnames, Services, Networks, Geo-location, Software version, CDN, Multitenant Hosting

Slide 42: Infrastructure
Internet Census project, Whois, ServerSniff, Jobsites, Search engines, ShodanHQ

Slide 43: Infrastructure
• Once we have identified the infrastructure components, what can we do?

Slide 44: ShodanHQ

Slide 45: Bugs databases

Slide 46: INDICATORS OF COMPROMISE (IOC)
IP addresses, Domains, URLs, Hashes, Stolen Passwords

Slide 47: IOC
Collective Intelligence Framework sources (70), Abuse.CH, Shadowserver.org, Nothink.org, Virustotal.com, Malwr, Seculert

Slide 48: DATA LEAKS
Pastebin.com, @pastebindorks, Pastebin clones

Slide 49: Infrastructure
• DNS
  o Bruteforce
  o Zone Transfer
• SMTP
  o Header analysis
  o VRFY, EXPN
• Web sites
  o Hidden files / directories bruteforce
• Network scanning
• Metadata
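Slide 21's point that active harvesting leaves traces the target can detect, applied to the hidden files / directories bruteforce of slide 49: an added Python example (not from the deck, nor from theHarvester or any other tool named here) that flags a client issuing many 404s to distinct paths inside a short window. The log lines are constructed in Apache "combined" format; the client IPs and the probed paths are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access log pattern: client IP, timestamp, request line, status code
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample log: one client walks a wordlist of guessed directories (all 404) while a
# normal visitor fetches a page and misses only a favicon. IPs are documentation ranges, paths are made up.
PROBED_PATHS = ["/admin/", "/backup/", "/old/", "/test/", "/dev/", "/tmp/", "/private/", "/staging/",
                "/config/", "/data/", "/logs/", "/uploads/"]
SAMPLE_LOG = [f'192.0.2.10 - - [19/Dec/2005:15:44:{i:02d} +0000] "GET {p} HTTP/1.1" 404 209 "-" "Mozilla/5.0"'
              for i, p in enumerate(PROBED_PATHS)]
SAMPLE_LOG += ['198.51.100.7 - - [19/Dec/2005:15:44:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
               '198.51.100.7 - - [19/Dec/2005:15:44:09 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"']

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def detect_dir_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Flag clients that hit >= threshold distinct non-existent paths (404) inside any window-long span.
    Returns {ip: peak number of distinct 404 paths seen in one window}; ordinary browsing stays below threshold."""
    misses = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        ip, ts, path, status = rec
        if status == 404:
            misses[ip].append((ts, path))
    alerts = {}
    for ip, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):                       # sliding window over this client's 404s
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({path for _, path in hits[start:end + 1]})
            if distinct >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), distinct)
    return alerts
```

The same sliding-window count over distinct names works for the DNS bruteforce and VRFY/EXPN probing on the slide once the corresponding resolver or mail logs are parsed.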
Slide 50: Metadata
• Office documents
• OpenOffice documents
• PDF documents
• Images EXIF metadata
• Others
Metadata is data about data. It is used to facilitate the understanding, use and management of data.

Slide 51: Cat Schwartz - Tech TV

Slide 52: Washington Post
Botmaster location exposed by the Washington Post
SLUG: mag/hacker
DATE: 12/19/2005
PHOTOGRAPHER: Sarah L. Voisin/TWP
id#:
LOCATION: Roland, OK
CAPTION:
PICTURED: Canon Canon EOS 20D, Adobe Photoshop CS2 Macintosh, 2006:02:16 15:44:49, Sarah L. Voisin
There are only 1.500 males in Roland Oklahoma
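The Washington Post case above (photographer, software, date and location read straight out of a published photo's metadata), as an added Python example that is not part of the deck or of Metagoofil: it builds a constructed JPEG carrying EXIF fields, reports what an attacker would read from it, and strips the Exif segment as the mitigation before publishing. The tag numbers are the real TIFF/EXIF ids; the artist, software and date values are made up.

```python
import struct
TAGS = {0x013B: "Artist", 0x0131: "Software", 0x0132: "DateTime", 0x8825: "GPSInfo"}  # real TIFF/EXIF tag ids

def build_exif_jpeg(fields):  # constructed sample: SOI + APP1 Exif (little-endian TIFF, IFD0 + GPS IFD) + EOI
    n, entries, blob = len(fields) + 1, [], b""
    data_start = 8 + 2 + 12 * n + 4                       # first byte after IFD0, relative to the TIFF header
    for tag, text in sorted(fields.items()):              # ASCII values (>4 bytes) are stored out-of-line
        entries.append(struct.pack("<HHII", tag, 2, len(text) + 1, data_start + len(blob)))
        blob += text.encode() + b"\x00"
    entries.append(struct.pack("<HHII", 0x8825, 4, 1, data_start + len(blob)))  # pointer to the GPS IFD
    blob += struct.pack("<HHHI4sI", 1, 0x0001, 2, 2, b"N\x00\x00\x00", 0)       # GPS IFD: GPSLatitudeRef only
    tiff = b"II*\x00" + struct.pack("<IH", 8, n) + b"".join(entries) + b"\x00" * 4 + blob
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff + b"\xff\xd9"

def exif_segments(jpeg):  # yield (start, end, tiff_bytes) per APP1 Exif segment before the scan data / EOI
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            yield pos, end, jpeg[pos + 10:end]
        pos = end

def read_ifd(tiff, offset, e):
    """Decode one IFD: ASCII -> str, single LONG -> int (IFD pointers), anything else -> raw bytes."""
    out = {}
    for i in range(struct.unpack(e + "H", tiff[offset:offset + 2])[0]):
        ent = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        size = {3: 2, 4: 4, 5: 8}.get(typ, 1) * count     # bytes per element: SHORT, LONG, RATIONAL, else 1
        off = ent + 8 if size <= 4 else struct.unpack(e + "I", tiff[ent + 8:ent + 12])[0]  # inline or out-of-line
        raw = tiff[off:off + size]
        out[tag] = (raw.rstrip(b"\x00").decode("ascii", "replace") if typ == 2
                    else struct.unpack(e + "I", raw)[0] if typ == 4 and count == 1 else raw)
    return out

def exif_exposure(jpeg):
    """What an attacker reads from the file: named IFD0 fields, with the GPS IFD decoded if one is linked."""
    for _start, _end, tiff in exif_segments(jpeg):
        e = "<" if tiff[:2] == b"II" else ">"                # byte order from the TIFF header
        ifd0 = read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if 0x8825 in ifd0:                                    # GPS IFD pointer present: location leak
            ifd0[0x8825] = read_ifd(tiff, ifd0[0x8825], e)
        return {TAGS[t]: v for t, v in ifd0.items() if t in TAGS}
    return {}

def strip_exif(jpeg):
    """Mitigation before publishing: drop every APP1 Exif segment and keep the rest byte-for-byte."""
    for start, end, _tiff in reversed(list(exif_segments(jpeg))):   # cut from the back so offsets stay valid
        jpeg = jpeg[:start] + jpeg[end:]
    return jpeg
```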
Slides 53-55: Metagoofil - Results

Slide 56: INFORMATION GATHERING TOOLS
• FOCA
• Spiderfoot
• Tapir
• Creepy
• theHarvester
• Metagoofil

Slide 57:
This tool is intended to help penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization and reduce exposure of the company.

Slide 58: - Sources
google, googleCSE, bing, bingapi, pgp, linkedin, people123, jigsaw, twitter, GooglePlus, shodanhq
• Open source software
• Command line
• Extendable

Slide 59:
• python theHarvester.py -d lacaixa.es -b googleCSE -l 500 -v -h

Slide 60: - Intelligence
Implement entities
Cross reference entities
Image reverse search / profile pictures
Geo-location
Identify vulnerable services
Username search in other services
Target prioritization

Slide 61: Challenges
• Source availability (APIs)
• Changes in Terms of Use
• Generating valid intelligence

Slide 62: ?
Twitter: @laramies
Email: cmartorellaW@edge-security.com