Offensive OSINT - Presented at OSIRA Summit in London 2014. Overview of OSINT process, and how attackers are using it to prepare their cyber attacks.

Transcript

  • 1. OFFENSIVE OSINT CHRISTIAN MARTORELLA OSIRA SUMMIT 2014 LONDON, UK
  • 2. About me Christian Martorella: – I work at Skype (MS), Product Security team – Founder of Edge-security.com – Developed open source projects like theHarvester, Metagoofil, Wfuzz and Webslayer – Presented at many security conferences (Blackhat Arsenal, Hack.lu, WhatTheHack, OWASP, Source) – Over 12 years focusing on offensive security
  • 3. Disclaimer Any views or opinions presented in this presentation are solely those of the author and do not necessarily represent those of the employer
  • 4. OSINT - Intro Open-source intelligence (OSINT) is intelligence collected from publicly available sources. • "Open" refers to overt, publicly available sources (as opposed to covert or clandestine sources) • It is not related to open-source software or public intelligence.
  • 5. OSINT What is Threat Intelligence / Cyber Intelligence?
  • 6. OSINT PROCESS Source Identification Data harvesting Data Analysis Data processing and Integration Results Delivery
  • 7. Source Identification
  • 8. Data Harvesting
  • 9. Data processing
  • 10. Data Analysis
  • 11. Results Delivery
  • 12. Offensive OSINT
  • 13. Offensive vs. Defensive OSINT From the security perspective we can separate OSINT: Offensive: Gathering information before an attack. Defensive: Learning about attacks against the company
  • 14. Offensive OSINT • Finding as much information as possible that will facilitate the attack • Still now, many Penetration Testing companies skip this phase • Attackers usually spend more time than testers on this phase
  • 15. Typical Pentesting Methodology I.G Scan Enumerate Exploit Post- Exploit Cover Tracks Write report
  • 16. What everyone focuses on: I.G Scan Enumerate Exploit Post-Exploit Cover Tracks Write report
  • 17. Attacker Methodology Discover what makes the company money Discover what is valuable to the attacker Do whatever it takes... Steal it Information Gathering
  • 18. Data Harvesting
  • 19. Data Harvesting A.K.A: • Information Gathering: The act of collecting information • Footprinting: The technique of gathering information about computer systems and the entities they belong to. • Web mining: The act of collecting information from the web
  • 20. Data Harvesting – How? Techniques: • Scraping (raw) • Open APIs • Commercial APIs • Network Scanning • Purchasing data • Open source Data sets • Databases • Logfiles
  • 21. Data Harvesting - Passive vs Active • Passive data harvesting: Our actions can't be detected by the target (Non attribution) • Active data harvesting: our actions leave traces that can be detected by the target
  • 22. Offensive OSINT targets
  • 23. Offensive OSINT – end goals • Phishing • Social Engineering • Denial of Service • Password brute force attacks • Target infiltration
  • 24. What data is interesting? Emails Users / Employees names -Interests -People relationships -Alias
  • 25. Emails • PGP servers • Search engines • Whois
  • 26. Employees / Usernames / Alias linkedin.com jigsaw.com people123.com pipl.com peekyou.com Google Finance / Etc. Usernamecheck.com checkusernames.com Glassdoor.com Hoovers.com Corpwatch.org intelius.com
  • 27. Username checks
  • 28. Social Media
  • 29. • Employees of a company • Profile picture • Specialties • Role • Country • Emails
  • 30. Linkedin Simon Longbottom Simon.Longbottom@amazon.com Product definition, proposition research, pricing, product marketing, product promotion, market research, new product introduction pictureUrl': 'http://m.c.lnkd.licdn.com/mpr/mprz/'}
  • 31. Linkedin
  • 32. Google+
  • 33. GRAPH SEARCH: "People who work at Amazon.com" "People who work at Amazon.com and live in Seattle Washington"
  • 34. Google query: site:twitter.com intitle:"on Twitter" "Google" (the slide shows a screenshot of the search results: Twitter accounts belonging to Google)
  • 35. Domain name
  • 36. Geo-location • People location • Servers location • Wireless AP location
  • 37. Geo-location Social media posts Foursquare Pictures Twitter Facebook
  • 38. Twitter - Creepy
  • 39. Images Reverse image search Face identification Exif Metadata analysis: Profile pictures Attachments
  • 40. Images • Pic from Novartis search on TweepSearch
  • 41. INFRASTRUCTURE IP Hostnames Services Networks Geo-location Software version CDN Multitenant Hosting
  • 42. Infrastructure Internet Census project Whois ServerSniff Jobsites Search engines ShodanHQ
  • 43. Infrastructure • Once we have identified the Infrastructure components, what can we do?
  • 44. ShodanHQ
  • 45. Bugs databases
  • 46. INDICATORS OF COMPROMISE (IOC) IP addresses Domains URLs Hashes Stolen Passwords
  • 47. IOC Collective Intelligence Framework sources (70) Abuse.CH Shadowserver.org Nothink.org Virustotal.com Malwr Seculert
  • 48. DATA LEAKS Pastebin.com @pastebindorks Pastebin clones
  • 49. Infrastructure • DNS o Bruteforce o Zone Transfer • SMTP o Header analysis o Vrfy, expn • Web sites o Hidden files / directories bruteforce • Network scanning • Metadata
  • 50. Metadata • Office documents • Openoffice documents • PDF documents • Images EXIF metadata • Others Metadata: is data about data. It is used to facilitate the understanding, use and management of data.
  • 51. Cat Schwartz - Tech TV
  • 52. Washington Post Botmaster location exposed by the Washington Post. SLUG: mag/hacker; DATE: 12/19/2005; PHOTOGRAPHER: Sarah L. Voisin/TWP; id#:; LOCATION: Roland, OK; CAPTION:; PICTURED:; Canon Canon EOS 20D; Adobe Photoshop CS2 Macintosh; 2006:02:16 15:44:49; Sarah L. Voisin. There are only 1.500 males in Roland, Oklahoma
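As an added example (not from the deck, written from the defender's side): a minimal Python parser for the TIFF-style EXIF directory that lists the identifying fields a photo carries, so an organisation can audit an image before publishing it. The `build_tiff` helper and the sample values are constructed for this example; the tag ids come from the TIFF/EXIF specification.

```python
import struct

# TIFF/EXIF tag ids (TIFF 6.0 spec) that commonly carry identifying data.
LEAKY_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
              0x0132: "DateTime", 0x013B: "Artist"}
TAG_IDS = {name: tag for tag, name in LEAKY_TAGS.items()}
ASCII = 2  # TIFF field type for NUL-terminated strings


def build_tiff(fields):
    """Build a minimal little-endian TIFF/EXIF blob with one IFD of ASCII tags.
    Constructed test input; in a real JPEG this sits inside the APP1 segment."""
    entries = sorted((TAG_IDS[n], v.encode() + b"\x00") for n, v in fields.items())
    ifd_offset = 8
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4  # first byte after the IFD
    ifd, blob = struct.pack("<H", len(entries)), b""
    for tag, val in entries:
        if len(val) <= 4:  # short values are stored inline in the 4-byte value field
            ifd += struct.pack("<HHI4s", tag, ASCII, len(val), val.ljust(4, b"\x00"))
        else:              # longer values live after the IFD, referenced by offset
            ifd += struct.pack("<HHII", tag, ASCII, len(val), data_offset + len(blob))
            blob += val
    ifd += struct.pack("<I", 0)  # no next IFD
    return b"II*\x00" + struct.pack("<I", ifd_offset) + ifd + blob


def extract_metadata(tiff):
    """Walk the first IFD and return {name: value} for every leaky ASCII tag found."""
    if tiff[:4] not in (b"II*\x00", b"MM\x00*"):
        raise ValueError("not a TIFF/EXIF header")
    end = "<" if tiff[:2] == b"II" else ">"
    (ifd_offset,) = struct.unpack_from(end + "I", tiff, 4)
    (count,) = struct.unpack_from(end + "H", tiff, ifd_offset)
    found = {}
    for i in range(count):
        pos = ifd_offset + 2 + 12 * i
        tag, ftype, n, raw = struct.unpack_from(end + "HHI4s", tiff, pos)
        if tag not in LEAKY_TAGS or ftype != ASCII:
            continue
        if n <= 4:
            val = raw[:n]
        else:
            (off,) = struct.unpack_from(end + "I", raw)
            val = tiff[off:off + n]
        found[LEAKY_TAGS[tag]] = val.rstrip(b"\x00").decode("ascii", "replace")
    return found


# Constructed sample replicating the fields the Washington Post photo exposed.
SAMPLE = build_tiff({"Make": "Canon", "Model": "Canon EOS 20D", "Artist": "Sarah L. Voisin",
                     "Software": "Adobe Photoshop CS2 Macintosh",
                     "DateTime": "2006:02:16 15:44:49"})
```

Calling `extract_metadata(SAMPLE)` returns the photographer, editing software and capture time, exactly the fields a publisher should strip before an image goes public.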
  • 53. Metagoofil - Results
  • 54. Metagoofil - Results
  • 55. Metagoofil - results
  • 56. INFORMATION GATHERING TOOLS • FOCA • Spiderfoot • Tapir • Creepy • theHarvester • Metagoofil
  • 57. This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization and reduce exposure of the company.
  • 58. - Sources google googleCSE bing bingapi pgp linkedin people123 jigsaw twitter GooglePlus shodanhq • Open source software • Command line • Extendable
  • 59. • python theHarvester.py -d lacaixa.es -b googleCSE -l 500 -v -h
  • 60. - Intelligence Implement entities Cross reference entities Image reverse search / profile pictures Geo-location Identify vulnerable services Username search in other services Target prioritization
  • 61. Challenges • Source availability (APIs) • Changes in Terms of Use • Generating valid intelligence
  • 62. ? Twitter: @laramies Email: cmartorellaW@edge-security.com