• Like
Offensive OSINT
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Offensive OSINT - Presented at OSIRA Summit in London 2014. Overview of OSINT process, and how attackers are using it to prepare their cyber attacks.

Offensive OSINT - Presented at OSIRA Summit in London 2014. Overview of OSINT process, and how attackers are using it to prepare their cyber attacks.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 2. About me Chris&an  Martorella:   –  I  work  in  Skype  (MS),  Product  Security  team   –  Founder  of  Edge-­‐security.com   –  Developed  open  source  projects  like  theHarvester,   Metagoofil,  Wfuzz  and  Webslayer   –  Presented  in  many  Security  conferences  (Blackhat  Arsenal,   Hack.lu,  WhaNheHack,  OWASP,  Source)   –  Over  12  years  focusing  on  offensive  security    
  • 3. Disclaimer Any views or opinions presented in this presentation are solely those of the author and do not necessarily represent those of the employer
  • 4. OSINT - Intro Open-­‐source  intelligence  (OSINT)  is  intelligence   collected  from  publicly  available  sources.   •  “Open"  refers  to  overt,  publicly  available  sources   (as  opposed  to  covert  or  clandes&ne  sources)   •  It  is  not  related  to  open-­‐source  soUware  or   public  intelligence.  
  • 5. OSINT       What  is  Threat  Intelligence  /  Cyber   Intelligence  ?  
  • 6. OSINT PROCESS Source Identification Data harvesting Data Analysis Data processing and Integration Results Delivery
  • 7. Source Identification
  • 8. Data Harvesting
  • 9. Data processing
  • 10. Data Analysis
  • 11. Results Delivery
  • 12. Offensive OSINT
  • 13. Offensive vs. Defensive OSINT From  the  security  perspec&ve  we  can  separate   OSINT:     Offensive:  Gathering  informa&on  before  an   aNack.     Defensive:  Learning  about  aNacks  against  the   company  
  • 14. Offensive OSINT •  Finding  as  much  informa&on  as  possible  that   will  facilitate  the  aNack   •  S&ll  now,  many  Penetra&on  Tes&ng   companies  skip  this  phase   •  ANackers  usually  spend  more  &me  than   testers  on  this  phase  
  • 15. Typical Pentesting Methodology I.G Scan Enumerate Exploit Post- Exploit Cover Tracks Write report
  • 16. What everyone focus on: I.G   Scan     Enumera te   Exploit   Post-­‐ Exploit   Cover   Tracks   Write   report  
  • 17. Attacker Methodology Discover  what  makes   the  company  money   Discover  what  is   valuable  to  the   aNacker   Do  whatever  it   takes...   Steal  it   Informa&on  Gathering  
  • 18. Data  Harves:ng  
  • 19. Data Harvesting A.K.A:   •  Informa:on  Gathering:   The  act  of  collec&ng  informa&on     •  Foot  prin:ng:     Is  the  technique  of  gathering  informa&on  about   computer  systems  and  the  en&&es  they  belong  to.     •  Web  mining:     The  act  of  collec&ng  informa&on  from  the  web        
  • 20. Data Harvesting – How? Techniques:     •  Scraping  (raw)   •  Open  APIs   •  Commercial  APIS   •  Network  Scanning   •  Purchasing  data   •  Open  source  Data  sets   •  Databases   •  Logfiles    
  • 21. Data  Harves&ng    -­‐  Passive  vs  Ac&ve   •  Passive  data  harves:ng:  Our  ac&ons  can’t  be   detected  by  the  target  (Non  aNribu&on)   •  Ac:ve  data  harves:ng:  our  ac&ons  leave   traces  that  can  be  detected  by  the  target  
  • 22. Offensive OSINT targets
  • 23. Offensive OSINT – end goals •  Phishing     •  Social  Engineering   •  Denial  of  Services   •  Password  brute  force  aNacks   •  Target  infiltra&on    
  • 24. What  data is interesting? Emails Users / Employees names -Interests -People relationships -Alias      
  • 25. Emails •  PGP  servers   •  Search  engines   •  Whois    
  • 26. Employees / Usernames / Alias linkedin.com   jigsaw.com   people123.com   pipl.com   peekyou.com   Google  Finance  /  Etc.     Usernamecheck.com   checkusernames.com     Glassdoor.com   Hoovers.com   Corpwatch.org   intelius.com  
  • 27. Username checks
  • 28. Social Media  
  • 29. •  Employees  of  a  company   •  Profile  picture   •  Special&es   •  Role   •  Country   •  Emails  
  • 30. Linkedin   Simon  LongboNom   Simon.LongboNom@amazon.com     Product  defini&on,  proposi&on  research,  pricing,   product  marke&ng,  product  promo&on,  market   research,  new  product  introduc&on     pictureUrl':  'hNp://m.c.lnkd.licdn.com/mpr/mprz/’}  
  • 31. Linkedin  
  • 32. Google+  
  • 33.   GRAPH  SEARCH:     “People  who  work  at  Amazon.com”     “People  who  work  at  Amazon.com  and  live  in   SeaNle  Washington”  
  • 34. @google.  News  and  updates  from  Google.  Mountain   @googlenexus.  Phones  and  tablets  from  Google   @GoogleDoodles   @googlewmc.  News  and  resources  from   @googleindia   @GoogleChat.  Twee&ng  about  all  things  Google   @googleaccess.  The  official  TwiNer   @googleglass.  Geing  technology  out  of  the  way.   @googlenonprofit.  News  and  updates  from   @googlewallet.  News   @googlereader.  News   @googlefiber   @googleio.  Google   @googledevs  for  updates.  San  Francisco   @GoogleIO  for  ...  If  you   @GoogleMsia.  Official  Google  Malaysia  on  TwiNer.  Kuala   @googlejobs.  Have  you  heard  we   @googleapps.  Google  Apps  news  for  ISVs   @GooglePlay.  Music   @GoogleAtWork.  The  official  TwiNer  home  of   Google  Enterprise.  Mountain  View   @FaktaGoogle.  Googling  Random  Facts.  Don   @googlemobileads.  Official  Google  Mobile   @googlepoli&cs.  Trends   @ericschmidt.  Execu&ve  Chairman   @GoogleMobile.  News   @googledownunder.  Google  Australia  and   @AdSense.  News  and  updates  from  the  Google   AdSense   @googlecalendar.  The  official  TwiNer  home  of   @googledevs.  News  about  and  from   @googlenews.  Breaking  news   @GoogleB2BTeam.   @GoogleB2BTeam  Google   @Jus&nCutroni   Google  query:  site:twiNer.com  in&tle:"on  TwiNer"   ”Google"    
  • 35. Domain  name  
  • 36. Geo-location •  People  loca&on   •  Servers  loca&on   •  Wireless  AP  loca&on      
  • 37. Geo-location Social  media  posts   Foursquare   Pictures   TwiNer   Facebook    
  • 38. Twitter - Creepy
  • 39. Images Reverse  image  search   Face  iden&fica&on   Exif  Metadata  analysis:    Profile  pictures    ANachments      
  • 40. Images •  Pic from Novartis search on TwwepSearch
  • 41. INFRASTRUCTURE IP Hostnames Services Networks Geo-location Software version CDN Multitenant Hosting
  • 42. Infrastructure Internet  Census  project   Whois   ServerSniff   Jobsites   Search  engines   ShodanHQ    
  • 43. Infrastructure     •  Once  we  have  iden&fied  the  Infrastructure   components,  what  can  we  do?  
  • 44. ShodanHQ
  • 45. Bugs databases
  • 46. INDICATORS OF COMPROMISE (IOC) IP addresses Domains URLs Hashes Stolen Passwords
  • 47. IOC Collec&ve  Intelligence  Framework  sources  (70)   Abuse.CH   Shadowserver.org   Nothink.org   Virustotal.com   Malwr   Seculert  
  • 48. DATA LEAKS   Pastebin.com     @pastebindorks     Pastebin  clones    
  • 49. Infrastructure •     DNS   o  Bruteforce   o  Zone  Transfer   •  SMTP   o  Header  analysis   o  Vrfy,  expn   •  Web  sites   o  Hidden  files  /  directories  bruteforce   •  Network  scanning   •  Metadata  
  • 50. Metadata   •  Office  documents   •  Openoffice  documents   •  PDF  documents     •  Images  EXIF  metadata   •  Others     Metadata:  is  data  about  data.             Is  used  to  facilitate  the  understanding,  use  and  management   of  data.    
  • 51. Cat Schwartz - Tech TV
  • 52. Washington Post Botmaster location exposed by the Washington Post SLUG: mag/hacker! DATE: 12/19/2005! PHOTOGRAPHER: Sarah L. Voisin/TWP! id#: LOCATION: Roland, OK! CAPTION:! PICTURED: Canon Canon EOS 20D! Adobe Photoshop CS2 Macintosh 2006:02:16 15:44:49 Sarah L. Voisin! There are only 1.500 males in Roland Oklahoma
  • 53. Metagoofil - Results
  • 54. Metagoofil - Results
  • 55. Metagoofil - results
  • 56. INFORMATION GATHERING TOOLS •  FOCA   •  Spiderfoot   •  Tapir   •  Creepy   •  theHarvester   •  Metagoofil    
  • 57. This  tool  is  intended  to  help  Penetra&on  testers  in  the  early   stages  of  the  penetra&on  test  in  order  to  understand  the   customer  footprint  on  the  Internet.       It  is  also  useful  for  anyone  that  wants  to  know  what  an  aNacker   can  see  about  their  organiza&on  and  reduce  exposure  of  the   company.    
  • 58.  -­‐  Sources                google                                                  googleCSE                                                  bing                                                  bingapi                                                  pgp                                                  linkedin                people123                                                  jigsaw                                                  twiNer                                                  GooglePlus                shodanhq                                                     •  Open  source  soUware   •  Command  line     •  Extendable  
  • 59. •  python  theHarvester.py  -­‐d  lacaixa.es  -­‐b   googleCSE  -­‐l  500  -­‐v  -­‐h  
  • 60. - Intelligence Implement  en&&es   Cross  reference  en&&es   Image  reverse  search  /  profile  pictures   Geo-­‐loca&on   Iden&fy  vulnerable  services   Username  search  in  other  services   Target  priori&za&on    
  • 61. Challenges •  Source  availability    (APIs)   •  Changes  in  Terms  of  Use   •  Genera&ng  valid  intelligence  
  • 62. ? TwiNer:  @laramies   Email:  cmartorellaW@edge-­‐security.com