Tactical Information Gathering

This presentation shows new sources where information could be gathered from a target victim or company. Useful for penetration testers :)

Published in: Technology, Travel, Education

Transcript

  • 1-2. Tactical Information Gathering. Christian Martorella, Source Conference Barcelona 2009
  • 3. Who am I? Christian Martorella, Security Services, S21sec. CISSP, CISA, CISM, OPST, OPSA, C|EH. OWASP WebSlayer Project Leader. Edge-Security.com
  • 4. Information Gathering “Is the collection of information before the attack. The idea is to collect as much information as possible about the target which may be valuable later.”
  • 5. Tactical: “Designed or implemented to gain a temporary limited advantage” (Wikipedia)
  • 6. I.G: why use it? It’s what the real attackers are doing. Attackers don’t have a restricted scope. Knowing what information about you or your company is available online. Spear phishing: 15.000 infected users as the result of 66 campaigns.
  • 7. I.G: what for? Infrastructure: information for discovering new targets, to get a description of the hosts (NS, MX, AS, etc.), shared resources, applications, software, etc. People and organizations: for performing brute force attacks on available services, spear phishing, social engineering, investigations, background checks, information leaks.
  • 8. Typical Pentesting Methodology: I.G → Scan → Enumerate → Exploit → Post-Exploit → Cover Tracks → Write report
  • 9. What everyone focuses on: I.G → Scan → Enumerate → Exploit → Post-Exploit → Cover Tracks → Write report (the same chain, with the steps people actually concentrate on highlighted)
  • 10. Real world Methodology: I.G → Discover what makes the company money → Discover what is valuable to the attacker → Do whatever it takes... → Steal it
  • 11-12. Types of I.G: Passive, Active, Semi-Passive
  • 13. Where / how can we obtain this kind of info?
  • 14-15. Obtaining info - Old School way (grouped on the slide under Active / Passive): DNS Zone Transfer (active), DNS Reverse Lookup, Search engines (active), PGP Key Servers, DNS BruteForce (active++), Whois, Mail headers (active), SMTP Bruteforcing (active++)
  • 16. New sources for I.G
  • 17. Obtaining - New sources: Web 2.0 - Social Networks and Search engines (passive); Metadata (passive); Private data (passive, paid): Intelius, Lexis Nexis
  • 18. Obtaining people info - New sources Professional and Business Social networks
  • 19-20. Obtaining people info - New sources: current job, past jobs, education, job description, etc.
  • 21. Obtaining employees names from a company
  • 23-24. Linkedin I.G example (slide stamped “FAIL”)
  • 25. Obtaining people info - New sources
  • 26. Obtaining Emails from a company
  • 28. Google Finance & Reuters
  • 29. People information:
  • 30-32. People search: by name, username, email, phone, business
  • 33. Nick name / username verification
  • 37. Private data - pay per view
  • 38. Microblogs Small posts up to 140 characters
  • 40-43. Bookmarks (slide stamped “FAIL”)
  • 44-45. Reverse Image search: pic from a “Novartis” search on TweepSearch
  • 46. WikiScanner. When you edit Wikipedia: you can edit leaving your username, or you can edit anonymously, using your IP address
  • 47. WikiScanner: company IP ranges; anonymous Wikipedia edits from interesting organizations; provide an IP for a Wikipedia username. http://wikiscanner.virgil.gr/
  • 48. WikiScanner - IP ranges
  • 49. WikiScanner - Wikipedia edits
  • 50. Poor Man’s Check User: provide an IP for a Wikipedia username
  • 51-52. New sources - Metadata. Metadata is data about data. It is used to facilitate the understanding, use and management of data.
  • 53. Obtaining more data - Metadata Provides basic information such as the author of a work, the date of creation, links to any related works, etc.
  • 54. Metadata - Dublin Core (schema). Content (about the resource): Title, Subject, Description, Type, Relation, Coverage. Intellectual Property: Author or Creator, Publisher, Contributor, Rights. Electronic or Physical manifestation: Date, Format, Identifier, Language.
  • 55. Metadata example
  • 57-58. Metadata - Images: EXIF (Exchangeable Image File Format). GPS coordinates; time; camera type; serial number; sometimes the unaltered original photo can be found in the thumbnail. Online EXIF viewer.
  • 59-61. Metadata - example. logo-Kubuntu.png: software - www.inkscape.org, size - 1501x379, mimetype - image/png. logo-Ubuntu.png: software - Adobe ImageReady, size - 1501x391, mimetype - image/png :/
  • 62. Metadata - EXIF- Harry Pwner Deathly EXIF?
  • 63-66. Cat Schwartz - Tech TV (slide stamped “FAIL”)
  • 67. Washington Post Botmaster location exposed by the Washington Post
  • 68-69. Washington Post: Botmaster location exposed by the Washington Post. Photo metadata: SLUG: mag/hacker; DATE: 12/19/2005; PHOTOGRAPHER: Sarah L. Voisin/TWP; id#: (empty); LOCATION: Roland, OK; CAPTION: (empty); PICTURED: (empty); Canon EOS 20D; Adobe Photoshop CS2 Macintosh; 2006:02:16 15:44:49; Sarah L. Voisin. There are only 1.500 males in Roland, Oklahoma.
  • 70. Metadata Ok, I understand metadata... so what?
  • 71-75. Metagoofil. Metagoofil is an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, etc.) available on the target/victim websites.
  • 76-77. Metagoofil: what it finds. Workers’ names, user names, server names, computer names, software versions, paths, dates, MAC addresses
  • 78-80. Metagoofil: site:nasa.gov filetype:ppt
  • 81-82. Metagoofil: downloaded files (ppt 1, pptx 2, doc 3, docx 3, pdf n) → parsers / filtering (Libextractor, Hachoir, Regexp, own libs) → Results.html
  • 83. Metagoofil - results
  • 89. Metadata - The Revisionist. A tool developed by Michal Zalewski that extracts comments and “Track changes” revisions from Word documents. Example document: http://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.doc
  • 90. Metagoofil & Linkedin results. Now we have a lot of information; what can I do? • User profiling
  • 91-94. Using results - User profiling: user list creation. From the name John Doe: john.doe, jdoe, j.doe, johndoe, johnd, john.d, jd, doe, john → ATTACK!
  • 95-98. Using results - Password profiling: dictionary creation from words found on the different user sites (magic, serra angel, necropotence, Shivan dragon, elf, brainstorm, ...) → Brute force ATTACK
  • 99. One password to rule them all
  • 100. Maltego the ultimate I.G Tool
  • 104. Other examples
  • 105-106. Phoned in sick and treated himself to a day in bed. Kyle Doyle’s Facebook profile makes it quite obvious he was not off work for a ‘valid medical reason’ (slide stamped “FAIL”)
  • 107-108. Was shown the door after posting that her job was ‘boring’ on her Facebook page (slide stamped “FAIL”)
  • 109-111. More than meets the eye
  • 112-115. Daily life I.G: Looking for a housekeeper on Craigslist, 3 interesting resumes came up. MySpace page: applicant drinking beer from a funnel. Local police: applicant arrested 2 years before for shoplifting. Personal blog: saying that she is applying for menial jobs and will quit as soon as she sells some paintings.
  • 116. Final thoughts. Be careful what you post/send: it all stays online. Think twice about what you post. Check the privacy configuration of your tools/sites. Too much information, difficult to classify. This is growing: more information is being indexed, more search engines.
  • 117. References: www.edge-security.com; blog.s21sec.com; www.s21sec.com; carnal0wnage.blogspot.com; www.gnunet.org/libextractor; lcamtuf.coredump.cx/strikeout/; www.paterva.com; http://sethgodin.typepad.com/seths_blog/2009/02/personal-branding-in-the-age-of-google.html; laramies.blogspot.com; http://www.eweek.com/c/a/Security/Washington-Post-Caught-in-Metadata-Gaffe/; Chris Gates, Carnal0wnage, Brucon 2009 presentation; http://www.neuroproductions.be/twitter_friends_network_browser/
  • 118. ?
  • 119. Thank you for coming cmartorella@s21sec.com http://laramies.blogspot.com cmartorella@edge-security.com http://twitter.com/laramies