Tactical Information Gathering
This presentation shows new sources where information could be gathered from a target victim or company. Useful for penetration testers :)

Published in: Technology, Travel, Education
Transcript of "Tactical Information Gathering"

  1. Christian Martorella, Source Conference Barcelona 2009
  2. Tactical Information Gathering. Christian Martorella, Source Conference Barcelona 2009
  3. Who am I? Christian Martorella, Security Services S21sec. CISSP, CISA, CISM, OPST, OPSA, C|EH. OWASP WebSlayer Project Leader. Edge-Security.com
  4. Information Gathering: “Is the collection of information before the attack. The idea is to collect as much information as possible about the target which may be valuable later.”
  5. Tactical: “Designed or implemented to gain a temporary limited advantage” (Wikipedia)
  6. I.G: why use it? It’s what the real attackers are doing. Attackers don’t have a restricted scope. Know what information about you or your company is available online. Spear phishing: 15.000 infected users as the result of 66 campaigns.
  7. I.G: what for?
     Infrastructure: information for discovering new targets, to get a description of the hosts (NS, MX, AS, etc.), shared resources, applications, software, etc.
     People and organizations: for performing brute force attacks on available services, spear phishing, social engineering, investigations, background checks, information leaks.
  8. Typical Pentesting Methodology: I.G -> Scan -> Enumerate -> Exploit -> Post-Exploit -> Cover Tracks -> Write report
  9. What everyone focuses on: I.G -> Scan -> Enumerate -> Exploit -> Post-Exploit -> Cover Tracks -> Write report (the Exploit step)
  10. Real world Methodology: I.G -> Discover what makes the company money / Discover what is valuable to the attacker -> Do whatever it takes... -> Steal it
  11. Types of I.G
  12. Types of I.G: Passive, Active, Semi Passive
  13. Where / how can we obtain this kind of info?
  14-15. Obtaining info - Old School way
     Active: DNS Zone Transfer (active), DNS Reverse Lookup (active), DNS BruteForce (active++), Mail headers (active), SMTP Bruteforcing (active++)
     Passive: Search engines, PGP Key Servers, Whois
  16. New sources for I.G
  17. Obtaining - New sources: Web 2.0 - Social Networks and Search engines (passive); Metadata (passive); Private data (passive, paid): Intelius, Lexis Nexis
  18. Obtaining people info - New sources: Professional and Business Social networks
  19. Obtaining people info - New sources
  20. Obtaining people info - New sources: Current Job, Past Jobs, Education, Job description, Etc...
  21-22. Obtaining employees' names from a company
  23. Linkedin I.G example
  24. Linkedin I.G example [FAIL stamp]
  25. Obtaining people info - New sources
  26-27. Obtaining Emails from a company
  28. Google Finance & Reuters
  29. People information:
  30-31. People search
  32. People search: Name, Username, Email, Phone, Business
  33-36. Nick name / username verification
  37. Private data - pay per view
  38-39. Microblogs: small posts up to 140 characters
  40-42. Bookmarks
  43. Bookmarks [FAIL stamp]
  44-45. Reverse Image search: pic from “Novartis” search on TweepSearch
  46. WikiScanner. When you edit Wikipedia: you can edit leaving your username, or you can edit anonymously using your IP address.
  47. WikiScanner: company IP ranges; anonymous Wikipedia edits from interesting organizations; provide an IP for a Wikipedia username. http://wikiscanner.virgil.gr/
  48. WikiScanner - IP ranges
  49. WikiScanner - Wikipedia edits
  50. Poor Man Check User: provide an IP for a Wikipedia username
  51. New sources - Metadata. Metadata is data about data.
  52. New sources - Metadata. Metadata is data about data. It is used to facilitate the understanding, use and management of data.
  53. Obtaining more data - Metadata: provides basic information such as the author of a work, the date of creation, links to any related works, etc.
  54. Metadata - Dublin Core (schema)
     Content (about the resource):          Title, Subject, Description, Type, Relation, Coverage
     Intellectual Property:                 Author or Creator, Publisher, Contributor, Rights
     Electronic or Physical manifestation:  Date, Format, Identifier, Language
  55-56. Metadata example
  57-58. Metadata - Images. EXIF (Exchangeable Image File Format):
     • GPS coordinates
     • Time
     • Camera type
     • Serial number
     • Sometimes an unaltered original photo can be found in the thumbnail
     Online EXIF viewer.
  59. Metadata - example
  60-61. Metadata - example
     logo-Kubuntu.png                 logo-Ubuntu.png
     software - www.inkscape.org      software - Adobe ImageReady
     size - 1501x379                  size - 1501x391
     mimetype - image/png             mimetype - image/png
     :/
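The logo slide above shows the kind of fields (software, size, mimetype) a PNG carries in its chunks. As an added example, not code from the talk or from Metagoofil, here is a small Python PNG chunk walker that reads the IHDR dimensions and every tEXt/zTXt pair, verifies each chunk's CRC, and flags the fields a publishing pipeline should strip before an image goes public; the sample image, the LEAKY_KEYS policy and all function names are constructed for this example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Keywords to flag before an image goes public (a policy chosen for this example).
LEAKY_KEYS = {"Author", "Software", "Source", "Comment", "Creation Time", "Copyright"}

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_png(width, height, text, ztext=None):
    """Constructed sample: a valid 8-bit RGB PNG carrying tEXt and zTXt chunks."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height  # filter byte + black pixels
    chunks = [_chunk(b"IHDR", ihdr)]
    for k, v in text.items():
        chunks.append(_chunk(b"tEXt", k.encode("latin-1") + b"\x00" + v.encode("latin-1")))
    for k, v in (ztext or {}).items():  # zTXt layout: keyword \0 method(0) zlib(text)
        chunks.append(_chunk(b"zTXt", k.encode("latin-1") + b"\x00\x00" + zlib.compress(v.encode("latin-1"))))
    chunks += [_chunk(b"IDAT", zlib.compress(raw)), _chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks)

def png_metadata(blob: bytes) -> dict:
    """Walk the chunk list; return size, mimetype and every tEXt/zTXt pair.

    Raises ValueError on a bad signature, truncated chunk, CRC mismatch or
    missing IEND, so a damaged file is reported instead of silently skipped.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    meta, pos, saw_iend = {"mimetype": "image/png", "text": {}}, len(PNG_SIGNATURE), False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError(f"truncated {ctype!r} chunk")
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        if ctype == b"IHDR":
            w, h = struct.unpack(">II", data[:8])
            meta["size"] = f"{w}x{h}"
        elif ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
            meta["text"][key.decode("latin-1")] = value.decode("latin-1")
        elif ctype == b"zTXt":
            key, _, rest = data.partition(b"\x00")  # rest[0] is the method byte
            meta["text"][key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"IEND":
            saw_iend = True
            break
        pos = end
    if not saw_iend:
        raise ValueError("missing IEND chunk")
    return meta

def leaked_fields(meta: dict) -> dict:
    """Return only the text fields matching the LEAKY_KEYS policy."""
    return {k: v for k, v in meta["text"].items() if k in LEAKY_KEYS}
```

Run `leaked_fields(png_metadata(open(path, "rb").read()))` over the images in a release directory to see which ones still carry author or software fields; a compressed zTXt comment is caught the same way as a plain tEXt one.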
  62. Metadata - EXIF - Harry Pwner: Deathly EXIF?
  63-65. Cat Schwartz - Tech TV
  66. Cat Schwartz - Tech TV [FAIL stamp]
  67. Washington Post: botmaster location exposed by the Washington Post
  68. Washington Post: botmaster location exposed by the Washington Post. Photo metadata:
     SLUG: mag/hacker
     DATE: 12/19/2005
     PHOTOGRAPHER: Sarah L. Voisin/TWP
     id#:
     LOCATION: Roland, OK
     CAPTION:
     PICTURED:
     Canon EOS 20D, Adobe Photoshop CS2 Macintosh, 2006:02:16 15:44:49, Sarah L. Voisin
  69. Washington Post: the same metadata as above. There are only 1.500 males in Roland, Oklahoma.
  70. Metadata: Ok, I understand metadata... so what?
  71-74. Metagoofil: Metagoofil is an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, etc.) available on the target/victim websites.
  75. Metagoofil
  76-77. Metagoofil extracts: user names, workers' names, server names, computer names, software versions, paths, date, MAC address
  78. Metagoofil
  79-80. Metagoofil: site:nasa.gov filetype:ppt
  81. Metagoofil: downloaded files
  82. Metagoofil: downloaded files (ppt 1, pptx 2, doc 3, docx 3, pdf n) -> parsers / filtering (Libextractor, Hachoir, Regexp, own libs) -> Results.html
  83-88. Metagoofil - results
  89. Metadata - The Revisionist: tool developed by Michal Zalewski; it extracts comments and “Track changes” from Word documents. http://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.doc
  90. Metagoofil & Linkedin results: now we have a lot of information, what can I do? • User profiling
  91. Using results
  92-93. Using results - User profiling. User list creation from John Doe: john.doe, jdoe, j.doe, johndoe, johnd, john.d, jd, doe, john
  94. Using results - User profiling. User list creation from John Doe: john.doe, jdoe, j.doe, johndoe, johnd, john.d, jd, doe, john -> ATTACK!
  95. Using results
  96-97. Using results - Password profiling. Dictionary creation: words from the different user sites: magic, serra angel, necropotence, Shivan dragon, elf, brainstorm, ...
  98. Using results - Password profiling. Dictionary creation: words from the different user sites: magic, serra angel, necropotence, Shivan dragon, elf, brainstorm, ... -> Brute force ATTACK
  99. One password to rule them all
  100-103. Maltego, the ultimate I.G tool
  104. Other examples
  105. Phone in sick and treat himself to a day in bed. Kyle Doyle's Facebook profile makes it quite obvious he was not off work for a 'valid medical reason'
  106. Phone in sick and treat himself to a day in bed. [FAIL stamp] Kyle Doyle's Facebook profile makes it quite obvious he was not off work for a 'valid medical reason'
  107. Was shown the door after posting that her job was 'boring' on her Facebook page
  108. [FAIL stamp] Was shown the door after posting that her job was 'boring' on her Facebook page
  109-111. More than meets the eye
  112. Daily life I.G: looking for a housekeeper on Craigslist, 3 interesting resumes came up:
  113. Daily life I.G: looking for a housekeeper on Craigslist, 3 interesting resumes came up: Myspace page, applicant drinking beer from a funnel
  114. Daily life I.G: looking for a housekeeper on Craigslist, 3 interesting resumes came up: Myspace page, applicant drinking beer from a funnel; local police, applicant arrested 2 years before for shoplifting
  115. Daily life I.G: looking for a housekeeper on Craigslist, 3 interesting resumes came up: Myspace page, applicant drinking beer from a funnel; local police, applicant arrested 2 years before for shoplifting; personal blog, saying that she is applying for menial jobs and will quit as soon as she sells some paintings
  116. Final thoughts: be careful what you post/send, everything stays online. Think twice about what you post. Check the privacy configuration of your tools/sites. Too much information, difficult to classify. This is growing: more information is being indexed, more search engines.
  117. References
     www.edge-security.com
     blog.s21sec.com
     www.s21sec.com
     carnal0wnage.blogspot.com
     www.gnunet.org/libextractor
     lcamtuf.coredump.cx/strikeout/
     www.paterva.com
     http://sethgodin.typepad.com/seths_blog/2009/02/personal-branding-in-the-age-of-google.html
     laramies.blogspot.com
     http://www.eweek.com/c/a/Security/Washington-Post-Caught-in-Metadata-Gaffe/
     Chris Gates, Carnal0wnage, Brucon 2009 presentation
     http://www.neuroproductions.be/twitter_friends_network_browser/
  118. ?
  119. Thank you for coming. cmartorella@s21sec.com, http://laramies.blogspot.com, cmartorella@edge-security.com, http://twitter.com/laramies