Tactical Information Gathering

This presentation shows new sources where information could be gathered from a target victim or company. Useful for penetration testers :)

Tactical Information Gathering Presentation Transcript

  • 2. Tactical Information Gathering. Christian Martorella, Source Conference Barcelona 2009
  • 3. Who am I? Christian Martorella, Security Services, S21sec. CISSP, CISA, CISM, OPST, OPSA, C|EH. OWASP WebSlayer Project Leader. Edge-Security.com
  • 4. Information Gathering: “Is the collection of information before the attack. The idea is to collect as much information as possible about the target which may be valuable later.”
  • 5. Tactical: “Designed or implemented to gain a temporary limited advantage” (Wikipedia)
  • 6. I.G: why use it? It’s what the real attackers are doing. Attackers don’t have a restricted scope. Knowing what information about you or your company is available online. Spear phishing: 15,000 infected users as the result of 66 campaigns.
  • 7. I.G: what for? Infrastructure: information for discovering new targets, to get a description of the hosts (NS, MX, AS, etc.), shared resources, applications, software, etc. People and organizations: for performing brute force attacks on available services, spear phishing, social engineering, investigations, background checks, information leaks.
  • 8. Typical pentesting methodology: I.G → Scan → Enumerate → Exploit → Post-Exploit → Cover Tracks → Write report
  • 9. What everyone focuses on: I.G → Scan → Enumerate → Exploit → Post-Exploit → Cover Tracks → Write report
  • 10. Real world methodology: I.G → Discover what makes the company money → Discover what is valuable to the attacker → Do whatever it takes... → Steal it
  • 12. Types of I.G: Passive, Semi Passive, Active
  • 13. Where / how can we obtain this kind of info?
  • 15. Obtaining info - Old school way. Active: DNS zone transfer (active), search engines (active), DNS brute force (active++), mail headers (active), SMTP brute forcing (active++). Passive: DNS reverse lookup, PGP key servers, Whois.
  • 16. New sources for I.G
  • 17. Obtaining - New sources: Web 2.0 - social networks and search engines (passive); metadata (passive); private data (passive, paid): Intelius, LexisNexis
  • 18. Obtaining people info - New sources: professional and business social networks
  • 20. Obtaining people info - New sources: current job, past jobs, education, job description, etc.
  • 21. Obtaining employees' names from a company
  • 23. LinkedIn I.G example
  • 26. Obtaining emails from a company
  • 28. Google Finance & Reuters
  • 29. People information:
  • 32. People search: name, username, email, phone, business
  • 33. Nick name / username verification
  • 37. Private data - pay per view
  • 38. Microblogs: small posts up to 140 characters
  • 40. Bookmarks
  • 44. Reverse image search: pic from “Novartis” search on TweepSearch
  • 46. WikiScanner. When you edit Wikipedia you can edit leaving your username, or you can edit anonymously using your IP address.
  • 47. WikiScanner: company IP ranges; anonymous Wikipedia edits from interesting organizations; provide an IP for a Wikipedia username. http://wikiscanner.virgil.gr/
  • 48. WikiScanner - IP ranges
  • 49. WikiScanner - Wikipedia edits
  • 50. Poor Man's CheckUser: provide an IP for a Wikipedia username
  • 52. New sources - Metadata. Metadata is data about data. It is used to facilitate the understanding, use and management of data.
  • 53. Obtaining more data - Metadata. Provides basic information such as the author of a work, the date of creation, links to any related works, etc.
  • 54. Metadata - Dublin Core (schema). Content: Title, Subject, Description, Type, Relation, Coverage. Intellectual property: Author or Creator, Publisher, Contributor, Rights. Electronic or physical manifestation: Date, Format, Language, Identifier.
  • 55. Metadata example
  • 57. Metadata - Images. EXIF (Exchangeable Image File Format): GPS coordinates, time, camera type, serial number; sometimes the unaltered original photo can be found in the thumbnail. Online EXIF viewer.
  • 60. Metadata - example (two PNG logos compared):
    logo-Kubuntu.png: software - www.inkscape.org; size - 1501x379; mimetype - image/png
    logo-Ubuntu.png: software - Adobe ImageReady; size - 1501x391; mimetype - image/png :/
  • 62. Metadata - EXIF - Harry Pwner: Deathly EXIF?
  • 63. Cat Schwartz - Tech TV
  • 67. Washington Post: botmaster location exposed by the Washington Post
  • 69. Washington Post: botmaster location exposed by the Washington Post. Photo metadata: SLUG: mag/hacker; DATE: 12/19/2005; PHOTOGRAPHER: Sarah L. Voisin/TWP; id#:; LOCATION: Roland, OK; CAPTION:; PICTURED:; Canon Canon EOS 20D; Adobe Photoshop CS2 Macintosh; 2006:02:16 15:44:49; Sarah L. Voisin. There are only 1,500 males in Roland, Oklahoma.
  • 70. Metadata: Ok, I understand metadata... so what?
  • 71. Metagoofil: Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, etc.) available on the target/victim websites.
  • 77. Metagoofil finds: user names, server names, workers' names, computer names, software versions, paths, dates, MAC addresses
  • 79. Metagoofil: site:nasa.gov filetype:ppt
  • 82. Metagoofil: downloaded files (ppt 1, pptx 2, doc 3, docx 3, pdf n) → parsers / filtering (Libextractor, Hachoir, Regexp, own libs) → Results.html
  • 83. Metagoofil - results
  • 89. Metadata - The Revisionist: tool developed by Michal Zalewski; it extracts comments and “Track changes” from Word documents. http://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.doc
  • 90. Metagoofil & LinkedIn results: now we have a lot of information, what can I do? • User profiling
  • 94. Using results - User profiling • User list creation: John Doe → john.doe, jdoe, j.doe, johndoe, johnd, john.d, jd, doe, john → ATTACK!
  • 98. Using results - Password profiling • Dictionary creation: words from the different user sites: magic, serra angel, necropotence, Shivan dragon, elf, brainstorm, ... → Brute force ATTACK
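The password-profiling slide makes the point that words lifted from a user's own public pages are the first thing a profile-driven dictionary tries. The defensive counterpart is a password-acceptance check that rejects any password built from those words, including the usual disguises (capitalisation, digits appended, leet substitutions). The Python below is an added example, not code from the presentation or from any tool it names; SAMPLE_PROFILE is constructed text in the same Magic: The Gathering vocabulary the slide uses, and the LEET table and the four-letter minimum are assumptions of this example, not a standard.

```python
import re

# Single-character substitutions commonly used to "disguise" a dictionary word.
# "1" is mapped to "i" here; a stricter check could also try "l".
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "0": "o",
        "$": "s", "5": "s", "7": "t"}


def normalize(password):
    """Lower-case, undo leet substitutions and drop non-letters,
    so 'N3cr0p0tence!' becomes 'necropotence'."""
    undone = "".join(LEET.get(ch, ch) for ch in password.lower())
    return re.sub(r"[^a-z]", "", undone)


def profile_words(profile_text, min_len=4):
    """Extract candidate words from text collected from a user's public pages.
    Words shorter than min_len are skipped: they match too often by accident."""
    return {w.lower() for w in re.findall(r"[A-Za-z]+", profile_text)
            if len(w) >= min_len}


def check_password(password, words):
    """Return (accepted, reason). The password is rejected when its normalized
    letters contain any profile word, which is what a profile-derived
    dictionary would hit first."""
    letters = normalize(password)
    for w in sorted(words, key=len, reverse=True):   # report the longest match
        if w in letters:
            return False, "contains profile word %r" % w
    return True, "ok"


# Constructed sample: the kind of text the slides describe harvesting from a
# user's forum posts and social profiles.
SAMPLE_PROFILE = """
Favourite cards: Serra Angel, Necropotence, Shivan Dragon.
Playing an elf deck with Brainstorm. Magic every Friday!
"""

if __name__ == "__main__":
    words = profile_words(SAMPLE_PROFILE)
    for candidate in ["N3cr0p0tence!", "ShivanDragon2009", "magic123",
                      "correct-horse-battery"]:
        print(candidate, check_password(candidate, words))
```

The check is deliberately substring-based rather than exact-match: "ShivanDragon2009" is rejected because "shivan" survives normalization, which is the same reason the slide's brute-force step would succeed against it. In practice the word set would come from the organisation's own name, product names and whatever the user has published, alongside a general breached-password list.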
  • 99. One password to rule them all
  • 100. Maltego, the ultimate I.G tool
  • 104. Other examples
  • 105. Phoned in sick and treated himself to a day in bed: Kyle Doyle's Facebook profile makes it quite obvious he was not off work for a 'valid medical reason'
  • 107. Was shown the door after posting that her job was 'boring' on her Facebook page
  • 109. More than meets the eye
  • 115. Daily life I.G: looking for a housekeeper on Craigslist, 3 interesting resumes came up. Myspace page: applicant drinking beer from a funnel. Local police: applicant arrested 2 years before for shoplifting. Personal blog: saying that she is applying for menial jobs and will quit as soon as she sells some paintings.
  • 116. Final thoughts: Be careful what you post/send, everything stays online. Think twice about what you post. Check the privacy configuration of your tools/sites. Too much information, difficult to classify. This is growing: more information is being indexed, more search engines.
  • 117. References:
    www.edge-security.com
    blog.s21sec.com
    www.s21sec.com
    carnal0wnage.blogspot.com
    www.gnunet.org/libextractor
    lcamtuf.coredump.cx/strikeout/
    www.paterva.com
    http://sethgodin.typepad.com/seths_blog/2009/02/personal-branding-in-the-age-of-google.html
    laramies.blogspot.com
    http://www.eweek.com/c/a/Security/Washington-Post-Caught-in-Metadata-Gaffe/
    Chris Gates, Carnal0wnage, Brucon 2009 presentation
    http://www.neuroproductions.be/twitter_friends_network_browser/
  • 118. ?
  • 119. Thank you for coming. cmartorella@s21sec.com, http://laramies.blogspot.com, cmartorella@edge-security.com, http://twitter.com/laramies