D2 T3: Keith Lee and Jonathan Werrett - Facebook OSINT
Presentation Transcript

  • FACEBOOK OSINT: IT'S FASTER THAN SPEED DATING. 17 October 2013 | HITB2013KUL. Keith Lee, Jonathan Werrett. Thursday, 17 October 13
  • INTRODUCTION
    ‣ Keith Lee, Security Analyst, SpiderLabs, Singapore. klee@trustwave.com, http://github.com/milo2012/osintstalker, @keith55
    ‣ Jonathan Werrett, Managing Consultant, SpiderLabs, Hong Kong. jwerrett@trustwave.com, @werrett
  • AGENDA
    ‣ Background / motivation
    ‣ Introduction to the GeoStalker and FBStalker tools
    ‣ Problems they solve
    ‣ GeoStalker in depth
    ‣ FBStalker in depth
    ‣ What you can do to protect yourself
  • MOTIVATION: We spend our days on “penetration tests” of web apps and networks, day in, day out.
  • BUT WAIT: Sometimes we get a real pentest. Set specific targets; gain access any way you can ... Red team, physical security, phishing, open source intelligence.
  • OSINT (diagram of data sources and how they link): Premise details, geocoded lat / lon, Google Maps, Wigle.net wireless DB, MAC addresses, network names, photos, physical address, Whois / IP allocations, Twitter, Instagram, company domains, company name, places visited, check-ins, no. of check-ins together, LinkedIn, Facebook photos, target profiles, friends, no. of comments, education, age of friendship, background, likes, previous jobs, tagged with people, no. of tags.
  • GEOSTALKER vs FBSTALKER
    ‣ GeoStalker takes: a location (address or coordinates). Retrieves location data from: Wigle.net (wireless DB), Instagram, Twitter, Foursquare, Flickr. Provides: wireless access points nearby; photos taken at that location; social media accounts of people who’ve visited.
    ‣ FBStalker takes: a Facebook profile user. Uses Graph Search to reverse: friends, likes, check-ins, comments. Provides: social engineering targets; associates of those targets; times online; interests and commonly visited places.
  • EXAMPLE OBJECTIVES (flow diagram)
    ‣ Premise recon? Entry points via Google Maps; geocode lat / lon, then photos from Twitter, Instagram, 4sq, Flickr; facilities; Google Search; staff interests via LinkedIn, Facebook.
    ‣ Phishing targets? Staff, then physical address, geocode lat / lon, then Twitter, Instagram, 4sq, Flickr; associates.
  • EXAMPLES FROM ENGAGEMENTS
    ‣ FB apps: indicated the phishing target uses a Mac; ditched our Windows-based payloads for OSX.
    ‣ FB friends: identified the target's wife; wife runs a Pilates studio; spear-phished the wife based on Pilates.
    ‣ Instagram photos: client was a power utility; staff target found via photos taken at the facilities.
  • GEOSTALKER - INTRO
    ‣ Requires: address, or latitude / longitude coordinates
    ‣ Queries sources: Wigle.net (wireless DB), Instagram, Twitter, Foursquare, Flickr
    ‣ Provides: wireless devices; photos; social network accounts; searches social network accounts for ‘like’ names
  • GEOSTALKER - APPLICATION FLOW (diagram): geoStalker takes a geolocation data source and queries Wigle.net, Flickr, Twitter, Instagram and Foursquare; recovered user IDs are then searched across Google Search, Instagram, YouTube, LinkedIn, Facebook and Google+.
  • DEMO GEOSTALKER
  • GEOSTALKER - INPUT (screenshot)
  • GEOSTALKER - RUNNING (screenshots)
  • GEOSTALKER - FOURSQUARE (screenshot)
  • GEOSTALKER - INSTAGRAM (screenshot)
  • GEOSTALKER - FLICKR (screenshot)
  • GEOSTALKER - HTML OUTPUT (screenshot)
  • GEOSTALKER - MALTEGO EXPORT (screenshot)
  • GEOSTALKER - LIMITATIONS
    ‣ Single-threaded
    ‣ Query by GPS location or address only
  • GEOSTALKER - FUTURE VERSIONS
    ‣ Multithreaded - run faster!
    ‣ Extend the Maltego mtgx export
    ‣ Allow disabling specific data sources
  • FBSTALKER - INTRO
    ‣ Requires: profile name
    ‣ Uses Graph Search to find: friends, likes, check-ins, comments
    ‣ Provides: reverse-engineered friend list; strength of associations; regular posting time (wake time?)
  • FBSTALKER - LOCKDOWN VS NON-LOCKDOWN
    ‣ Lockdown profile: unable to see the list of friends; reverse engineer the list of friends from likes and tags.
    ‣ Open profile: analyze all friends of the target and determine how two individuals are connected or know each other: workplace, school, common interests, common friends, places that two individuals like.
  • FACEBOOK GRAPH KEYWORDS: UNDERSTAND HOW 2 INDIVIDUALS ARE CONNECTED / RELATED
    ‣ Pages that Friend X and Y like
    ‣ Photos that Friend X and Y like
    ‣ Sports liked by Friend X and Y
    ‣ Books liked by Friend X and Y
    ‣ Places Friend X and Y worked at
    ‣ Places Friend X and Y like
    ‣ Music that Friend X and Y like
    ‣ Favorite interests of Friend X and Y
    ‣ Movies Friend X and Y like
    ‣ Photos that Friend X and Y are tagged in
    ‣ Movies liked by Friend X and Y
    ‣ Places Friend X and Y have been to
    ‣ Groups that Friend X and Y are in
    ‣ TV shows liked by Friend X and Y
    ‣ Restaurants that Friend X and Y like
    ‣ Cafes that Friend X and Y like
    ‣ Games that Friend X and Y play
  • FBSTALKER - GRAPH SEARCH EXAMPLE (screenshots)
  • DEMO FBSTALKER
  • FBSTALKER - INPUT (screenshot)
  • FBSTALKER - RUNNING (screenshot)
  • FBSTALKER - MALTEGO EXPORT (screenshot)
  • FBSTALKER - PROBLEMS
    ‣ Facebook Graph API is limited
    ‣ PhantomJS had some issues with the Facebook site; had to use Chromedriver
    ‣ Single-threaded
  • FBSTALKER - FUTURE WORK
    ‣ Run 100% headless
    ‣ Monitor changes / activities of a user’s FB profile
    ‣ Allow a name as input instead of a user ID
    ‣ Point system for association strength: photo tags, check-ins, comments, post / photo likes
  • HOW TO PROTECT YOURSELF
    ‣ Turn off the ‘location’ setting in social networking apps
    ‣ Tighten Facebook privacy settings
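The location data GeoStalker harvests from photo services originates in the photos themselves: a geotag travels in the Exif block of a JPEG as a GPS sub-IFD, referenced from IFD0 by tag 0x8825. The script below is an added defensive example for this transcript, not code from the talk or from the osintstalker repository. It parses the JPEG marker segments and the TIFF-structured Exif header without any third-party library, reports whether a file carries a GPS sub-IFD, and strips the Exif segment so the geotag never reaches a social network. The sample JPEG is constructed in code (a valid marker skeleton with no image data) so the example runs offline.

```python
import struct

GPS_IFD_POINTER = 0x8825   # Exif IFD0 tag that points at the GPS sub-IFD
APP1, SOS, EOI = 0xE1, 0xDA, 0xD9
EXIF_HEADER = b"Exif\x00\x00"


def iter_segments(jpeg):
    """Yield (marker, raw_segment_bytes) for every header segment up to SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == EOI:                      # end of image: nothing follows
            yield marker, jpeg[pos:pos + 2]
            return
        if marker == SOS:                      # entropy-coded scan data begins
            yield marker, jpeg[pos:]
            return
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)   # length includes itself
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def _ifd_tags(tiff, offset, endian):
    """Return the tag numbers of the IFD at `offset` inside the TIFF block."""
    if offset + 2 > len(tiff):
        return []
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    tags = []
    for i in range(count):
        entry = offset + 2 + 12 * i            # each IFD entry is 12 bytes
        if entry + 12 > len(tiff):
            break
        tags.append(struct.unpack_from(endian + "H", tiff, entry)[0])
    return tags


def has_gps_data(jpeg):
    """True if the JPEG's Exif block references a GPS sub-IFD (i.e. is geotagged)."""
    for marker, seg in iter_segments(jpeg):
        if marker != APP1 or seg[4:10] != EXIF_HEADER:
            continue
        tiff = seg[10:]
        if len(tiff) < 8:
            continue
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte-order mark
        if endian is None:
            continue
        (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
        if GPS_IFD_POINTER in _ifd_tags(tiff, ifd0, endian):
            return True
    return False


def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed; image data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(jpeg):
        if marker == APP1 and seg[4:10] == EXIF_HEADER:
            continue
        out += seg
    return bytes(out)


def build_sample_jpeg(with_gps=True):
    """Constructed test input: SOI + Exif APP1 + EOI, no scan data (not a viewable image)."""
    gps_ifd_offset = 8 + 2 + 12 + 4            # GPS sub-IFD placed right after IFD0
    if with_gps:
        ifd0 = (struct.pack("<H", 1)
                + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_ifd_offset)  # LONG pointer
                + struct.pack("<I", 0))
        gps = (struct.pack("<H", 1)
               + struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"          # GPSLatitudeRef
               + struct.pack("<I", 0))
    else:
        ifd0 = (struct.pack("<H", 1)
                + struct.pack("<HHI", 0x010F, 2, 4) + b"Cam\x00"               # Make only
                + struct.pack("<I", 0))
        gps = b""
    tiff = b"II" + struct.pack("<HI", 0x2A, 8) + ifd0 + gps   # little-endian TIFF header
    payload = EXIF_HEADER + tiff
    app1 = b"\xff" + bytes([APP1]) + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg(with_gps=True)
    print("geotagged:", has_gps_data(photo))                 # True
    print("after strip:", has_gps_data(strip_exif(photo)))   # False
```

Running `has_gps_data` over a folder of photos before upload is the check; `strip_exif` is the mitigation when the camera app's location setting was left on. Real files also carry APP1 XMP or APP13 IPTC blocks that can hold location text, so a production tool should strip those too.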
  • http://github.com/milo2012/osintstalker. klee@trustwave.com, @keith55. jwerrett@trustwave.com, @werrett