Defcon 18: FOCA 2

Slides used by José Palazón «PALAKO» and Chema Alonso to present FOCA 2 at Defcon 18.


  1. FOCA 2.5 (Chema Alonso, José Palazón «PALAKO»)
  2. What our FOCA is not
  3. What our FOCA is not
  4. What’s a FOCA?
  5. FOCA on Linux?
  6. Previously on FOCA…
  7. FOCA 0.X
  8. FOCA: File types supported
     • Office documents:
       • OpenOffice documents
       • MS Office documents
       • PDF documents
         • XMP
       • EPS documents
       • Graphic documents
         • EXIF
         • XMP
       • Adobe InDesign, SVG, SVGZ (NEW)
  9. What can be found?
  10. Pictures with GPS info
  11. Demo: Single files
  12. Sample: mda.mil (total: 1075 files)
  13. Sample: FBI.gov (total: 4841 files)
  14. FOCA 1 v. RC3
     • Fingerprinting Organizations with Collected Archives
       • Search for documents in Google and Bing
       • Automatic file downloading
       • Capable of extracting metadata, hidden info and lost data
       • Cluster information
       • Analyzes the info to fingerprint the network
  15. DNS Prediction
  16. Google Sets Prediction
  17. Sample: Printer info found in ODF files returned by Google
  18. Demo: Whitehouse.gov
  19. Yes, we can!
  20. FOCA 2.0
  21. What’s new in FOCA 2.5?
     • Network Discovery
     • Recursive algorithm
     • Information Gathering
     • Software Recognition
     • DNS Cache Snooping
     • Reporting Tool
  22. FOCA 2.5: Exalead
  23. PTR Scanning
  24. Bing IP
  25. FOCA 2.5 & Shodan
  26. Network Discovery Algorithm
     • http://apple1.sub.domain.com/~chema/dir/fil.doc
     • 1) http -> Web server
     • 2) GET Banner HTTP
     • 3) domain.com is a domain
     • 4) Search NS, MX, SPF records for domain.com
     • 5) sub.domain.com is a subdomain
     • 6) Search NS, MX, SPF records for sub.domain.com
     • 7) Try all the non-verified servers on all new domains
       • server01.domain.com
       • server01.sub.domain.com
     • 8) apple1.sub.domain.com is a hostname
     • 9) Try DNS Prediction (apple1) on all domains
     • 10) Try Google Sets (apple1) on all domains
  27. Network Discovery Algorithm
     • http://apple1.sub.domain.com/~chema/dir/fil.doc
     • 11) Resolve IP address
     • 12) Get HTTP banner of http://IP
     • 13) Use Bing ip:IP to find all domains sharing it
     • 14) Repeat for every new domain
     • 15) Connect to the internal NS (1 or all)
     • 16) Perform a PTR scan searching for internal servers
     • 17) For every new IP discovered try Bing IP recursively
     • 18) ~chema -> chema is probably a user
  28. Network Discovery Algorithm
     • http://apple1.sub.domain.com/~chema/dir/fil.doc
     • 19) /, /~chema/ and /~chema/dir/ are paths
     • 20) Try directory listing in all the paths
     • 21) Search for PUT, DELETE, TRACE methods in every path
     • 22) Fingerprint software from 404 error messages
     • 23) Fingerprint software from application error messages
     • 24) Try common names on all domains (dictionary)
     • 25) Try zone transfer on all NS
     • 26) Search for any URL indexed by web engines related to the hostname
     • 27) Download the file
     • 28) Extract the metadata, hidden info and lost data
     • 29) Sort all this information and present it nicely
     • 30) For every new IP/URL start over again
  30. FOCA 2.5 URL Analysis
  31. FOCA 2.5 URL Analysis
  32. Demo: Whitehouse.gov
  33. Yes, we can!
  34. DNS Cache Snooping
  35. FOCA Reporting Module
  36. FOCA Reporting Module
  37. Demo: DNS Cache Snooping
  38. FOCA Online: http://www.informatica64.com/FOCA
  39. IIS MetaShield Protector: http://www.metashieldprotector.com
  40. Cleaning documents
     • OOMetaExtractor: http://www.codeplex.org/oometaextractor
  41. Questions at Q&A room 113
     • Speakers:
     • Chema Alonso
       • [email_address]
       • Blog: http://elladodelmal.blogspot.com
       • http://twitter.com/chemaalonso
     • José Palazón «PALAKO»
       • [email_address]
     • Working on FOCA:
       • Chema Alonso
       • Alejandro Martín
       • Francisco Oca
       • Manuel Fernández «The Sur»
       • Daniel Romero
       • Enrique Rando
       • Pedro Laguna
       • Special thanks to: John Matherly [Shodan]
  42. … and tomorrow here at 19:00
  43. Demo: US Army
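The passive part of the Network Discovery Algorithm on slides 26 to 28 (steps 1, 3, 5, 7, 8, 18 and 19: the domains, hostname, probable user and paths that one leaked URL gives away, plus the name-times-domain expansion of step 7), as an added Python example that is not FOCA's own code; `analyze_url` and `expand_across_domains` are names chosen here, and treating the last two labels as the registered domain is a simplifying assumption. It is what a defender can run over their own indexed document URLs to see how much network structure a single link exposes before any active step is taken.

```python
from urllib.parse import urlparse

# Step 1 of the slides: the URL scheme already names a service.
SERVICE_BY_SCHEME = {"http": "Web server", "https": "Web server", "ftp": "FTP server"}


def analyze_url(url):
    """Derive the passive artifacts from a single URL: service, domains,
    hostname, a probable user (from a ~user segment), directory paths, file."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".") if host else []
    # Assumption: the registered domain is the last two labels; a real tool
    # would consult the public suffix list (co.uk and similar).
    # For apple1.sub.domain.com this yields domain.com, then sub.domain.com.
    domains = [".".join(labels[i:]) for i in range(len(labels) - 2, 0, -1)]
    if not domains and len(labels) >= 2:
        domains = [host]  # the host itself is the registered domain
    segments = [s for s in parts.path.split("/") if s]
    has_file = bool(segments) and not parts.path.endswith("/")
    file_name = segments[-1] if has_file else None
    dirs = segments[:-1] if has_file else segments
    # Step 19: every directory prefix is a path worth reviewing for exposure.
    paths = ["/"] + ["/" + "/".join(dirs[:k]) + "/" for k in range(1, len(dirs) + 1)]
    # Step 18: a ~name segment is probably a local user account.
    users = [s[1:] for s in segments if s.startswith("~") and len(s) > 1]
    return {
        "service": SERVICE_BY_SCHEME.get(parts.scheme, "unknown"),
        "port": parts.port,
        "hostname": host,
        "domains": domains,
        "user": users[0] if users else None,
        "paths": paths,
        "file": file_name,
    }


def expand_across_domains(names, domains):
    """Step 7 (and 9, 10, 24): each candidate server name is combined with
    every discovered domain, e.g. server01 -> server01.domain.com, ..."""
    return [f"{n}.{d}" for n in names for d in domains]


if __name__ == "__main__":
    # Constructed input: the example URL from the slides.
    result = analyze_url("http://apple1.sub.domain.com/~chema/dir/fil.doc")
    for key, value in result.items():
        print(f"{key:9}: {value}")
    print(expand_across_domains(["server01"], result["domains"]))
```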
