FOCA 2.5.5 Training

Training about FOCA 2.5.5 delivered by Chema Alonso (Informatica 64). Learn about FOCA PRO 2.5.5.

Published in: Technology

1 Comment
  • It is nice work. But in Foca3 I cannot get files from the internet. What can I do?
Transcript of "FOCA 2.5.5 Training"

  1. FOCA 2.5.5
      Chema Alonso
  2. What's a FOCA?
  3. FOCA on Linux?
  4. FOCA + Wine
  5. Previously on FOCA…
  6. FOCA 0.X
  7. A document is: what you see… and what you don't:
      template paths; users who worked in it; departments; file & printing servers; version history; embedded files; …
  8. What kind of data can be found?
      Metadata: information stored to give information about the document. For example: creator, organization, etc.
      Hidden information: information internally stored by programs and not editable. For example: template paths, printers, DB structure, etc.
      Lost data: information which is in documents due to human mistakes or negligence, because it was not intended to be there. For example: links to internal servers, data hidden by format, etc.
  9. Metadata lifecycle (diagram): wrong management, bad format conversion, insecure options, new apps or program versions; search engines, spiders, databases; embedded files, hidden info, lost data.
  10. Metadata risks: "secret" relationships (government & companies, companies & providers); piracy discovery; reputation; social engineering attacks; targeting malware.
  11. 2003 – MS Word bytes Tony Blair
  12. Targeting Malware
  13. Targeting Malware
  14. Choosing the entry point
  15. Why you should be using FS
  16. Linux installation guide
  17. Social Engineering Attack
  18. Metadata created by Google
  19. Lost Data
  20. Lost data everywhere
  21. Metadata in search engines
  22. Pictures with GPS info: EXIFREADER, http://www.takenet.or.jp/~ryuuji/
  23. Even videos with users… http://video.techrepublic.com.com/2422-14075_11-207247.html
  24. And of course, printed text
  25. OLE streams: in MS Office binary-format files; store information about the OS; are not cleaned with these tools; FOCA finds this info.
  26. FOCA: file types supported
      Office documents: OpenOffice documents; MS Office documents; PDF documents; XMP; EPS documents.
      Graphic documents: EXIF; XMP; Adobe InDesign, SVG, SVGZ (new).
  35. What can be found?
      Users: creators; modifiers; users in paths (C:\Documents and Settings\jfoo\myfile, /home/johnnyf).
      Operating systems.
      Printers: local and remote.
      Paths: local and remote.
      Network info: shared printers; shared folders; ACLs; internal servers (NetBIOS name, domain name, IP address).
      Database structures: table names; column names.
      Devices info: mobiles; photo cameras.
      Private info: personal data; history of use; software versions.
  Demo: single files
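The list above enumerates what FOCA pulls out of a document. As an added example, not FOCA's code, here is a stdlib-only Python inspector for Office Open XML packages (.docx/.xlsx/.pptx) that separates the three classes from slide 8: metadata from docProps/core.xml, hidden information from docProps/app.xml (application, version, company, template path, total edit time), and lost data (user names recovered from profile paths like the two on the slide, plus external link targets stored in relationship parts). The sample document it builds is constructed inline: the property names are the real OOXML ones, while the values, "Example Corp" and "intranet.example.local" are made up. Running it over your own documents before publishing shows what a reader would find.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two property parts of an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"

# Metadata (what the author meant to record) lives in docProps/core.xml.
CORE_FIELDS = {"title": "dc:title", "creator": "dc:creator",
               "last_modified_by": "cp:lastModifiedBy",
               "created": "dcterms:created", "modified": "dcterms:modified"}
# Hidden information (written by the application, not editable in the UI) lives in docProps/app.xml.
APP_FIELDS = {"application": "ep:Application", "app_version": "ep:AppVersion",
              "company": "ep:Company", "template": "ep:Template",
              "total_edit_minutes": "ep:TotalTime"}

# Windows profile directories and Unix home directories both carry the user name
# as the next path component (slide: C:\Documents and Settings\jfoo\..., /home/johnnyf).
USER_PATH_RE = re.compile(
    r"(?:[A-Za-z]:\\(?:Documents and Settings|Users)\\|/home/|/Users/)([^\\/]+)",
    re.IGNORECASE)


def users_from_path(text):
    """Return the user names recoverable from profile/home paths inside text."""
    return sorted({m.group(1) for m in USER_PATH_RE.finditer(text)})


def _read_fields(zf, part, fields):
    """Read the named child elements of one properties part; a missing part gives {}."""
    if part not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(part))
    found = {}
    for key, tag in fields.items():
        el = root.find(tag, NS)
        if el is not None and el.text:
            found[key] = el.text.strip()
    return found


def inspect_ooxml(data):
    """Classify what a .docx/.xlsx/.pptx (bytes) exposes: metadata, hidden info, lost data."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        metadata = _read_fields(zf, "docProps/core.xml", CORE_FIELDS)
        hidden = _read_fields(zf, "docProps/app.xml", APP_FIELDS)
        # Lost data: user names leaked through any path stored in the properties.
        users = set()
        for value in list(metadata.values()) + list(hidden.values()):
            users.update(users_from_path(value))
        # Lost data: external link targets (internal servers, shares) in relationship parts.
        external = set()
        for name in zf.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(zf.read(name)).iter(REL_TAG):
                    if rel.get("TargetMode") == "External":
                        external.add(rel.get("Target"))
    return {"metadata": metadata, "hidden": hidden,
            "users": sorted(users), "external_links": sorted(external)}


def build_sample_docx():
    """Constructed sample: a minimal package with the property parts Word writes (not a real file)."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:title>Quarterly report</dc:title><dc:creator>jfoo</dc:creator>'
        '<cp:lastModifiedBy>Johnny F.</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2010-05-03T09:12:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2010-05-04T16:40:00Z</dcterms:modified>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"], NS["dcterms"]))
    app = (
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        '<AppVersion>12.0000</AppVersion><Company>Example Corp</Company>'
        '<TotalTime>90</TotalTime>'
        '<Template>C:\\Documents and Settings\\jfoo\\Application Data\\Microsoft\\Templates\\Normal.dot</Template>'
        '</Properties>' % NS["ep"])
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="http://intranet.example.local/docs/" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        'Target="styles.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for section, values in inspect_ooxml(build_sample_docx()).items():
        print(section, values)
```

The split into the three classes mirrors the slide's own taxonomy: core.xml is what the author can see and edit, app.xml is written by the application and is where the template path (and with it the user name) normally leaks, and the relationship parts are where links to internal servers survive after the visible text has been cleaned.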
  64. Sample: FBI.gov, total: 4841 files
  65. Are they cleaned?
  66. FOCA 1 v. RC3: Fingerprinting Organizations with Collected Archives
      Search for documents in Google and Bing; automatic file downloading; capable of extracting metadata, hidden info and lost data; cluster information; analyzes the info to fingerprint the network.
  Metadata tracing
  72. Alternative Domains
  73. Alternative Domains
  74. Sample: printer info found in ODF files returned by Google
  75. Types of Engineers
  76. DNS Prediction
  77. Google Sets Prediction
  78. IP Scanning
  79. Manually-added Data
  81. Demo: Mda.mil
  82. What's new in FOCA 2.5? Network discovery; recursive algorithm; information gathering; software recognition; DNS cache snooping; reporting tool.
  FOCA 2.5: Exalead
  88. DNS Search Panel
  89. URL search in search engines
  90. DNS Search & Zone Transfer: IP resolution; well-known records (NS, TXT (SPF), MX); zone transfer; dictionary search.
  91. Bing IP
  92. PTR Scanning
  93. Network Discovery Algorithm: http://apple1.sub.domain.com/~chema/dir/fil.doc
      http -> web server: get HTTP banner.
      domain.com is a domain: search NS, MX, SPF records for domain.com.
      sub.domain.com is a subdomain: search NS, MX, SPF records for sub.domain.com.
      Try all the non-verified servers on all new domains: server01.domain.com, server01.sub.domain.com.
      apple1.sub.domain.com is a hostname: try DNS prediction (apple1) on all domains; try Google Sets (apple1) on all domains.
  94. Network Discovery Algorithm: http://apple1.sub.domain.com/~chema/dir/fil.doc
      11) Resolve IP address.
      12) Get certificate in https://IP.
      13) Search for domain names in it.
      14) Get HTTP banner of http://IP.
      15) Use Bing "ip:IP" to find all domains sharing it.
      16) Repeat for every new domain.
      17) Connect to the internal NS (1 or all).
      18) Perform a PTR scan searching for internal servers.
      19) For every new IP discovered, try Bing IP recursively.
      20) ~chema -> chema is probably a user.
  95. Network Discovery Algorithm: http://apple1.sub.domain.com/~chema/dir/fil.doc
      21) /, /~chema/ and /~chema/dir/ are paths.
      22) Try directory listing in all the paths.
      23) Search for PUT, DELETE, TRACE methods in every path.
      24) Fingerprint software from 404 error messages.
      25) Fingerprint software from application error messages.
      26) Try common names on all domains (dictionary).
      27) Try zone transfer on all NS.
      28) Search for any URL indexed by web engines related to the hostname.
      29) Download the file.
      30) Extract the metadata, hidden info and lost data.
      31) Sort all this information and present it nicely.
      32) For every new IP/URL, start over again.
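The three slides above walk through the recursive discovery algorithm. As an added example, not FOCA's own implementation, the Python below performs only its first, offline step: it decomposes one URL into the items the slides derive from it (the web server to banner, the hostname, the parent domains whose NS/MX/SPF records would be queried, the short name fed to DNS prediction and Google Sets, the path prefixes that would be checked, the ~user) and merges many URLs into the de-duplicated sets that "start over again for every new URL" accumulates. It makes no network requests, so it shows what a single published link gives away without touching anything. The first sample URL is the slide's own; the other sample URLs, and the simplifying rule that the registered domain is the last two labels (a public-suffix list would be needed for names under .co.uk and the like), are assumptions of this example.

```python
from urllib.parse import urlsplit


def decompose_url(url):
    """Derive from one URL everything the slides' discovery algorithm starts from."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Assumption: the registered domain is the last two labels (no public-suffix list);
    # each longer suffix below the hostname is a subdomain the algorithm also queries.
    if len(labels) >= 3:
        domains = [".".join(labels[i:]) for i in range(len(labels) - 2, 0, -1)]
        short_name = labels[0]            # "apple1": seed for DNS prediction / Google Sets
    else:
        domains, short_name = [host], None  # the host is itself the domain
    segments = [s for s in parts.path.split("/") if s]
    if parts.path.endswith("/") or not segments:
        dirs, filename = segments, None
    else:
        dirs, filename = segments[:-1], segments[-1]
    # Every directory prefix is a path the slides check for listing and HTTP methods.
    paths = ["/"] + ["/" + "/".join(dirs[:i + 1]) + "/" for i in range(len(dirs))]
    # A "~chema" style home directory names a probable user (slide step 20).
    users = [d[1:] for d in dirs if d.startswith("~") and len(d) > 1]
    return {
        "service": "web server (HTTP banner)" if parts.scheme in ("http", "https") else parts.scheme,
        "check_certificate": parts.scheme == "https",   # step 12 applies to HTTPS hosts
        "hostname": host,
        "domains": domains,
        "short_name": short_name,
        "paths": paths,
        "file": filename,
        "users": users,
    }


def aggregate(urls):
    """Merge the decomposition of many URLs into the de-duplicated sets an analyst keeps."""
    hosts, domains, users, paths = set(), set(), set(), set()
    for url in urls:
        d = decompose_url(url)
        hosts.add(d["hostname"])
        domains.update(d["domains"])
        users.update(d["users"])
        paths.update((d["hostname"], p) for p in d["paths"])
    return {"hosts": sorted(hosts), "domains": sorted(domains),
            "users": sorted(users), "paths": sorted(paths)}


if __name__ == "__main__":
    # The first URL is the slide's own example; the other two are constructed.
    sample = ["http://apple1.sub.domain.com/~chema/dir/fil.doc",
              "https://www.domain.com/reports/2010/q1.pdf",
              "http://apple1.sub.domain.com/~chema/old/"]
    for key, value in aggregate(sample).items():
        print(key, value)
```

Everything after this step in the slides (record lookups, banners, PTR scans, downloads) is network activity; keeping the decomposition separate makes it easy to review, on your own site's URL inventory, which hostnames, home directories and paths are being handed out before any of that happens.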
  97. How FOCA found a piece of data
  98. Role-oriented view
  99. Demo: fbi.gov, whitehouse.gov
  100. Customizable search
  101. FOCA + Spidering
  102. FOCA + Spidering
  103. Demo: FOCA + Spidering
  104. Internal PTR scanning using FOCA
  105. Internal PTR scanning
  106. Fingerprinting options: 404 Not Found messages; domain names and software; ASPX error messages; HTTP banner; hostname; IP address; SMTP banner; digital certificates; Shodan.
  107. Digital certificates
  108. FOCA 2.5 & Shodan
  109. FOCA 2.5 URL analysis
  110. Insecure HTTP methods
  111. Search & upload
  112. Searching for server-side technologies
  113. Playing with URLs
  114. DNS Cache Snooping
  115. DNS Cache Snooping
  116. DNS Cache Snooping: internal software (Windows Update, Gtalk); Evilgrade: detecting software vulnerable to Evilgrade attacks; AV evasion: detecting internal AV systems; malware driven by URL: hacking a web site usually visited by internal users.
  117. Demo: DNS Cache Snooping
  118. Log filter
  119. FOCA Reporting Module
  120. FOCA Reporting Module
  121. Demo: Log & Reporting
  122. Fear The FOCA
  123. FOCA Online: http://www.informatica64.com/FOCA
  124. Cleaning documents: OOMetaExtractor, http://www.codeplex.org/oometaextractor
  125. IIS MetaShield Protector: http://www.metashieldprotector.com
  126. Questions?
      Chema Alonso, chema@informatica64.com
      http://www.informatica64.com
      http://www.elladodelmal.com
      http://twitter.com/chemaalonso
      http://www.forefront-es.com
      http://www.seguridadapple.com
      http://www.windowstecnico.com
      http://www.puntocompartido.com
      Working on FOCA: Chema Alonso, Alejandro Martín, Francisco Oca, Manuel Fernández «The Sur», Daniel Romero, Enrique Rando, Pedro Laguna
      Special thanks to: John Matherly [Shodan]