Foca training hackcon6

FOCA Pro
Chema Alonso

What’s a FOCA?

FOCA on Linux?

FOCA + Wine

Previously on
FOCA….

FOCA 0.X

A documentis
Whatyousee…
And whatyoudon´t
Templatepaths
Usersworked in it.
Departments.
File & Printing Servers
VersionHistory
Embedded files
…

What kind of data can be found?
Metadata:
Information stored to give information about the document.
For example: Creator, Organization, etc..
Hidden information:
Information internally stored by programs and not editable.
For example: Template paths, Printers, db structure, etc…
Lost data:
Information which is in documents due to human mistakes or negligence, because it was not intended to be there.
For example: Links to internal servers, data hidden by format, etc…

Metadata
Metadata Lifecycle
Wrongmanagement
Badformatconversion
Unsecureoptions
Wrongmanagement
Badformatconversion
Unsecureoptions
New apps
orprogram
versions
Searchengines
Spiders
Databases
Embedded
files
Hiddeninfo
Lost Data
Embedded
files

MetadataRisks
“Secret” relationships
Government & companies
Companies & providers
Piracy
Reputation
Social engineering attacks
Targeting Malware

2003 – MS Word bytes Tony Blair

Targeting Malware

Electing the entry point

Why you should be using FS

Linux installation guide

Social Engineering Attack

Anonim0us case

Metadatacreatedby Google

Lost Data

Lost data everywhere

Metadata in SearchEngines

Pictureswith GPS info..
EXIFREADER
http://www.takenet.or.jp/~ryuuji/

Even Videos withusers…
http://video.techrepublic.com.com/2422-14075_11-207247.html

And of course, printedtxt

OLE Streams
In MS Office binaryformat files
Storeinformationaboutthe OS
Are notcleanedwiththese Tools
FOCA findsthisinfo

FOCA: File types supported
Office documents:
Open Office documents.
MS Office documents.
PDF Documents.
XMP.
EPS Documents.
Graphic documents.
EXIFF.
XMP.
Adobe Indesign, SVG, SVGZ (NEW)

What can be found?
Users:
Creators.
Modifiers .
Users in paths.
C:Documents and settingsjfoomyfile
/home/johnnyf
Operating systems.
Printers.
Local and remote.
Paths.
Local and remote.
Network info.
Shared Printers.
Shared Folders.
ACLS.
Internal Servers.
NetBIOS Name.
Domain Name.
IP Address.
Database structures.
Table names.
Colum names.
Devices info.
Mobiles.
Photo cameras.
Private Info.
Personal data.
History of use.
Software versions.

Demo:
Single files

Sample: FBI.gov
Total: 4841 files

Are theycleaned?

FOCA 1 v. RC3
Fingerprinting Organizations with Collected Archives
Search for documents in Google and Bing
Automatic file downloading
Capable of extracting Metadata, hidden info and lost data
Cluster information
Analyzes the info to fingerprint the network.

Metadata tracing

AlternativeDomains

Sample: Printer info found in odf files returned by Google

Types of Engineers

DNS Prediction

Google Sets Prediction

IP Scanning

Manually-added Data

Demo:
Mda.mil

What’s new in FOCA 2.5+?
Network Discovery
Recursivealgorithm
InformationGathering
SwRecognition
DNS Cache Snooping
ReportingTool

FOCA 2.5: Exalead

Hugedomains case

DNS Search Panel

Búsqueda de URLS en buscadores

DNS Search & Zone Transfer
IP resolution
Well-Known records
NS
TXT (SPF)
MX
SOA (Primary.master)
Zone Transfer
Diccionarysearch

Bing IP

PTR Scannig

Network DiscoveryAlgorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
http -> Web server
GET Banner HTTP
domain.com is a domain
Search NS, MX, SPF records for domain.com
sub.domain.com is a subdomain
Search NS, MX, SPF records for sub.domain.com
Try allthe non verified servers onall new domains
server01.domain.com
server01.sub.domain.com
Apple1.sub.domain.com is a hostname
Try DNS Prediction (apple1) onalldomains
Try Google Sets(apple1) onalldomains

11) Resolve IP Address
12) GetCertificate in https://IP
13) Searchfordomainnames in it
14) Get HTTP Banner of http://IP
15) Use Bing Ip:IPtofindalldomainssharingit
16) Repeatforevery new domain
17) Connecttotheinternal NS (1 orall)
18) Perform a PTR Scansearchingforinternal servers
19) Forevery new IP discovered try Bing IP recursively
20) ~chema-> chemaisprobably a user

21) / , /~chema/ and /~chema/dir/ are paths
22) Try directorylisting in allthepaths
23) Searchfor PUT, DELETE, TRACE methods in everypath
24) Fingerprint software from 404 error messages
25) Fingerprint software fromapplication error messages
26) Try commonnamesonalldomains (dictionary)
27) Try Zone Transfer onall NS
28) Searchforany URL indexedby web enginesrelatedtothehostname
29) Downloadthe file
30) Extractthemetadata, hiddeninfo and lost data
31) Sortallthisinformationand presentitnicely
32) Forevery new IP/URL startoveragain

PC/Servers view

How Foca found a data

Role Oriented View

Vulnerabilites View

DNS Version.bind

Primary Master

Demo: fbi.gov
whitehouse.gov

CustomizableSearch

FOCA + Spidering

Demo : Foca + Spidering

Internal PTR Scanningusing FOCA

Internal PTR Scanning

FingerprintingOptions
404 NotFoundmessages
Domainnames and software
Aspx Error Messages
HTTP Banner
Hostname
IP Addres
SMTP Banner
Digital Certificates
Shodan

Digital Certificates

FOCA 2.5 & Shodan

FOCA 2.5 URL Analysis

.listing

Unsecure Http Methods

Search & Upload

Searchingfor Server-Side Technologies

Fuzzingoptions

Backupdiscovery

PlayingwithURLs

DNS Cache Snooping

DNS Cache Snooping
Internal Software
Windows Update
Gtalk
Evilgrade
Detecting vulnerable software toEvilgradeattacks
AV evassion
Detectinginternal AV systems
Malware drivenby URL
Hacking a web siteussuallyvisitedbyinternalusers

DNS Cache detection

Demo: DNS
Cache Snooping

Log filter

FOCA Reporting Module

Demo: Log & Reporting

FearThe FOCA

FOCA Online
http://www.informatica64.com/FOCA

Cleaning documents
OOMetaExtractor
http://www.codeplex.org/oometaextractor

IIS MetaShield Protector
http://www.metashieldprotector.com

Buy a FOCA T-Shirt
And be «Sexy» }:))

Questions?
Chema Alonso
chema@informatica64.com
http://www.informatica64.com
http://www.elladodelmal.com
http://twitter.com/chemaalonso
http://www.forefront-es.com
http://www.seguridadapple.com
http://www.windowstecnico.com
http://www.puntocompartido.com
Workingon FOCA:
Chema Alonso
Alejandro Martín
Francisco Oca
Manuel Fernández «The Sur»
Daniel Romero
Enrique Rando
Pedro Laguna
SpecialThanksto: John Matherly [Shodan]

http://www.elladodelmal.com	1096
http://static.slidesharecdn.com	9
http://rsscorner.com	2
http://dashboard.bloglines.com	1
http://translate.googleusercontent.com	1

Foca training hackcon6

by Chema Alonso on Feb 15, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 1,109

Statistics

Foca training hackcon6 — Presentation Transcript