Foca training hackcon6


  1. FOCA Pro
     Chema Alonso
  2. What's a FOCA?
  3. FOCA on Linux?
  4. FOCA + Wine
  5. Previously on FOCA...
  6. FOCA 0.X
  7. A document is: what you see... and what you don't
     Template paths / Users who worked in it / Departments / File & printing servers / Version history / Embedded files / ...
  8. What kind of data can be found?
     Metadata: information stored to give information about the document. For example: creator, organization, etc.
     Hidden information: information internally stored by programs and not editable. For example: template paths, printers, DB structure, etc.
     Lost data: information which is in documents due to human mistakes or negligence, because it was not intended to be there. For example: links to internal servers, data hidden by format, etc.
  9. Metadata: metadata lifecycle (diagram)
     Wrong management / Bad format conversion / Unsecure options
     New apps or program versions
     Search engines / Spiders / Databases
     Embedded files / Hidden info / Lost data
 10. Metadata risks
     "Secret" relationships: government & companies, companies & providers
     Piracy / Reputation / Social engineering attacks / Targeting malware
 11. 2003 – MS Word bytes Tony Blair
 12. Targeting Malware
 13. Targeting Malware
 14. Choosing the entry point
 15. Why you should be using FS
 16. Linux installation guide
 17. Social Engineering Attack
 18. Anonim0us case
 19. Metadata created by Google
 20. Lost Data
 21. Lost data everywhere
 22. Metadata in Search Engines
 23. Pictures with GPS info...
     EXIFREADER: http://www.takenet.or.jp/~ryuuji/
 24. Even videos with users...
     http://video.techrepublic.com.com/2422-14075_11-207247.html
 25. And of course, printed txt
 26. OLE Streams
     In MS Office binary format files / Store information about the OS / Are not cleaned with these tools / FOCA finds this info
 27. FOCA: File types supported
       Office documents:
 28.   OpenOffice documents.
 29.   MS Office documents.
 30.   PDF documents.
 31.   XMP.
 32.   EPS documents.
 33.   Graphic documents:
 34.   EXIF.
 35.   XMP.
 36.   Adobe InDesign, SVG, SVGZ (NEW)
     What can be found?
       Users:
 37.   Creators.
 38.   Modifiers.
 39.   Users in paths.
 40.   C:\Documents and Settings\jfoo\myfile
 41.   /home/johnnyf
 42.   Operating systems.
 43.   Printers.
 44.   Local and remote.
 45.   Paths.
 46.   Local and remote.
 47.   Network info.
 48.   Shared printers.
 49.   Shared folders.
 50.   ACLs.
 51.   Internal servers.
 52.   NetBIOS name.
 53.   Domain name.
 54.   IP address.
 55.   Database structures.
 56.   Table names.
 57.   Column names.
 58.   Devices info.
 59.   Mobiles.
 60.   Photo cameras.
 61.   Private info.
 62.   Personal data.
 63.   History of use.
 64.   Software versions.
     Demo: Single files
 65. Sample: FBI.gov
     Total: 4841 files
 66. Are they cleaned?
 67. FOCA 1 v. RC3
       Fingerprinting Organizations with Collected Archives
 68.   Search for documents in Google and Bing
 69.   Automatic file downloading
 70.   Capable of extracting metadata, hidden info and lost data
 71.   Cluster information
 72.   Analyzes the info to fingerprint the network.
     Metadata tracing
 73. Alternative Domains
 74. Alternative Domains
 75. Sample: Printer info found in ODF files returned by Google
 76. Types of Engineers
 77. DNS Prediction
 78. Google Sets Prediction
 79. IP Scanning
 80. Manually-added Data
 81. (no transcript text)
 82. Demo: Mda.mil
 83. What's new in FOCA 2.5+?
       Network Discovery
 84.   Recursive algorithm
 85.   Information Gathering
 86.   SW Recognition
 87.   DNS Cache Snooping
 88.   Reporting Tool
     FOCA 2.5: Exalead
 89. Huge domains case
 90. DNS Search Panel
 91. URL search in search engines
 92. DNS Search & Zone Transfer
     IP resolution / Well-known records: NS, TXT (SPF), MX, SOA (primary master) / Zone transfer / Dictionary search
 93. Bing IP
 94. PTR Scanning
 95. Network Discovery Algorithm
     http://apple1.sub.domain.com/~chema/dir/fil.doc
     1) http -> Web server
     2) GET HTTP banner
     3) domain.com is a domain
     4) Search NS, MX, SPF records for domain.com
     5) sub.domain.com is a subdomain
     6) Search NS, MX, SPF records for sub.domain.com
     7) Try all the non-verified servers on all new domains (server01.domain.com, server01.sub.domain.com)
     8) apple1.sub.domain.com is a hostname
     9) Try DNS Prediction (apple1) on all domains
     10) Try Google Sets (apple1) on all domains
 96. Network Discovery Algorithm
     http://apple1.sub.domain.com/~chema/dir/fil.doc
     11) Resolve IP address
     12) Get certificate in https://IP
     13) Search for domain names in it
     14) Get HTTP banner of http://IP
     15) Use Bing ip:IP to find all domains sharing it
     16) Repeat for every new domain
     17) Connect to the internal NS (1 or all)
     18) Perform a PTR scan searching for internal servers
     19) For every new IP discovered try Bing IP recursively
     20) ~chema -> chema is probably a user
 97. Network Discovery Algorithm
     http://apple1.sub.domain.com/~chema/dir/fil.doc
     21) /, /~chema/ and /~chema/dir/ are paths
     22) Try directory listing in all the paths
     23) Search for PUT, DELETE, TRACE methods in every path
     24) Fingerprint software from 404 error messages
     25) Fingerprint software from application error messages
     26) Try common names on all domains (dictionary)
     27) Try Zone Transfer on all NS
     28) Search for any URL indexed by web engines related to the hostname
     29) Download the file
     30) Extract the metadata, hidden info and lost data
     31) Sort all this information and present it nicely
     32) For every new IP/URL start over again
 98. (no transcript text)
 99. PC/Servers view
100. How FOCA found the data
101. Role Oriented View
102. Vulnerabilities View
103. DNS Version.bind
104. Primary Master
105. Demo: fbi.gov, whitehouse.gov
106. Customizable Search
107. FOCA + Spidering
108. FOCA + Spidering
109. Demo: FOCA + Spidering
110. Internal PTR Scanning using FOCA
111. Internal PTR Scanning
112. Fingerprinting Options
     404 Not Found messages / Domain names and software / ASPX error messages / HTTP banner / Hostname / IP address / SMTP banner / Digital certificates / Shodan
113. Digital Certificates
114. FOCA 2.5 & Shodan
115. FOCA 2.5 URL Analysis
116. .listing
117. Insecure HTTP Methods
118. Search & Upload
119. Searching for Server-Side Technologies
120. Proxy
121. Fuzzing options
122. Backup discovery
123. Playing with URLs
124. DNS Cache Snooping
125. DNS Cache Snooping
126. DNS Cache Snooping
     Internal software: Windows Update, Gtalk
     Evilgrade: detecting software vulnerable to Evilgrade attacks
     AV evasion: detecting internal AV systems
     Malware driven by URL: hacking a web site usually visited by internal users
127. DNS Cache detection
128. Demo: DNS Cache Snooping
129. Log filter
130. FOCA Reporting Module
131. FOCA Reporting Module
132. Demo: Log & Reporting
133. Fear The FOCA
134. FOCA Online
     http://www.informatica64.com/FOCA
135. Cleaning documents
     OOMetaExtractor: http://www.codeplex.org/oometaextractor
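The properties listed under "What can be found?" (creators, modifiers, template paths, company, software versions) and the cleaning step on this slide, as an added example that is neither FOCA's nor OOMetaExtractor's code: it assumes only the Office Open XML layout, where those properties live in docProps/core.xml and docProps/app.xml, builds a sample .docx in memory from constructed values, audits it the way a metadata tool would, and blanks the fields before the file is published.

```python
import io, zipfile, xml.etree.ElementTree as ET

# OOXML namespaces of the two property parts (docProps/core.xml and docProps/app.xml).
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
# Properties that leak users, organisation, template (server) paths and software versions.
FIELDS = {"docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "dc:description"],
          "docProps/app.xml": ["ep:Company", "ep:Template", "ep:Application", "ep:AppVersion"]}

def make_sample_docx() -> bytes:
    """Constructed .docx (not a real file) carrying the kind of metadata a real one leaks."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>jfoo</dc:creator>'
            '<cp:lastModifiedBy>Alice Example</cp:lastModifiedBy></cp:coreProperties>' % (NS["cp"], NS["dc"]))
    app = ('<Properties xmlns="%s"><AppVersion>12.0000</AppVersion><Company>Example Corp</Company>'
           '<Template>\\\\fileserver01\\templates\\corp.dotx</Template></Properties>' % NS["ep"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()

def audit_metadata(docx: bytes) -> dict:
    """Return every non-empty identifying property, keyed by its prefixed element name."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for part, fields in FIELDS.items():
            root = ET.fromstring(z.read(part))
            for f in fields:
                el = root.find(f, NS)
                if el is not None and (el.text or "").strip():
                    found[f] = el.text.strip()
    return found

def scrub_metadata(docx: bytes) -> bytes:
    """Copy the package, blanking the identifying properties; every other part is kept as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in FIELDS:
                root = ET.fromstring(data)
                for f in FIELDS[item.filename]:
                    el = root.find(f, NS)
                    if el is not None:
                        el.text = None  # element stays (schema-valid), value removed
                data = ET.tostring(root, encoding="UTF-8")
            dst.writestr(item.filename, data)
    return out.getvalue()
```

Running `audit_metadata` on the scrubbed output returns an empty dict, which is the check to put in a pre-publication pipeline; the same two parts are what OLE-free OOXML files expose, so binary .doc files (OLE streams, slide 26) need a separate parser.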
136. IIS MetaShield Protector
     http://www.metashieldprotector.com
137. Buy a FOCA T-Shirt
     And be «Sexy» }:))
138. Questions?
       Chema Alonso
139.   chema@informatica64.com
140.   http://www.informatica64.com
141.   http://www.elladodelmal.com
142.   http://twitter.com/chemaalonso
143.   http://www.forefront-es.com
144.   http://www.seguridadapple.com
145.   http://www.windowstecnico.com
146.   http://www.puntocompartido.com
147.   Working on FOCA:
148.   Chema Alonso
149.   Alejandro Martín
150.   Francisco Oca
151.   Manuel Fernández «The Sur»
152.   Daniel Romero
153.   Enrique Rando
154.   Pedro Laguna
155.   Special thanks to: John Matherly [Shodan]
