Foca training hackcon6
    Foca training hackcon6 Presentation Transcript

    • FOCA Pro
      Chema Alonso
    • What’s a FOCA?
    • FOCA on Linux?
    • FOCA + Wine
    • Previously on
      FOCA….
    • FOCA 0.X
    • A document is
      What you see…
      And what you don't
      Template paths
      Users worked in it.
      Departments.
      File & Printing Servers
      Version History
      Embedded files

    • What kind of data can be found?
      Metadata:
      Information stored to give information about the document.
      For example: Creator, Organization, etc..
      Hidden information:
      Information internally stored by programs and not editable.
      For example: Template paths, Printers, db structure, etc…
      Lost data:
      Information which is in documents due to human mistakes or negligence, because it was not intended to be there.
      For example: Links to internal servers, data hidden by format, etc…
    • Metadata
      Metadata Lifecycle
      Wrong management
      Bad format conversion
      Unsecure options
      Wrong management
      Bad format conversion
      Unsecure options
      New apps or program versions
      Search engines
      Spiders
      Databases
      Embedded files
      Hidden info
      Lost Data
      Embedded files
    • Metadata Risks
      “Secret” relationships
      Government & companies
      Companies & providers
      Piracy
      Reputation
      Social engineering attacks
      Targeting Malware
    • 2003 – MS Word bytes Tony Blair
    • Targeting Malware
    • Targeting Malware
    • Electing the entry point
    • Why you should be using FS
    • Linux installation guide
    • Social Engineering Attack
    • Anonim0us case
    • Metadata created by Google
    • Lost Data
    • Lost data everywhere
    • Metadata in Search Engines
    • Pictures with GPS info..
      EXIFREADER
      http://www.takenet.or.jp/~ryuuji/
    • Even videos with users…
      http://video.techrepublic.com.com/2422-14075_11-207247.html
    • And of course, printed txt
    • OLE Streams
      In MS Office binary format files
      Store information about the OS
      Are not cleaned with these Tools
      FOCA finds this info
    • FOCA: File types supported
      • Office documents:
      • Open Office documents.
      • MS Office documents.
      • PDF Documents.
      • XMP.
      • EPS Documents.
      • Graphic documents.
      • EXIF.
      • XMP.
      • Adobe Indesign, SVG, SVGZ (NEW)
    • What can be found?
      • Users:
      • Creators.
      • Modifiers.
      • Users in paths.
      • C:\Documents and settings\jfoo\myfile
      • /home/johnnyf
      • Operating systems.
      • Printers.
      • Local and remote.
      • Paths.
      • Local and remote.
      • Network info.
      • Shared Printers.
      • Shared Folders.
      • ACLS.
      • Internal Servers.
      • NetBIOS Name.
      • Domain Name.
      • IP Address.
      • Database structures.
      • Table names.
      • Column names.
      • Devices info.
      • Mobiles.
      • Photo cameras.
      • Private Info.
      • Personal data.
      • History of use.
      • Software versions.
    • Demo:
      Single files
    • Sample: FBI.gov
      Total: 4841 files
    • Are they cleaned?
    • FOCA 1 v. RC3
      • Fingerprinting Organizations with Collected Archives
      • Search for documents in Google and Bing
      • Automatic file downloading
      • Capable of extracting Metadata, hidden info and lost data
      • Cluster information
      • Analyzes the info to fingerprint the network.
    • Metadata tracing
    • Alternative Domains
    • Alternative Domains
    • Sample: Printer info found in odf files returned by Google
    • Types of Engineers
    • DNS Prediction
    • Google Sets Prediction
    • IP Scanning
    • Manually-added Data
    • Demo:
      Mda.mil
    • What’s new in FOCA 2.5+?
      • Network Discovery
      • Recursive algorithm
      • Information Gathering
      • Sw Recognition
      • DNS Cache Snooping
      • Reporting Tool
    • FOCA 2.5: Exalead
    • Huge domains case
    • DNS Search Panel
    • URL search in search engines
    • DNS Search & Zone Transfer
      IP resolution
      Well-Known records
      NS
      TXT (SPF)
      MX
      SOA (Primary.master)
      Zone Transfer
      Dictionary search
    • Bing IP
    • PTR Scanning
    • Network Discovery Algorithm
      http://apple1.sub.domain.com/~chema/dir/fil.doc
      http -> Web server
      GET Banner HTTP
      domain.com is a domain
      Search NS, MX, SPF records for domain.com
      sub.domain.com is a subdomain
      Search NS, MX, SPF records for sub.domain.com
      Try all the non verified servers on all new domains
      server01.domain.com
      server01.sub.domain.com
      Apple1.sub.domain.com is a hostname
      Try DNS Prediction (apple1) on all domains
      Try Google Sets (apple1) on all domains
    • Network Discovery Algorithm
      http://apple1.sub.domain.com/~chema/dir/fil.doc
      11) Resolve IP Address
      12) Get Certificate in https://IP
      13) Search for domain names in it
      14) Get HTTP Banner of http://IP
      15) Use Bing Ip:IP to find all domains sharing it
      16) Repeat for every new domain
      17) Connect to the internal NS (1 or all)
      18) Perform a PTR Scan searching for internal servers
      19) For every new IP discovered try Bing IP recursively
      20) ~chema -> chema is probably a user
    • Network Discovery Algorithm
      http://apple1.sub.domain.com/~chema/dir/fil.doc
      21) / , /~chema/ and /~chema/dir/ are paths
      22) Try directory listing in all the paths
      23) Search for PUT, DELETE, TRACE methods in every path
      24) Fingerprint software from 404 error messages
      25) Fingerprint software from application error messages
      26) Try common names on all domains (dictionary)
      27) Try Zone Transfer on all NS
      28) Search for any URL indexed by web engines related to the hostname
      29) Download the file
      30) Extract the metadata, hidden info and lost data
      31) Sort all this information and present it nicely
      32) For every new IP/URL start over again
    • PC/Servers view
    • How Foca found a data
    • Role Oriented View
    • Vulnerabilities View
    • DNS Version.bind
    • Primary Master
    • Demo: fbi.gov
      whitehouse.gov
    • Customizable Search
    • FOCA + Spidering
    • FOCA + Spidering
    • Demo : Foca + Spidering
    • Internal PTR Scanning using FOCA
    • Internal PTR Scanning
    • Fingerprinting Options
      404 Not Found messages
      Domain names and software
      Aspx Error Messages
      HTTP Banner
      Hostname
      IP Address
      SMTP Banner
      Digital Certificates
      Shodan
    • Digital Certificates
    • FOCA 2.5 & Shodan
    • FOCA 2.5 URL Analysis
    • .listing
    • Unsecure Http Methods
    • Search & Upload
    • Searching for Server-Side Technologies
    • Proxy
    • Fuzzing options
    • Backup discovery
    • Playing with URLs
    • DNS Cache Snooping
    • DNS Cache Snooping
    • DNS Cache Snooping
      Internal Software
      Windows Update
      Gtalk
      Evilgrade
      Detecting software vulnerable to Evilgrade attacks
      AV evasion
      Detecting internal AV systems
      Malware driven by URL
      Hacking a web site usually visited by internal users
    • DNS Cache detection
    • Demo: DNS
      Cache Snooping
    • Log filter
    • FOCA Reporting Module
    • FOCA Reporting Module
    • Demo: Log & Reporting
    • Fear The FOCA
    • FOCA Online
      http://www.informatica64.com/FOCA
    • Cleaning documents
      • OOMetaExtractor
      http://www.codeplex.org/oometaextractor
    • IIS MetaShield Protector
      http://www.metashieldprotector.com
    • Buy a FOCA T-Shirt
      And be «Sexy» }:))
    • Questions?
      • Chema Alonso
      • chema@informatica64.com
      • http://www.informatica64.com
      • http://www.elladodelmal.com
      • http://twitter.com/chemaalonso
      • http://www.forefront-es.com
      • http://www.seguridadapple.com
      • http://www.windowstecnico.com
      • http://www.puntocompartido.com
      • Working on FOCA:
      • Chema Alonso
      • Alejandro Martín
      • Francisco Oca
      • Manuel Fernández «The Sur»
      • Daniel Romero
      • Enrique Rando
      • Pedro Laguna
      • Special Thanks to: John Matherly [Shodan]
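
Added example (not part of the original slides and not FOCA's code): a pre-publication audit for the "What can be found?" and "Cleaning documents" slides, listing the creator, last modifier, template path and any user names in paths that an OOXML file would expose. The sample package, its values and the function names are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
# Metadata parts of an OOXML package and the fields that identify people or hosts.
FIELDS = {"docProps/core.xml": {"creator": "dc:creator",
                                "last_modified_by": "cp:lastModifiedBy"},
          "docProps/app.xml": {"template": "ep:Template", "company": "ep:Company",
                               "application": "ep:Application"}}
# User names embedded in local paths (Windows profile or Unix home directories).
USER_IN_PATH = re.compile(
    r"(?:[A-Za-z]:\\(?:Documents and Settings|Users)\\|/home/)([^\\/\s]+)", re.I)

def audit_ooxml(data: bytes) -> dict:
    """Return the identifying metadata a published OOXML file would expose."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part, fields in FIELDS.items():
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))  # trusted input: your own documents
            for name, tag in fields.items():
                node = root.find(tag, NS)
                if node is not None and node.text:
                    found[name] = node.text
    users = {u for value in found.values() for u in USER_IN_PATH.findall(value)}
    found["users_in_paths"] = sorted(users)
    return found

def sample_docx() -> bytes:
    """Constructed sample: an OOXML package holding only the two metadata parts."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>jfoo'
            '</dc:creator><cp:lastModifiedBy>Johnny Foo</cp:lastModifiedBy>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"]))
    app = ('<Properties xmlns="%s"><Template>C:\\Documents and Settings\\jfoo\\'
           'Templates\\report.dotx</Template><Application>Microsoft Office Word'
           '</Application></Properties>' % NS["ep"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_ooxml(sample_docx()))
```

Any non-empty field in the result is something to clear or justify before the file is published.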