Foca training hackcon6
Foca training hackcon6 Presentation Transcript

  • 1. FOCA Pro
    Chema Alonso
  • 2. What’s a FOCA?
  • 3. FOCA on Linux?
  • 4. FOCA + Wine
  • 5. Previously on
    FOCA….
  • 6. FOCA 0.X
  • 7. A document is
    What you see…
    And what you don't
    Template paths
    Users worked in it.
    Departments.
    File & Printing Servers
    Version History
    Embedded files

  • 8. What kind of data can be found?
    Metadata:
    Information stored to give information about the document.
    For example: Creator, Organization, etc..
    Hidden information:
    Information internally stored by programs and not editable.
    For example: Template paths, Printers, db structure, etc…
    Lost data:
    Information which is in documents due to human mistakes or negligence, because it was not intended to be there.
    For example: Links to internal servers, data hidden by format, etc…
  • 9. Metadata
    Metadata Lifecycle
    Wrong management
    Bad format conversion
    Unsecure options
    Wrong management
    Bad format conversion
    Unsecure options
    New apps or program versions
    Search engines
    Spiders
    Databases
    Embedded files
    Hidden info
    Lost Data
    Embedded files
  • 10. Metadata Risks
    “Secret” relationships
    Government & companies
    Companies & providers
    Piracy
    Reputation
    Social engineering attacks
    Targeting Malware
  • 11. 2003 – MS Word bytes Tony Blair
  • 12. Targeting Malware
  • 13. Targeting Malware
  • 14. Electing the entry point
  • 15. Why you should be using FS
  • 16. Linux installation guide
  • 17. Social Engineering Attack
  • 18. Anonim0us case
  • 19. Metadata created by Google
  • 20. Lost Data
  • 21. Lost data everywhere
  • 22. Metadata in Search Engines
  • 23. Pictures with GPS info..
    EXIFREADER
    http://www.takenet.or.jp/~ryuuji/
  • 24. Even videos with users…
    http://video.techrepublic.com.com/2422-14075_11-207247.html
  • 25. And of course, printed txt
  • 26. OLE Streams
    In MS Office binary format files
    Store information about the OS
    Are not cleaned with these tools
    FOCA finds this info
  • 27. FOCA: File types supported
    • Office documents:
    • 28. Open Office documents.
    • 29. MS Office documents.
    • 30. PDF Documents.
    • 31. XMP.
    • 32. EPS Documents.
    • 33. Graphic documents.
    • 34. EXIF.
    • 35. XMP.
    • 36. Adobe Indesign, SVG, SVGZ (NEW)
  • What can be found?
    • Users:
    • 37. Creators.
    • 38. Modifiers .
    • 39. Users in paths.
    • 40. C:\Documents and settings\jfoo\myfile
    • 41. /home/johnnyf
    • 42. Operating systems.
    • 43. Printers.
    • 44. Local and remote.
    • 45. Paths.
    • 46. Local and remote.
    • 47. Network info.
    • 48. Shared Printers.
    • 49. Shared Folders.
    • 50. ACLS.
    • 51. Internal Servers.
    • 52. NetBIOS Name.
    • 53. Domain Name.
    • 54. IP Address.
    • 55. Database structures.
    • 56. Table names.
    • 57. Column names.
    • 58. Devices info.
    • 59. Mobiles.
    • 60. Photo cameras.
    • 61. Private Info.
    • 62. Personal data.
    • 63. History of use.
    • 64. Software versions.
  • Demo:
    Single files
  • 65. Sample: FBI.gov
    Total: 4841 files
  • 66. Are they cleaned?
  • 67. FOCA 1 v. RC3
    • Fingerprinting Organizations with Collected Archives
    • 68. Search for documents in Google and Bing
    • 69. Automatic file downloading
    • 70. Capable of extracting Metadata, hidden info and lost data
    • 71. Cluster information
    • 72. Analyzes the info to fingerprint the network.
  • Metadata tracing
  • 73. Alternative Domains
  • 74. Alternative Domains
  • 75. Sample: Printer info found in odf files returned by Google
  • 76. Types of Engineers
  • 77. DNS Prediction
  • 78. Google Sets Prediction
  • 79. IP Scanning
  • 80. Manually-added Data
  • 81.
  • 82. Demo:
    Mda.mil
  • 83. What’s new in FOCA 2.5+?
    • Network Discovery
    • 84. Recursive algorithm
    • 85. Information Gathering
    • 86. Sw Recognition
    • 87. DNS Cache Snooping
    • 88. Reporting Tool
  • FOCA 2.5: Exalead
  • 89. Huge domains case
  • 90. DNS Search Panel
  • 91. URL search in search engines
  • 92. DNS Search & Zone Transfer
    IP resolution
    Well-Known records
    NS
    TXT (SPF)
    MX
    SOA (Primary.master)
    Zone Transfer
    Dictionary search
  • 93. Bing IP
  • 94. PTR Scanning
  • 95. Network Discovery Algorithm
    http://apple1.sub.domain.com/~chema/dir/fil.doc
    http -> Web server
    GET Banner HTTP
    domain.com is a domain
    Search NS, MX, SPF records for domain.com
    sub.domain.com is a subdomain
    Search NS, MX, SPF records for sub.domain.com
    Try all the non-verified servers on all new domains
    server01.domain.com
    server01.sub.domain.com
    Apple1.sub.domain.com is a hostname
    Try DNS Prediction (apple1) on all domains
    Try Google Sets (apple1) on all domains
  • 96. Network Discovery Algorithm
    http://apple1.sub.domain.com/~chema/dir/fil.doc
    11) Resolve IP Address
    12) Get Certificate in https://IP
    13) Search for domain names in it
    14) Get HTTP Banner of http://IP
    15) Use Bing Ip:IP to find all domains sharing it
    16) Repeat for every new domain
    17) Connect to the internal NS (1 or all)
    18) Perform a PTR Scan searching for internal servers
    19) For every new IP discovered try Bing IP recursively
    20) ~chema -> chema is probably a user
  • 97. Network Discovery Algorithm
    http://apple1.sub.domain.com/~chema/dir/fil.doc
    21) / , /~chema/ and /~chema/dir/ are paths
    22) Try directory listing in all the paths
    23) Search for PUT, DELETE, TRACE methods in every path
    24) Fingerprint software from 404 error messages
    25) Fingerprint software from application error messages
    26) Try common names on all domains (dictionary)
    27) Try Zone Transfer on all NS
    28) Search for any URL indexed by web engines related to the hostname
    29) Download the file
    30) Extract the metadata, hidden info and lost data
    31) Sort all this information and present it nicely
    32) For every new IP/URL start over again
  • 98.
  • 99. PC/Servers view
  • 100. How Foca found a data
  • 101. Role Oriented View
  • 102. Vulnerabilities View
  • 103. DNS Version.bind
  • 104. Primary Master
  • 105. Demo: fbi.gov
    whitehouse.gov
  • 106. Customizable Search
  • 107. FOCA + Spidering
  • 108. FOCA + Spidering
  • 109. Demo : Foca + Spidering
  • 110. Internal PTR Scanning using FOCA
  • 111. Internal PTR Scanning
  • 112. Fingerprinting Options
    404 Not Found messages
    Domain names and software
    Aspx Error Messages
    HTTP Banner
    Hostname
    IP Address
    SMTP Banner
    Digital Certificates
    Shodan
  • 113. Digital Certificates
  • 114. FOCA 2.5 & Shodan
  • 115. FOCA 2.5 URL Analysis
  • 116. .listing
  • 117. Unsecure Http Methods
  • 118. Search & Upload
  • 119. Searching for Server-Side Technologies
  • 120. Proxy
  • 121. Fuzzing options
  • 122. Backup discovery
  • 123. Playing with URLs
  • 124. DNS Cache Snooping
  • 125. DNS Cache Snooping
  • 126. DNS Cache Snooping
    Internal Software
    Windows Update
    Gtalk
    Evilgrade
    Detecting software vulnerable to Evilgrade attacks
    AV evasion
    Detecting internal AV systems
    Malware driven by URL
    Hacking a web site usually visited by internal users
  • 127. DNS Cache detection
  • 128. Demo: DNS
    Cache Snooping
  • 129. Log filter
  • 130. FOCA Reporting Module
  • 131. FOCA Reporting Module
  • 132. Demo: Log & Reporting
  • 133. Fear The FOCA
  • 134. FOCA Online
    http://www.informatica64.com/FOCA
  • 135. Cleaning documents
    • OOMetaExtractor
    http://www.codeplex.org/oometaextractor
  • 136. IIS MetaShield Protector
    http://www.metashieldprotector.com
  • 137. Buy a FOCA T-Shirt
    And be «Sexy» }:))
  • 138. Questions?
    • Chema Alonso
    • 139. chema@informatica64.com
    • 140. http://www.informatica64.com
    • 141. http://www.elladodelmal.com
    • 142. http://twitter.com/chemaalonso
    • 143. http://www.forefront-es.com
    • 144. http://www.seguridadapple.com
    • 145. http://www.windowstecnico.com
    • 146. http://www.puntocompartido.com
    • 147. Working on FOCA:
    • 148. Chema Alonso
    • 149. Alejandro Martín
    • 150. Francisco Oca
    • 151. Manuel Fernández «The Sur»
    • 152. Daniel Romero
    • 153. Enrique Rando
    • 154. Pedro Laguna
    • 155. Special Thanks to: John Matherly [Shodan]