
The Power of FOCA 3


Presentation of FOCA 3's features throughout its history.

Transcript of "The Power of FOCA 3"

  1. The Power of FOCA 3. Chema Alonso
  2. At the beginning was the metadata (Chema Alonso, 20/03/2013)
  3. Anonym0us case
  4. Drug Dealer
  5. The breasts of Hacker’s girlfriend
  6. Social Engineering Attack
  7. Metadata Risks
     • Hidden Relations
       – Companies
       – People
     • Software Piracy
     • History of documents
     • Tactical information
       – Targeted Attacks
       – Internal knowledge
     • Plotting events
       – Places
       – Time
  8. Forensic FOCA: http://www.elladodelmal.com/2012/02/forensic-foca-beta-trial.html
  9. Metadata, hidden info & lost data (diagram labels: New apps, Bad format conversion, New versions, Bad management, Embedded files, Searchers, Spiders, Doc DB, Bad management, Embedded objects, Embedded files)
  10. Show Me Your Metadata
  11. Targeting Malware
  12. Targeting Malware
  13. Hidden Info: Printers
  14. Electing the entry point
  15. Internal Fingerprinting with FOCA
  16. Phase 1: Metadata
  17. FOCA 2
  18. Recursive Network Discovery
      • Servers
      • Domains
      • HostNames
      • IP Address
      • Roles
  19. Network Discovery: WebSearcher
  20. Network Discovery: DNS
      • Well Known Records: SOA, MX, SPF, DKIM, LDAP, VoIP, Active Directory…
      • Zone Transfer: AXFR
      • Dictionary Search: Server1, Intranet, Private, DNS, etc.
  21. DNS Search
  22. Primary Master
  23. Network Discovery: Bing IP
  24. Network Discovery: PTR Scanning
  25. Network Discovery: Robtex
  26. Network Discovery: Shodan
  27. Digital Certificates
  28. Roles View
  29. Google Slash Trick
  30. Network Discovery Algorithm, for http://apple1.sub.domain.com/~chema/dir/fil.doc
      1) http -> Web server
      2) GET Banner HTTP
      3) domain.com is a domain
      4) Search NS, MX, SPF records for domain.com
      5) sub.domain.com is a subdomain
      6) Search NS, MX, SPF records for sub.domain.com
      7) Try all the non verified servers on all new domains
         1) server01.domain.com
         2) server01.sub.domain.com
      8) Apple1.sub.domain.com is a hostname
      9) Try DNS Prediction (apple1) on all domains
      10) Try Google Sets (apple1) on all domains
  31. Network Discovery Algorithm, for http://apple1.sub.domain.com/~chema/dir/fil.doc
      11) Resolve IP Address
      12) Get Certificate in https://IP
      13) Search for domain names in it
      14) Get HTTP Banner of http://IP
      15) Use Bing Ip:IP to find all domains sharing it
      16) Repeat for every new domain
      17) Connect to the internal NS (1 or all)
      18) Perform a PTR Scan searching for internal servers
      19) For every new IP discovered try Bing IP recursively
      20) ~chema -> chema is probably a user
  32. Network Discovery Algorithm, for http://apple1.sub.domain.com/~chema/dir/fil.doc
      21) / , /~chema/ and /~chema/dir/ are paths
      22) Try directory listing in all the paths
      23) Search for PUT, DELETE, TRACE etc. methods in every path
      24) Fingerprint software from 404 error messages
      25) Fingerprint software from application error messages
      26) Try common names on all domains (dictionary)
      27) Try Zone Transfer on all NS
      28) Search for any URL indexed by web engines related to the hostname
      29) Download the file
      30) Extract the metadata, hidden info and lost data
      31) Sort all this information and present it nicely
      32) For every new IP/URL start over again
  33. Click & Go
  34. How FOCA found a piece of data
  35. Multiple Search Engines
  36. Huge domain case
  37. Fingerprinting Options
      • 404 messages
      • Apps Error Messages
      • HTTP Banner
        – Hostname
        – IP Address
      • SMTP Banner
      • Digital Certificates
      • Shodan
      • Version.bind
  38. Phase 2: Network Discovery
  39. An0nymous #OpGreece
  40. Phase 3: Vulnerabilities
  41. Vulnerabilities
  42. Backups
  43. Directory Listing
  44. DNS Cache Snooping
  45. DNS Cache Snooping
  46. DNS Cache Snooping
      • Internal Software
        – Windows Update
        – Gtalk
      • Evilgrade
        – Detecting vulnerable software to Evilgrade attacks
      • AV evasion
        – Detecting internal AV systems
      • Malware driven by URL
        – Hacking a web site usually visited by internal users
  47. .DS_Store
  48. PHP CGI CODE EXECUTION BUG
  49. Insecure Http Methods
  50. Search & Upload
  51. Juicy files: White/black list of matches for keywords and extensions
  52. Juicy files
  53. .listing
  54. Multiple Choices
  55. .svn/entries: A .svn/entries file looks like:
  56. .svn/entries: There is a plugin that parses the file
  57. IIS Short Name bug
  58. Proxy Server detection
      • Mod_proxy
      • Ad-hoc
        – Normal
        – Transparent
  59. Proxy Server Detection
  60. Leaks: modsecurity_crs_50_outbound.conf
  61. Error Enforcement
  62. Leaks
  63. User directories: Search for ~USER in Apache webservers
  64. All your Foca needs is URLs
      • Network Discovery
      • Document Search
      • File parsing
        – Directory Listing
        – Robots.txt
        – .Listing
        – .DS_Store (not yet)
      • Domain Crawling
        – Bing
        – Google
      • Technology Recognition
      • Custom Search
      • Manual load
  65. Domain Crawling
  66. Custom Search
  67. FOCA + Spidering
  68. FOCA + Spidering
  69. Phase 4: Plugins
  70. Plugins: FOCA API 0.1
      • From FOCA to plugins (Events)
        – OnNewDomain
        – OnNewNetrange
        – OnNewURL
        – OnNewRelation
        – OnNewIP
        – OnNewProject
      • From Plugins to FOCA (Calls)
        – AddDomain
        – AddSQLi
        – AddProxy
        – AddIp
        – … And much more…
  71. Plugins: .svn/Entries parser
  72. Plugins: .svn/Entries parser
  73. Plugins: WebFuzzer
  74. Plugins: Auto SQLi searcher
  75. IIS Short Name Fuzzer
  76. Making an easy Plugin
  77. FOCA Reporting Module
  78. (untitled slide)
  79. Threat Analysis & Modeling
  80. Reporting OSSTMM 3.0: STAR
  81. OWASP Report Generator
  82. “i64” Web Audit Report
  83. Fear The FOCA
  84. FOCA Online
  85. Cleaning ODF: OOMetaExtractor, http://www.codeplex.org/oometaextractor
  86. IIS MetaShield Protector, http://www.metashieldprotector.com
  87. Evil FOCA
  88. Thanks to Apple
  89. Thanks to Apple (2)
  90. Chema Alonso
      • chema@informatica64.com
      • @chemaalonso
      • http://elladodelmal.com
      • http://www.informatica64.com
  91. FOCA: http://www.informatica64.com/foca.aspx, amigosdelafoca@informatica64.com
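
The URL-only deductions of the Network Discovery Algorithm slides (steps 1, 3, 5, 8, 20 and 21), as an added example that is not taken from the slides or from FOCA's code: it shows what a single published document URL discloses before any request is made, which is what a defender reviews when deciding what to expose. The names `facts_from_url`, `is_ip_literal` and `suffix_labels` are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit, unquote


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def facts_from_url(url, suffix_labels=1):
    """Facts one URL discloses (steps 1, 3, 5, 8, 20, 21 of the slides).
    suffix_labels is an assumption of this example: labels in the public
    suffix (1 for ".com", 2 for ".co.uk"); no suffix list is consulted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    facts = {"service": parts.scheme, "domain": None, "subdomains": [],
             "hostname": None, "ip": None}
    if is_ip_literal(host):
        facts["ip"] = host                      # no DNS names to derive
    else:
        labels = host.split(".")
        n = suffix_labels + 1                   # labels in the registrable domain
        if len(labels) < n or not all(labels):
            raise ValueError(f"not a usable DNS name: {host!r}")
        facts["domain"] = ".".join(labels[-n:])
        # Names strictly between the host and the domain are subdomains.
        facts["subdomains"] = [".".join(labels[i:])
                               for i in range(1, len(labels) - n)]
        facts["hostname"] = host if len(labels) > n else None
    # Decode first so "%7Echema" is recognised as "~chema".
    path = unquote(parts.path) or "/"
    segments = [s for s in path.split("/") if s]
    first = segments[0] if segments else ""
    facts["user"] = first[1:] if first.startswith("~") and len(first) > 1 else None
    # Every parent directory of the file is a path of its own (step 21).
    dirs = segments if path.endswith("/") else segments[:-1]
    facts["paths"] = ["/"]
    for seg in dirs:
        facts["paths"].append(facts["paths"][-1] + seg + "/")
    return facts


if __name__ == "__main__":
    print(facts_from_url("http://apple1.sub.domain.com/~chema/dir/fil.doc"))
    # Constructed URL: two-label suffix and a percent-encoded "~".
    print(facts_from_url("https://www.example.co.uk/%7Eana/", suffix_labels=2))
```
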