The Power of FOCA 3

Presentation of FOCA 3 features throughout its history.

© All Rights Reserved

Presentation Transcript

  • The Power of FOCA 3 (Chema Alonso, 20/03/2013)
  • At the beginning was the metadata
  • Anonym0us case
  • Drug Dealer
  • The breasts of Hacker’s girlfriend
  • Social Engineering Attack
  • Metadata Risks
    – Hidden Relations: Companies, People
    – Software Piracy
    – History of documents: Places, Time
    – Tactical information: Targeted Attacks, Internal knowledge
    – Plotting events
  • Forensic FOCA (http://www.elladodelmal.com/2012/02/forensic-foca-beta-trial.html)
  • Metadata, hidden info & lost data: where it comes from
    – New apps, bad format conversion, new versions, bad management
    – Embedded files, searchers, spiders, document DBs
    – Embedded objects, embedded files
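The slide above lists where metadata, hidden information and lost data come from; the following script, an added example rather than FOCA's own code, shows what that looks like in a single Office Open XML document. It reads docProps/core.xml and docProps/app.xml with the Python standard library, lists embedded objects and media that survive inside the package, and maps the raw fields onto the risk categories from the "Metadata Risks" slide (people, company, software, internal servers, document history). The sample .docx, its property values and the UNC template path are all constructed inline so the script runs offline; nothing in it comes from a real document.

```python
"""Inspect the metadata an Office Open XML (.docx) file carries.

Added example, not FOCA's own code. A sample document is constructed inline
(all values are made up) so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for the two properties parts (standard, not FOCA-specific).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dcterms:created",
               "dcterms:modified", "cp:revision"]
APP_FIELDS = ["ep:Application", "ep:AppVersion", "ep:Company",
              "ep:Template", "ep:TotalTime"]


def _fields(xml_bytes, tags):
    """Map local tag name -> text for the listed prefixed tags."""
    root = ET.fromstring(xml_bytes)
    out = {}
    for tag in tags:
        el = root.find(tag, NS)
        if el is not None and el.text:
            out[tag.split(":")[1]] = el.text.strip()
    return out


def inspect_docx(data):
    """Return metadata and embedded parts found in a .docx given as bytes."""
    report = {"core": {}, "app": {}, "embedded": [], "media": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "docProps/core.xml" in names:
            report["core"] = _fields(zf.read("docProps/core.xml"), CORE_FIELDS)
        if "docProps/app.xml" in names:
            report["app"] = _fields(zf.read("docProps/app.xml"), APP_FIELDS)
        # OLE objects and images stay in the package even when they are no
        # longer visible in the rendered document ("lost data").
        report["embedded"] = [n for n in names if n.startswith("word/embeddings/")]
        report["media"] = [n for n in names if n.startswith("word/media/")]
    return report


def findings(report):
    """Translate raw fields into the leak categories from the slides."""
    out = []
    core, app = report["core"], report["app"]
    for key in ("creator", "lastModifiedBy"):
        if key in core:
            out.append(f"people: {key}={core[key]}")
    if "Company" in app:
        out.append(f"company: {app['Company']}")
    if "Application" in app:
        out.append(f"software: {app['Application']} {app.get('AppVersion', '')}".strip())
    # A UNC template path names an internal file server and share.
    m = re.match(r"\\\\([^\\]+)\\", app.get("Template", ""))
    if m:
        out.append(f"internal server: {m.group(1)}")
    if "created" in core and "modified" in core:
        out.append(f"history: {core['created']} -> {core['modified']} "
                   f"({core.get('revision', '?')} revisions)")
    for part in report["embedded"] + report["media"]:
        out.append(f"embedded part: {part}")
    return out


def build_sample_docx():
    """Constructed sample (not a real document) with typical leaky properties."""
    core = r"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>jdoe</dc:creator>
 <cp:lastModifiedBy>CORP\jdoe</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2013-03-01T09:00:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2013-03-15T17:30:00Z</dcterms:modified>
 <cp:revision>7</cp:revision>
</cp:coreProperties>"""
    app = r"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Office Word</Application>
 <AppVersion>12.0000</AppVersion>
 <Company>Example Corp</Company>
 <Template>\\fileserver01\templates\corp.dotx</Template>
 <TotalTime>95</TotalTime>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)
        zf.writestr("word/media/image1.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    for line in findings(inspect_docx(build_sample_docx())):
        print(line)
```

Running the script prints one finding per line; pointing inspect_docx at documents already published on a web site is the quickest way to see what an outsider can learn from them before the files are cleaned.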
  • Show Me Your Metadata
  • Targeting Malware
  • Targeting Malware
  • Hidden Info: Printers
  • Electing the entry point
  • Internal Fingerprinting with FOCA
  • Phase 1: Metadata
  • FOCA 2
  • Recursive Network Discovery: Servers, Domains, HostNames, IP Address, Roles
  • Network Discovery: WebSearcher
  • Network Discovery: DNS
    – SOA, MX, SPF, DKIM
    – Well-known records: LDAP, VoIP, Active Directory...
    – Zone Transfer (AXFR)
    – Dictionary search: server1, intranet, private, dns, etc.
  • DNS Search
  • Primary Master
  • Network Discovery: Bing IP
  • Network Discovery: PTR Scanning
  • Network Discovery: Robtex
  • Network Discovery: Shodan
  • Digital Certificates
  • Roles View
  • Google Slash Trick
  • Network Discovery Algorithm (example URL: http://apple1.sub.domain.com/~chema/dir/fil.doc)
    1) http -> web server
    2) GET banner HTTP
    3) domain.com is a domain
    4) Search NS, MX, SPF records for domain.com
    5) sub.domain.com is a subdomain
    6) Search NS, MX, SPF records for sub.domain.com
    7) Try all the non-verified servers on all new domains
       1) server01.domain.com
       2) server01.sub.domain.com
    8) apple1.sub.domain.com is a hostname
    9) Try DNS prediction (apple1) on all domains
    10) Try Google Sets (apple1) on all domains
    11) Resolve IP address
    12) Get certificate in https://IP
    13) Search for domain names in it
    14) Get HTTP banner of http://IP
    15) Use Bing ip:IP to find all domains sharing it
    16) Repeat for every new domain
    17) Connect to the internal NS (1 or all)
    18) Perform a PTR scan searching for internal servers
    19) For every new IP discovered try Bing IP recursively
    20) ~chema -> chema is probably a user
    21) /, /~chema/ and /~chema/dir/ are paths
    22) Try directory listing in all the paths
    23) Search for PUT, DELETE, TRACE etc. methods in every path
    24) Fingerprint software from 404 error messages
    25) Fingerprint software from application error messages
    26) Try common names on all domains (dictionary)
    27) Try zone transfer on all NS
    28) Search for any URL indexed by web engines related to the hostname
    29) Download the file
    30) Extract the metadata, hidden info and lost data
    31) Sort all this information and present it nicely
    32) For every new IP/URL start over again
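The algorithm above begins by reading information out of the URL itself before any lookup is made. The script below, an added example that is not FOCA's own code, isolates that offline part: from one URL it derives the seeds that steps 1, 3, 5, 8, 11, 20 and 21 start from (service implied by the scheme, the chain of domains, the host label, the probable user directory, the path prefixes and the file to parse). It performs no network activity and does not reproduce the later steps. Two assumptions are mine: the scheme-to-service mapping is a constructed table, and the registrable domain is taken to be the last two labels, which is wrong for public suffixes such as co.uk, so a real tool should consult the Public Suffix List instead. It goes slightly beyond the slide by also handling an IP-literal host with an explicit port.

```python
"""Offline seed extraction for the Network Discovery Algorithm on the slides.

Added example, not FOCA's own code. Only string parsing happens here;
none of the DNS, search-engine or scanning steps are performed.
"""
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Step 1: the scheme tells what role the host plays (constructed mapping).
SERVICE_BY_SCHEME = {
    "http": "web server",
    "https": "web server (TLS)",
    "ftp": "ftp server",
}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def discover_seeds(url):
    """Return the discovery seeds a single URL yields, as a dict."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    seeds = {
        "service": SERVICE_BY_SCHEME.get(parts.scheme, parts.scheme),
        "port": parts.port,  # urlsplit validates the port for us
        "ip": None,
        "domains": [],
        "hostname": None,
        "user": None,
        "paths": [],
        "file": "",
    }
    if _is_ip(host):
        # Step 11 is already done by whoever wrote the URL: the address is
        # known, so certificate, banner and shared-hosting checks apply to it.
        seeds["ip"] = host
    else:
        labels = host.split(".")
        if len(labels) > 2:
            # Step 8: the leftmost label is the host name.
            seeds["hostname"] = labels[0]
            # Steps 3 and 5: domain.com, then sub.domain.com, ... up to but
            # not including the full host name. Assumes a two-label suffix.
            seeds["domains"] = [".".join(labels[i:])
                                for i in range(len(labels) - 2, 0, -1)]
        elif host:
            # Bare domain: the host is the domain itself.
            seeds["domains"] = [host]
    # Step 21: every directory prefix is a path worth checking.
    segs = [s for s in posixpath.dirname(parts.path).split("/") if s]
    seeds["paths"] = ["/"] + ["/" + "/".join(segs[:i]) + "/"
                              for i in range(1, len(segs) + 1)]
    # Step 20: an Apache-style ~name directory names a probable user.
    for seg in segs:
        if seg.startswith("~") and len(seg) > 1:
            seeds["user"] = seg[1:]
            break
    # Step 29/30: the file itself is what gets downloaded and parsed.
    seeds["file"] = posixpath.basename(parts.path)
    return seeds


if __name__ == "__main__":
    for u in ("http://apple1.sub.domain.com/~chema/dir/fil.doc",
              "https://10.0.0.5:8443/backup/"):
        print(u, discover_seeds(u))
```

On the slide's example URL the function yields the domains domain.com and sub.domain.com, the host label apple1, the user chema and the three paths listed in step 21; the second URL shows the IP-literal branch, where no domain chain exists and the port is recorded instead.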
  • Click & Go
  • How FOCA found a data
  • Multiple Search Engines
  • Huge domain case
  • Fingerprinting Options
    – 404 messages
    – Apps error messages
    – HTTP banner: hostname, IP address
    – SMTP banner
    – Digital certificates
    – Shodan
    – version.bind
  • Phase 2: Network Discovery
  • An0nymous #OpGreece
  • Phase 3: Vulnerabilities
  • Vulnerabilities
  • Backups
  • Directory Listing
  • DNS Cache Snooping
  • DNS Cache Snooping
  • DNS Cache Snooping
    – Internal software: Windows Update, Gtalk
    – Evilgrade: detecting software vulnerable to Evilgrade attacks
    – AV evasion: detecting internal AV systems
    – Malware driven by URL: hacking a web site usually visited by internal users
  • .DS_Store
  • PHP CGI Code Execution Bug
  • Insecure HTTP Methods
  • Search & Upload
  • Juicy files: white/black list of matches for keywords and extensions
  • Juicy files
  • .listing
  • Multiple Choices
  • .svn/entries: what a .svn/entries file looks like
  • .svn/entries: there is a plugin that parses the file
  • IIS Short Name bug
  • Proxy Server detection
    – mod_proxy
    – Ad-hoc: normal, transparent
  • Proxy Server Detection
  • Leaks: modsecurity_crs_50_outbound.conf
  • Error Enforcement
  • Leaks
  • User directories: search for ~USER in Apache web servers
  • All your FOCA needs is URLs
    – Network Discovery
    – Document Search
    – File parsing
    – Technology Recognition
    – Custom Search
    – Manual load
    – Domain Crawling: Bing, Google, Directory Listing, robots.txt, .listing, .DS_Store (not yet)
  • Domain Crawling
  • Custom Search
  • FOCA + Spidering
  • FOCA + Spidering
  • Phase 4: Plugins
  • Plugins: FOCA API 0.1
    – From FOCA to plugins (events): OnNewDomain, OnNewNetrange, OnNewURL, OnNewRelation, OnNewIP, OnNewProject
    – From plugins to FOCA (calls): AddDomain, AddSQLi, AddProxy, AddIp... and much more
  • Plugins: .svn/entries parser
  • Plugins: .svn/entries parser
  • Plugins: WebFuzzer
  • Plugins: Auto SQLi searcher
  • IIS Short Name Fuzzer
  • Making an easy Plugin
  • FOCA Reporting Module
  • Threat Analysis & Modeling
  • Reporting OSSTMM 3.0: STAR
  • OWASP Report Generator
  • “i64” Web Audit Report
  • Fear The FOCA
  • FOCA Online
  • Cleaning ODF: OOMetaExtractor (http://www.codeplex.org/oometaextractor)
  • IIS MetaShield Protector (http://www.metashieldprotector.com)
  • Evil FOCA
  • Thanks to Apple
  • Thanks to Apple (2)
  • Chema Alonso: chema@informatica64.com, @chemaalonso, http://elladodelmal.com, http://www.informatica64.com
  • FOCA: http://www.informatica64.com/foca.aspx, amigosdelafoca@informatica64.com