Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Offensive OSINT

Offensive OSINT - Presented at OSIRA Summit in London 2014. Overview of OSINT process, and how attackers are using it to prepare their cyber attacks.

  • Login to see the comments

Offensive OSINT

  2. 2. About me Chris&an  Martorella:   –  I  work  in  Skype  (MS),  Product  Security  team   –  Founder  of  Edge-­‐   –  Developed  open  source  projects  like  theHarvester,   Metagoofil,  Wfuzz  and  Webslayer   –  Presented  in  many  Security  conferences  (Blackhat  Arsenal,,  WhaNheHack,  OWASP,  Source)   –  Over  12  years  focusing  on  offensive  security    
  3. 3. Disclaimer Any views or opinions presented in this presentation are solely those of the author and do not necessarily represent those of the employer
  4. 4. OSINT - Intro Open-­‐source  intelligence  (OSINT)  is  intelligence   collected  from  publicly  available  sources.   •  “Open"  refers  to  overt,  publicly  available  sources   (as  opposed  to  covert  or  clandes&ne  sources)   •  It  is  not  related  to  open-­‐source  soUware  or   public  intelligence.  
  5. 5. OSINT       What  is  Threat  Intelligence  /  Cyber   Intelligence  ?  
  6. 6. OSINT PROCESS Source Identification Data harvesting Data Analysis Data processing and Integration Results Delivery
  7. 7. Source Identification
  8. 8. Data Harvesting
  9. 9. Data processing
  10. 10. Data Analysis
  11. 11. Results Delivery
  12. 12. Offensive OSINT
  13. 13. Offensive vs. Defensive OSINT From  the  security  perspec&ve  we  can  separate   OSINT:     Offensive:  Gathering  informa&on  before  an   aNack.     Defensive:  Learning  about  aNacks  against  the   company  
  14. 14. Offensive OSINT •  Finding  as  much  informa&on  as  possible  that   will  facilitate  the  aNack   •  S&ll  now,  many  Penetra&on  Tes&ng   companies  skip  this  phase   •  ANackers  usually  spend  more  &me  than   testers  on  this  phase  
  15. 15. Typical Pentesting Methodology I.G Scan Enumerate Exploit Post- Exploit Cover Tracks Write report
  16. 16. What everyone focus on: I.G   Scan     Enumera te   Exploit   Post-­‐ Exploit   Cover   Tracks   Write   report  
  17. 17. Attacker Methodology Discover  what  makes   the  company  money   Discover  what  is   valuable  to  the   aNacker   Do  whatever  it   takes...   Steal  it   Informa&on  Gathering  
  18. 18. Data  Harves:ng  
  19. 19. Data Harvesting A.K.A:   •  Informa:on  Gathering:   The  act  of  collec&ng  informa&on     •  Foot  prin:ng:     Is  the  technique  of  gathering  informa&on  about   computer  systems  and  the  en&&es  they  belong  to.     •  Web  mining:     The  act  of  collec&ng  informa&on  from  the  web        
  20. 20. Data Harvesting – How? Techniques:     •  Scraping  (raw)   •  Open  APIs   •  Commercial  APIS   •  Network  Scanning   •  Purchasing  data   •  Open  source  Data  sets   •  Databases   •  Logfiles    
  21. 21. Data  Harves&ng    -­‐  Passive  vs  Ac&ve   •  Passive  data  harves:ng:  Our  ac&ons  can’t  be   detected  by  the  target  (Non  aNribu&on)   •  Ac:ve  data  harves:ng:  our  ac&ons  leave   traces  that  can  be  detected  by  the  target  
  22. 22. Offensive OSINT targets
  23. 23. Offensive OSINT – end goals •  Phishing     •  Social  Engineering   •  Denial  of  Services   •  Password  brute  force  aNacks   •  Target  infiltra&on    
  24. 24. What  data is interesting? Emails Users / Employees names -Interests -People relationships -Alias      
  25. 25. Emails •  PGP  servers   •  Search  engines   •  Whois    
  26. 26. Employees / Usernames / Alias   Google  Finance  /  Etc.  
  27. 27. Username checks
  28. 28. Social Media  
  29. 29. •  Employees  of  a  company   •  Profile  picture   •  Special&es   •  Role   •  Country   •  Emails  
  30. 30. Linkedin   Simon  LongboNom     Product  defini&on,  proposi&on  research,  pricing,   product  marke&ng,  product  promo&on,  market   research,  new  product  introduc&on     pictureUrl':  'hNp://’}  
  31. 31. Linkedin  
  32. 32. Google+  
  33. 33.   GRAPH  SEARCH:     “People  who  work  at”     “People  who  work  at  and  live  in   SeaNle  Washington”  
  34. 34. @google.  News  and  updates  from  Google.  Mountain   @googlenexus.  Phones  and  tablets  from  Google   @GoogleDoodles   @googlewmc.  News  and  resources  from   @googleindia   @GoogleChat.  Twee&ng  about  all  things  Google   @googleaccess.  The  official  TwiNer   @googleglass.  Geing  technology  out  of  the  way.   @googlenonprofit.  News  and  updates  from   @googlewallet.  News   @googlereader.  News   @googlefiber   @googleio.  Google   @googledevs  for  updates.  San  Francisco   @GoogleIO  for  ...  If  you   @GoogleMsia.  Official  Google  Malaysia  on  TwiNer.  Kuala   @googlejobs.  Have  you  heard  we   @googleapps.  Google  Apps  news  for  ISVs   @GooglePlay.  Music   @GoogleAtWork.  The  official  TwiNer  home  of   Google  Enterprise.  Mountain  View   @FaktaGoogle.  Googling  Random  Facts.  Don   @googlemobileads.  Official  Google  Mobile   @googlepoli&cs.  Trends   @ericschmidt.  Execu&ve  Chairman   @GoogleMobile.  News   @googledownunder.  Google  Australia  and   @AdSense.  News  and  updates  from  the  Google   AdSense   @googlecalendar.  The  official  TwiNer  home  of   @googledevs.  News  about  and  from   @googlenews.  Breaking  news   @GoogleB2BTeam.   @GoogleB2BTeam  Google   @Jus&nCutroni   Google  query:  in&tle:"on  TwiNer"   ”Google"    
  35. 35. Domain  name  
  36. 36. Geo-location •  People  loca&on   •  Servers  loca&on   •  Wireless  AP  loca&on      
  37. 37. Geo-location Social  media  posts   Foursquare   Pictures   TwiNer   Facebook    
  38. 38. Twitter - Creepy
  39. 39. Images Reverse  image  search   Face  iden&fica&on   Exif  Metadata  analysis:    Profile  pictures    ANachments      
  40. 40. Images •  Pic from Novartis search on TwwepSearch
  41. 41. INFRASTRUCTURE IP Hostnames Services Networks Geo-location Software version CDN Multitenant Hosting
  42. 42. Infrastructure Internet  Census  project   Whois   ServerSniff   Jobsites   Search  engines   ShodanHQ    
  43. 43. Infrastructure     •  Once  we  have  iden&fied  the  Infrastructure   components,  what  can  we  do?  
  44. 44. ShodanHQ
  45. 45. Bugs databases
  46. 46. INDICATORS OF COMPROMISE (IOC) IP addresses Domains URLs Hashes Stolen Passwords
  47. 47. IOC Collec&ve  Intelligence  Framework  sources  (70)   Abuse.CH   Malwr   Seculert  
  48. 48. DATA LEAKS     @pastebindorks     Pastebin  clones    
  49. 49. Infrastructure •     DNS   o  Bruteforce   o  Zone  Transfer   •  SMTP   o  Header  analysis   o  Vrfy,  expn   •  Web  sites   o  Hidden  files  /  directories  bruteforce   •  Network  scanning   •  Metadata  
  50. 50. Metadata   •  Office  documents   •  Openoffice  documents   •  PDF  documents     •  Images  EXIF  metadata   •  Others     Metadata:  is  data  about  data.             Is  used  to  facilitate  the  understanding,  use  and  management   of  data.    
  51. 51. Cat Schwartz - Tech TV
  52. 52. Washington Post Botmaster location exposed by the Washington Post SLUG: mag/hacker! DATE: 12/19/2005! PHOTOGRAPHER: Sarah L. Voisin/TWP! id#: LOCATION: Roland, OK! CAPTION:! PICTURED: Canon Canon EOS 20D! Adobe Photoshop CS2 Macintosh 2006:02:16 15:44:49 Sarah L. Voisin! There are only 1.500 males in Roland Oklahoma
  53. 53. Metagoofil - Results
  54. 54. Metagoofil - Results
  55. 55. Metagoofil - results
  56. 56. INFORMATION GATHERING TOOLS •  FOCA   •  Spiderfoot   •  Tapir   •  Creepy   •  theHarvester   •  Metagoofil    
  57. 57. This  tool  is  intended  to  help  Penetra&on  testers  in  the  early   stages  of  the  penetra&on  test  in  order  to  understand  the   customer  footprint  on  the  Internet.       It  is  also  useful  for  anyone  that  wants  to  know  what  an  aNacker   can  see  about  their  organiza&on  and  reduce  exposure  of  the   company.    
  58. 58.  -­‐  Sources                google                                                  googleCSE                                                  bing                                                  bingapi                                                  pgp                                                  linkedin                people123                                                  jigsaw                                                  twiNer                                                  GooglePlus                shodanhq                                                     •  Open  source  soUware   •  Command  line     •  Extendable  
  59. 59. •  python  -­‐d  -­‐b   googleCSE  -­‐l  500  -­‐v  -­‐h  
  60. 60. - Intelligence Implement  en&&es   Cross  reference  en&&es   Image  reverse  search  /  profile  pictures   Geo-­‐loca&on   Iden&fy  vulnerable  services   Username  search  in  other  services   Target  priori&za&on    
  61. 61. Challenges •  Source  availability    (APIs)   •  Changes  in  Terms  of  Use   •  Genera&ng  valid  intelligence  
  62. 62. ? TwiNer:  @laramies   Email:  cmartorellaW@edge-­‐