2. About me
Christian Martorella:
– I work in Skype (MS), Product Security team
– Founder of Edge-security.com
– Developed open source projects like theHarvester, Metagoofil, Wfuzz and Webslayer
– Presented in many Security conferences (Blackhat Arsenal, Hack.lu, WhatTheHack, OWASP, Source)
– Over 12 years focusing on offensive security
3. Disclaimer
Any views or opinions presented in this presentation
are solely those of the author and do not necessarily
represent those of the employer
4. OSINT - Intro
Open-source intelligence (OSINT) is intelligence collected from publicly available sources.
• "Open" refers to overt, publicly available sources (as opposed to covert or clandestine sources)
• It is not related to open-source software or public intelligence.
5. OSINT
What is Threat Intelligence / Cyber Intelligence?
13. Offensive vs. Defensive OSINT
From the security perspective we can separate OSINT:
Offensive: Gathering information before an attack.
Defensive: Learning about attacks against the company
14. Offensive OSINT
• Finding as much information as possible that will facilitate the attack
• Still now, many Penetration Testing companies skip this phase
• Attackers usually spend more time than testers on this phase
16. What everyone focuses on:
I.G → Scan → Enumerate → Exploit → Post-Exploit → Cover Tracks → Write report
17. Attacker Methodology
Discover what makes the company money → Discover what is valuable to the attacker → Do whatever it takes... → Steal it
Information Gathering
19. Data Harvesting
A.K.A:
• Information Gathering: the act of collecting information
• Footprinting: the technique of gathering information about computer systems and the entities they belong to.
• Web mining: the act of collecting information from the web
20. Data Harvesting – How?
Techniques:
• Scraping (raw)
• Open APIs
• Commercial APIs
• Network Scanning
• Purchasing data
• Open source Data sets
• Databases
• Logfiles
22. Data Harvesting - Passive vs Active
• Passive data harvesting: our actions can't be detected by the target (non-attribution)
• Active data harvesting: our actions leave traces that can be detected by the target
34. GRAPH SEARCH:
"People who work at Amazon.com"
"People who work at Amazon.com and live in Seattle Washington"
35. Google query: site:twitter.com intitle:"on Twitter" "Google"
Results (screenshot of Twitter accounts whose page title contains "Google"): @google, @googlenexus, @GoogleDoodles, @googlewmc, @googleindia, @GoogleChat, @googleaccess, @googleglass, @googlenonprofit, @googlewallet, @googlereader, @googlefiber, @googleio, @googledevs, @GoogleIO, @GoogleMsia, @googlejobs, @googleapps, @GooglePlay, @GoogleAtWork, @FaktaGoogle, @googlemobileads, @googlepolitics, @ericschmidt, @GoogleMobile, @googledownunder, @AdSense, @googlecalendar, @googlenews, @GoogleB2BTeam, @JustinCutroni
53. Infrastructure
• DNS
  o Bruteforce
  o Zone Transfer
• SMTP
  o Header analysis
  o Vrfy, expn
• Web sites
  o Hidden files / directories bruteforce
• Network scanning
• Metadata
54. Metadata
• Office documents
• Openoffice documents
• PDF documents
• Images EXIF metadata
• Others
Metadata is data about data. It is used to facilitate the understanding, use and management of data.
56. Washington Post
Botmaster location exposed by the Washington Post
SLUG: mag/hacker
DATE: 12/19/2005
PHOTOGRAPHER: Sarah L. Voisin/TWP
id#:
LOCATION: Roland, OK
CAPTION:
PICTURED: Canon Canon EOS 20D
Adobe Photoshop CS2 Macintosh 2006:02:16 15:44:49 Sarah L. Voisin
There are only 1.500 males in Roland Oklahoma
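As an added example (not part of the presentation or of any tool it mentions), a small pure-Python reader for the kind of EXIF fields that gave away the Washington Post photo, next to the defensive counterpart that strips the APP1 segment before an image is published. The sample JPEG is constructed in code from the values shown on the slide; the tag IDs are the standard TIFF/EXIF ones.

```python
import struct
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",   # standard TIFF/EXIF tag IDs
        0x0132: "DateTime", 0x013B: "Artist"}                   # of the fields the photo leaked

def build_exif_jpeg(fields):
    """Constructed input: minimal JPEG with one little-endian Exif IFD0 of ASCII tags (each > 4 bytes)."""
    entries, data, base = b"", b"", 14 + 12 * len(fields)   # header + count + entries + link
    for tag, value in fields.items():
        raw = value.encode("ascii") + b"\x00"
        entries += struct.pack("<HHII", tag, 2, len(raw), base + len(data))
        data += raw
    app1 = b"Exif\x00\x00II*\x00" + struct.pack("<IH", 8, len(fields)) + entries + b"\x00" * 4 + data
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def iter_segments(jpeg):
    """Yield (marker, payload) for every JPEG segment before SOS/EOI."""
    pos = 2                                               # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        if jpeg[pos + 1] in (0xD9, 0xDA):                 # EOI / SOS: entropy-coded data follows
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def read_exif(jpeg):
    """What anyone holding the published file can read: identifying ASCII tags of IFD0."""
    found = {}
    for marker, payload in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff, e = payload[6:], ("<" if payload[6:8] == b"II" else ">")
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        for i in range(struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]):
            ent = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            tag, typ, n, off = struct.unpack(e + "HHII", ent)
            if tag in TAGS and typ == 2:                  # type 2 = ASCII; <= 4 bytes sit inline
                raw = ent[8:12] if n <= 4 else tiff[off:off + n]
                found[TAGS[tag]] = raw.split(b"\x00")[0].decode("ascii", "replace")
    return found

def strip_exif(jpeg):
    """Mitigation before publishing: drop APP1 segments, keep the image data untouched."""
    out, end = b"\xff\xd8", 2
    for marker, payload in iter_segments(jpeg):
        end += 4 + len(payload)
        if marker != 0xE1:
            out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return out + jpeg[end:]
SAMPLE_JPEG = build_exif_jpeg({0x010F: "Canon", 0x0110: "Canon EOS 20D", 0x013B: "Sarah L. Voisin",
                               0x0131: "Adobe Photoshop CS2 Macintosh", 0x0132: "2006:02:16 15:44:49"})
```

Running read_exif on SAMPLE_JPEG returns the camera, software, timestamp and photographer name; after strip_exif only the image markers remain and the same call returns nothing.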
62. This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization and reduce exposure of the company.
63. Sources:
google, googleCSE, bing, bingapi, pgp, linkedin, people123, jigsaw, twitter, GooglePlus, shodanhq
• Open source software
• Command line
• Extendable