Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Defcon 18: FOCA 2

12,111 views

Published on

Slides used by Jose Palazon PALAKO and Chema Alonso to present FOCA 2 in Defcon 18

Defcon 18: FOCA 2

  1. 1. FOCA 2.5 Chema Alonso José Palazón «PALAKO»
  2. 2. What our FOCA is not
  3. 3. What our FOCA is not
  4. 4. What’s a FOCA?
  5. 5. FOCA on Linux?
  6. 6. Previously on FOCA….
  7. 7. FOCA 0.X
  8. 8. FOCA: File types supported <ul><li>Office documents: </li></ul><ul><ul><li>Open Office documents. </li></ul></ul><ul><ul><li>MS Office documents. </li></ul></ul><ul><ul><li>PDF Documents. </li></ul></ul><ul><ul><ul><li>XMP. </li></ul></ul></ul><ul><ul><li>EPS Documents. </li></ul></ul><ul><ul><li>Graphic documents. </li></ul></ul><ul><ul><ul><li>EXIFF. </li></ul></ul></ul><ul><ul><ul><li>XMP. </li></ul></ul></ul><ul><ul><li>Adobe Indesign, SVG, SVGZ ( NEW ) </li></ul></ul>
  9. 9. What can be found?
  10. 10. Pictures with GPS info..
  11. 11. Demo: Single files
  12. 12. Sample: mda.mil Total: 1075 files
  13. 13. Sample: FBI.gov Total: 4841 files
  14. 14. FOCA 1 v. RC3 <ul><li>Fingerprinting Organizations with Collected Archives </li></ul><ul><ul><li>Search for documents in Google and Bing </li></ul></ul><ul><ul><li>Automatic file downloading </li></ul></ul><ul><ul><li>Capable of extracting Metadata, hidden info and lost data </li></ul></ul><ul><ul><li>Cluster information </li></ul></ul><ul><ul><li>Analyzes the info to fingerprint the network. </li></ul></ul>
  15. 15. DNS Prediction
  16. 16. Google Sets Prediction
  17. 17. Sample: Printer info found in odf files returned by Google
  18. 18. Demo: Whitehouse.gov
  19. 19. Yes, we can!
  20. 20. FOCA 2.0
  21. 21. What’s new in FOCA 2.5? <ul><li>Network Discovery </li></ul><ul><li>Recursive algorithm </li></ul><ul><li>Information Gathering </li></ul><ul><li>Sw Recognition </li></ul><ul><li>DNS Cache Snooping </li></ul><ul><li>Reporting Tool </li></ul>
  22. 22. FOCA 2.5: Exalead
  23. 23. PTR Scannig
  24. 24. Bing IP
  25. 25. FOCA 2.5 & Shodan
  26. 26. Network Discovery Algorithm <ul><li>http://apple1.sub.domain.com/~chema/dir/fil.doc </li></ul><ul><li>http -> Web server </li></ul><ul><li>GET Banner HTTP </li></ul><ul><li>domain.com is a domain </li></ul><ul><li>Search NS, MX, SPF records for domain.com </li></ul><ul><li>sub.domain.com is a subdomain </li></ul><ul><li>Search NS, MX, SPF records for sub.domain.com </li></ul><ul><li>Try all the non verified servers on all new domains </li></ul><ul><ul><li>server01.domain.com </li></ul></ul><ul><ul><li>server01.sub.domain.com </li></ul></ul><ul><li>Apple1.sub.domain.com is a hostname </li></ul><ul><li>Try DNS Prediction (apple1) on all domains </li></ul><ul><li>Try Google Sets(apple1) on all domains </li></ul>
  27. 27. Network Discovery Algorithm <ul><li>http://apple1.sub.domain.com/~chema/dir/fil.doc </li></ul><ul><li>11) Resolve IP Address </li></ul><ul><li>12) Get HTTP Banner of http://IP </li></ul><ul><li>13) Use Bing Ip:IP to find all domains sharing it </li></ul><ul><li>14) Repeat for every new domain </li></ul><ul><li>15) Connect to the internal NS (1 or all) </li></ul><ul><li>16) Perform a PTR Scan searching for internal servers </li></ul><ul><li>17) For every new IP discovered try Bing IP recursively </li></ul><ul><li>18) ~chema -> chema is probably a user </li></ul>
  28. 28. Network Discovery Algorithm <ul><li>http://apple1.sub.domain.com/~chema/dir/fil.doc </li></ul><ul><li>19) / , /~chema/ and /~chema/dir/ are paths </li></ul><ul><li>20) Try directory listing in all the paths </li></ul><ul><li>21) Search for PUT, DELETE, TRACE methods in every path </li></ul><ul><li>22) Fingerprint software from 404 error messages </li></ul><ul><li>23) Fingerprint software from application error messages </li></ul><ul><li>24) Try common names on all domains (dictionary) </li></ul><ul><li>25) Try Zone Transfer on all NS </li></ul><ul><li>26) Search for any URL indexed by web engines related to the hostname </li></ul><ul><li>27) Download the file </li></ul><ul><li>28) Extract the metadata, hidden info and lost data </li></ul><ul><li>29) Sort all this information and present it nicely </li></ul><ul><li>30) For every new IP/URL start over again </li></ul>
  29. 30. FOCA 2.5 URL Analysis
  30. 31. FOCA 2.5 URL Analysis
  31. 32. Demo: Whitehouse.gov
  32. 33. Yes, we can!
  33. 34. DNS Cache Snooping
  34. 35. FOCA Reporting Module
  35. 36. FOCA Reporting Module
  36. 37. Demo: DNS Cache Snooping
  37. 38. FOCA Online http://www.informatica64.com/FOCA
  38. 39. IIS MetaShield Protector http://www.metashieldprotector.com
  39. 40. Cleaning documents <ul><li>OOMetaExtractor </li></ul>http://www.codeplex.org/oometaextractor
  40. 41. Questions at Q&A room 113 <ul><li>Speakers: </li></ul><ul><li>Chema Alonso </li></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>Blog: http://elladodelmal.blogspot.com </li></ul></ul><ul><ul><li>http://twitter.com/chemaalonso </li></ul></ul><ul><li>José Palazón «PALAKO» </li></ul><ul><ul><li>[email_address] </li></ul></ul><ul><li>Working on FOCA: </li></ul><ul><ul><li>Chema Alonso </li></ul></ul><ul><ul><li>Alejandro Martín </li></ul></ul><ul><ul><li>Francisco Oca </li></ul></ul><ul><ul><li>Manuel Fernández «The Sur» </li></ul></ul><ul><ul><li>Daniel Romero </li></ul></ul><ul><ul><li>Enrique Rando </li></ul></ul><ul><ul><li>Pedro Laguna </li></ul></ul><ul><ul><li>Special Thanks to: John Matherly [Shodan] </li></ul></ul>
  41. 42. … and Tomorrow here at 19:00
  42. 43. Demo: US Army

×