Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Empowering red and blue teams with osint c0c0n 2017

2,239 views

Published on

This talk will discuss Open Source Intelligence (OSINT) gathering tools and techniques that are highly useful and effective for both Blue teams and Red teams.

  • Be the first to comment

Empowering red and blue teams with osint c0c0n 2017

  1. 1. Empowering Red and Blue Teams with OSINT c0c0n 2017, Le Meridian, Kochi.
  2. 2. ://$ whoami • Shubham Mittal • Security Consultant @ NotSoSecure • Perimeter Security and OSINT • Author - @datasploit • Core Organizer - @reconvillage • Bike Rider, Beat Boxer @upgoingstar | upgoingstaar@gmail.com @upgoingstar | shubhammittal.net | upgoingstaar@gmail.com
  3. 3. Agenda ● OSINT Overview ● For Red Teams (Offensive) ● Company Profiling ● Perimeter Scoping ● Employee Profiling ● Tools of Trade ● Future Research Areas ● For Blue Team (Defensive) ● Monitoring and Alerting ● Intelligent SIEM Rules ● DLP
  4. 4. OSINT – Open Source Intelligence (Intelligence on Information publicly available) Internet gives you RAW Data. Harvest it.
  5. 5. Open Source Intelligence (OSINT) is the collection and analysis of information gathered from publicly available sources.
  6. 6. Should be used by? ● Pen-testers ● Security Engineers ● Product Security Companies ● Cyber Investigators ● Sales / Market Research
  7. 7. How OSINT can help Red Teams
  8. 8. Red Teams ● Scoping Attack Surface ● Technology Profiling ● Github ● Paste(s) ● Employee Profiling ● Breach Data ● Nerdy Data
  9. 9. Digital Asset Scoping • whoIs (who.is) > ASN ID • Reverse WhoIs • whois -h whois.radb.net -- '-i origin ASN-ID' | grep -Eo "([0-9.]+){4}/[0-9]+" | sort -n | uniq -c • https://mxtoolbox.com/SuperTool.aspx • Nslookup (terminal) • Dig (dig reconvillage.org, dig reconvillage.org cname) • Acquisitions.
  10. 10. Digital Asset Scoping – Subdomain Enumeration ● Sub-domain Enumeration ● DNSSEC Walking (Kudos to @jhaddix for suggesting) ● Certificate Transparency Reports, Forums ● Shodan/Censys, Cname Records, DNS Dumpster, Netcraft, WolframAlpha ● Tools - Sublist3r, DataSploit.
  11. 11. dnssecwalk (part of the ipV6 Toolkit) https://www.thc.org/thc-ipv6/ Custom Script(Certificate Transparency Report) - DEMO https://blog.webernetz.net/2016/11/22/how-to-walk-dnssec-zones-dnsrecon/
  12. 12. Quick Checks ● HTTP / HTTPS? ● 404 Not Found? 403 Forbidden? ● 500 Internal Server Error? ● .git / .svn / htaccess.txt / bash_history / web.config / admin / , etc.
  13. 13. Pro-active Search
  14. 14. Technology Profiling - BuildWith
  15. 15. Wappalyzer
  16. 16. Github https://hackerone.com/reports/248693
  17. 17. Paste(s) Sites
  18. 18. Public Password Dumps
  19. 19. Not ‘Google’ Search Engines ● Metasearch engine – Polymeta.com ● People search engine -Pipl.com, Peekyou, Marketvisual ● Business/Company Search - Zoominfo ● Social Search Engine - Socialmention.com ● Phone Number Search Engine – Truecaller ● Wayback machine ● Computational knowledge engine – Wolframalpha ● Clustering Search Engine - search.carrot2.org
  20. 20. Domain IP History
  21. 21. Domain IP History • Cloudflare / Incapsula / Sucuri. • Domain History reveals earlier IP Addresses. • IP still Live = Bypass rate limiting, firewall rules, etc.
  22. 22. Public Scan Engines • https://www.qualys.com/forms/freescan/ • https://urlscan.io • https://asafaweb.com
  23. 23. MetaData Data about the Data. Can find: ● Applications used to generate PDF/Docx./etc. on servers ● Exif Data (Media File Data) ● Geolocations ● Author ● Platform TCPDF CVE-2017-6100 - Local File Include Vulnerability
  24. 24. Employee Profiling ● Email-harvestor ● DataSploit ● LinkedIn ● https://www.linkedin.com/search/results/companies/?keywords= company&origin=SWITCH_SEARCH_VERTICAL ● Email Hunter ● Skrapp
  25. 25. Linked employee email extract using Skrapp / Hunter
  26. 26. Custom Script RapportiveCode
  27. 27. Email-id to Username? Social Media Accounts Forum Searches (boardreader.com) Clearbit / Full Contact DataSploit >> User to Images , Reverse Image Search, User profiling (More useful for SE) >> Find leaked creds, tokens, confidential urls/IPs, slack keys, api key, etc.
  28. 28. Email-id to Username?
  29. 29. Blue Team. ● Active Monitoring on keywords. ● Alerting (while reducing noise) ● Scan/OSINT your Attack Surface Area ● Scoping is not required - Simply find the perimeter from Devops/Central Deployment Team. ● Keep an eye on Employees (Profile their personal code share accounts). ● Review Job Openings / Questions in Forums, etc. ● Defensive Measures - Data Loss Prevention ● Strip off metadata from files going outside.
  30. 30. Tweetmonitor.py / Tweetdeck
  31. 31. Tweetmonitor.py / Tweetdeck
  32. 32. Scumblr
  33. 33. Google Alerts
  34. 34. Page Monitor - ChangeDetect / Follow.net
  35. 35. SIEM << Threat Intel Feed (robtex,etc., check for already blacklisted IPs) Collective Intelligence Framework
  36. 36. Tools of Trade Spiderfoot Recon-ng Scmublr DataSploit Sublist3r theHarvestor Foca Maltego Gosint Belati X-ray Exiftool Tinfoleak Gitrob
  37. 37. Future Research ● Data Co-relation ● Noise Reduction ● Tap Darknet
  38. 38. upgoingstaar@gmail.com | @upgoingstar

×