Recommended
More Related Content
What's hot
What's hot (20)
Similar to Empowering red and blue teams with osint c0c0n 2017
Similar to Empowering red and blue teams with osint c0c0n 2017 (20)
More from reconvillage
More from reconvillage (7)
Recently uploaded
Recently uploaded (19)
Empowering red and blue teams with osint c0c0n 2017
- 1. Empowering Red and Blue Teams with OSINT c0c0n 2017, Le Meridian, Kochi.
- 2. ://$ whoami • Shubham Mittal • Security Consultant @ NotSoSecure • Perimeter Security and OSINT • Author - @datasploit • Core Organizer - @reconvillage • Bike Rider, Beat Boxer @upgoingstar | upgoingstaar@gmail.com @upgoingstar | shubhammittal.net | upgoingstaar@gmail.com
- 3. Agenda ● OSINT Overview ● For Red Teams (Offensive) ● Company Profiling ● Perimeter Scoping ● Employee Profiling ● Tools of Trade ● Future Research Areas ● For Blue Team (Defensive) ● Monitoring and Alerting ● Intelligent SIEM Rules ● DLP
- 4. OSINT – Open Source Intelligence (Intelligence on Information publicly available) Internet gives you RAW Data. Harvest it.
- 5. Open Source Intelligence (OSINT) is the collection and analysis of information gathered from publicly available sources.
- 6. Should be used by? ● Pen-testers ● Security Engineers ● Product Security Companies ● Cyber Investigators ● Sales / Market Research
- 7. How OSINT can help Red Teams
- 8. Red Teams ● Scoping Attack Surface ● Technology Profiling ● Github ● Paste(s) ● Employee Profiling ● Breach Data ● Nerdy Data
- 9. Digital Asset Scoping • whoIs (who.is) > ASN ID • Reverse WhoIs • whois -h whois.radb.net -- '-i origin ASN-ID' | grep -Eo "([0-9.]+){4}/[0-9]+" | sort -n | uniq -c • https://mxtoolbox.com/SuperTool.aspx • Nslookup (terminal) • Dig (dig reconvillage.org, dig reconvillage.org cname) • Acquisitions.
- 10. Digital Asset Scoping – Subdomain Enumeration ● Sub-domain Enumeration ● DNSSEC Walking (Kudos to @jhaddix for suggesting) ● Certificate Transparency Reports, Forums ● Shodan/Censys, Cname Records, DNS Dumpster, Netcraft, WolframAlpha ● Tools - Sublist3r, DataSploit.
- 11. dnssecwalk (part of the ipV6 Toolkit) https://www.thc.org/thc-ipv6/ Custom Script(Certificate Transparency Report) - DEMO https://blog.webernetz.net/2016/11/22/how-to-walk-dnssec-zones-dnsrecon/
- 12. Quick Checks ● HTTP / HTTPS? ● 404 Not Found? 403 Forbidden? ● 500 Internal Server Error? ● .git / .svn / htaccess.txt / bash_history / web.config / admin / , etc.
- 15. Technology Profiling - BuildWith
- 16. Wappalyzer
- 18. Paste(s) Sites
- 20. Not ‘Google’ Search Engines ● Metasearch engine – Polymeta.com ● People search engine -Pipl.com, Peekyou, Marketvisual ● Business/Company Search - Zoominfo ● Social Search Engine - Socialmention.com ● Phone Number Search Engine – Truecaller ● Wayback machine ● Computational knowledge engine – Wolframalpha ● Clustering Search Engine - search.carrot2.org
- 22. Domain IP History • Cloudflare / Incapsula / Sucuri. • Domain History reveals earlier IP Addresses. • IP still Live = Bypass rate limiting, firewall rules, etc.
- 23. Public Scan Engines • https://www.qualys.com/forms/freescan/ • https://urlscan.io • https://asafaweb.com
- 24. MetaData Data about the Data. Can find: ● Applications used to generate PDF/Docx./etc. on servers ● Exif Data (Media File Data) ● Geolocations ● Author ● Platform TCPDF CVE-2017-6100 - Local File Include Vulnerability
- 25. Employee Profiling ● Email-harvestor ● DataSploit ● LinkedIn ● https://www.linkedin.com/search/results/companies/?keywords= company&origin=SWITCH_SEARCH_VERTICAL ● Email Hunter ● Skrapp
- 26. Linked employee email extract using Skrapp / Hunter
- 28. Email-id to Username? Social Media Accounts Forum Searches (boardreader.com) Clearbit / Full Contact DataSploit >> User to Images , Reverse Image Search, User profiling (More useful for SE) >> Find leaked creds, tokens, confidential urls/IPs, slack keys, api key, etc.
- 31. Blue Team. ● Active Monitoring on keywords. ● Alerting (while reducing noise) ● Scan/OSINT your Attack Surface Area ● Scoping is not required - Simply find the perimeter from Devops/Central Deployment Team. ● Keep an eye on Employees (Profile their personal code share accounts). ● Review Job Openings / Questions in Forums, etc. ● Defensive Measures - Data Loss Prevention ● Strip off metadata from files going outside.
- 34. Scumblr
- 35. Google Alerts
- 36. Page Monitor - ChangeDetect / Follow.net
- 37. SIEM << Threat Intel Feed (robtex,etc., check for already blacklisted IPs) Collective Intelligence Framework
- 39. Future Research ● Data Co-relation ● Noise Reduction ● Tap Darknet
Editor's Notes
- The DNSKEY record is used by a DNS server during the validation process. DNSKEY records can store public keys for a zone signing key (ZSK) or a key signing key (KSK). A DS record is a DNSSEC record type that is used to secure a delegation. DS records are used to build authentication chains to child zones.Feb
- https://www.thc.org/thc-ipv6/ https://blog.webernetz.net/2016/11/22/how-to-walk-dnssec-zones-dnsrecon/ After the implementation of DNS and DNSSEC (see the last posts) it is good to do some reconnaissance attacks against the own DNS servers. Especially to see the NSEC or NSEC3 differences, i.e., whether zone walking (enumeration) is feasible or not.
- CVE for Apache 2.4.10?
- https://hackerone.com/reports/248693
- https://labs.detectify.com/2015/03/25/stealing-files-from-web-servers-by-exploiting-a-popular-pdf-generator-2/ http://www.securityfocus.com/bid/96326/discuss
- http://garage4hackers.com/entry.php?b=3114
- Silkroad – drug seller was arrested.