Downloaded 168 times
Uploaded byChema Alonso
The Power of FOCA 3
This document is a presentation about the tool FOCA (The Power of FOCA 3). It discusses how FOCA can be used to analyze metadata and extract hidden information from documents and websites in order to map networks, discover vulnerabilities, and generate reports. The presentation covers FOCA's abilities like network discovery, document analysis, plugin development, and reporting features. It provides examples of the types of insights and hidden details that FOCA can reveal through analyzing metadata.
More Related Content
The Power of FOCA 3
- 1. The Power ofFOCA 3 Chema Alonso
- 2. At the beginingwas the metadata Chema Alonso 20/03/2013 2
- 3.
- 4.
- 5. The breasts ofHacker’s girlfriend Chema Alonso 20/03/2013 5
- 6. Social Engineering Attack ChemaAlonso 20/03/2013 6
- 7. Metadata Risks • HiddenRelations • Tactical information –Companies –Targeted Attacks –People –Internal knowledge • Software Piracy • Ploting events • History of documents –Places –Time Chema Alonso 20/03/2013 7
- 8. Forensic FOCA Chema Alonso 20/03/2013 http://www.elladodelmal.com/2012 /02/forensic-foca-beta-trial.html 8
- 9. Metadata, hidden info& lost data New apps Bad Format conversion New versions Bad management Embedded Searchers Files Spyders Doc DB Bad management Embedded objects Embedded Files Chema Alonso 20/03/2013 9
- 10. Show Me YourMetadata Chema Alonso 20/03/2013 10
- 11.
- 12.
- 13. Hidden Info: Printers ChemaAlonso 20/03/2013 13
- 14. Electing the entrypoint Chema Alonso 20/03/2013 14
- 15. Internal Fingerprinting withFOCA Chema Alonso 20/03/2013 15
- 16. Phase 1: Metadata ChemaAlonso
- 17.
- 18. Recursive Network Discovery • Servers • Domains • HostNames • IP Address • Roles Chema Alonso 20/03/2013 18
- 19. Network Discovery: WebSearcher ChemaAlonso 20/03/2013 19
- 20. Network Discovery: DNS SOA, MX, SPF, DKIM, LDAP, Well Known Records VoIP, Active Directory…. Zone Transfer AXFR Server1, Intranet, Private, Diccionary Search DNS, etc…. Chema Alonso 20/03/2013 20
- 21.
- 22.
- 23. Network Discovery: BingIP Chema Alonso 20/03/2013 23
- 24. Network Discovery: PTRScannig Chema Alonso 20/03/2013 24
- 25. Network Discovery: Robtex ChemaAlonso 20/03/2013 25
- 26. Network Discovery: Shodan ChemaAlonso 20/03/2013 26
- 27.
- 28.
- 29. Google Slash Trick ChemaAlonso 20/03/2013 29
- 30. Network Discovery Algorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 1) http -> Web server 2) GET Banner HTTP 3) domain.com is a domain 4) Search NS, MX, SPF records for domain.com 5) sub.domain.com is a subdomain 6) Search NS, MX, SPF records for sub.domain.com 7) Try all the non verified servers on all new domains 1) server01.domain.com 2) server01.sub.domain.com 8) Apple1.sub.domain.com is a hostname 9) Try DNS Prediction (apple1) on all domains 10) Try Google Sets(apple1) on all domains Chema Alonso 20/03/2013 30
- 31. Network Discovery Algorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 11)Resolve IP Address 12) Get Certificate in https://IP 13) Search for domain names in it 14) Get HTTP Banner of http://IP 15) Use Bing Ip:IP to find all domains sharing it 16) Repeat for every new domain 17) Connect to the internal NS (1 or all) 18) Perform a PTR Scan searching for internal servers 19) For every new IP discovered try Bing IP recursively 20) ~chema -> chema is probably a user Chema Alonso 20/03/2013 31
- 32. Network Discovery Algorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 21)/ , /~chema/ and /~chema/dir/ are paths 22) Try directory listing in all the paths 23) Search for PUT, DELETE, TRACE etc.. methods in every path 24) Fingerprint software from 404 error messages 25) Fingerprint software from application error messages 26) Try common names on all domains (dictionary) 27) Try Zone Transfer on all NS 28) Search for any URL indexed by web engines related to the hostname 29) Download the file 30) Extract the metadata, hidden info and lost data 31) Sort all this information and present it nicely 32) For every new IP/URL start over again Chema Alonso 20/03/2013 32
- 33. Click & Go ChemaAlonso 20/03/2013 33
- 34. How Foca founda data Chema Alonso 20/03/2013 34
- 35. Multiple Search Engines ChemaAlonso 20/03/2013 35
- 36. Huge domain case ChemaAlonso 20/03/2013 36
- 37. Fingerprinting Options • 404messages • Apps Error Messages • HTTP Banner – Hostname – IP Addres • SMTP Banner • Digital Certificates • Shodan • Version.bind Chema Alonso 20/03/2013 37
- 38. Phase 2: NetworkDiscovery Chema Alonso
- 39.
- 40.
- 41.
- 42.
- 43.
- 44. DNS Cache Snooping ChemaAlonso 20/03/2013 44
- 45. DNS Cache Snooping ChemaAlonso 20/03/2013 45
- 46. DNS Cache Snooping •Internal Software – Windows Update – Gtalk • Evilgrade – Detecting vulnerable software to Evilgrade attacks • AV evassion – Detecting internal AV systems • Malware driven by URL – Hacking a web site ussually visited by internal users Chema Alonso 20/03/2013 46
- 47.
- 48. PHP CGI CODEEXECUTION BUG Chema Alonso 20/03/2013 48
- 49. Insecure Http Methods ChemaAlonso 20/03/2013 49
- 50. Search & Upload ChemaAlonso 20/03/2013 50
- 51. Juicy files White/black list of matches for keywords and extensions Chema Alonso 20/03/2013 51
- 52.
- 53.
- 54.
- 55. .svn/entries A .svn/entries filelooks like: Chema Alonso 20/03/2013 55
- 56. .svn/entries There is aplugin that parse the file Chema Alonso 20/03/2013 56
- 57. IIS Short Namebug Chema Alonso 20/03/2013 57
- 58. Proxy Server detection •Mod_proxy • Ad-hoc –Normal –Transparent Chema Alonso 20/03/2013 58
- 59. Proxy Server Detection ChemaAlonso 20/03/2013 59
- 60. Leaks: modsecurity_crs_50_outbound.conf Chema Alonso 20/03/2013 60
- 61.
- 62.
- 63. User directories Search for ~USER in Apache webservers Chema Alonso 20/03/2013 63
- 64. All your Focaneeds is URLs • Network Discovery • Domain Crawling • Document Search – Bing • File parsing – Google – Directory Listing • Technology Recognition – Robots.txt • Custom Search – .Listing • Manual load – .DS_Store (not yet) Chema Alonso 20/03/2013 64
- 65.
- 66.
- 67. FOCA + Spidering ChemaAlonso 20/03/2013 67
- 68. FOCA + Spidering ChemaAlonso 20/03/2013 68
- 69. Phase 4: Plugins ChemaAlonso
- 70. Plugins: FOCA API0.1 From FOCA to plugins (Events) - OnNewDomain - OnNewNetrange - OnNewURL - OnNewRelation - OnNewIP - OnNewProject From Plugins to FOCA (Calls) - AddDomain - AddSQLi - AddProxy - AddIp …. And much more…. Chema Alonso 20/03/2013 70
- 71. Plugins: .svn/Entries parser ChemaAlonso 20/03/2013 71
- 72. Plugins: .svn/Entries parser ChemaAlonso 20/03/2013 72
- 73.
- 74. Plugins: Auto SQLisearcher Chema Alonso 20/03/2013 74
- 75. IIS Short NameFuzzer Chema Alonso 20/03/2013 75
- 76. Making an esayPlugin Chema Alonso
- 77. FOCA Reporting Module ChemaAlonso 20/03/2013 77
- 78.
- 79. Threat Analisys &Modeling Chema Alonso 20/03/2013 79
- 80. Reporting OSSTMM 3.0:STAR Chema Alonso 20/03/2013 80
- 81. OWASP Report Generator ChemaAlonso 20/03/2013 81
- 82. “i64” Web AuditReport Chema Alonso 20/03/2013 82
- 83. Fear The FOCA ChemaAlonso 20/03/2013 83
- 84.
- 85. Cleaning ODF: OOMetaExtractor http://www.codeplex.org/oometaextractor Chema Alonso 20/03/2013 85
- 86. IIS MetaShield Protector ChemaAlonso 20/03/2013 http://www.metashieldprotector.com 86
- 87.
- 88. Thanks to Apple ChemaAlonso 20/03/2013 88
- 89. Thanks to Apple(2) Chema Alonso 20/03/2013 89
- 90. Chema Alonso • chema@informatica64.com • @chemaalonso • http://elladodelmal.com • http://www.informatica64.com Chema Alonso 20/03/2013 90
- 91. FOCA http://www.informatica64.com/foca.aspx amigosdelafoca@informatica64.com Chema Alonso 20/03/2013 91