Download as PDF, PPTX
Uploaded byChristian Martorella
Offensive OSINT
This document provides an overview of offensive open-source intelligence (OSINT) techniques. It defines OSINT and discusses the differences between offensive and defensive OSINT approaches. Offensive OSINT focuses on gathering as much public information as possible to facilitate an attack against a target. The document outlines the OSINT process and details specific techniques for harvesting data from public sources, including scraping websites, using APIs, searching social media, analyzing images and metadata, and researching infrastructure components like IP addresses, domains, and software versions. The goal of offensive OSINT is to discover valuable information like employee emails, usernames, relationships, locations and technical vulnerabilities to enable attacks like phishing, social engineering, and infiltration.
More Related Content
Offensive OSINT
- 1. OFFENSIVE OSINT CHRISTIAN MARTORELLA OSIRASUMMIT 2014 LONDON, UK
- 2. About me Chris&an Martorella: – I work in Skype (MS), Product Security team – Founder of Edge-‐security.com – Developed open source projects like theHarvester, Metagoofil, Wfuzz and Webslayer – Presented in many Security conferences (Blackhat Arsenal, Hack.lu, WhaNheHack, OWASP, Source) – Over 12 years focusing on offensive security
- 3. Disclaimer Any views oropinions presented in this presentation are solely those of the author and do not necessarily represent those of the employer
- 4. OSINT - Intro Open-‐source intelligence (OSINT) is intelligence collected from publicly available sources. • “Open" refers to overt, publicly available sources (as opposed to covert or clandes&ne sources) • It is not related to open-‐source soUware or public intelligence.
- 5. OSINT What is Threat Intelligence / Cyber Intelligence ?
- 6. OSINT PROCESS Source Identification Dataharvesting Data Analysis Data processing and Integration Results Delivery
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13. Offensive vs. DefensiveOSINT From the security perspec&ve we can separate OSINT: Offensive: Gathering informa&on before an aNack. Defensive: Learning about aNacks against the company
- 14. Offensive OSINT • Finding as much informa&on as possible that will facilitate the aNack • S&ll now, many Penetra&on Tes&ng companies skip this phase • ANackers usually spend more &me than testers on this phase
- 15. Typical Pentesting Methodology I.GScan Enumerate Exploit Post- Exploit Cover Tracks Write report
- 16. What everyone focuson: I.G Scan Enumera te Exploit Post-‐ Exploit Cover Tracks Write report
- 17. Attacker Methodology Discover what makes the company money Discover what is valuable to the aNacker Do whatever it takes... Steal it Informa&on Gathering
- 18.
- 19. Data Harvesting A.K.A: • Informa:on Gathering: The act of collec&ng informa&on • Foot prin:ng: Is the technique of gathering informa&on about computer systems and the en&&es they belong to. • Web mining: The act of collec&ng informa&on from the web
- 20. Data Harvesting –How? Techniques: • Scraping (raw) • Open APIs • Commercial APIS • Network Scanning • Purchasing data • Open source Data sets • Databases • Logfiles
- 22. Data Harves&ng -‐ Passive vs Ac&ve • Passive data harves:ng: Our ac&ons can’t be detected by the target (Non aNribu&on) • Ac:ve data harves:ng: our ac&ons leave traces that can be detected by the target
- 23.
- 24. Offensive OSINT –end goals • Phishing • Social Engineering • Denial of Services • Password brute force aNacks • Target infiltra&on
- 25. What data isinteresting? Emails Users / Employees names -Interests -People relationships -Alias
- 26. Emails • PGP servers • Search engines • Whois
- 27. Employees / Usernames/ Alias linkedin.com jigsaw.com people123.com pipl.com peekyou.com Google Finance / Etc. Usernamecheck.com checkusernames.com Glassdoor.com Hoovers.com Corpwatch.org intelius.com
- 28.
- 29.
- 30. • Employees of a company • Profile picture • Special&es • Role • Country • Emails
- 31. Linkedin Simon LongboNom Simon.LongboNom@amazon.com Product defini&on, proposi&on research, pricing, product marke&ng, product promo&on, market research, new product introduc&on pictureUrl': 'hNp://m.c.lnkd.licdn.com/mpr/mprz/’}
- 32.
- 33.
- 34. GRAPH SEARCH: “People who work at Amazon.com” “People who work at Amazon.com and live in SeaNle Washington”
- 35. @google. News and updates from Google. Mountain @googlenexus. Phones and tablets from Google @GoogleDoodles @googlewmc. News and resources from @googleindia @GoogleChat. Twee&ng about all things Google @googleaccess. The official TwiNer @googleglass. Geing technology out of the way. @googlenonprofit. News and updates from @googlewallet. News @googlereader. News @googlefiber @googleio. Google @googledevs for updates. San Francisco @GoogleIO for ... If you @GoogleMsia. Official Google Malaysia on TwiNer. Kuala @googlejobs. Have you heard we @googleapps. Google Apps news for ISVs @GooglePlay. Music @GoogleAtWork. The official TwiNer home of Google Enterprise. Mountain View @FaktaGoogle. Googling Random Facts. Don @googlemobileads. Official Google Mobile @googlepoli&cs. Trends @ericschmidt. Execu&ve Chairman @GoogleMobile. News @googledownunder. Google Australia and @AdSense. News and updates from the Google AdSense @googlecalendar. The official TwiNer home of @googledevs. News about and from @googlenews. Breaking news @GoogleB2BTeam. @GoogleB2BTeam Google @Jus&nCutroni Google query: site:twiNer.com in&tle:"on TwiNer" ”Google"
- 36.
- 37. Geo-location • People loca&on • Servers loca&on • Wireless AP loca&on
- 38. Geo-location Social media posts Foursquare Pictures TwiNer Facebook
- 39.
- 40. Images Reverse image search Face iden&fica&on Exif Metadata analysis: Profile pictures ANachments
- 41. Images • Pic from Novartis searchon TwwepSearch
- 43.
- 44. Infrastructure Internet Census project Whois ServerSniff Jobsites Search engines ShodanHQ
- 45. Infrastructure • Once we have iden&fied the Infrastructure components, what can we do?
- 46.
- 48.
- 49. INDICATORS OF COMPROMISE (IOC) IPaddresses Domains URLs Hashes Stolen Passwords
- 50. IOC Collec&ve Intelligence Framework sources (70) Abuse.CH Shadowserver.org Nothink.org Virustotal.com Malwr Seculert
- 51. DATA LEAKS Pastebin.com @pastebindorks Pastebin clones
- 53. Infrastructure • DNS o Bruteforce o Zone Transfer • SMTP o Header analysis o Vrfy, expn • Web sites o Hidden files / directories bruteforce • Network scanning • Metadata
- 54. Metadata • Office documents • Openoffice documents • PDF documents • Images EXIF metadata • Others Metadata: is data about data. Is used to facilitate the understanding, use and management of data.
- 55. Cat Schwartz -Tech TV
- 56. Washington Post Botmaster locationexposed by the Washington Post SLUG: mag/hacker! DATE: 12/19/2005! PHOTOGRAPHER: Sarah L. Voisin/TWP! id#: LOCATION: Roland, OK! CAPTION:! PICTURED: Canon Canon EOS 20D! Adobe Photoshop CS2 Macintosh 2006:02:16 15:44:49 Sarah L. Voisin! There are only 1.500 males in Roland Oklahoma
- 57.
- 58.
- 59.
- 61. INFORMATION GATHERING TOOLS • FOCA • Spiderfoot • Tapir • Creepy • theHarvester • Metagoofil
- 62. This tool is intended to help Penetra&on testers in the early stages of the penetra&on test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an aNacker can see about their organiza&on and reduce exposure of the company.
- 63. -‐ Sources google googleCSE bing bingapi pgp linkedin people123 jigsaw twiNer GooglePlus shodanhq • Open source soUware • Command line • Extendable
- 66. • python theHarvester.py -‐d lacaixa.es -‐b googleCSE -‐l 500 -‐v -‐h
- 67. - Intelligence Implement en&&es Cross reference en&&es Image reverse search / profile pictures Geo-‐loca&on Iden&fy vulnerable services Username search in other services Target priori&za&on
- 68. Challenges • Source availability (APIs) • Changes in Terms of Use • Genera&ng valid intelligence
- 69. ? TwiNer: @laramies Email: cmartorellaW@edge-‐security.com