defcon 18: foca 2
DESCRIPTION
Slides used by Jose Palazon PALAKO and Chema Alonso to present FOCA 2 in Defcon 18
TRANSCRIPT
![Page 1: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/1.jpg)
FOCA 2.5
Chema Alonso
José Palazón «PALAKO»
![Page 2: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/2.jpg)
What our FOCA is not
![Page 3: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/3.jpg)
What our FOCA is not
![Page 4: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/4.jpg)
What’s a FOCA?
![Page 5: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/5.jpg)
FOCA on Linux?
![Page 6: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/6.jpg)
Previously on FOCA….
![Page 7: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/7.jpg)
FOCA 0.X
![Page 8: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/8.jpg)
FOCA: File types supported
• Office documents:
  – Open Office documents.
  – MS Office documents.
  – PDF documents.
    • XMP.
  – EPS documents.
  – Graphic documents.
    • EXIF.
    • XMP.
  – Adobe InDesign, SVG, SVGZ (NEW)
![Page 9: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/9.jpg)
What can be found?
![Page 10: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/10.jpg)
Pictures with GPS info..
![Page 11: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/11.jpg)
Demo: Single files
![Page 12: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/12.jpg)
Sample: mda.mil
Total: 1075 files
![Page 13: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/13.jpg)
Sample: FBI.gov
Total: 4841 files
![Page 14: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/14.jpg)
FOCA 1 v. RC3
• Fingerprinting Organizations with Collected Archives
  – Search for documents in Google and Bing
  – Automatic file downloading
  – Capable of extracting metadata, hidden info and lost data
  – Cluster information
  – Analyzes the info to fingerprint the network.
![Page 15: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/15.jpg)
DNS Prediction
![Page 16: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/16.jpg)
Google Sets Prediction
![Page 17: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/17.jpg)
Sample: Printer info found in odf files returned by Google
![Page 18: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/18.jpg)
Demo: Whitehouse.gov
![Page 19: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/19.jpg)
Yes, we can!
![Page 20: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/20.jpg)
FOCA 2.0
![Page 21: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/21.jpg)
What’s new in FOCA 2.5?
• Network Discovery
• Recursive algorithm
• Information Gathering
• Sw Recognition
• DNS Cache Snooping
• Reporting Tool
![Page 22: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/22.jpg)
FOCA 2.5: Exalead
![Page 23: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/23.jpg)
PTR Scanning
![Page 24: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/24.jpg)
Bing IP
![Page 25: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/25.jpg)
FOCA 2.5 & Shodan
![Page 26: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/26.jpg)
Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
1) http -> Web server
2) GET Banner HTTP
3) domain.com is a domain
4) Search NS, MX, SPF records for domain.com
5) sub.domain.com is a subdomain
6) Search NS, MX, SPF records for sub.domain.com
7) Try all the non verified servers on all new domains
   1) server01.domain.com
   2) server01.sub.domain.com
8) Apple1.sub.domain.com is a hostname
9) Try DNS Prediction (apple1) on all domains
10) Try Google Sets (apple1) on all domains
![Page 27: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/27.jpg)
Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
11) Resolve IP Address
12) Get HTTP Banner of http://IP
13) Use Bing Ip:IP to find all domains sharing it
14) Repeat for every new domain
15) Connect to the internal NS (1 or all)
16) Perform a PTR Scan searching for internal servers
17) For every new IP discovered try Bing IP recursively
18) ~chema -> chema is probably a user
![Page 28: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/28.jpg)
Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
19) /, /~chema/ and /~chema/dir/ are paths
20) Try directory listing in all the paths
21) Search for PUT, DELETE, TRACE methods in every path
22) Fingerprint software from 404 error messages
23) Fingerprint software from application error messages
24) Try common names on all domains (dictionary)
25) Try Zone Transfer on all NS
26) Search for any URL indexed by web engines related to the hostname
27) Download the file
28) Extract the metadata, hidden info and lost data
29) Sort all this information and present it nicely
30) For every new IP/URL start over again
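The first thing the algorithm does with a single indexed URL is take it apart (steps 1, 3, 5, 8, 18 and 19 above): the scheme names a service, every suffix of the hostname is a domain or subdomain to enumerate, a `~user` segment is a probable account name, and every directory prefix is a path to probe. The Python below is an added example written for this page, not FOCA's own code; it performs only that offline decomposition on the slide's URL so a defender can see what one exposed link already reveals before any request is sent. Assumptions: the registrable domain is taken to be the last two labels (no public-suffix list lookup), and IP-literal hosts yield no domains.

```python
"""Decompose one indexed URL into the artefacts FOCA's discovery
algorithm seeds itself with. Added example, not FOCA's code."""
import ipaddress
from urllib.parse import urlsplit, unquote

# Assumption: treat the last two labels as the registrable domain.
# A real tool would consult the public suffix list (co.uk, etc.).
REGISTRABLE_LABELS = 2


def analyze_url(url: str) -> dict:
    """Return the service, hostname, domains, users, paths and file
    that a single URL discloses without contacting the server."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = [label for label in host.split(".") if label]

    # Step 1: the scheme tells us which kind of server is listening.
    service = "web server" if parts.scheme in ("http", "https") else parts.scheme

    # Steps 3 and 5: every suffix shorter than the full hostname and at
    # least as long as the registrable domain is a (sub)domain to enumerate.
    # An IP literal has no DNS hierarchy, so it yields none (edge case).
    domains: list[str] = []
    try:
        ipaddress.ip_address(host)
    except ValueError:
        domains = [".".join(labels[-k:])
                   for k in range(REGISTRABLE_LABELS, len(labels))]

    # Steps 18 and 19: decode the path, split it into segments, and derive
    # the user-directory names and the list of directory prefixes.
    path = unquote(parts.path) or "/"
    segments = [s for s in path.split("/") if s]
    is_dir = path.endswith("/")
    dirs = segments if is_dir else segments[:-1]
    paths = ["/"] + ["/" + "/".join(dirs[:i + 1]) + "/" for i in range(len(dirs))]
    users = [s[1:] for s in segments if s.startswith("~") and len(s) > 1]
    filename = None if is_dir or not segments else segments[-1]

    return {
        "service": service,
        "hostname": host,        # step 8: the full host is a hostname
        "domains": domains,      # ordered shortest (parent) to longest
        "users": users,          # step 18: ~chema -> chema
        "paths": paths,          # step 19: /, /~chema/, /~chema/dir/
        "file": filename,        # step 27: the document to download
    }


if __name__ == "__main__":
    # The slide's own example URL.
    for key, value in analyze_url("http://apple1.sub.domain.com/~chema/dir/fil.doc").items():
        print(f"{key:9} {value}")
```

From the defender's side the useful reading is the reverse one: anything a search engine has indexed under a `~user` directory or a deep path has already handed out account names and layout, so those are the URLs to audit first.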
![Page 29: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/29.jpg)
![Page 30: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/30.jpg)
FOCA 2.5 URL Analysis
![Page 31: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/31.jpg)
FOCA 2.5 URL Analysis
![Page 32: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/32.jpg)
Demo: Whitehouse.gov
![Page 33: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/33.jpg)
Yes, we can!
![Page 34: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/34.jpg)
DNS Cache Snooping
![Page 35: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/35.jpg)
FOCA Reporting Module
![Page 36: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/36.jpg)
FOCA Reporting Module
![Page 37: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/37.jpg)
Demo: DNS Cache Snooping
![Page 38: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/38.jpg)
FOCA Online
http://www.informatica64.com/FOCA
![Page 39: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/39.jpg)
IIS MetaShield Protector
http://www.metashieldprotector.com
![Page 40: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/40.jpg)
Cleaning documents
• OOMetaExtractor
  http://www.codeplex.org/oometaextractor
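Step 28 of the algorithm (extract the metadata) and the two cleaning slides above are two sides of the same file format: an Office Open XML document is a zip whose `docProps/core.xml` and `docProps/app.xml` parts carry author, last editor, company, template path and edit time. The Python below is an added example written for this page; it is not FOCA's, MetaShield Protector's or OOMetaExtractor's code. It builds a constructed sample package with made-up values, lists the properties a harvester would read, and rewrites the package with the leaky ones removed while leaving the body text untouched. The `ep` prefix is a label chosen here for the extended-properties namespace; the files themselves use it as the default namespace.

```python
"""Read and strip the OOXML document properties that FOCA-style tools
harvest. Added example for this page, not any project's own code."""
import io
import zipfile
import xml.etree.ElementTree as ET

CORE = "docProps/core.xml"
APP = "docProps/app.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
URI_TO_PREFIX = {uri: prefix for prefix, uri in NS.items()}
for _prefix in ("cp", "dc", "dcterms", "xsi"):   # keep Word's prefixes on re-serialisation
    ET.register_namespace(_prefix, NS[_prefix])

# Properties that name people, machines, internal paths or software versions.
SENSITIVE = {
    CORE: ["dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"],
    APP: ["ep:Company", "ep:Template", "ep:TotalTime", "ep:Application", "ep:AppVersion"],
}


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal package with the kind of leaky values
    the slides describe (user name, domain account, file server, template)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">\n'
        '<dc:title>Quarterly budget</dc:title>\n'
        '<dc:creator>jdoe</dc:creator>\n'
        '<cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy>\n'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2010-07-01T09:00:00Z</dcterms:created>\n'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2010-07-20T17:30:00Z</dcterms:modified>\n'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<Properties xmlns="{NS["ep"]}">\n'
        '<Application>Microsoft Office Word</Application>\n'
        '<AppVersion>12.0000</AppVersion>\n'
        '<Company>Example Corp</Company>\n'
        '<Template>\\\\fileserver01\\templates\\corp.dotx</Template>\n'
        '<TotalTime>95</TotalTime>\n'
        '</Properties>'
    )
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Hello</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr(CORE, core)
        z.writestr(APP, app)
        z.writestr("word/document.xml", body)
    return buf.getvalue()


def extract_metadata(docx: bytes) -> dict:
    """Return {'dc:creator': 'jdoe', ...} for every non-empty property
    in core.xml and app.xml; this is what a harvester sees."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for part in (CORE, APP):
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)):
                uri, tag = el.tag[1:].split("}", 1)
                if el.text and el.text.strip():
                    found[f"{URI_TO_PREFIX.get(uri, uri)}:{tag}"] = el.text.strip()
    return found


def clean_metadata(docx: bytes) -> bytes:
    """Rewrite the package with the SENSITIVE properties removed; every
    other part (body, styles, relationships) is copied through unchanged."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in SENSITIVE:
                root = ET.fromstring(data)
                for qname in SENSITIVE[info.filename]:
                    for el in root.findall(qname, NS):
                        root.remove(el)
                extra = {"default_namespace": NS["ep"]} if info.filename == APP else {}
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True, **extra)
            out.writestr(info.filename, data)
    return out_buf.getvalue()


def read_part(docx: bytes, name: str) -> bytes:
    """Helper for checks: raw bytes of one part of the package."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read(name)


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", extract_metadata(sample))
    print("after: ", extract_metadata(clean_metadata(sample)))
```

The same two parts exist in .xlsx and .pptx packages, so the cleaner applies unchanged there; what it does not cover is the tracked changes, comments and embedded thumbnails inside the body parts, which the slides count as "hidden info and lost data" and which need their own pass.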
![Page 41: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/41.jpg)
Questions at Q&A room 113
Speakers:
- Chema Alonso
  - [email protected]
  - Blog: http://elladodelmal.blogspot.com
  - http://twitter.com/chemaalonso
- José Palazón «PALAKO»
  - [email protected]
- Working on FOCA:
  - Chema Alonso
  - Alejandro Martín
  - Francisco Oca
  - Manuel Fernández «The Sur»
  - Daniel Romero
  - Enrique Rando
  - Pedro Laguna
- Special Thanks to: John Matherly [Shodan]
![Page 42: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/42.jpg)
… and Tomorrow here at 19:00
![Page 43: Defcon 18: FOCA 2](https://reader033.vdocuments.site/reader033/viewer/2022061213/5498b5a7b4795921718b4673/html5/thumbnails/43.jpg)
Demo: US Army