
Detecting the Undetectable: What You Need to Know About OSINT

Upload: centralohioissa

Post on 22-Jan-2018


Detecting the Undetectable: What You Need to Know About OSINT

Hack all the things!

Jerod Brennen, CISSP, GWAPT

You can find me at:

Twitter: @slandail

LinkedIn: /in/slandail

Hacker, hack thyself.

Want Answers? Start With the Right Questions.

◉ What the heck is OSINT?

◉ What’s your process?

◉ What OSINT tools should I know about?

◉ How do I defend myself?

1. What the heck is OSINT?

Let’s begin at the beginning.

OSINT: Open Source INTelligence

Penetration Testing

OSINT is a key component of the Penetration Testing Execution Standard (PTES).

[Image from https://www.trustedsec.com/penetration-testing/]

2. What’s your process?

Wash. Rinse. Repeat.

Step 1: Profile the Company

EDGAR: U.S. Securities and Exchange Commission. Over 20 million filings for publicly traded companies.

Google Finance: Leadership, performance, news stories, external links.

LinkedIn: Company page. Products, services, 30k-foot view.

Company Website: Careful, here. Visits from your laptop = a record of your IP touching their web infrastructure.
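The "record of your IP touching their web infrastructure" is a web server access log, and the defender's side of that record is what makes reconnaissance visible. The following is an added example (not code from the talk) that parses constructed Apache/nginx combined-format log lines and flags any client that, within a 60-second window, requests many distinct paths with mostly 404 responses, which is what a path-walking scanner looks like next to a normal visitor. The log lines, addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Apache/nginx "combined" log format (not real traffic).
# 203.0.113.10 browses normally, 198.51.100.7 walks a list of paths that do not exist,
# 192.0.2.44 mistypes one URL. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Jan/2018:10:00:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Jan/2018:10:00:09 +0000] "GET /careers HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jan/2018:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/7.58.0"
198.51.100.7 - - [22/Jan/2018:10:00:04 +0000] "GET /dir1 HTTP/1.1" 404 512 "-" "curl/7.58.0"
198.51.100.7 - - [22/Jan/2018:10:00:05 +0000] "GET /dir2 HTTP/1.1" 404 512 "-" "curl/7.58.0"
198.51.100.7 - - [22/Jan/2018:10:00:06 +0000] "GET /dir3 HTTP/1.1" 404 512 "-" "curl/7.58.0"
198.51.100.7 - - [22/Jan/2018:10:00:07 +0000] "GET /dir4 HTTP/1.1" 404 512 "-" "curl/7.58.0"
198.51.100.7 - - [22/Jan/2018:10:00:08 +0000] "GET /dir5 HTTP/1.1" 404 512 "-" "curl/7.58.0"
198.51.100.7 - - [22/Jan/2018:10:00:09 +0000] "GET /dir6 HTTP/1.1" 404 512 "-" "curl/7.58.0"
198.51.100.7 - - [22/Jan/2018:10:00:10 +0000] "GET /dir7 HTTP/1.1" 404 512 "-" "curl/7.58.0"
198.51.100.7 - - [22/Jan/2018:10:00:11 +0000] "GET /dir8 HTTP/1.1" 404 512 "-" "curl/7.58.0"
198.51.100.7 - - [22/Jan/2018:10:00:12 +0000] "GET /dir9 HTTP/1.1" 404 512 "-" "curl/7.58.0"
192.0.2.44 - - [22/Jan/2018:10:00:20 +0000] "GET /news HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Jan/2018:10:00:21 +0000] "GET /nws HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Turn combined-format lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "ua": m.group("ua"),
        })
    return events


def find_recon(events, window_seconds=60, min_distinct=8, min_404_ratio=0.5):
    """Flag client IPs that hit many distinct paths, mostly 404, inside one time window.

    Returns {ip: summary of the busiest qualifying window}. Thresholds are assumptions;
    tune them against your own traffic so ordinary users with a few typos are not flagged.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            distinct = {e["path"] for e in window}
            not_found = sum(1 for e in window if e["status"] == 404)
            if len(distinct) >= min_distinct and not_found / len(window) >= min_404_ratio:
                prev = flagged.get(ip)
                if prev is None or len(distinct) > prev["distinct_paths"]:
                    flagged[ip] = {
                        "distinct_paths": len(distinct),
                        "not_found": not_found,
                        "requests": len(window),
                        "user_agents": sorted({e["ua"] for e in window}),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_recon(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {summary['distinct_paths']} distinct paths, "
              f"{summary['not_found']}/{summary['requests']} returned 404, "
              f"user agents {summary['user_agents']}")
```

Run against a real access log, this is the kind of rule that answers the talk's later question about what recon "would trigger an alert": the browsing from 203.0.113.10 and the single typo from 192.0.2.44 stay quiet, while the scan from 198.51.100.7 is reported. The window is sized per client IP, so a scanner that spreads requests over hours would need a longer window or a lower distinct-path threshold.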

Step 2: Profile the People

LinkedIn: Employee names, titles, history with the company, and technologies that the IT staff uses.

Facebook: What do they eat for lunch? (More importantly, the answers to their secret questions.)

Twitter: Who do they talk to? What do they talk about?

Search Engines: Google, Bing, DuckDuckGo. Individual Internet footprint.

Step 3: Research Previous Breaches

The Wall of Shame: U.S. Department of Health and Human Services, Office for Civil Rights. Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. Breaches Affecting 500 or More Individuals.

PrivacyRights.org: Chronology of Data Breaches (2005 – present). Filter by source (if known), industry, and/or year.

PasteBin / Cryptbin: Designed to let programmers share and troubleshoot snippets of code, they’ve also become repositories for proof of breach. For example: “Here are 1,000 passwords. Send xxx bitcoins to this address for the other 49,000.”

Step 4: Profile the Internet-Facing Infrastructure

Mobile Apps: Start with Google Play and iTunes. Download the app file (.apk, .ipa) to your testing machine, unzip it, and start poking around. If they have an app in Google Play, reverse the app back to its original Java source code.

Web Infrastructure: Lots to cover here, folks. Let’s save the details for the next section.

3. What OSINT tools do I need to know about?

Automation, folks. That’s where it’s at.

Tell Me About Your Web Apps

◉ Netcraft Site Report: http://toolbar.netcraft.com/site_report

◉ ICANN WHOIS: https://whois.icann.org/en

◉ ARIN WHOIS-RWS: https://whois.arin.net/ui/advanced.jsp

◉ Hurricane Electric BGP Toolkit: http://bgp.he.net/

These Are a Few of My Favorite Things

◉ Qualys SSL Labs – SSL Server Test: https://www.ssllabs.com/ssltest/

◉ PunkSPIDER: https://www.punkspider.org/

◉ UltraTools DNS Zone Transfer Lookup: https://www.ultratools.com/tools/zoneFileDump

◉ SHODAN: https://www.shodan.io/

◉ FOCA: https://www.elevenpaths.com/labstools/foca/index.html

◉ Google Hacking: http://www.hackersforcharity.org/ghdb/

[Slide graphic: scale from Passive to Active]

“Automation, folks. That’s where it’s at.” – Jerod Brennen, just a few minutes ago

◉ Maltego: https://www.paterva.com/web6/products/maltego.php

◉ recon-ng: https://bitbucket.org/LaNMaSteR53/recon-ng

Replace Yourself With a Very Small Shell Script

4. How do I defend myself?

Sitting under your desk and crying is not an option.

Riddle Me This, Batman…

How much of what we’ve discussed would trigger an alert in your IDS/IPS?

Let’s Not Overcomplicate Things

◉ Unauthorized ports open on Shodan? Close them.

◉ Web app vulnerabilities on PunkSPIDER? Fix them.

◉ Zone transfers were successful? Disable them.

◉ Passwords on Pastebin? Change them.

◉ Users oversharing on social media? Train them.
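"Zone transfers were successful? Disable them." has two halves for the defender: notice that a transfer went to someone other than your own secondary, and tighten `allow-transfer` so it cannot happen again. The following is an added example (not code from the talk) that scans constructed BIND 9 `xfer-out` log lines for AXFR/IXFR requests served to addresses outside an allowlist of secondaries, and renders a zone stanza with the restricted setting next to the weak `any` setting. The log lines, zone name, file name and addresses are assumptions made for the example.

```python
import re

# Constructed BIND 9 "xfer-out" log lines, modelled on BIND's transfer logging format
# (not taken from any real server). 192.0.2.53 is the legitimate secondary; 198.51.100.7 is not.
SAMPLE_XFER_LOG = """\
22-Jan-2018 10:15:02.113 xfer-out: info: client 192.0.2.53#40212 (example.com): transfer of 'example.com/IN': AXFR started
22-Jan-2018 10:15:02.250 xfer-out: info: client 192.0.2.53#40212 (example.com): transfer of 'example.com/IN': AXFR ended
22-Jan-2018 10:42:17.004 xfer-out: info: client 198.51.100.7#51337 (example.com): transfer of 'example.com/IN': AXFR started
22-Jan-2018 10:42:17.180 xfer-out: info: client 198.51.100.7#51337 (example.com): transfer of 'example.com/IN': AXFR ended
22-Jan-2018 11:03:40.512 xfer-out: info: client 192.0.2.53#40213 (example.com): transfer of 'example.com/IN': IXFR started
"""

# Matches the "started" line of a transfer. The optional "@0x..." token and the "(zone)"
# parenthesis vary between BIND versions, so both are tolerated.
XFER_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"transfer of '(?P<zone>[^/']+)/IN': (?P<kind>AXFR|IXFR) started"
)


def find_unauthorized_transfers(log_text, allowed_secondaries):
    """Return (zone, client_ip, AXFR|IXFR) for every transfer served to a non-allowlisted client."""
    allowed = set(allowed_secondaries)
    hits = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if m and m.group("ip") not in allowed:
            hits.append((m.group("zone"), m.group("ip"), m.group("kind")))
    return hits


# The setting that lets anyone on the Internet pull the whole zone.
WEAK_ALLOW_TRANSFER = "allow-transfer { any; };"


def allow_transfer_stanza(zone, zone_file, allowed_secondaries):
    """Render a primary zone stanza whose allow-transfer lists only the given secondaries.

    An empty list yields "none;", which is the right value when the zone has no secondaries
    (or when secondaries are fed some other way). Uses the classic "type master" keyword.
    """
    acl = " ".join(f"{ip};" for ip in allowed_secondaries) or "none;"
    return (
        f'zone "{zone}" {{\n'
        f"    type master;\n"
        f'    file "{zone_file}";\n'
        f"    allow-transfer {{ {acl} }};\n"
        f"}};\n"
    )


if __name__ == "__main__":
    for zone, ip, kind in find_unauthorized_transfers(SAMPLE_XFER_LOG, ["192.0.2.53"]):
        print(f"unauthorized {kind} of {zone} served to {ip}")
    print("weak:    ", WEAK_ALLOW_TRANSFER)
    print("fixed:\n" + allow_transfer_stanza("example.com", "example.com.zone", ["192.0.2.53"]))
```

The regex only keys on "started" lines so each transfer is reported once. Pair the log check with the zone-transfer lookup tool the talk already lists: after the stanza is in place, a transfer attempt from anywhere but 192.0.2.53 should be refused, and the log should show no further "started" lines from unknown clients.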

Would You Like to Know More?

◉ Online Strategies: http://www.onstrat.com/osint/

◉ Penetration Testing Execution Standard: http://www.pentest-standard.org/index.php/Main_Page

◉ IT Security Career: http://www.itsecuritycareer.com/blog/what-you-dont-know-about-osint-can-hurt-you/

Thanks!

ANY QUESTIONS?

You can find me at:

Twitter: @slandail

LinkedIn: /in/slandail