owasp christianmartorella information gathering via osint
TRANSCRIPT
-
8/12/2019 Owasp Christianmartorella Information gathering via OSINT
1/68
A fresh new look into
Information Gathering
Christian Martorella
IV OWASP MEETING SPAIN
-
Who am I?
Christian Martorella
Audit Manager, S21sec
CISSP, CISA, CISM, OPST, OPSA
OWASP WebSlayer Project Leader
OISSG, Board of Directors
FIST Conference, President
Edge-Security.com
-
Information Gathering
Denotes the collection of information before the attack. The idea is to collect as much information as possible about the target which may be valuable later.
-
OSINT: Open Source INTelligence
An information processing discipline that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.
-
Penetration test anatomy
-
Types of I.G.
-
I.G. - Types of information
Domain, subdomain/host names: dev.target.com
User names: jdoe
Email accounts: [email protected]
Person names: John Doe
-
I.G. - what for?
Infrastructure:
Information for discovering new targets, to get a description of the hosts (NS, MX, AS, etc.), shared resources
People and organizations:
For performing brute force attacks on available services, spear phishing, social engineering, investigations, analysis, background checks, information leaks
-
How can we obtain this kind of info?
-
Obtaining host and domain info - Classic
Zone transfer (active)
Whois (passive)
Reverse lookup (active)
Brute force (active++)
Mail headers (active)
SMTP (active++)
-
Zone-Transfer - DIG
request: dig @srv.weak.dns weak.dns -t AXFR
-
DNS brute force
Domain: target.com
host afrodita.target.com
afrodita.target.com has 192.168.1.1
Discovered hosts:
afrodita, neo
-
Mail Headers
-
Obtaining user info - Classic
Search engines (passive)
Web pages (active)
-
New sources for I.G ...
-
Obtaining host and domain info
Search Engines (passive)
Public PGP key servers (passive)
serversniff.net and others (passive)
-
Obtaining host and domain info - Search engines
subdomain
-
Obtaining host and domain info
The PGP public key servers are only intended to help the user in exchanging public keys.
Search by domain:
http://pgp.rediris.es:11371/pks/lookup?search=<domain>
http://pgp.mit.edu/
-
Obtaining host and domain info
subdomains
-
Obtaining host and domain info - Subdomainer
Demo: subDomainer
-
Obtaining host and domain info - Subdomainer
Once we have some host names, we can improve our dictionary using Google Sets, and then try a brute force attack on the DNS.
-
Obtaining host and domain info - Subdomainer
-
WikiScanner
Company IP ranges
Anonymous Wikipedia edits from interesting organizations
http://wikiscanner.virgil.gr/
-
WikiScanner - IP ranges
-
WikiScanner - Wikipedia edits
-
Obtaining user info - New sources
PGP key servers (passive)
Social networks (passive)
Metadata (passive)
-
Obtaining user info - New sources: Social networks
LinkedIn is an online network of more than 15 million experienced professionals from around the world, representing 150 industries.
-
Obtaining user info - New sources
Current job
Past jobs
Education
Job description
Etc...
-
Obtaining user info - New sources
-
Obtaining user info - theHarvester
-
Obtaining emails - theHarvester
-
Online tools
ServerSniff.net:
Name server reports (NS)
Autonomous System reports (AS)
Virtual hosts
-
Serversniff MX and NS
Graphs
-
Obtaining more data - New sources
Metadata is data about data. It is used to facilitate the understanding, use and management of data.
-
Obtaining more data - New sources
- Metadata
Provides basic information such as the author of a work, the date of creation, links to any related works, etc.
-
Metadata - Dublin Core (schema)
Content (about the resource)   Intellectual property   Electronic or physical manifestation
Title                          Author or Creator       Date
Subject                        Publisher               Type
Description                    Contributor             Format
Language                       Rights                  Identifier
Relation
Coverage
-
Metadata - example
logo-Ubuntu.png, logo-Kubuntu.png
http://www.inkscape.org/
-
Metadata - Images
EXIF: Exchangeable Image File Format
GPS coordinates
Time
Camera type
Serial number
Sometimes the unaltered original photo can be found in the thumbnail
Online EXIF viewer.
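As an added example that is not part of the slides, the following pure-Python JPEG segment walker reports which metadata blocks a file carries (Exif, XMP, IPTC, free-text comment) and rewrites the file without them, which is the "clean your files before distribution" step from the conclusions. The sample bytes are constructed inline and are JPEG-shaped but not a decodable image; the function and marker names are this example's own.

```python
import struct

# JPEG markers (big-endian). Up to SOS the file is a chain of tagged segments:
# marker, 2-byte length (counting itself), payload. Scan data follows SOS.
SOI, SOS, APP0, APP1, APP13, COM = 0xFFD8, 0xFFDA, 0xFFE0, 0xFFE1, 0xFFED, 0xFFFE
METADATA_MARKERS = {APP1, APP13, COM}  # Exif/XMP, IPTC/Photoshop, free-text comment
SIGNATURES = {b"Exif\x00\x00": "Exif", b"http://ns.adobe.com/xap/1.0/": "XMP", b"Photoshop 3.0\x00": "IPTC"}

def seg(marker, payload):  # encode one tagged segment
    return struct.pack(">HH", marker, len(payload) + 2) + payload

def iter_segments(data):
    """Yield (marker, offset, payload) for each segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF or length < 2:
            raise ValueError("corrupt segment at offset %d" % pos)
        if marker == SOS:  # entropy-coded scan follows; metadata lives before it
            yield marker, pos, b""
            return
        yield marker, pos, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("no SOS segment found")

def find_metadata(data):
    """Name the metadata blocks present (the Exif block also carries the thumbnail)."""
    found = []
    for marker, _, payload in iter_segments(data):
        if marker == COM:
            found.append("COM")
        elif marker in METADATA_MARKERS:
            found += [name for sig, name in SIGNATURES.items() if payload.startswith(sig)]
    return found

def strip_metadata(data):
    """Rebuild the file without APP1/APP13/COM; JFIF header and scan data are kept."""
    out = bytearray(b"\xff\xd8")
    for marker, offset, payload in iter_segments(data):
        if marker == SOS:
            out += data[offset:]  # SOS, scan data and EOI copied verbatim
            break
        if marker not in METADATA_MARKERS:
            out += seg(marker, payload)
    return bytes(out)

def build_sample_jpeg():
    """Constructed JPEG-shaped bytes with JFIF, Exif and COM segments; not a real image."""
    exif = b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"\x00" * 8  # TIFF header + empty IFD
    return (b"\xff\xd8" + seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(APP1, exif) + seg(COM, b"Canon EOS 5D, serial 1234567")
            + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56\xff\xd9")
```

Metadata placed after the scan (trailing data past EOI) is outside what this walker inspects, so an upload filter built on it should also truncate anything after the EOI marker.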
-
Metadata - EXIF- Harry Pwner
Deathly EXIF?
-
Metadata
So where can we get interesting metadata?
-
Metadata
Ok, I understand metadata... so what?
-
Metagoofil
Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, etc.) available on the target/victim websites.
-
Metagoofil - results
-
Metagoofil & LinkedIn results
Now we have a lot of information, what can I do?
User profiling
Spear Phishing / Social Engineering
Client side attacks
-
Using results - User profiling
Dictionary creation: John Doe
ATTACK!
-
Metadata - The Revisionist
Tool developed by Michal Zalewski; it extracts comments and tracked changes from Word documents.
http://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.doc
-
Target information:
Email account
Google Finance, Reuters
pipl.com
Usercheck.com
-
Google Finance & Reuters
-
Searching for a target
-
Usercheck.com
-
Using results - Password profiling
Dictionary creation: words from the different user sites
Brute force ATTACK
-
There are more ways to get info
-
Facebook
Kyle Doyle's Facebook profile makes it quite
obvious he was not off work for a 'valid medical
reason'
Phone in sick and treat himself to a day in bed.
-
All together - Maltego
Maltego is the only professional Information Gathering tool.
Information is power
Information is Maltego
-
Maltego
-
Maltego
-
Conclusions
Clean your files before distribution
Web applications should clean files on upload (if the metadata is not needed)
Web applications should try to represent the information in a non-parseable way :/
Be careful what you post/send
-
References
blog.s21sec.com
carnal0wnage.blogspot.com
http://lcamtuf.coredump.cx/strikeout/
http://www.gnunet.org/libextractor/
http://www.s21sec.com/
http://www.edge-security.com/
-
?
-
Thank you for coming
[email protected]