OWASP-Modern Information Gathering.ppt

Slide 1
Modern information gathering

Subject: Modern Information Gathering
Date: 26-JUN-2012
Attendees: OWASP
Classification: Public

Slide 2
Who Am I
Dave van Stein
38 years
Tester > 11 years
(Application) Security Testing
“Certified Ethical Hacker”

Slide 3
Agenda
Goal of the presentation
What is Information Gathering ?
Domain scanning
Search engine ‘abuse’
Other tools
Some Social Engineering
Remedies
Conclusions

Slide 4

Goal of this presentation
Give insight into the amount of information anonymously available on the internet about your system (and users)
Give insight into the amount and possibilities of freely available tools
Identify entry point
Gain access
Secure access
Do stuff
Clear up the mess
Come back another time
(simplified procedure)

Slide 5

‘Classic’ Domain Scanning
Steps involved:
- Get network information with ping and traceroute
- Get DNS information with WHOIS and LOOKUP
- Do a DNS zone transfer for subdomains
- Download the website for extra info
- Scan servers
Problems:
- DNS zone transfers are often not authorized
- Active connection with target => detectable

Slide 6

Modern Information Gathering
Interesting information:
- Domains and subdomains
- IP addresses
- Applications and technologies
- Hotspots (known vulnerabilities)
- Usernames and passwords
- Sensitive information
Passive:
- As little contact as possible with the target
- No direct scanning, no intrusion
- No logging and no alarm triggering!

Slide 7

Sources of information
Public records
- WHOIS: information about the owner
- DNS: information about IP addresses
Search engines
- Often few restrictions on websites
- Cache all information gathered
- Tweaking provides additional information
Various websites
- Anonymous
- Combine the above techniques
- Sort results for nice presentation
Advanced and automated scanning
- Specialized (offline) tools

Slide 8

Shodanhq.com
Shodan
IP addresses
Server banner
X-Powered-By banner
Cookies
Search filters:
- City, country, geo
- Hostname, IP address / net block
- OS, port
- Date (before / after)
- SSL cert version, bits, issuer
- SSL cipher support, bit support, protocol

Slide 9

ServerSniff.net
Server Sniff
NS reports
Domain reports
Subdomains
Various (trace)routes
Various ping types
Shows robots.txt
Anonymous !

Slide 10

Domain Scanning: Server Sniff

Slide 11

Robtex.com

Slide 12

Domain Scanning: Robtex
Domain ‘Swiss Army Knife’
Provides ALL information linked to a domain

Slide 13

Domain scanning: Robtex

Slide 14
Google Advanced search
filetype: (or ext:) Find documents of the specified type, e.g. PDF, XLS, DOC
intext: The terms must appear in the text of the page.
intitle: The terms must appear in the title of the page.
inurl: The terms must appear in the URL of the page.

Slide 15
Google Hacking Database
www.johnny.ihackstuff.com
(edit: http://johnny.ihackstuff.com/ghdb.php)
Collection of queries for
finding ‘interesting’ stuff
No longer updated
Possible results of GHD:
Identify systems in use (including version)
Identify known exploits
Locations of sensitive information
User-id’s & passwords
Logging files
Many other things

Slide 16

The NEW and IMPROVED GHDB

Slide 17

Bing.com
Finds subdomains with ‘IP:x.x.x.x’

Slide 18

Baidu
inurl:
intitle:
site:

Slide 19

Example

Slide 20

SearchDiggity

Slide 21

Stach & Liu

Slide 22

SEO Tools

Slide 23

Domain Scanning ‘on-the-fly’
Passive Recon (Firefox add-on)

Slide 24

FOCA

Slide 25
Maltego
Intelligence and forensics tool
Connects many different sources of info
Represents in graphical way
Very extensive capabilities

Slide 26

Maltego
Can also be used for social engineering
- Facebook & Twitter
- Email addresses
- Phone numbers
- etc.

Slide 27
theHarvester

Slide 28

Conclusions
What search engines see, hackers can abuse
Anonymous, online and offline, highly automated
Many tools are freely available
Networks can be mapped in much detail in minutes
Much information about your company, systems and users is available on the internet

Slide 29
Remedies (1/2)
Limit access
• Allow search engines to see only what they need to see.
• Make sure unauthorized users are not able to look into, or even see, files they do not need to see.
• Force possible intruders to use methods that can be scanned and monitored.
Use the tools of hackers
• Scan your systems with the tools hackers use and check the information that is found.
• Scan for error messages and other things that reveal information about the system and services, and remove them.
Check what spiders can see
• Use a spider simulator to check what spiders can see and whether your application still functions correctly.
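The Shodan slide lists what an index collects from a single HTTP response (server banner, X-Powered-By header, cookies), and the "use the tools of hackers" remedy says to scan your own systems for exactly that and remove it. The check below is an added example, not code from the presentation: it parses two constructed responses (one with verbose defaults, one after the remedies) and reports every header, cookie name and error-page fragment that gives away the stack. The header list, cookie names and error patterns are my own selection, not anything the slides specify.

```python
"""Flag fingerprinting data in HTTP responses before a Shodan-style index does.

Added example for the Shodan slide and the 'scan for error messages ... and
remove them' remedy. The two responses are constructed samples, not captures.
"""
import re
from typing import Dict, List, Tuple

# Headers that advertise software; Server is flagged only when it carries a version number
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator")
# Default session-cookie names that give away the application stack
COOKIE_STACK = {
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "asp.net_sessionid": "ASP.NET",
    "cfid": "ColdFusion",
}
# Fragments typical of verbose error pages (they also leak file paths and table names)
ERROR_PATTERNS = [
    (r"Fatal error: .* in /\S+\.php on line \d+", "PHP fatal error with file path"),
    (r"\bat [\w.$]+\(\w+\.java:\d+\)", "Java stack trace"),
    (r"Stack Trace:", "ASP.NET stack trace"),
    (r"\bORA-\d{5}\b", "Oracle error code"),
    (r"You have an error in your SQL syntax", "MySQL syntax error"),
]


def parse_response(raw: bytes) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.x response into status line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("utf-8", "replace")


def find_leaks(raw: bytes) -> List[str]:
    """Return one finding per piece of information the response gives away."""
    _status, headers, body = parse_response(raw)
    findings = []
    for name in BANNER_HEADERS:
        for value in headers.get(name, []):
            if name != "server" or re.search(r"\d", value):
                findings.append(f"header {name}: {value}")
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip().lower()
        if cookie_name in COOKIE_STACK:
            findings.append(f"cookie {cookie_name} reveals {COOKIE_STACK[cookie_name]}")
    for pattern, label in ERROR_PATTERNS:
        if re.search(pattern, body):
            findings.append(f"body: {label}")
    return findings


# Constructed sample: verbose default configuration
LEAKY = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: Apache/2.2.22 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.3.10-1ubuntu3\r\n"
    b"Set-Cookie: PHPSESSID=0123abcd; path=/\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"Fatal error: Call to undefined function render() in /var/www/html/index.php on line 12\n"
)

# Constructed sample: the same failure after the remedies (generic banner, neutral cookie
# name, generic error page with only an internal reference id)
HARDENED = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: Apache\r\n"
    b"Set-Cookie: sid=0123abcd; path=/; HttpOnly; Secure\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"Something went wrong. Reference: 7f3a91\n"
)

if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, find_leaks(sample) or "no leaks")
```

Run it against saved responses from your own hosts (every error path, not only the front page); a 500 page is where most of these fragments appear. The Server header is only flagged when it carries a version, because some servers cannot drop it completely and a bare product name is the realistic target of the "remove them" remedy.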
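For the "check what spiders can see" remedy, and the Server Sniff slide's point that robots.txt is shown to anyone who asks, here is a minimal spider simulator as an added example (not code from the presentation or from any of the tools named). The site, its robots.txt and the hostname www.example.test are constructed in memory so nothing is fetched over the network; a real run would swap the dictionary for HTTP fetches. It follows links from the root the way a well-behaved spider does, honouring robots.txt, and separately lists the paths robots.txt itself discloses, which is the part most people miss.

```python
"""Simulate what a search-engine spider can see on a site.

Added example for the 'check what spiders can see' remedy. The site below is a
constructed sample; nothing is fetched over the network.
"""
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urljoin, urlparse
from urllib.robotparser import RobotFileParser

BASE = "http://www.example.test"  # constructed hostname

# Constructed sample site: path -> HTML body, standing in for HTTP fetches
SITE = {
    "/": '<a href="/about.html">About</a> <a href="/admin/">Admin</a> <a href="/docs/plan.pdf">Plan</a>',
    "/about.html": '<a href="/">Home</a> <a href="http://other.example/x">Partner</a>',
    "/admin/": '<a href="/admin/users.php">Users</a>',
    "/admin/users.php": "",
    "/docs/plan.pdf": "",
    "/backup/": '<a href="/backup/db.sql">Dump</a>',   # not linked from anywhere
}
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /backup/
"""


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags, which is all a crawler needs."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def crawl(site: Dict[str, str], robots_txt: str, agent: str = "Googlebot") -> List[str]:
    """Return the paths a well-behaved spider would index, following links from '/'."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    seen: Set[str] = set()
    queue = ["/"]
    indexed: List[str] = []
    while queue:
        path = queue.pop(0)
        if path in seen or path not in site:
            continue
        seen.add(path)
        if not rules.can_fetch(agent, BASE + path):
            continue  # disallowed pages are neither indexed nor used as link sources
        indexed.append(path)
        extractor = LinkExtractor()
        extractor.feed(site[path])
        for href in extractor.links:
            target = urlparse(urljoin(BASE + path, href))
            if target.netloc == urlparse(BASE).netloc:  # stay on the site
                queue.append(target.path)
    return indexed


def disclosed_paths(robots_txt: str) -> List[str]:
    """Paths robots.txt advertises to anyone who reads it, spider or not."""
    found = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            found.append(value.strip())
    return found


if __name__ == "__main__":
    print("indexed by a well-behaved spider:", crawl(SITE, ROBOTS_TXT))
    print("paths robots.txt discloses to everyone:", disclosed_paths(ROBOTS_TXT))
```

The run shows the two sides of the remedy: the spider indexes "/", "/about.html" and the PDF under "/docs/", so those should contain nothing you would not publish on the front page, while "/backup/" is never linked yet is named in robots.txt. A Disallow line keeps polite spiders out but tells everyone else the path exists, so anything listed there needs real access control, not just the robots.txt entry.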

Slide 30

Remedies (2/2)
Awareness
• Be aware of all possible sources of information. Create awareness among employees. Assume all information can potentially be abused.
Clean documents
• Remove all metadata from documents before publishing.
Audit frequently
• Keep your knowledge up to date and scan regularly for information that can be found about your systems, or hire professionals to do it for you.

Slide 31

Interesting books on the subject