Tactical Surveillance

Look at me now

THANK YOU

My Credentials?

-me

▪ Not a L33t H4x0r

▪ Old

▪ Loudmouth Security Punk who talks $hit

▪ Tells lies (professionally)

▪ Is called all sorts of bad words.. That I will likely say throughout this talk

▪ Cant code well

▪ I’ve done PenTesting and security work for the last 14+yrs

▪ Has a bunch of certs

▪ Helped create PTES

▪ Worked for Sprint, KPMG and others in InfoSec

▪ My opinions are my own (but also my companies)

▪ And…

What the F*ck is this talk about?

Corporate Surveillan

ceBusines

s ProfilingPersonn

el Profiling

Work 2.0

Individual Surveillan

ce

Social Profile

Doxin Like a boss

Gettin’ all up in it

24x7

Show Me

Onsite

Corporate Surveillance

Watching an entire company isn’t feasible so lets boil it down

▪ Employees

▪ Partners

▪ Competitors

▪ Adversaries

▪ Trustees

▪ Financials

▪ Sensitive Info Leakage

▪ Electronic Threat surface

▪ Social Threat surface

▪ Corporate communications

▪ Key relationships and individuals of influence

▪ Corporate events

▪ Manipulation points or general shadiness =)

Business intel goes a LONG wayHoovers

I’m a bit more of a visual learnerMARKETVISUAL.COM

Mucking around

Ask yer Littlesis

Linked IN anyone?

Jigsaw contact (target) listing

News and other fun with ENTITY CUBE

Personnel Intelligence

• Collusion• Relationship strengths• Relationship Age• Com. Patterns

• Raw Intel leakage• Tone• Timing• Key Terms

• Interaction Clients• Web Apps used• Type of hardware• Physical Locations• Carriers

• Names• Aliases• Emails• IM• Screen names• Social Landscape

Who What

WhyHow

Simon Says…

Who Am I?

Who am I?

Who Am I?

What am I doing??

If you are going to drink the ocean, you may as well have a straw

▪ Manipulations points

▪ Interests/ Habits

▪ Leverage areas

▪ Points of similarity

▪ Date Specific events (wedding,bday, etc)

▪ Religion

▪ Race

▪ Creed

▪ Affiliations

▪ Clubs / Hobbies

▪ Haunts

▪ Personal Relationships

▪ Business Relationships

▪ Photos

▪ Family Heritage

▪ Socioeconomic class

▪ Affinities

▪ Travel schedules & Physical movement patterns

Maps are awesome

Mapping relationships (this is an entire talk by itself, so I’ll go

fast)

▪ The ideas are simple– Find yow who you are– Who you know– Why you know them– Then do magic and build your relationship profile.

▪ We want to use them like a Vuln scanner– Get all of the info that is relevant to target ocmpany– Find all People– Target a few– Find the gaps– Exploit them ▪ *ex. Social Net vs IRL

And TONS of people are trying to use them to figure out how a person is connected to a company or another human

Finding the MASSESMALTEGO

www.paterva.com

Finding the MASSESSalesForce Apps

http://appexchange.salesforce.com/category/intelligence

Who is talking to who?

Touchgraph

Ps.. If all the graphical stuff doesn’t work. GO MANUAL

Other fun relationship maps generated from current content

LinkedIn Maps

There are TONs more, but remember you can “Roll your own”

Underlying Maps (Geo and some data)

▪ Map Data with API access – ESRI– UMAPPER– ArcGIS– Bing Maps– Openscales– Yandex (with facial

recognition)– MapQuest– OpenStreetMap

Overlay and analysis

▪ Linkedin

▪ Facebook

▪ Twitter

▪ Flickr

▪ Banjo

▪ Tripit

▪ 4square

▪ (everything u can get for free or “find free” api keys on github)

▪ Mo da bettah

NodeXL (omfgwtfBBQ awesome)

http://nodexl.codeplex.com/

NodeXL (omfgwtfBBQ awesome)

Now to pick a target using the Relationship paths identified

Yep… the big maps will now get to smaller maps =)

Finding People of SIGNIFIGANCE not just someone on higher influence

Maltego Casefile

Immunity Stalker

Snoopy

Snoopy (because “Eye of Saron and Big Brother” were taken) since its distributed sniffing and tracking network for wireless attack.

Figure out who u wanna go after yet?

If information is power, you now have a BIG ASS ARMY! Let’s get em some weapons!

Individual Surveillance

We Know who we want, so let’s take down the easy ones first

▪ Phishing

▪ External compromise

▪ Onsite Attack

▪ Creating spys & Intel leaks

▪ Corporate manipulation

▪ Creating Shell companies and potential partners

▪ Just get in… U have a whole con to learn how to do that.

How do you get all this $h1T near the person you REALLY want?

▪ Compromise the badge system

▪ Compromise the camera systems

▪ Find out where their boxxen is and OWN IT

▪ Bug all the things

▪ Make sure to own all of their closest relationships in the office and business

▪ Once ya get all that you think you want…. Stay in… you can never have too much root =)

Automate finding stuff

▪ Whip up some python (or whatever u write in) to import your nessus scan of the ports u are going after and open them all in a tab in the browser…remember.. LOOK at the results. Don’t just assume u know whats on the port

▪ Try logging ALL the banners in the scan and then pasre for the google dorks u would use if it was external

▪ Update frequently for new manuals u download =)

I WANNA SEE

▪ LOOK at anything that is running a website *allports* people rarely change defaults.

http://www.exoticliability.com/profiles/blog/show?id=3125850%3ABlogPost%3A15590&commentId=3125850%3AComment%3A18834

Make sure ya KNOW their passwords. Wouldn’t want ya to miss anything

meterpreter > run smartlocker[*] Found WINLOGON at PID:644[*] Migrating from PID:2532[*] Migrated to WINLOGON PID: 644 successfully[*] System has currently been idle for 12 seconds[*] Current Idletime: 12 seconds[*] Current Idletime: 42 seconds[*] Current Idletime: 73 seconds

[*] Starting the keystroke sniffer...[*] Keystrokes being saved in to /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt[*] Recording[*] They logged back in! Money time![*] Stopping keystroke sniffer...meterpreter > backgroundmsf > cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt[*] exec: cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txtdesign4life$uper12#07#76!

If u get impatient be smart =)

Also… don’t forget the obvious stuff

▪ Search for “password”

▪ Make password lists based on profiles

▪ Search for “keepass” and LOOk at all XML * edit config to unhide and decrypt too =)

▪ Batch updates to send keylogger traffic to you

▪ .purple = Pidgin shit

▪ Watch their MAIL! xfce4-mailwatch,Gwatch..etc

▪ If the AV fu is strong… don’t be embarrassed to use hardware. U HAVE to see it all.

http://keepass.info/plugins.html

Get up in it

Plan to watch them 24x7

Getting the target

Bug All the things

It’s ok to be cheap. Make stuff. Like a laser mic.

http://www.lucidscience.com/

Ewwweee…. bugs

GPS TRACKING

Geo Fencing.

Sometimes it’s better to be alerted when they leave the area for you to follow.

On Star

If you know where they are why not get a view from EVERY angle?

Wireless Data drive / podslurping GSM Cracked, Cloned,

spoofed

RFID Cloning / AttackingWireless SD Cards

BarCode Attacks

Transponder Cloning, trunk code rolling, bluetooth car jacking

RealID, Verichip, Wireless ID Theft

Mobile Computers, iPad, eReaders, UltraPortables. Let’s not go there…

Bluetooth Hijacking, Rogue pairing, Interception, sniffing, Cloning

Autonet In car internet. WiFi, 3g/4g, LTE, VoIP

Wireless headset Eavesdropping

Cordless Keyboard / Mouse sniffing

GPS Hacking and Forgery +OnStar

2.4ghz, 5.8ghz, x10 Wireless security systems

DECT Hacks

HID, RFID, Proxcard Badge system Hacking

http://www.youtube.com/watch?v=f3zUOZcewtA

-----THIS is an AWESOME listening device.

Go watch the ccc talk on the Thingpwner

Speaker: Ang Cui, Michael CostelloEventID: 5400Event: 29th Chaos Communication Congress (29c3) by the Chaos Computer Club [CCC]

Get the KIES to the kingdom

@cron_ talk at HackMiami http://mcaf.ee/pt5sy Yum

Use a GOOD Cellphone bugging kitwww.mobistealth.com www.flexispy.com

More cellphone bugging

▪ USRP (Software defined Radio Platform)– Set up a cell tower (OpenBTS), identify as the relevant cell

provider, either transmit stronger, or cause other towers to drop the targets…

– Associated targets still get connectivity (cell + data), just through YOU

– Push updates? – OsmocomBB, aeroprobe, etc..

Or… You can do it for free =)

Don’t forget to make it AWESOME

PS. Get a good Lawyer

And know the laws. Many states are 1 party and with a good lawyer it is 100% admissable if you do all of this stuff to prove your wife was cheating on ya. ;)