OFFENSIVE OSINT CHRISTIAN MARTORELLA
OSIRA SUMMIT 2014
LONDON, UK
About me
Christian Martorella:
– I work at Skype (Microsoft), Product Security team
– Founder of Edge-security.com
– Developed open source projects like theHarvester, Metagoofil, Wfuzz and Webslayer
– Presented at many security conferences (Blackhat Arsenal, Hack.lu, WhatTheHack, OWASP, Source)
– Over 12 years focusing on offensive security
Disclaimer
Any views or opinions presented in this presentation are solely those of the author and do not necessarily represent those of the employer
OSINT - Intro
Open-source intelligence (OSINT) is intelligence collected from publicly available sources.
• "Open" refers to overt, publicly available sources (as opposed to covert or clandestine sources)
• It is not related to open-source software or to public intelligence.
OSINT
What is Threat Intelligence / Cyber Intelligence ?
OSINT Process
Source identification
Data harvesting
Data processing and integration
Data analysis
Results delivery
Offensive OSINT
Offensive vs. Defensive OSINT
From the security perspective we can separate OSINT into:
Offensive: gathering information before an attack.
Defensive: learning about attacks against the company.
Offensive OSINT
• Finding as much information as possible that will facilitate the attack
• Even now, many penetration testing companies skip this phase
• Attackers usually spend more time on this phase than testers do
Typical Pentesting Methodology
Information Gathering → Scan → Enumerate → Exploit → Post-Exploit → Cover Tracks → Write Report
What everyone focuses on:
Information Gathering → Scan → Enumerate → Exploit → Post-Exploit → Cover Tracks → Write Report
Attacker Methodology
Discover what makes the company money
Discover what is valuable to the attacker
Do whatever it takes... Steal it
Information Gathering
Data Harvesting
Data Harvesting, a.k.a.:
• Information gathering: the act of collecting information
• Footprinting: the technique of gathering information about computer systems and the entities they belong to
• Web mining: the act of collecting information from the web
Data Harvesting – How?
Techniques:
• Scraping (raw)
• Open APIs
• Commercial APIs
• Network scanning
• Purchasing data
• Open source data sets
• Databases
• Logfiles
Data Harvesting - Passive vs. Active
• Passive data harvesting: our actions cannot be detected by the target (non-attribution)
• Active data harvesting: our actions leave traces that can be detected by the target
Offensive OSINT targets
Offensive OSINT – end goals
• Phishing
• Social engineering
• Denial of service
• Password brute force attacks
• Target infiltration
What data is interesting?
Emails
Users / employee names
- Interests
- People relationships
- Aliases
Emails
• PGP servers • Search engines • Whois
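One way to implement the PGP keyserver source above, as an added example that is not theHarvester's own code: ask a keyserver for its index in machine-readable form (the HKP `op=index&options=mr` query, which returns colon-separated `pub:` and `uid:` lines with percent-escaped user IDs) and pull out the addresses on the target domain. The keyserver hostname is an assumption and the response below is a constructed sample, not real keys.

```python
"""Harvest e-mail addresses for a target domain from an HKP keyserver index
(machine-readable format), the way a PGP source in an OSINT tool works.
Added example, not theHarvester's own code."""
import re
import urllib.parse
import urllib.request

# Constructed sample of a /pks/lookup?op=index&options=mr&search=example.com
# response (invented keys and people, not real data). Field layout:
#   pub:<fingerprint>:<algo>:<keylen>:<created>:<expires>:<flags>
#   uid:<percent-escaped user id>:<created>:<expires>:<flags>
SAMPLE_HKP_RESPONSE = """info:1:3
pub:0123456789ABCDEF0123456789ABCDEF01234567:1:2048:1300000000::
uid:Alice%20Example%20%3Calice%40example.com%3E:1300000000::
uid:Alice%20Example%20%3Calice%40personal.invalid%3E:1300000000::
pub:89ABCDEF0123456789ABCDEF0123456789ABCDEF:1:4096:1400000000:1800000000:r
uid:Bob%20Builder%20%3Cbob.builder%40example.com%3E:1400000000::
pub:FEDCBA9876543210FEDCBA9876543210FEDCBA98:1:2048:1500000000::
uid:Carol%20%3CCAROL%40EXAMPLE.COM%3E:1500000000::
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def hkp_index_url(server, domain):
    """Build the HKP index URL for a domain search (server is an assumed hostname)."""
    q = urllib.parse.urlencode({"op": "index", "options": "mr", "search": domain})
    return f"https://{server}/pks/lookup?{q}"


def parse_hkp_index(text):
    """Parse an 'mr' index into (fingerprint, decoded uid, revoked) tuples."""
    entries, fpr, revoked = [], None, False
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            fpr = fields[1]
            revoked = ("r" in fields[6]) if len(fields) > 6 else False
        elif fields[0] == "uid" and fpr is not None:
            entries.append((fpr, urllib.parse.unquote(fields[1]), revoked))
    return entries


def harvest_emails(text, domain, skip_revoked=True):
    """Sorted, de-duplicated, lower-cased addresses ending in @domain.
    Revoked keys are skipped by default: their UIDs are often stale."""
    found = set()
    for _fpr, uid, revoked in parse_hkp_index(text):
        if revoked and skip_revoked:
            continue
        for email in EMAIL_RE.findall(uid):
            email = email.lower()
            if email.endswith("@" + domain.lower()):
                found.add(email)
    return sorted(found)


def harvest_from_keyserver(server, domain, timeout=10):
    """Live variant (needs network): fetch the index and harvest from it."""
    with urllib.request.urlopen(hkp_index_url(server, domain), timeout=timeout) as resp:
        return harvest_emails(resp.read().decode("utf-8", "replace"), domain)


if __name__ == "__main__":
    print(harvest_emails(SAMPLE_HKP_RESPONSE, "example.com"))
```

The keyserver query is passive from the target's point of view: nothing touches the target's infrastructure, only the keyserver's logs record the search.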
Employees / Usernames / Alias
linkedin.com
jigsaw.com
people123.com
pipl.com
peekyou.com
Google Finance, etc.
usernamecheck.com
checkusernames.com
glassdoor.com
hoovers.com
corpwatch.org
intelius.com
Username checks
Social Media
• Employees of a company
• Profile picture
• Specialties
• Role
• Country
• Emails
Example LinkedIn record:
Simon Longbottom, [email protected]
Product definition, proposition research, pricing, product marketing, product promotion, market research, new product introduction
'pictureUrl': 'http://m.c.lnkd.licdn.com/mpr/mprz/'}
Google+
Graph Search:
"People who work at Amazon.com"
"People who work at Amazon.com and live in Seattle, Washington"
Google query: site:twitter.com intitle:"on Twitter" "Google"
Results (official Google accounts found by the query): @google, @googlenexus, @GoogleDoodles, @googlewmc, @googleindia, @GoogleChat, @googleaccess, @googleglass, @googlenonprofit, @googlewallet, @googlereader, @googlefiber, @googleio, @googledevs, @GoogleIO, @GoogleMsia, @googlejobs, @googleapps, @GooglePlay, @GoogleAtWork, @FaktaGoogle, @googlemobileads, @googlepolitics, @ericschmidt, @GoogleMobile, @googledownunder, @AdSense, @googlecalendar, @googlenews, @GoogleB2BTeam, @JustinCutroni
Domain name
Geo-location
• People location
• Server location
• Wireless AP location
Geo-location
Social media posts
Foursquare
Pictures
Twitter
Facebook
Twitter - Creepy
Images
Reverse image search
Face identification
EXIF metadata analysis:
• Profile pictures
• Attachments
Images
• Picture from a "Novartis" search on TweepSearch
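What EXIF metadata analysis and photo geo-location come down to, as an added example that is not the talk's code: walk the TIFF structure that EXIF embeds in a JPEG's APP1 segment, locate the GPS IFD and turn its degree/minute/second rationals into a signed decimal latitude and longitude. The sample blob is constructed by the helper at the bottom (central London coordinates, invented for the example) so it runs without a real photo; the tag numbers (0x8825 for the GPS IFD pointer, 1 to 4 for the latitude/longitude references and values) are the standard EXIF ones.

```python
"""EXIF GPS extraction: parse the TIFF structure inside EXIF, find the GPS IFD
and convert its DMS rationals to decimal coordinates. Added example, not the
talk's own code; build_exif_gps() produces a constructed blob for offline use."""
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per TIFF type
GPS_IFD_TAG = 0x8825                                              # GPSInfo IFD pointer in IFD0
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4           # GPS IFD tags


def _read_ifd(data, offset, endian):
    """Return {tag: (type, count, raw value bytes)} for the IFD at offset."""
    (count,) = struct.unpack_from(endian + "H", data, offset)
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, n = struct.unpack_from(endian + "HHI", data, pos)
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                                  # value stored inline
            raw = data[pos + 8:pos + 8 + size]
        else:                                          # entry holds an offset to the value
            (val_off,) = struct.unpack_from(endian + "I", data, pos + 8)
            raw = data[val_off:val_off + size]
        entries[tag] = (typ, n, raw)
        pos += 12
    return entries


def _dms_to_decimal(raw, endian, ref):
    """Three RATIONALs (deg, min, sec) plus hemisphere letter -> signed degrees."""
    nums = struct.unpack(endian + "IIIIII", raw)
    deg, mins, secs = (nums[i] / nums[i + 1] if nums[i + 1] else 0.0 for i in (0, 2, 4))
    value = deg + mins / 60 + secs / 3600
    return -value if ref in ("S", "W") else value


def exif_gps(data):
    """Return (lat, lon) in decimal degrees, or None if there is no GPS IFD.

    Accepts a bare TIFF/EXIF blob or a whole JPEG: the TIFF header follows the
    'Exif\\0\\0' marker in APP1 and every IFD offset is relative to that header,
    so slicing there is enough."""
    idx = data.find(b"Exif\x00\x00")
    if idx != -1:
        data = data[idx + 6:]
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None:
        raise ValueError("not a TIFF/EXIF header")
    magic, ifd0_off = struct.unpack_from(endian + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = _read_ifd(data, ifd0_off, endian)
    if GPS_IFD_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])
    gps = _read_ifd(data, gps_off, endian)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat_ref = gps[GPS_LAT_REF][2].rstrip(b"\x00").decode("ascii")
    lon_ref = gps[GPS_LON_REF][2].rstrip(b"\x00").decode("ascii")
    return (_dms_to_decimal(gps[GPS_LAT][2], endian, lat_ref),
            _dms_to_decimal(gps[GPS_LON][2], endian, lon_ref))


def build_exif_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed little-endian TIFF: IFD0 -> GPS IFD holding only the four GPS
    tags. Test input; a real photo's EXIF carries many more entries."""
    def entry(tag, typ, count, value4):
        return struct.pack("<HHI", tag, typ, count) + value4
    gps_ifd_off = 8 + 2 + 12 + 4                       # header + IFD0 (one entry)
    data_off = gps_ifd_off + 2 + 4 * 12 + 4            # GPS IFD (four entries)
    lat_bytes = b"".join(struct.pack("<II", n, d) for n, d in lat_dms)
    lon_bytes = b"".join(struct.pack("<II", n, d) for n, d in lon_dms)
    header = b"II" + struct.pack("<HI", 42, 8)
    ifd0 = (struct.pack("<H", 1)
            + entry(GPS_IFD_TAG, 4, 1, struct.pack("<I", gps_ifd_off))
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + entry(GPS_LAT_REF, 2, 2, lat_ref.encode("ascii") + b"\x00\x00\x00")
           + entry(GPS_LAT, 5, 3, struct.pack("<I", data_off))
           + entry(GPS_LON_REF, 2, 2, lon_ref.encode("ascii") + b"\x00\x00\x00")
           + entry(GPS_LON, 5, 3, struct.pack("<I", data_off + len(lat_bytes)))
           + struct.pack("<I", 0))
    return header + ifd0 + gps + lat_bytes + lon_bytes


# Constructed sample: 51°30'26"N 0°07'39"W, wrapped in a JPEG SOI + APP1 header.
SAMPLE_TIFF = build_exif_gps([(51, 1), (30, 1), (26, 1)], "N", [(0, 1), (7, 1), (39, 1)], "W")
SAMPLE_JPEG = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(SAMPLE_TIFF) + 8)
               + b"Exif\x00\x00" + SAMPLE_TIFF)
NO_GPS_TIFF = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 0) + struct.pack("<I", 0)

if __name__ == "__main__":
    print(exif_gps(SAMPLE_JPEG))
```

Most social networks strip EXIF on upload, but e-mail attachments, corporate press photos and documents embedding camera images usually keep it, which is why the slide lists attachments next to profile pictures.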
INFRASTRUCTURE
IP
Hostnames
Services
Networks
Geo-location
Software version
CDN
Multitenant hosting
Infrastructure
Internet Census project
Whois
ServerSniff
Job sites
Search engines
ShodanHQ
Infrastructure
• Once we have identified the infrastructure components, what can we do?
ShodanHQ
Bugs databases
INDICATORS OF COMPROMISE (IOC)
IP addresses
Domains
URLs
Hashes
Stolen passwords
IOC
Collective Intelligence Framework sources (70):
Abuse.ch
Shadowserver.org
Nothink.org
Virustotal.com
Malwr
Seculert
DATA LEAKS
Pastebin.com
@pastebindorks
Pastebin clones
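Watching pastes for the company's own indicators is the defensive use of the same data. The extractor below is an added example, not from the talk or from any of the feeds listed: it pulls e-mails, IPv4 addresses, URLs, domains and file hashes out of a text dump, undoes the usual defanging (`hxxp`, `[.]`, `[at]`) so the patterns match, and flags what belongs to the target domain. The paste it parses is constructed for the example (RFC 5737 addresses, invented users and the hashes of the empty string).

```python
"""Indicator extraction from a leaked text dump (Pastebin-style paste).
Added example; not from the talk or any listed feed."""
import re
import urllib.parse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"(?<![0-9a-f])([0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})(?![0-9a-f])", re.I)
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample paste (not a real leak).
SAMPLE_PASTE = """\
# constructed sample paste (not a real leak)
dump from hxxp://evil-updates[.]invalid/loader.php
user: Alice@Example.com pass: Summer2014!
user: bob.builder@example.com pass: P@ssw0rd
c2: 198.51.100.23 and 203.0.113.7:8080, fallback hxxps://203.0.113.9/gate.php
md5 d41d8cd98f00b204e9800998ecf8427e
sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def refang(text):
    """Undo common defanging so the indicator regexes see real values."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", text, flags=re.I)
    text = re.sub(r"\[at\]|\(at\)", "@", text, flags=re.I)
    return text


def extract_indicators(text, target_domains=()):
    """Return sorted indicator lists plus the subset that touches target_domains."""
    text = refang(text)
    urls = sorted({u.rstrip(".,;)") for u in URL_RE.findall(text)})
    rest = URL_RE.sub(" ", text)            # so URL paths like loader.php are not read as domains
    emails = sorted({e.lower() for e in EMAIL_RE.findall(rest)})
    rest = EMAIL_RE.sub(" ", rest)
    ips = set(IPV4_RE.findall(rest))
    domains = {d.lower() for d in DOMAIN_RE.findall(rest)}
    domains |= {e.rsplit("@", 1)[1] for e in emails}
    for u in urls:                          # URL hosts are IPs or domains in their own right
        host = urllib.parse.urlsplit(u).hostname
        if host:
            (ips if IPV4_RE.fullmatch(host) else domains).add(host.lower())
    hashes = {}
    for h in HASH_RE.findall(text):
        hashes.setdefault(HASH_NAMES[len(h)], set()).add(h.lower())
    targets = tuple(t.lower() for t in target_domains)
    return {
        "urls": urls,
        "emails": emails,
        "ipv4": sorted(ips),
        "domains": sorted(domains),
        "hashes": {k: sorted(v) for k, v in hashes.items()},
        "target_emails": [e for e in emails if e.rsplit("@", 1)[1] in targets],
        "target_domains": sorted(d for d in domains
                                 if d in targets or any(d.endswith("." + t) for t in targets)),
    }


if __name__ == "__main__":
    for key, val in extract_indicators(SAMPLE_PASTE, ["example.com"]).items():
        print(key, val)
```

Hash length alone cannot tell an MD5 from any other 32-hex-digit token, so treat the classification as a hint; the `target_*` lists are the ones worth alerting on, the rest is context.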
Infrastructure
• DNS
  o Brute force
  o Zone transfer
• SMTP
  o Header analysis
  o VRFY, EXPN
• Web sites
  o Hidden files / directories brute force
• Network scanning
• Metadata
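The DNS brute force step, as an added example that is not theHarvester's or any other listed tool's code: it resolves each wordlist candidate under the target domain and, before trusting any hit, checks for a wildcard record by resolving a few random labels, because a wildcard makes every candidate "resolve" and turns the whole run into noise. The resolver is a parameter, so the constructed zone below runs offline; `system_resolve()` is the live variant. Host names and addresses are assumptions (RFC 5737 test ranges).

```python
"""Sub-domain brute force with a wildcard-DNS sanity check.
Added example, not from the talk or the tools it names."""
import random
import socket
import string


def system_resolve(name):
    """Resolve with the OS resolver (network). Sorted IPs, or [] when NXDOMAIN."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def make_dict_resolver(zone, wildcard=None):
    """Offline resolver over a constructed zone {fqdn: [ips]}. An optional
    (domain, ips) wildcard answers any unknown name under that domain."""
    def resolve(name):
        if name in zone:
            return sorted(zone[name])
        if wildcard and name.endswith("." + wildcard[0]):
            return sorted(wildcard[1])
        return []
    return resolve


def detect_wildcard(domain, resolve, probes=3):
    """Resolve random labels; if every one answers, the zone has a wildcard and
    the union of their answers is the set of IPs to discount."""
    wildcard_ips = set()
    for _ in range(probes):
        label = "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(12))
        ips = resolve(f"{label}.{domain}")
        if not ips:
            return set()           # a random name is NXDOMAIN: no wildcard
        wildcard_ips.update(ips)
    return wildcard_ips


def brute_force(domain, wordlist, resolve=system_resolve):
    """Return (hits, wildcard_ips); hits is [(fqdn, ips)] for names whose answer
    is not explained by the wildcard. Caveat: a genuine host parked on the
    wildcard IP is indistinguishable from the wildcard and is dropped too."""
    wildcard_ips = detect_wildcard(domain, resolve)
    hits = []
    for word in wordlist:
        word = word.strip().lower()
        if not word:
            continue
        fqdn = f"{word}.{domain}"
        ips = resolve(fqdn)
        if ips and not (wildcard_ips and set(ips) <= wildcard_ips):
            hits.append((fqdn, ips))
    return hits, sorted(wildcard_ips)


# Constructed zone for offline use (RFC 5737 test addresses, not real hosts).
SAMPLE_ZONE = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.20", "192.0.2.21"],
    "dev.example.com": ["192.0.2.99"],      # real host sharing the wildcard IP
}
SAMPLE_WORDLIST = ["www", "mail", "dev", "ftp", "vpn", "intranet", ""]

if __name__ == "__main__":
    resolver = make_dict_resolver(SAMPLE_ZONE, ("example.com", ["192.0.2.99"]))
    hits, wildcard = brute_force("example.com", SAMPLE_WORDLIST, resolver)
    print("wildcard IPs:", wildcard)
    for fqdn, ips in hits:
        print(fqdn, ", ".join(ips))
```

This is the active side of the phase: every query lands on the target's authoritative name servers, so it belongs after the passive sources (search engines, PGP, Shodan) have been exhausted, and a zone transfer attempt (AXFR) should be tried first since a single answer replaces the whole brute force.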
Metadata
• Office documents
• OpenOffice documents
• PDF documents
• Image EXIF metadata
• Others
Metadata is data about data. It is used to facilitate the understanding, use and management of data.
Cat Schwartz - Tech TV
Washington Post: botmaster location exposed by the Washington Post
Photo metadata:
SLUG: mag/hacker
DATE: 12/19/2005
PHOTOGRAPHER: Sarah L. Voisin/TWP
id#:
LOCATION: Roland, OK
CAPTION:
PICTURED:
Canon, Canon EOS 20D
Adobe Photoshop CS2 Macintosh 2006:02:16 15:44:49
Sarah L. Voisin
There are only 1,500 males in Roland, Oklahoma
Metagoofil - Results
INFORMATION GATHERING TOOLS
• FOCA
• Spiderfoot
• Tapir
• Creepy
• theHarvester
• Metagoofil
This tool is intended to help penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone who wants to know what an attacker can see about their organization and reduce the company's exposure.
- Sources
google, googleCSE, bing, bingapi, pgp, linkedin, people123, jigsaw, twitter, GooglePlus, shodanhq
• Open source software
• Command line
• Extendable
• python theHarvester.py -d lacaixa.es -b googleCSE -l 500 -v -h
- Intelligence
Implement entities
Cross-reference entities
Image reverse search / profile pictures
Geo-location
Identify vulnerable services
Username search in other services
Target prioritization
Challenges
• Source availability (APIs)
• Changes in terms of use
• Generating valid intelligence
Questions?
Twitter: @laramies
Email: cmartorellaW@edge-security.com