Page 1: FOCA 2.5
Chema Alonso
Page 2: What's a FOCA?
Page 3: FOCA on Linux?
Page 4: FOCA + Wine
Page 5: Previously on FOCA…
Page 6: FOCA 0.X
Page 7: FOCA: File types supported
• Office documents:
  – Open Office documents.
  – MS Office documents.
  – PDF documents.
    • XMP.
  – EPS documents.
  – Graphic documents.
    • EXIF.
    • XMP.
  – Adobe InDesign, SVG, SVGZ (NEW)
Page 8: What can be found?
• Users:
  – Creators.
  – Modifiers.
  – Users in paths.
    • C:\Documents and settings\jfoo\myfile
    • /home/johnnyf
• Operating systems.
• Printers.
  – Local and remote.
• Paths.
  – Local and remote.
• Network info.
  – Shared printers.
  – Shared folders.
  – ACLs.
• Internal servers.
  – NetBIOS name.
  – Domain name.
  – IP address.
• Database structures.
  – Table names.
  – Column names.
• Devices info.
  – Mobiles.
  – Photo cameras.
• Private info.
  – Personal data.
• History of use.
• Software versions.
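The creator, modifier, software version and user-in-path items above live in the docProps parts of an Office Open XML package. This added Python example (not FOCA's code, and not code from the page) reads those fields from a constructed .docx and blanks them, which is the "are they cleaned?" check a document owner can run on their own files before publishing; the sample document and its values are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
# Fields a harvester reads: creator, last modifier, writing software/version, template path (leaks a local user name).
FIELDS = {"creator":  ("docProps/core.xml", "dc:creator"),
          "modifier": ("docProps/core.xml", "cp:lastModifiedBy"),
          "software": ("docProps/app.xml", "ep:Application"),
          "version":  ("docProps/app.xml", "ep:AppVersion"),
          "template": ("docProps/app.xml", "ep:Template")}

def extract_metadata(docx_bytes):
    """Return the non-empty harvestable fields of a .docx (a ZIP of XML parts) as a dict."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = {n: ET.fromstring(z.read(n)) for n in z.namelist() if n.startswith("docProps/")}
    els = {k: parts[p].find(t, NS) if p in parts else None for k, (p, t) in FIELDS.items()}
    return {k: el.text.strip() for k, el in els.items() if el is not None and (el.text or "").strip()}

def scrub_metadata(docx_bytes):
    """Rewrite the package with those fields blanked; the document body is left untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name.startswith("docProps/"):
                root = ET.fromstring(data)
                for part, tag in FIELDS.values():
                    for el in (root.findall(tag, NS) if part == name else []):
                        el.text = ""          # keep the element, drop the value
                data = ET.tostring(root, encoding="UTF-8")
            dst.writestr(name, data)
    return out.getvalue()

def build_sample_docx():
    """Constructed sample: a minimal .docx carrying the metadata Word normally writes."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>jfoo</dc:creator>'
            '<cp:lastModifiedBy>CORP\\johnnyf</cp:lastModifiedBy></cp:coreProperties>' % (NS["cp"], NS["dc"]))
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application><AppVersion>12.0000</AppVersion>'
           '<Template>C:\\Documents and settings\\jfoo\\Templates\\Normal.dotm</Template></Properties>' % NS["ep"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app), ("word/document.xml", "<document/>")):
            z.writestr(name, xml)
    return buf.getvalue()
```

Running `extract_metadata` on the scrubbed bytes returning an empty dict is the pass condition; a non-empty result means the file still leaks something.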
Page 9: Pictures with GPS info
Page 10: Demo: Single files
Page 11: Sample: FBI.gov
Total: 4841 files
Page 12: Are they cleaned?
Page 13: FOCA 1 v. RC3
• Fingerprinting Organizations with Collected Archives
  – Search for documents in Google and Bing
  – Automatic file downloading
  – Capable of extracting metadata, hidden info and lost data
  – Cluster information
  – Analyzes the info to fingerprint the network
Page 14: Sample: Printer info found in odf files returned by Google
Page 15: Types of Engineers
Page 16: DNS Prediction
Page 17: Google Sets Prediction
Page 18: Demo: Mda.mil
Page 20: FOCA 2.0
Page 21: What's new in FOCA 2.5?
• Network Discovery
• Recursive algorithm
• Information Gathering
• Software recognition
• DNS Cache Snooping
• Reporting Tool
Page 22: FOCA 2.5: Exalead
Page 23: PTR Scanning
Page 24: Bing IP
Page 25: FOCA 2.5 & Shodan
Page 26: Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
1) http -> Web server
2) GET HTTP banner
3) domain.com is a domain
4) Search NS, MX, SPF records for domain.com
5) sub.domain.com is a subdomain
6) Search NS, MX, SPF records for sub.domain.com
7) Try all the non-verified servers on all new domains
   1) server01.domain.com
   2) server01.sub.domain.com
8) apple1.sub.domain.com is a hostname
9) Try DNS Prediction (apple1) on all domains
10) Try Google Sets (apple1) on all domains
Page 27: Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
11) Resolve IP address
12) Get certificate from https://IP
13) Search for domain names in it
14) Get HTTP banner of http://IP
15) Use Bing ip:IP to find all domains sharing it
16) Repeat for every new domain
17) Connect to the internal NS (1 or all)
18) Perform a PTR scan searching for internal servers
19) For every new IP discovered try Bing IP recursively
20) ~chema -> chema is probably a user
Page 28: Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
21) /, /~chema/ and /~chema/dir/ are paths
22) Try directory listing in all the paths
23) Search for PUT, DELETE, TRACE methods in every path
24) Fingerprint software from 404 error messages
25) Fingerprint software from application error messages
26) Try common names on all domains (dictionary)
27) Try zone transfer on all NS
28) Search for any URL indexed by web engines related to the hostname
29) Download the file
30) Extract the metadata, hidden info and lost data
31) Sort all this information and present it nicely
32) For every new IP/URL start over again
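Steps 1, 3, 5, 8, 20 and 21 of the algorithm need no network access at all: the domain, subdomain, hostname, probable user name and directory paths are all derived from the URL string itself, and that is what a site owner can review before a document goes public. This added Python example (not FOCA's code) implements that local part of the algorithm over the slide's sample URL; it assumes the caller states how many labels the public suffix has (1 for .com, 2 for .co.uk), since it consults no public-suffix list.

```python
from urllib.parse import urlsplit

# Step 1: the scheme alone tells you which service is exposed.
WEB_SCHEMES = {"http": "web server", "https": "web server (TLS)"}

def analyze_url(url, suffix_labels=1):
    """Derive the entities the algorithm seeds itself with, using only the URL text.

    suffix_labels is an assumption supplied by the caller: the number of labels in the
    public suffix (1 for .com, 2 for .co.uk), because no public-suffix list is consulted.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".") if host else []
    n = suffix_labels + 1                      # registrable domain = suffix + one label
    if len(labels) < n:
        raise ValueError("no registrable domain in %r" % host)

    # Steps 3 and 5: every suffix with at least n labels is a domain or subdomain,
    # shortest first (domain.com, then sub.domain.com).  If the host has more labels
    # than the registrable domain, the full name is a hostname (step 8), not a domain.
    domains = [".".join(labels[i:]) for i in range(len(labels) - n, -1, -1)]
    host_label = None
    if len(labels) > n:
        domains.pop()                          # drop the hostname itself
        host_label = labels[0]                 # seed for DNS/Google Sets prediction (steps 9, 10)

    # Steps 20 and 21: the path yields a probable user (~name) and the directory chain.
    segments = [s for s in parts.path.split("/") if s]
    is_file = bool(segments) and "." in segments[-1] and not parts.path.endswith("/")
    dirs = segments[:-1] if is_file else segments
    paths = ["/" + "/".join(dirs[:i]) + ("/" if i else "") for i in range(len(dirs) + 1)]
    users = [s[1:] for s in segments if s.startswith("~") and len(s) > 1]

    return {
        "service": WEB_SCHEMES.get(parts.scheme, parts.scheme),
        "domain": domains[0],
        "subdomains": domains[1:],
        "hostname": host,
        "host_label": host_label,
        "users": users,
        "paths": paths,
        "file": segments[-1] if is_file else None,   # the document of step 29
    }

if __name__ == "__main__":
    for k, v in analyze_url("http://apple1.sub.domain.com/~chema/dir/fil.doc").items():
        print("%-10s %s" % (k, v))
```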
Page 30: FOCA 2.5 URL Analysis
Page 31: FOCA 2.5 URL Analysis
Page 32: Demo: fbi.gov, whitehouse.gov
Page 33: Customizable Search
Page 34: FOCA + Spidering
Page 35: FOCA + Spidering
Page 36: DNS Cache Snooping
Page 37: DNS Cache Snooping
Page 38: DNS Cache Snooping
• DNS Cache Snooping + Evilgrade
• DNS Cache Snooping + AV bypassing
Page 39: FOCA Reporting Module
Page 40: FOCA Reporting Module
Page 41: Demo: DNS Cache Snooping
Page 42: FOCA Online
http://www.informatica64.com/FOCA
Page 43: Cleaning documents
• OOMetaExtractor
  http://www.codeplex.org/oometaextractor
Page 45: Questions at Q&A room 113
Chema Alonso
- [email protected]
- http://www.informatica64.com
- http://www.elladodelmal.com
- http://twitter.com/chemaalonso
Working on FOCA:
- Chema Alonso
- Alejandro Martín
- Francisco Oca
- Manuel Fernández «The Sur»
- Daniel Romero
- Enrique Rando
- Pedro Laguna
Special thanks to: John Matherly [Shodan]