owasp christianmartorella information gathering via osint

8/12/2019 Owasp Christianmartorella Information gathering via OSINT

1/68

A fresh new look into

Information Gathering

Christian Martorella

IV OWASP MEETING SPAIN


2/68

Who am i ?

Christian Martorella

Manager Auditoria S21secCISSP, CISA, CISM, OPST, OPSA

OWASP WebSlayer Project Leader

OISSG, Board of Directors

FIST Conference, Presidente

Edge-Security.com


3/68

Information Gathering

Denotes the collection of information before the

attack. The idea is to collect as much informationas possible about the target which may bevaluable later.


4/68

OSINT:

Open Source INTelligence

Is an information processing discipline that involves

finding, selecting, and acquiring information from

publicly available sources and analyzing it to produce

actionable intelligence.


5/68

Penetration test anatomy


6/68

Typesof I.G


7/68

I.G - Types of information

Domain, subdomain/host names dev.target.comUser names jdoe

Email Accounts

Person names John Doe
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]


8/68

I.G what for?

Infraestructure:

Information for discovering new targets, to get a

description of the hosts (NS,MX, AS,etc), sharedresources

People and organizations:

For performing brute force attacks on availableservices, Spear phishing, social engineering,

investigations, analysis, background checks,

information leaks


9/68

How can we obtain this kindof info?


10/68

Obtaining host and Domainsinfo -

ClassicZone Transfer (active)

Whois (passive)Reverse Lookup (active)

BruteForce (active++)

Mail headers (active)

smtp (active++)


11/68

Zone-Transfer - DIG

request: dig @srv.weak.dns weak.dns -t AXFR


12/68

DNS bruteforce

Domain: target.com

host afrodita.target.com

afrodita.target.com has 192.168.1.1

x

x

Discoverd hosts:

afroditaneo


13/68

Mail Headers


14/68

Obtaining user info- Classic

Search engines (passive)

Web pages (active)


15/68

New sources for I.G ...


16/68

Obtaining host and Domainsinfo

Search Engines (passive)

Public PGP key servers (passive)

serversniff.net and others (passive)


17/68

Obtaininghost and Domains-

Search engines

subdomain


18/68

Obtaininghost and Domainsinfo

The PGP public keyservers are only intended to

help the user in exchanging public keys

/

domain
http://pgp.rediris.es:11371/pks/lookup?search=http://pgp.mit.edu/http://pgp.rediris.es:11371/pks/lookup?search=http://pgp.rediris.es:11371/pks/lookup?search=http://pgp.rediris.es:11371/pks/lookup?search=http://pgp.rediris.es:11371/pks/lookup?search=http://pgp.mit.edu/http://pgp.mit.edu/


19/68

Obtaining host and Domainsinfo

subdomains


20/68

Obtaining host and Domains

Subdomainer

Demo subDomainer


21/68

Once we have some host names, we can improve our

dictionary using Google sets, and then try a brute force

attack on the dns.


Subdomainer


22/68


Subdomainer


23/68

WikiScanner

Company IP ranges

Anonymous Wikipedia edits, from interestingorganizations

/
http://wikiscanner.virgil.gr/http://wikiscanner.virgil.gr/http://wikiscanner.virgil.gr/


24/68

WikiScanner - IP ranges


25/68

WikiScanner - Wikipedia edits


26/68

Obtaining user info- New sources

PgP key servers (passive)

Social Networks (passive)

Metadata (passive)


27/68

Obtaining user info- New sources

Social networks

LinkedIn is an online network of more than 15 millionexperienced professionals from around the world,

representing 150 industries.


28/68

Obtaining user info-

New sources

Current Job

Pasts JobsEducation

Job description

Etc...


29/68

Obtaining user info-

New sources


30/68

Obtaining user info- theHarvester


31/68

Obtaining Emails- theHarvester


32/68

Online tools

ServerSniff.net:

NameServers reports (NS)Autonomous Systems reports (AS)

Virtual hosts


33/68

Serversniff MX and NS

Graphs


34/68

Obtaining more data - New sources

Metadata: is data about data.

Is used to facilitate the understanding, use and

management of data.


35/68

Obtaining more data - New sources

- Metadata

Provides basic information such as the author of awork, the date of creation, links to any related

works, etc.


36/68

Metadata- Dublin Core (schema)

Content & about the

Resource

Intellectual Property Electronic or Physical

manifestation

Title Author or Creator Date

Subject Publisher Type

Description Contributor Format

Language Rights Identifier

Relation

Coverage


37/68

Metadata - example

logo-Ubuntu.pnglogo-Kubuntu.png

:/
http://www.inkscape.org/http://www.inkscape.org/


38/68

Metadata - Images

EXIF Exchangeable Image

File Format

GPS coordinates

Time

Camera type

Serial number

Sometimes unalteredoriginal photo can be

found in thumbnail

Online exif viewer.


39/68

Metadata - EXIF- Harry Pwner

Deathly EXIF?


40/68

Metadata

So where can we get interesting metadata?


41/68

Metadata

Ok, I understand metadata... so what?


42/68

Metagoofil

Metagoofil is an information gathering tool

designed for extracting metadata of public

documents (pdf,doc,xls,ppt,etc) availables inthe target/victim websites.


43/68


44/68

Metagoofil


45/68


46/68

Metagoofil - results


47/68



48/68



49/68



50/68



51/68



52/68

Metagoofil & Linkedin results

Now we have a lot of information, what can i do?

User profiling

Spear Phishing / Social Engineering

Client side attacks


53/68

Using resultsUser profiling

Dictionary creation John Doe

ATTACK!


54/68

Metadata - The Revisionist

Tool developed by Michal Zalewski, this tool will

extract comments and Track changes from Word

documents.
http://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.dochttp://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.dochttp://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.dochttp://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.doc


55/68

Target information:

Email account

Google Finance, Reuters

pipl.com

Usercheck.com


56/68

Google Finance & Reuters

S hi f t t


57/68

Searching for a target

U h k


58/68

Usercheck.com


59/68

Using results

Password profiling

Dictionary creation: words from the different user sites

Brute forceATTACK

Th t t


60/68

There are more ways to get

info


61/68

Facebook

Kyle Doyle's Facebook profile makes it quite

obvious he was not off work for a 'valid medical

reason'

Phone in sick and treat himself to a day in bed.


62/68

All together - Maltego

Maltego is the only professional InformationGathering tool.

Information is power

Information is Maltego

Maltego


63/68

Maltego

M lt


64/68

Maltego


65/68

Conclusions

Clean your files before distribution

Web applications should clean files on upload (if its notneeded)

Web applications should try to represent the

information in a non parseable way :/

Be careful what you post/send


66/68

References

blog.s21sec.com

carnal0wnage.blogspot.com
http://lcamtuf.coredump.cx/strikeout/http://www.gnunet.org/libextractor/http://lcamtuf.coredump.cx/strikeout/http://lcamtuf.coredump.cx/strikeout/http://lcamtuf.coredump.cx/strikeout/http://lcamtuf.coredump.cx/strikeout/http://www.gnunet.org/libextractor/http://www.gnunet.org/libextractor/http://www.s21sec.com/http://www.s21sec.com/http://www.edge-security.com/http://www.edge-security.com/


67/68

?


68/68

Thank you for coming
mailto:[email protected]:[email protected]:[email protected]:[email protected]

owasp christianmartorella information gathering via osint

Documents