A fresh new look into Information Gathering - Christian Martorella - IV OWASP Meeting Spain
Who am I? Christian Martorella: Manager Auditoria, S21sec; CISSP, CISA, CISM, OPST, OPSA; OWASP WebSlayer Project Leader; OISSG, Board of Directors; FIST Conference, President; Edge-Security.com
Information Gathering: the collection of information about the target before the attack. The idea is to collect as much information as possible, since any piece of it may be valuable later.
OSINT (Open Source INTelligence): an information processing discipline that involves finding, selecting and acquiring information from publicly available sources and analysing it to produce actionable intelligence.
Penetration test anatomy: Information Gathering -> Discovery / Fingerprinting -> Vulnerability analysis -> Exploitation -> Reporting
Types of I.G.: Passive (nothing is sent to the target's own systems; only third-party sources are consulted) and Active (queries reach the target's infrastructure and can be logged there)
I.G. - Types of information: domain, subdomain and host names (e.g. dev.target.com); user names and accounts (e.g. jdoe); person names (e.g. John Doe)
I.G. - What for? Infrastructure: discovering new targets, describing the hosts (NS, MX, AS, etc.) and finding shared resources. People and organizations: brute-force attacks on available services, spear phishing, social engineering, investigations, analysis, background checks, information leaks.
How can we obtain this kind of info?
Obtaining host and domain info - Classic: zone transfer (active); Whois (passive); reverse lookup (active); brute force (active++); mail headers (active); SMTP (active++)
Zone transfer - dig request from the tester to the target's DNS server: dig weak.dns -t AXFR. It only works when the server that answers is authoritative for the zone and has not restricted AXFR to its secondaries; a single successful transfer lists every record in the zone.
DNS brute force: domain target.com. For each dictionary entry (afrodita, hermes, matrix, neo) the tester asks the DNS server whether <entry>.target.com exists: afrodita.target.com resolves, hermes and matrix do not, neo resolves. Discovered hosts: afrodita, neo.
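The brute-force step of the slide as working code, added here and not the presenter's tool. The resolver is injectable, so the same logic runs against the real DNS (socket.gethostbyname) or against FAKE_ZONE, a constructed stand-in for target.com's records; it also adds the check a practitioner needs before trusting the hits, a wildcard probe, since a zone with a `*` record makes every dictionary word "resolve". All names (dns_bruteforce, FAKE_ZONE, the 192.0.2.x addresses) are assumptions of this example.

```python
import socket
import uuid
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a host name to an IPv4 address string, or None if the
# name does not exist.  Injecting it lets the same logic run against the
# real DNS or against the constructed zone at the bottom of this file.
Resolver = Callable[[str], Optional[str]]


def system_resolver(hostname: str) -> Optional[str]:
    """Resolve through the OS resolver; None on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def dns_bruteforce(domain: str, words: Iterable[str],
                   resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Try every dictionary word as a label under `domain`.

    Returns {fqdn: ip} for the names that resolve.  Every query, hit or
    miss, reaches the target's authoritative servers, which is why the
    slide rates the technique 'active++'.
    """
    found: Dict[str, str] = {}
    tried = set()
    for word in words:
        label = word.strip().lower()
        if not label or label in tried:
            continue
        tried.add(label)
        fqdn = f"{label}.{domain}"
        ip = resolve(fqdn)
        if ip is not None:
            found[fqdn] = ip
    return found


def wildcard_address(domain: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Address that a random, certainly non-existent label resolves to.

    A non-None result means the zone has a wildcard record, so every
    dictionary word would appear to exist.
    """
    probe = f"{uuid.uuid4().hex[:12]}.{domain}"
    return resolve(probe)


def bruteforce_filtered(domain: str, words: Iterable[str],
                        resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Brute force, dropping hits that only answer with the wildcard address."""
    wildcard = wildcard_address(domain, resolve)
    hits = dns_bruteforce(domain, words, resolve)
    if wildcard is None:
        return hits
    return {name: ip for name, ip in hits.items() if ip != wildcard}


# --- constructed data standing in for target.com's DNS (no network) ---
FAKE_ZONE = {
    "afrodita.target.com": "192.0.2.10",
    "neo.target.com": "192.0.2.11",
}
DICTIONARY = ["afrodita", "hermes", "matrix", "neo"]  # the slide's word list


def fake_resolver(hostname: str) -> Optional[str]:
    return FAKE_ZONE.get(hostname)


if __name__ == "__main__":
    for name, ip in bruteforce_filtered("target.com", DICTIONARY, fake_resolver).items():
        print(f"{name} -> {ip}")
```

Against a real zone, swap fake_resolver for the default system_resolver; the wildcard filter is what separates the two real hosts from a zone that answers 192.0.2.1 for everything.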
Mail headers: the Received: lines of a message that originated inside the target show the relays it passed through, including internal host names and private addresses that never appear in public DNS.
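What the mail-header technique yields in practice, as an added example that is not from the presentation: the Received: chain of a constructed message (every host, address and id in SAMPLE_MESSAGE is invented; corp.target.com stands for the target's internal domain) is walked from the innermost relay outwards and the hosts that announced themselves with an RFC 1918 address are reported as internal infrastructure.

```python
import ipaddress
import re
from email import message_from_string
from typing import Dict, List, Tuple

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Typical shape: "from <sender-host> (<helo> [<ip>]) by <receiving-host> ..."
FROM_BY = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True only for private ranges (not for documentation/test ranges)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def received_hops(raw_message: str) -> List[Tuple[str, str, List[str]]]:
    """Return (from_host, by_host, ips) for each Received: header.

    Each relay prepends its own Received: line, so the header order is
    newest first; the list is reversed to give the path from the sender's
    internal relay outwards.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = FROM_BY.search(flat)
        if not m:
            continue
        hops.append((m.group(1), m.group(2), IPV4.findall(flat)))
    hops.reverse()
    return hops


def internal_hosts(raw_message: str) -> Dict[str, str]:
    """Hosts that announced themselves with a private address: the target's
    internal relays and workstations, not the public MX."""
    leaked: Dict[str, str] = {}
    for from_host, _by_host, ips in received_hops(raw_message):
        for ip in ips:
            if is_rfc1918(ip):
                leaked[from_host] = ip
    return leaked


# Constructed message: a reply from an employee of target.com to the tester.
SAMPLE_MESSAGE = (
    "Received: from mx.isp.example (mx.isp.example [198.51.100.7])\n"
    "\tby mail.tester.example with ESMTP id abc123;\n"
    "\tTue, 3 Mar 2009 10:00:00 +0000\n"
    "Received: from exch01.corp.target.com (exch01.corp.target.com [10.1.2.3])\n"
    "\tby mx.isp.example with ESMTP id xyz789;\n"
    "\tTue, 3 Mar 2009 09:59:58 +0000\n"
    "Received: from WS-JDOE.corp.target.com ([10.1.2.55])\n"
    "\tby exch01.corp.target.com with Microsoft SMTP Server id 8.1.2;\n"
    "\tTue, 3 Mar 2009 09:59:50 +0000\n"
    "From: John Doe <jdoe@target.com>\n"
    "To: someone@tester.example\n"
    "Subject: Re: meeting\n"
    "\n"
    "See you tomorrow.\n"
)

if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(hop)
    print(internal_hosts(SAMPLE_MESSAGE))
```

Two hosts come out of this one message, plus the internal domain name (corp.target.com), the workstation naming convention (WS-<user>) and the mail server software string, none of which the passive sources would have shown.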
Obtaining user info - Classic: search engines (passive); web pages (active)
New sources for I.G....
Obtaining host and domain info - New sources: search engines (passive); public PGP key servers (passive); serversniff.net and others (passive)
Obtaining host and domain info - Search engines: passive subdomain discovery from the host names that appear in indexed pages and URLs.
Obtaining host and domain info - PGP key servers: the public key servers are only intended to help users exchange public keys, but a search on the domain (search=domain) returns every key whose user ID carries an address under it, and with it user names and host names.
Obtaining host and domain info - subdomains found in the key server results.
Obtaining host and domains - Subdomainer demo: Subdomainer collects the host names that the passive sources above return for a domain. Once we have some host names, we can improve our dictionary using Google Sets (which expands a few seed names into related terms), and then try a brute force attack on the DNS.
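The harvesting side of Subdomainer, as an added example that is not the tool's code: host names under the target domain are pulled out of arbitrary text (a key server listing, search engine results, mail addresses) with a pattern that refuses lookalikes such as nottarget.com or target.com.phish.example, and the labels found are returned as seeds for the brute-force dictionary. SAMPLE_TEXT is constructed; the key ids and addresses in it are invented.

```python
import re
from typing import Iterable, List, Set


def hostname_pattern(domain: str) -> "re.Pattern":
    """Match <label>(.<label>)*.<domain>, rejecting 'notdomain.com' (no dot
    before the domain) and 'domain.com.evil.example' (more labels after it)."""
    label = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    return re.compile(
        r"(?<![a-z0-9.-])((?:" + label + r"\.)+" + re.escape(domain.lower())
        + r")(?!\.?[a-z0-9-])",
        re.IGNORECASE,
    )


def harvest_hostnames(domain: str, text: str) -> Set[str]:
    """Every host name under `domain` mentioned anywhere in `text`."""
    return {m.group(1).lower() for m in hostname_pattern(domain).finditer(text)}


def dictionary_seeds(hostnames: Iterable[str], domain: str) -> List[str]:
    """All labels of the hosts found (mail.corp.target.com -> mail, corp),
    ready to be added to the brute-force word list."""
    suffix = "." + domain.lower()
    seeds = set()
    for host in hostnames:
        if host.endswith(suffix):
            seeds.update(host[: -len(suffix)].split("."))
    return sorted(seeds)


# Constructed text: two key server entries, two search results, one phish.
SAMPLE_TEXT = """
pub  1024D/0A1B2C3D 2007-05-11 John Doe <jdoe@target.com>
pub  1024D/4E5F6A7B 2008-01-20 Postmaster <postmaster@mail.target.com>
uid                            Ops team <ops@vpn.target.com>
Search result: https://intranet.target.com/login - Intranet portal
Search result: http://www.nottarget.com/ - unrelated site
Phishing: http://login.target.com.phish.example/ - lookalike, not ours
"""

if __name__ == "__main__":
    hosts = harvest_hostnames("target.com", SAMPLE_TEXT)
    print(sorted(hosts))
    print(dictionary_seeds(hosts, "target.com"))
```

The bare domain in jdoe@target.com is deliberately not reported (it is not a subdomain); the seeds intranet, mail and vpn feed the brute-force run described on the previous slide.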
WikiScanner: takes a company's IP ranges and lists the anonymous Wikipedia edits made from them, i.e. edits coming from interesting organizations.
Obtaining user info - New sources: PGP key servers (passive); social networks (passive); metadata (passive)
Obtaining user info - Social networks: LinkedIn is an online network of more than 15 million experienced professionals from around the world, representing 150 industries.
Obtaining user info - What a profile gives away: current job, past jobs, education, job description, etc.
Obtaining more data - New sources - Metadata: metadata is data about data; it is used to facilitate the understanding, use and management of data.
Obtaining more data - New sources - Metadata: it provides basic information such as the author of a work, the date of creation, links to any related works, etc.
Metadata - Dublin Core (schema), grouped by what each element describes. Content and about the resource: Title, Subject, Description, Type, Relation, Coverage. Intellectual property: Author or Creator, Publisher, Contributor, Rights. Electronic or physical manifestation: Date, Format, Identifier, Language.
Metagoofil & LinkedIn results: now we have a lot of information, what can I do? User profiling; spear phishing / social engineering; client-side attacks.
Using results - User profiling, dictionary creation: John Doe -> john.doe, jdoe, j.doe, johndoe, johnd, john.d, jd, doe.john ... ATTACK!
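The user-profiling step as code, added here and not the presenter's: the common corporate account formats are generated from each harvested person name (the slide's John Doe list is a subset of the output), optionally as addresses under a domain, and the lists for many names are merged without duplicates. Function names are this example's own.

```python
from typing import Iterable, List, Optional


def username_candidates(full_name: str, domain: Optional[str] = None) -> List[str]:
    """Likely account names for one person, most common formats first.

    'John Doe' -> john.doe, jdoe, j.doe, johndoe, johnd, john.d, jd, doe.john, ...
    """
    parts = [p.lower() for p in full_name.replace("-", " ").split()]
    if len(parts) < 2:
        return parts
    first, last = parts[0], parts[-1]        # middle names are ignored
    f, l = first[0], last[0]
    forms = [
        f"{first}.{last}", f"{f}{last}", f"{f}.{last}", f"{first}{last}",
        f"{first}{l}", f"{first}.{l}", f"{f}{l}",
        f"{last}.{first}", f"{last}{first}", f"{last}{f}", f"{last}.{f}", f"{l}{first}",
        first, last,
    ]
    seen, out = set(), []
    for form in forms:                        # dedupe (e.g. 'Lee Lee'), keep order
        if form not in seen:
            seen.add(form)
            out.append(f"{form}@{domain}" if domain else form)
    return out


def dictionary_from_names(names: Iterable[str], domain: Optional[str] = None) -> List[str]:
    """One merged user-name list for a whole set of harvested employee names;
    names that collide on a format (jdoe for John and Jane Doe) appear once."""
    seen, out = set(), []
    for name in names:
        for candidate in username_candidates(name, domain):
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


if __name__ == "__main__":
    print(username_candidates("John Doe"))
    print(dictionary_from_names(["John Doe", "Jane Doe"], "target.com"))
```

One confirmed address from the PGP key server or a mail header (jdoe@target.com) tells you which format the organisation actually uses; from then on only that one format needs to be generated for the rest of the LinkedIn names.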
Metadata - The Revisionist: a tool developed by Michal Zalewski that extracts comments and Track Changes from Word documents.
Target information - account: Google Finance, Reuters; pipl.com; Usercheck.com
Google Finance & Reuters: searching for a target.
Using results - Password profiling, dictionary creation: words taken from the target's different user sites (magic, serra angel, necropotence, Shivan dragon, elf, brainstorm) -> brute force ATTACK
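Password profiling as code, an added example rather than anything from the talk: the words harvested from the target's personal sites (the slide's Magic: The Gathering vocabulary) are turned into a bounded candidate list with the usual mangling rules (case forms, spaces removed, leet substitution, common suffixes). The LEET map and SUFFIXES are this example's choices; tune the year suffixes to the engagement date.

```python
from typing import Iterable, List

LEET = str.maketrans("aeios", "43105")
SUFFIXES = ["", "1", "123", "!", "2008", "2009"]   # assumption: engagement in 2008/2009


def mangle(word: str) -> List[str]:
    """Case and spelling variants of one harvested word or phrase."""
    joined = "".join(word.split())                           # 'serra angel' -> 'serraangel'
    camel = "".join(p.capitalize() for p in word.split())    # 'SerraAngel'
    variants = {
        joined.lower(),
        joined.lower().capitalize(),
        joined.upper(),
        camel,
        joined.lower().translate(LEET),                      # 'shivandragon' -> '5h1v4ndr4g0n'
    }
    return sorted(variants)


def password_dictionary(words: Iterable[str]) -> List[str]:
    """Every variant of every word with every suffix, deduplicated in order,
    so the most likely forms (plain lower case, no suffix) are tried first."""
    seen, out = set(), []
    for word in words:
        for variant in mangle(word):
            for suffix in SUFFIXES:
                candidate = variant + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    out.append(candidate)
    return out


# The slide's harvested words.
HARVESTED = ["magic", "serra angel", "necropotence", "Shivan dragon", "elf", "brainstorm"]

if __name__ == "__main__":
    dictionary = password_dictionary(HARVESTED)
    print(len(dictionary), "candidates, e.g.", dictionary[:8])
```

Six words become a few hundred candidates, small enough to run against a lockout-protected service without tripping it; the point of profiling is that this short list beats a generic multi-million-word list for this one user.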
There are more ways to get info.
Facebook: phone in sick and treat yourself to a day in bed? Kyle Doyle's Facebook profile made it quite obvious he was not off work for a 'valid medical reason'.
All together - Maltego: "Maltego is the only professional Information Gathering tool. Information is power. Information is Maltego."
Conclusions: clean your files before distribution; web applications should strip metadata from files on upload (if it is not needed); web applications should try to present information in a way that is not easily parseable by harvesting tools; be careful what you post/send.
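The metadata slides (what Dublin Core fields a document carries) and the first two conclusions (clean files before distribution, strip on upload) share one worked example, added here and not Metagoofil's or the presenter's code. A .docx is a zip package whose docProps/core.xml reuses the Dublin Core elements (dc:creator, dc:title, dcterms:created) and whose docProps/app.xml adds Office extras such as Company and Template; extract_metadata reads them and strip_metadata writes a copy with the identifying ones removed. build_sample_docx produces a minimal constructed package (the user jdoe, the domain account TARGET\asmith and Target Corp are invented); real files have more parts, which are copied through untouched.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict

# OOXML reuses Dublin Core: docProps/core.xml carries dc:/dcterms: elements,
# docProps/app.xml carries Office-specific extras such as Company.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

FIELDS = [  # (field, package part, element)
    ("title", "docProps/core.xml", "dc:title"),
    ("creator", "docProps/core.xml", "dc:creator"),
    ("last_modified_by", "docProps/core.xml", "cp:lastModifiedBy"),
    ("created", "docProps/core.xml", "dcterms:created"),
    ("application", "docProps/app.xml", "ep:Application"),
    ("company", "docProps/app.xml", "ep:Company"),
    ("template", "docProps/app.xml", "ep:Template"),
]
# Fields that name people, machines or the organisation; the rest is harmless.
STRIP = {"creator", "last_modified_by", "company", "template"}


def _tag(qualified: str) -> str:
    prefix, local = qualified.split(":")
    return "{%s}%s" % (NS[prefix], local)


def extract_metadata(docx: bytes) -> Dict[str, str]:
    """What Metagoofil-style harvesting sees in one document."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as pkg:
        parts = {}
        for field, part, element in FIELDS:
            if part not in parts:
                parts[part] = ET.fromstring(pkg.read(part)) if part in pkg.namelist() else None
            root = parts[part]
            node = root.find(_tag(element)) if root is not None else None
            if node is not None and node.text:
                found[field] = node.text
    return found


def strip_metadata(docx: bytes) -> bytes:
    """Copy the package, removing the STRIP elements; every other part is
    copied byte for byte, so the document body is unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            victims = [_tag(e) for f, p, e in FIELDS if p == info.filename and f in STRIP]
            if victims:
                root = ET.fromstring(data)
                for tag in victims:
                    for node in root.findall(tag):
                        root.remove(node)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


def document_body(docx: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(docx)) as pkg:
        return pkg.read("word/document.xml")


def build_sample_docx() -> bytes:
    """A minimal, constructed .docx carrying the metadata a real one leaks."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" xmlns:xsi="%s">'
        '<dc:title>Q3 budget</dc:title><dc:creator>jdoe</dc:creator>'
        '<cp:lastModifiedBy>TARGET\\asmith</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2009-02-11T09:30:00Z</dcterms:created>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"], NS["dcterms"], NS["xsi"])
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        '<Company>Target Corp</Company><Template>Normal.dotm</Template></Properties>' % NS["ep"]
    )
    document = '<?xml version="1.0" encoding="UTF-8"?><document>body text</document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
        pkg.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", extract_metadata(original))
    print("after: ", extract_metadata(strip_metadata(original)))
```

For an upload handler the same strip_metadata call runs before the file is stored; the check that it worked is simply extract_metadata on the result. Comments and tracked changes (the Revisionist's material) live in other parts of the package and need their own cleaning pass.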