1 A fresh new look into Information Gathering Christian Martorella IV OWASP MEETING SPAIN
2 Who am I? Christian Martorella. Audit Manager, S21sec. CISSP, CISA, CISM, OPST, OPSA. OWASP WebSlayer Project Leader. OISSG, Board of Directors. FIST Conference, President. Edge-Security.com
3 Information Gathering Denotes the collection of information before the attack. The idea is to collect as much information as possible about the target which may be valuable later.
4 OSINT: Open Source INTelligence Is an information processing discipline that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.
5 Penetration test anatomy: Information gathering; Discovery / fingerprinting; Vulnerability analysis; Exploitation; Reporting
6 Types of I.G: Passive (information is taken from third parties such as search engines or key servers; no traffic reaches the target) and Active (the target's own systems are queried, e.g. its DNS or mail servers, so the activity can be logged)
7 I.G - Types of information: domain, subdomain/host names (e.g. dev.target.com); user names / accounts (e.g. jdoe); person names (e.g. John Doe)
8 I.G - what for? Infrastructure: information for discovering new targets, a description of the hosts (NS, MX, AS, etc.), shared resources. People and organizations: brute force attacks on available services, spear phishing, social engineering, investigations, analysis, background checks, information leaks.
9 How can we obtain this kind of info?
10 Obtaining host and domain info - Classic: Zone transfer (active); Whois (passive); Reverse lookup (active); Brute force (active++); Mail headers (active); SMTP (active++)
11 Zone transfer - DIG request: dig @nameserver weak.dns -t AXFR, where weak.dns is the zone to transfer and nameserver one of its NS records. The tester asks the target's DNS server for the whole zone; it only succeeds if the server allows AXFR from arbitrary clients, which a correctly configured server does not.
12 DNS brute force. Domain: target.com. The tester asks the DNS server for each candidate name from a dictionary (afrodita, hermes, matrix, neo, ...). Names with a record (afrodita.target.com has an A record) are kept; names the server does not know (hermes, matrix) are discarded. Discovered hosts: afrodita, neo
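The brute force on this slide as an added example (not code from the talk or from Subdomainer). The resolver is passed in, so the constructed fake zone below reproduces the slide offline, while system_resolver() would send real queries to the target. It also handles a case the slide does not mention: a wildcard record that makes every guess resolve.

```python
"""DNS brute force with wildcard detection (added example, not the talk's code)."""
import random
import socket
import string
from typing import Callable, Dict, Iterable, Optional, Set

Resolver = Callable[[str], Optional[str]]  # fqdn -> address, or None for NXDOMAIN


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS stub resolver. Every call is a query the target can log."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Return the address(es) a wildcard record answers with (empty set: no wildcard).

    If a random label nobody would have registered resolves, every guess will
    "succeed" and the brute force result is noise unless those answers are filtered.
    """
    answers: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        addr = resolve(f"{label}.{domain}")
        if addr is None:
            return set()
        answers.add(addr)
    return answers


def brute_force(domain: str, wordlist: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Try every word as a label under domain; keep names resolving to a non-wildcard address.

    Caveat: a real host that happens to share the wildcard address is dropped as well.
    """
    wildcard = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for word in wordlist:
        fqdn = f"{word.strip().lower()}.{domain}"
        addr = resolve(fqdn)
        if addr is not None and addr not in wildcard:
            found[fqdn] = addr
    return found


# Constructed fake zone for target.com, mirroring the slide: afrodita and neo exist,
# hermes and matrix do not. Addresses are made up.
SAMPLE_ZONE = {"afrodita.target.com": "10.0.0.5", "neo.target.com": "10.0.0.6"}
SAMPLE_WORDLIST = ["afrodita", "hermes", "matrix", "neo"]


def fake_resolver(zone: Dict[str, str], wildcard_addr: Optional[str] = None) -> Resolver:
    """Offline stand-in for the DNS server; optionally behaves like a wildcard zone."""
    def resolve(name: str) -> Optional[str]:
        if name in zone:
            return zone[name]
        if wildcard_addr and name.endswith(".target.com"):
            return wildcard_addr
        return None
    return resolve


if __name__ == "__main__":
    for label, resolver in (("plain zone", fake_resolver(SAMPLE_ZONE)),
                            ("wildcard zone", fake_resolver(SAMPLE_ZONE, "10.0.0.99"))):
        print(label, brute_force("target.com", SAMPLE_WORDLIST, resolver))
```

Against a live zone, replace the fake resolver with system_resolver; the wildcard probe is the first thing to run, since a zone with *.target.com otherwise returns the whole dictionary as "discovered".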
13 Mail headers: the Received: headers of a reply or bounce from the target list every hop the message passed through, with host names, IP addresses and the mail server software of each.
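Added example, not from the talk: parsing the Received: chain of a message for host names, internal addresses and server software. The message is constructed (hosts, addresses and software strings are made up); the from/by/with clauses it parses are the Received: syntax of RFC 5321.

```python
"""Pull host names, addresses and mail software out of Received: headers (added example)."""
import email
import ipaddress
import re
from typing import Any, Dict, List, Optional

# Constructed sample; headers are folded over several lines as real ones are.
# Each hop prepends its Received: header, so the first one is the last hop.
SAMPLE_MESSAGE = """\
Received: from mail.target.com (mail.target.com [203.0.113.10])
    by mx.example.net (Postfix) with ESMTP id 4FAB2;
    Mon, 1 Jun 2009 10:00:00 +0200
Received: from srvexch01.corp.target.local ([10.1.2.3]) by mail.target.com
    with Microsoft SMTPSVC(6.0.3790.3959); Mon, 1 Jun 2009 09:59:58 +0200
Received: from JDOE-PC (192.168.5.20) by srvexch01.corp.target.local (10.1.2.3)
    with Microsoft SMTP Server id 8.1.336.0; Mon, 1 Jun 2009 09:59:57 +0200
From: John Doe <jdoe@target.com>
To: someone@example.net
Subject: Re: meeting

body
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_IPV4_CANDIDATE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def _ipv4s(text: str) -> List[str]:
    """IPv4 literals only: the regex also matches version strings such as 8.1.336.0,
    so every candidate is validated with ipaddress before it is kept."""
    out = []
    for cand in _IPV4_CANDIDATE.findall(text):
        try:
            ipaddress.IPv4Address(cand)
        except ValueError:
            continue
        out.append(cand)
    return out


def parse_received(value: str) -> Dict[str, Any]:
    """Split one Received: header into its from/by/with clauses and the IPs it mentions."""
    value = " ".join(value.split())  # unfold

    def clause(pattern: str) -> Optional[str]:
        m = re.search(pattern, value)
        return m.group(1) if m else None

    return {
        "from": clause(r"\bfrom\s+(\S+)"),
        "by": clause(r"\bby\s+(\S+)"),
        "with": clause(r"\bwith\s+(.+?)(?:\s+id\s|;|$)"),
        "ips": _ipv4s(value),
    }


def extract_infrastructure(raw_message: str) -> Dict[str, Any]:
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hosts, internal, software = set(), set(), set()
    for hop in hops:
        hosts.update(h for h in (hop["from"], hop["by"]) if h)
        internal.update(ip for ip in hop["ips"] if is_rfc1918(ip))
        if hop["with"]:
            software.add(hop["with"])
    return {"hops": hops, "hosts": hosts, "internal_ips": internal, "software": software}


if __name__ == "__main__":
    result = extract_infrastructure(SAMPLE_MESSAGE)
    for key in ("hosts", "internal_ips", "software"):
        print(key, sorted(result[key]))
```

The private addresses and the .local host name come from hops inside the target's network; only the first hop the outside world can see (mail.target.com) would show up in a port scan.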
14 Obtaining user info - Classic: Search engines (passive); Web pages (active)
15 New sources for I.G...
16 Obtaining host and domain info - New sources: Search engines (passive); Public PGP key servers (passive); serversniff.net and others (passive)
17 Obtaining host and domains - Search engines: passive subdomain discovery (the subdomains are read from the search engine's index, without sending anything to the target)
18 Obtaining host and domain info - PGP key servers. The PGP public key servers are only intended to help users exchange public keys, but they can be searched by domain (search=domain), and the user IDs on the keys returned give e-mail addresses, and therefore user names and host names, at that domain.
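Added example (not Subdomainer's or the talk's code) of the search=domain query and of harvesting its result for both the host slide here and the user slide later. The index format is the machine-readable listing (op=index&options=mr) of the HKP draft; the listing, key IDs, names and addresses below are constructed, and the key server name in the usage line is a placeholder.

```python
"""Harvest addresses, people and host names from a PGP key server index (added example)."""
import urllib.parse
import urllib.request
from email.utils import parseaddr
from typing import Dict, List, Set

# Constructed HKP machine-readable index: info/pub/uid lines, uid strings URL-escaped,
# flags column 'r' = revoked. Key IDs and people are made up.
SAMPLE_INDEX = """\
info:1:3
pub:1A2B3C4D5E6F7A8B:1:2048:1230768000::
uid:John%20Doe%20%3Cjdoe%40target.com%3E:1230768000::
uid:John%20Doe%20%3Cjohn.doe%40mail.target.com%3E:1230768000::
pub:0F1E2D3C4B5A6978:17:1024:1199145600:1514678400:r
uid:Alice%20Example%20%3Calice%40target.com%3E:1199145600::r
pub:ABCDEF0123456789:1:4096:1262304000::
uid:Mallory%20%3Cmallory%40nottarget.com%3E:1262304000::
"""


def hkp_index_url(keyserver: str, search: str) -> str:
    return f"http://{keyserver}/pks/lookup?" + urllib.parse.urlencode(
        {"op": "index", "options": "mr", "search": search})


def fetch_index(keyserver: str, search: str, timeout: float = 10) -> str:
    """Live query (network, but only to the key server, never to the target)."""
    with urllib.request.urlopen(hkp_index_url(keyserver, search), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_index(text: str) -> List[Dict[str, object]]:
    """Group uid: lines under the pub: line they belong to."""
    keys: List[Dict[str, object]] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            keys.append({"keyid": fields[1], "revoked": "r" in fields[6], "uids": []})
        elif fields[0] == "uid" and keys:
            keys[-1]["uids"].append(urllib.parse.unquote(fields[1]))
    return keys


def in_domain(address: str, domain: str) -> bool:
    """Exact domain or a subdomain of it; 'nottarget.com' must not match 'target.com',
    even though a plain substring search on the key server returns it."""
    host = address.rsplit("@", 1)[-1].lower()
    return host == domain or host.endswith("." + domain)


def harvest(text: str, domain: str) -> Dict[str, Set[str]]:
    out: Dict[str, Set[str]] = {"emails": set(), "names": set(), "hosts": set(), "revoked_keys": set()}
    for key in parse_index(text):
        for uid in key["uids"]:
            name, addr = parseaddr(uid)
            if "@" not in addr or not in_domain(addr, domain):
                continue
            out["emails"].add(addr.lower())
            out["hosts"].add(addr.rsplit("@", 1)[1].lower())
            if name:
                out["names"].add(name)
            if key["revoked"]:
                out["revoked_keys"].add(key["keyid"])  # the address is still real; the key is not current
    return out


if __name__ == "__main__":
    # Live use would be: harvest(fetch_index("keyserver.example", "target.com"), "target.com")
    for k, v in harvest(SAMPLE_INDEX, "target.com").items():
        print(k, sorted(v))
```

The same listing yields both things the talk wants from key servers: host names (mail.target.com appears only as the domain part of an address) and user names for the profiling step.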
19 Obtaining host and domain info - subdomains
20 Obtaining host and domains - Subdomainer (demo)
21 Obtaining host and domains - Subdomainer. Once we have some host names, we can improve our dictionary using Google Sets (which expands a few example names into related terms) and then try a brute force attack on the DNS.
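Added example (not from the talk) of growing the dictionary from what has already been found. Google Sets, the semantic expansion the slide refers to (afrodita to other Greek gods, neo to other Matrix characters), needs the live service; this block does the pattern-based part that can run offline. The environment labels and the number of extra sequence members are assumptions.

```python
"""Grow a DNS brute-force dictionary from names already discovered (added example)."""
import re
from typing import Iterable, List

ENVIRONMENTS = ("dev", "test", "staging", "old", "new", "backup")  # assumed common labels


def expand_name(name: str, extra_numbers: int = 5) -> List[str]:
    """Variants of one host name: environment prefixes/suffixes and numbered sequences."""
    name = name.lower()
    variants = [name]
    for env in ENVIRONMENTS:
        variants += [f"{env}-{name}", f"{env}{name}", f"{name}-{env}", f"{name}{env}"]
    m = re.fullmatch(r"(.*?\D)(\d+)", name)  # web01 -> stem 'web', number '01'
    if m:
        stem, num = m.groups()
        variants.append(stem)
        for i in range(1, int(num) + extra_numbers + 1):
            variants.append(f"{stem}{i:0{len(num)}d}")  # keep the original zero padding
    return variants


def expand_dictionary(discovered: Iterable[str], base_words: Iterable[str] = ()) -> List[str]:
    """Deduplicated, ordered dictionary: base words first, then expansions of what was found."""
    seen = set()
    ordered: List[str] = []
    for word in list(base_words) + [v for n in discovered for v in expand_name(n)]:
        if word not in seen:
            seen.add(word)
            ordered.append(word)
    return ordered


if __name__ == "__main__":
    words = expand_dictionary(["afrodita", "neo", "web01"], base_words=["www", "mail"])
    print(len(words), words[:12])
```

The result feeds the brute force directly; discovered names should be fed back in after each round, since every new hit suggests new patterns.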
22 Obtaining host and Domains Subdomainer
23 WikiScanner: maps company IP ranges to anonymous Wikipedia edits, showing which edits came from interesting organizations
24 WikiScanner - IP ranges
25 WikiScanner - Wikipedia edits
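The matching WikiScanner does, as an added example (not WikiScanner's own code): anonymous edits are attributed to an organization by longest-prefix match of the editing IP against known ranges. The ranges and the edit log below are constructed; in practice the ranges come from whois/RIR data and the edits from Wikipedia's revision history.

```python
"""Attribute anonymous edits to organizations by IP range, WikiScanner-style (added example)."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed: organization -> CIDR blocks. 198.51.100.0/25 is nested inside a wider block
# belonging to its ISP, to show why the most specific prefix has to win.
COMPANY_RANGES = {
    "Target Corp": ["203.0.113.0/24", "198.51.100.0/25"],
    "Example ISP": ["198.51.100.0/24"],
}

# Constructed anonymous revisions: (ip, article, edit summary)
ANONYMOUS_EDITS = [
    ("203.0.113.45", "Target Corp", "removed 'criticism' section"),
    ("198.51.100.7", "Target Corp CEO", "reworded lawsuit paragraph"),
    ("198.51.100.200", "Cats", "fixed typo"),
    ("192.0.2.9", "Target Corp", "added citation"),
]

Edit = Tuple[str, str, str]


def build_index(ranges: Dict[str, Iterable[str]]) -> List[Tuple[object, str]]:
    """Most specific prefix first, so a customer block beats its ISP's aggregate."""
    index = [(ipaddress.ip_network(cidr, strict=False), org)
             for org, cidrs in ranges.items() for cidr in cidrs]
    return sorted(index, key=lambda entry: entry[0].prefixlen, reverse=True)


def attribute(ip: str, index: List[Tuple[object, str]]) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, org in index:
        if addr in net:
            return org
    return None


def edits_by_organization(edits: Iterable[Edit], index) -> Dict[str, List[Edit]]:
    """Group edits under the organization owning the source address; unknown IPs are dropped."""
    result: Dict[str, List[Edit]] = defaultdict(list)
    for ip, article, summary in edits:
        org = attribute(ip, index)
        if org:
            result[org].append((ip, article, summary))
    return dict(result)


if __name__ == "__main__":
    grouped = edits_by_organization(ANONYMOUS_EDITS, build_index(COMPANY_RANGES))
    for org, rows in grouped.items():
        print(org)
        for row in rows:
            print("   ", row)
```

An edit to the article about the organization itself, from the organization's own range, is the pattern WikiScanner made famous; the ISP's aggregate block is kept separate so that its other customers are not attributed to the company.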
26 Obtaining user info - New sources: PGP key servers (passive); Social networks (passive); Metadata (passive)
27 Obtaining user info - New sources Social networks LinkedIn is an online network of more than 15 million experienced professionals from around the world, representing 150 industries.
28 Obtaining user info - New sources: current job, past jobs, education, job description, etc.
34 Obtaining more data - New sources. Metadata is data about data; it is used to facilitate the understanding, use and management of data.
35 Obtaining more data - New sources - Metadata Provides basic information such as the author of a work, the date of creation, links to any related works, etc.
36 Metadata - Dublin Core (schema). Content (about the resource): Title, Subject, Description, Type, Relation, Coverage. Intellectual property: Author or Creator, Publisher, Contributor, Rights. Electronic or physical manifestation: Date, Format, Language, Identifier.
52 Metagoofil & LinkedIn results. Now we have a lot of information, what can I do? User profiling; spear phishing / social engineering; client-side attacks
53 Using results - User profiling: dictionary creation. From John Doe: john.doe, jdoe, j.doe, johndoe, johnd, john.d, jd, doe, john. ATTACK!
54 Metadata - The Revisionist. Tool developed by Michal Zalewski; it extracts comments and tracked changes from Word documents.
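One added example for the metadata slides and for this one (it is neither Metagoofil's nor The Revisionist's code): a .docx is a zip of XML parts, and the Dublin Core properties of the previous slides sit in docProps/core.xml as dc:creator, dc:title and so on, while comments and tracked deletions sit in word/comments.xml and word/document.xml. The document is built in memory from minimal constructed parts (not a complete Word package, and all names and text in it are made up), so the block runs offline; strip() is the "clean your files before distribution" advice of the conclusions applied to the same package.

```python
"""Read, then strip, hidden information from a .docx (added example, not any tool's code)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Any, Callable, Dict

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",  # Dublin Core, as on the schema slide
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep prefixes stable when XML is written back
W = "{%s}" % NS["w"]

# Constructed parts: only what the parser needs, values made up.
CORE_XML = ('<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
            'xmlns:xsi="%(xsi)s"><dc:title>Q3 network plan</dc:title><dc:creator>jdoe</dc:creator>'
            '<cp:lastModifiedBy>Jane Roe</cp:lastModifiedBy><dcterms:created xsi:type="dcterms:W3CDTF">'
            '2009-05-20T09:12:00Z</dcterms:created></cp:coreProperties>' % NS)
APP_XML = ('<Properties xmlns="%(ep)s"><Application>Microsoft Office Word</Application>'
           '<AppVersion>12.0000</AppVersion><Company>Target Corp</Company></Properties>' % NS)
DOCUMENT_XML = ('<w:document xmlns:w="%(w)s"><w:body><w:p><w:r><w:t>Servers: web01</w:t></w:r>'
                '<w:del w:id="1" w:author="jdoe"><w:r><w:delText>, admin password Summer2009'
                '</w:delText></w:r></w:del></w:p></w:body></w:document>' % NS)
COMMENTS_XML = ('<w:comments xmlns:w="%(w)s"><w:comment w:id="0" w:author="Jane Roe"><w:p><w:r>'
                '<w:t>remove before sending, mentions vpn.corp.target.local</w:t></w:r></w:p>'
                '</w:comment></w:comments>' % NS)


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/comments.xml", COMMENTS_XML)
    return buf.getvalue()


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def _texts(element, tag: str) -> str:
    return "".join(t.text or "" for t in element.iter(W + tag))


def extract(docx: bytes) -> Dict[str, Any]:
    """Metadata (Dublin Core + application), comments with author, and deleted tracked text."""
    info: Dict[str, Any] = {"core": {}, "app": {}, "comments": [], "deleted": []}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        parts = set(z.namelist())
        for part, key in (("docProps/core.xml", "core"), ("docProps/app.xml", "app")):
            if part in parts:
                for el in ET.fromstring(z.read(part)):  # flat list of property elements
                    if el.text and el.text.strip():
                        info[key][_local(el.tag)] = el.text.strip()
        if "word/comments.xml" in parts:
            for c in ET.fromstring(z.read("word/comments.xml")).iter(W + "comment"):
                info["comments"].append((c.get(W + "author"), _texts(c, "t")))
        if "word/document.xml" in parts:
            for d in ET.fromstring(z.read("word/document.xml")).iter(W + "del"):
                info["deleted"].append((d.get(W + "author"), _texts(d, "delText")))
    return info


def _blank(root, names):
    for el in root:
        if _local(el.tag) in names:
            el.text = ""


def _drop(root, tag):
    """Remove every <tag>; dropping w:del accepts the deletion instead of keeping its text."""
    for parent in [p for p in root.iter() if any(c.tag == tag for c in p)]:
        for child in [c for c in parent if c.tag == tag]:
            parent.remove(child)


STRIP_EDITS: Dict[str, Callable] = {
    "docProps/core.xml": lambda r: _blank(r, {"creator", "lastModifiedBy"}),
    "docProps/app.xml": lambda r: _blank(r, {"Company"}),
    "word/comments.xml": lambda r: _drop(r, W + "comment"),
    "word/document.xml": lambda r: _drop(r, W + "del"),
}


def strip(docx: bytes) -> bytes:
    """Clean before distribution: same package, identifying parts blanked or removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in STRIP_EDITS:
                root = ET.fromstring(data)
                STRIP_EDITS[name](root)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract(doc))
    print("after: ", extract(strip(doc)))
```

The deleted tracked text and the comment are exactly what The Revisionist recovers; the creator, last-modified-by and Company fields are what Metagoofil turns into user names. Note that strip() only handles these four parts; a real document can also carry authors in styles, revision identifiers, embedded images with their own metadata and custom properties, which is why the conclusions recommend cleaning on the server if the metadata is not needed at all.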
55 Target information: account. Google Finance, Reuters, pipl.com, Usercheck.com
56 Google Finance & Reuters
57 Searching for a target
59 Using results - Password profiling: dictionary creation from words found on the user's different sites (magic, serra angel, necropotence, Shivan dragon, elf, brainstorm). Brute force ATTACK
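Added example (not from the talk's tools) covering both dictionary slides: the user-name patterns are the nine from the "User profiling" slide, and the profile words are the ones on this slide. The password mangling rules, suffix list and minimum length are assumptions a tester would tune to the target's password policy.

```python
"""User-name and password dictionaries from profiling data (added example)."""
from typing import Iterable, List, Sequence


def _unique(items: Iterable[str]) -> List[str]:
    seen, out = set(), []
    for item in items:
        if item and item not in seen:
            seen.add(item)
            out.append(item)
    return out


def username_candidates(full_name: str) -> List[str]:
    """John Doe -> john.doe, jdoe, j.doe, johndoe, johnd, john.d, jd, doe, john (the slide's list)."""
    parts = full_name.lower().split()
    if len(parts) < 2:
        return parts
    first, last = parts[0], parts[-1]  # middle names are ignored
    fi, li = first[0], last[0]
    return _unique([f"{first}.{last}", f"{fi}{last}", f"{fi}.{last}", f"{first}{last}",
                    f"{first}{li}", f"{first}.{li}", f"{fi}{li}", last, first])


def password_candidates(words: Iterable[str],
                        suffixes: Sequence[str] = ("", "1", "123", "2009", "!"),
                        min_length: int = 6) -> List[str]:
    """Mangle profile words (hobbies, card names, pets...) into password guesses.

    Multi-word phrases are joined; four casings times the suffix list; anything shorter
    than min_length is dropped because a password policy would have rejected it anyway.
    """
    bases = []
    for phrase in words:
        tokens = phrase.split()
        joined = "".join(tokens).lower()
        bases += [joined, joined.capitalize(), "".join(t.capitalize() for t in tokens), joined.upper()]
    return [c for c in _unique(b + s for b in _unique(bases) for s in suffixes) if len(c) >= min_length]


PROFILE_WORDS = ["magic", "serra angel", "necropotence", "Shivan dragon", "elf", "brainstorm"]  # from the slide

if __name__ == "__main__":
    print(username_candidates("John Doe"))
    pw = password_candidates(PROFILE_WORDS)
    print(len(pw), pw[:10])
```

Against a service with lockout, the product of user names and passwords is the number of attempts: keep both lists short and ordered by likelihood rather than exhaustive.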
60 There are more ways to get info
61 Facebook: "Phone in sick and treat himself to a day in bed." Kyle Doyle's Facebook profile made it quite obvious he was not off work for a 'valid medical reason'.
62 All together - Maltego Maltego is the only professional Information Gathering tool. Information is power Information is Maltego
65 Conclusions: Clean your files before distribution. Web applications should clean uploaded files (if the metadata is not needed). Web applications should try to present information in a way that is not easily parsed :/ Be careful what you post/send.
If you don't want me to know your name, why do you wear your ID card on your forehead? Christian Martorella, CISSP, CISA