Training about FOCA 2.5.5 delivered by Chema Alonso (Informatica 64). Learn about FOCA PRO 2.5.5

1. FOCA 2.5.5 Chema Alonso

2. What’s a FOCA?

3. FOCA on Linux?

4. FOCA + Wine

5. Previously on FOCA….

6. FOCA 0.X

7. A documentis Whatyousee… And whatyoudon´t Templatepaths Usersworked in it. Departments. File & Printing Servers VersionHistory Embedded files …

8. What kind of data can be found? Metadata: Information stored to give information about the document. For example: Creator, Organization, etc.. Hidden information: Information internally stored by programs and not editable. For example: Template paths, Printers, db structure, etc… Lost data: Information which is in documents due to human mistakes or negligence, because it was not intended to be there. For example: Links to internal servers, data hidden by format, etc…

9. Metadata Metadata Lifecycle Wrongmanagement Badformatconversion Unsecureoptions Wrongmanagement Badformatconversion Unsecureoptions New apps orprogram versions Searchengines Spiders Databases Embedded files Hiddeninfo Lost Data Embedded files

10. MetadataRisks “Secret” relationships Government & companies Companies & providers Piracy discovery Reputation Social engineering attacks Targeting Malware

11. 2003 – MS Word bytes Tony Blair

12. Targeting Malware

13. Targeting Malware

14. Electing the entry point

15. Why you should be using FS

16. Linux installation guide

17. Social Engineering Attack

18. Metadatacreatedby Google

19. Lost Data

20. Lost data everywhere

21. Metadata in SearchEngines

22. Pictureswith GPS info.. EXIFREADER http://www.takenet.or.jp/~ryuuji/

23. Even Videos withusers… http://video.techrepublic.com.com/2422-14075_11-207247.html

24. And of course, printedtxt

25. OLE Streams In MS Office binaryformat files Storeinformationaboutthe OS Are notcleanedwiththese Tools FOCA findsthisinfo

27. Open Office documents.

28. MS Office documents.

29. PDF Documents.

30. XMP.

31. EPS Documents.

32. Graphic documents.

33. EXIFF.

34. XMP.

36. Creators.

37. Modifiers .

38. Users in paths.

39. C:ocuments and settingsfooyfile

40. /home/johnnyf

41. Operating systems.

42. Printers.

43. Local and remote.

44. Paths.

45. Local and remote.

46. Network info.

47. Shared Printers.

48. Shared Folders.

49. ACLS.

50. Internal Servers.

51. NetBIOS Name.

52. Domain Name.

53. IP Address.

54. Database structures.

55. Table names.

56. Colum names.

57. Devices info.

58. Mobiles.

59. Photo cameras.

60. Private Info.

61. Personal data.

62. History of use.

64. Sample: FBI.gov Total: 4841 files

65. Are theycleaned?

67. Search for documents in Google and Bing

68. Automatic file downloading

69. Capable of extracting Metadata, hidden info and lost data

70. Cluster information

72. AlternativeDomains

73. AlternativeDomains

74. Sample: Printer info found in odf files returned by Google

75. Types of Engineers

76. DNS Prediction

77. Google Sets Prediction

78. IP Scanning

79. Manually-added Data

81. Demo: Mda.mil

83. Recursivealgorithm

84. InformationGathering

85. SwRecognition

86. DNS Cache Snooping

88. DNS Search Panel

89. Búsqueda de URLS en buscadores

90. DNS Search & Zone Transfer IP resolution Well-Known records NS TXT (SPF) MX Zone Transfer Diccionarysearch

91. Bing IP

92. PTR Scannig

93. Network DiscoveryAlgorithm http://apple1.sub.domain.com/~chema/dir/fil.doc http -> Web server GET Banner HTTP domain.com is a domain Search NS, MX, SPF records for domain.com sub.domain.com is a subdomain Search NS, MX, SPF records for sub.domain.com Try allthe non verified servers onall new domains server01.domain.com server01.sub.domain.com Apple1.sub.domain.com is a hostname Try DNS Prediction (apple1) onalldomains Try Google Sets(apple1) onalldomains

94. Network DiscoveryAlgorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 11) Resolve IP Address 12) GetCertificate in https://IP 13) Searchfordomainnames in it 14) Get HTTP Banner of http://IP 15) Use Bing Ip:IPtofindalldomainssharingit 16) Repeatforevery new domain 17) Connecttotheinternal NS (1 orall) 18) Perform a PTR Scansearchingforinternal servers 19) Forevery new IP discovered try Bing IP recursively 20) ~chema-> chemaisprobably a user

95. Network DiscoveryAlgorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 21) / , /~chema/ and /~chema/dir/ are paths 22) Try directorylisting in allthepaths 23) Searchfor PUT, DELETE, TRACE methods in everypath 24) Fingerprint software from 404 error messages 25) Fingerprint software fromapplication error messages 26) Try commonnamesonalldomains (dictionary) 27) Try Zone Transfer onall NS 28) Searchforany URL indexedby web enginesrelatedtothehostname 29) Downloadthe file 30) Extractthemetadata, hiddeninfo and lost data 31) Sortallthisinformationand presentitnicely 32) Forevery new IP/URL startoveragain

97. How Foca found a data

98. Role Oriented View

99. Demo: fbi.gov whitehouse.gov

100. CustomizableSearch

101. FOCA + Spidering

102. FOCA + Spidering

103. Demo : Foca + Spidering

104. Internal PTR Scanningusing FOCA

105. Internal PTR Scanning

106. FingerprintingOptions 404 NotFoundmessages Domainnames and software Aspx Error Messages HTTP Banner Hostname IP Addres SMTP Banner Digital Certificates Shodan

107. Digital Certificates

108. FOCA 2.5 & Shodan

109. FOCA 2.5 URL Analysis

110. Unsecure Http Methods

111. Search & Upload

112. Searchingfor Server-Side Technologies

113. PlayingwithURLs

114. DNS Cache Snooping

115. DNS Cache Snooping

116. DNS Cache Snooping Internal Software Windows Update Gtalk Evilgrade Detecting vulnerable software toEvilgradeattacks AV evassion Detectinginternal AV systems Malware drivenby URL Hacking a web siteussuallyvisitedbyinternalusers

117. Demo: DNS Cache Snooping

118. Log filter

119. FOCA Reporting Module

120. FOCA Reporting Module

121. Demo: Log & Reporting

122. FearThe FOCA

123. FOCA Online http://www.informatica64.com/FOCA

125. IIS MetaShield Protector http://www.metashieldprotector.com

127. chema@informatica64.com

128. http://www.informatica64.com

129. http://www.elladodelmal.com

130. http://twitter.com/chemaalonso

131. http://www.forefront-es.com

132. http://www.seguridadapple.com

133. http://www.windowstecnico.com

134. http://www.puntocompartido.com

135. Workingon FOCA:

136. Chema Alonso

137. Alejandro Martín

138. Francisco Oca

139. Manuel Fernández «The Sur»

140. Daniel Romero

141. Enrique Rando

142. Pedro Laguna

143. SpecialThanksto: John Matherly [Shodan]