2. Tactical
Information Gathering
Christian Martorella
Source Conference Barcelona 2009
3. Who am I?
Christian Martorella
Security Services S21sec
CISSP, CISA, CISM, OPST, OPSA, C|EH
OWASP WebSlayer Project Leader
Edge-Security.com
4. Information Gathering
"Information gathering is the collection of information before the attack.
The idea is to collect as much information as possible about the target,
which may be valuable later."
6. I.G. - Why use it?
It is what the real attackers are doing
Attackers don't have a restricted scope
Knowing what information about you or your company is available online
Spear phishing: 15,000 infected users as the result of 66 campaigns
7. I.G. - What for?
Infrastructure:
Information for discovering new targets, to get a description of the hosts
(NS, MX, AS, etc.), shared resources, applications, software, etc.
People and organizations:
For performing brute force attacks on available services, spear phishing,
social engineering, investigations, background checks, information leaks
14. Obtaining info - Old School way
Active:
  DNS Zone Transfer (active)
  DNS Reverse Lookup (active)
  DNS BruteForce (active++)
  Mail headers (active)
  SMTP Bruteforcing (active++)
Passive:
  Search engines
  PGP Key Servers
  Whois
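Two of the active techniques on this slide, DNS brute force and reverse lookup, as an added example (this is not code from the talk or from the speaker's tools). It is plain Python using only the standard library; the resolver is injectable, so the demo runs offline against a constructed zone under the reserved example.test domain (FAKE_ZONE, FAKE_WILDCARD_IP and the fake_* resolvers are made up for this example). The check a practitioner wants here is the wildcard probe: a zone with a *.example.test record answers every guess, and without first resolving random labels the brute force would report every word in the list as a hit.

```python
import ipaddress
import secrets
import socket


def resolve_a(name):
    """Forward lookup over the network; returns an IPv4 string or None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def resolve_ptr(ip):
    """Reverse lookup over the network; returns the PTR name or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def ptr_name(ip):
    """The name actually queried in a reverse lookup, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def detect_wildcard(domain, resolve=resolve_a, probes=2):
    """Resolve random labels that cannot exist. Any answer means the zone has a
    wildcard record; those addresses must be discounted during brute force."""
    hits = {resolve(f"{secrets.token_hex(6)}.{domain}") for _ in range(probes)}
    hits.discard(None)
    return hits


def dns_bruteforce(domain, words, resolve=resolve_a):
    """Try each word as a label under `domain`; drop hits that only match the wildcard."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found = {}
    for word in words:
        host = f"{word}.{domain}"
        ip = resolve(host)
        if ip and ip not in wildcard_ips:
            found[host] = ip
    return found, wildcard_ips


def reverse_sweep(cidr, resolve=resolve_ptr):
    """PTR lookup for every host address in a range; the names reveal hosts a
    forward wordlist would never have guessed."""
    found = {}
    for ip in ipaddress.ip_network(cidr, strict=False).hosts():
        name = resolve(str(ip))
        if name:
            found[str(ip)] = name
    return found


# ---- constructed zone for the offline demo (example.test is a reserved TLD) ----
FAKE_ZONE = {"www.example.test": "192.0.2.10", "mail.example.test": "192.0.2.20",
             "vpn.example.test": "192.0.2.30"}
FAKE_WILDCARD_IP = "192.0.2.99"          # what *.example.test answers with
FAKE_PTR = {ip: name for name, ip in FAKE_ZONE.items()}


def fake_resolve_a(name):
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return FAKE_WILDCARD_IP if name.endswith(".example.test") else None


def fake_resolve_ptr(ip):
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    words = ["www", "mail", "vpn", "dev", "intranet", "ftp"]
    print(dns_bruteforce("example.test", words, fake_resolve_a))
    print(reverse_sweep("192.0.2.0/28", fake_resolve_ptr))
```

Swap the fake resolvers for the default ones to run it for real; the brute force is then as noisy as the slide's "active++" label suggests, since every word is a query the target's name servers log.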
17. Obtaining - New sources
Web 2.0 - Social networks and search engines (passive)
Metadata (passive)
Private data (passive, paid): Intelius, LexisNexis
50. WikiScanner
When you edit Wikipedia:
You can edit logged in, leaving your username
You can edit anonymously, in which case your IP address is recorded
51. WikiScanner
Company IP ranges
Anonymous Wikipedia edits from interesting organizations
Provides an IP for a Wikipedia username
http://wikiscanner.virgil.gr/
54. Poor Man Check User
Provides an IP for a Wikipedia username
56. New sources - Metadata
Metadata is data about data.
It is used to facilitate the understanding, use and management of data.
57. Obtaining more data - Metadata
It provides basic information such as the author of a work, the date of
creation, links to any related works, etc.
58. Metadata - Dublin Core (schema)
Content & about the Resource: Title, Subject, Description, Language, Relation, Coverage
Intellectual Property: Author or Creator, Publisher, Contributor, Rights
Electronic or Physical manifestation: Date, Type, Format, Identifier
61. Metadata - Images
EXIF (Exchangeable Image File Format)
• GPS coordinates
• Time
• Camera type
• Serial number
• Sometimes the unaltered original photo can be found in the embedded thumbnail
Online EXIF viewer.
73. Washington Post
Botmaster location exposed by the Washington Post
SLUG: mag/hacker
DATE: 12/19/2005
PHOTOGRAPHER: Sarah L. Voisin/TWP
id#: LOCATION: Roland, OK
CAPTION:
PICTURED: Canon Canon EOS 20D
Adobe Photoshop CS2 Macintosh 2006:02:16 15:44:49 Sarah L. Voisin
There are only 1,500 males in Roland, Oklahoma
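An added example for the EXIF slide and the Washington Post case above (it is not code from the talk, nor the online viewer the slide mentions): a small EXIF parser in Python, standard library only, that pulls make, model, timestamp, GPS coordinates and the embedded thumbnail out of a JPEG. build_sample_jpeg constructs the input in memory with made-up values (the EOS 20D and the 2006 timestamp mirror the slide; the coordinates are invented), so nothing here comes from a real photo. Every offset is checked against the buffer because EXIF offsets are attacker-controlled, and a parser that trusts them is itself a target. IPTC caption fields such as SLUG and PHOTOGRAPHER live in a separate APP13 segment and are not handled here.

```python
import struct

# TIFF/EXIF field types used here and their per-element sizes
ASCII, SHORT, LONG, RATIONAL = 2, 3, 4, 5
TYPE_SIZE = {1: 1, ASCII: 1, SHORT: 2, LONG: 4, RATIONAL: 8, 7: 1}


def _ifd(entries, base, next_ifd):
    """Serialise one big-endian IFD placed at TIFF offset `base`.
    entries: (tag, type, payload bytes, count). Payloads over 4 bytes go into
    a data area right after the IFD and are referenced by absolute offset."""
    n = len(entries)
    data_off = base + 2 + 12 * n + 4
    table, data = b"", b""
    for tag, typ, payload, count in entries:
        if len(payload) <= 4:                       # value stored inline
            table += struct.pack(">HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:                                       # value stored by offset
            table += struct.pack(">HHII", tag, typ, count, data_off + len(data))
            data += payload
    return struct.pack(">H", n) + table + struct.pack(">I", next_ifd) + data


def build_sample_jpeg():
    """Constructed sample (all values made up): SOI + APP1/Exif segment holding
    make, model, timestamp, a GPS sub-IFD and an IFD1 thumbnail, then EOI."""
    asc = lambda s: (s.encode() + b"\0", len(s) + 1)
    rat = lambda vals: b"".join(struct.pack(">II", n, d) for n, d in vals)
    ifd0_entries = lambda gps_off: [
        (0x010F, ASCII, *asc("Canon")), (0x0110, ASCII, *asc("Canon EOS 20D")),
        (0x0132, ASCII, *asc("2006:02:16 15:44:49")),
        (0x8825, LONG, struct.pack(">I", gps_off), 1)]   # pointer to GPS IFD
    gps_off = 8 + len(_ifd(ifd0_entries(0), 8, 0))       # IFD0 size does not depend on the pointer
    gps = _ifd([(0x0001, ASCII, b"N\0", 2),
                (0x0002, RATIONAL, rat([(35, 1), (25, 1), (1234, 100)]), 3),  # 35 deg 25' 12.34"
                (0x0003, ASCII, b"W\0", 2),
                (0x0004, RATIONAL, rat([(94, 1), (30, 1), (0, 1)]), 3)], gps_off, 0)
    ifd1_off = gps_off + len(gps)
    thumb = b"\xff\xd8THUMBNAIL-STAND-IN\xff\xd9"          # stand-in for a real JPEG thumbnail
    thumb_off = ifd1_off + 2 + 12 * 2 + 4
    ifd1 = _ifd([(0x0201, LONG, struct.pack(">I", thumb_off), 1),
                 (0x0202, LONG, struct.pack(">I", len(thumb)), 1)], ifd1_off, 0)
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8)
            + _ifd(ifd0_entries(gps_off), 8, ifd1_off) + gps + ifd1 + thumb)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _dms_to_decimal(dms, ref):
    if not dms or not ref:
        return None
    deg = sum((n / d) / 60 ** k for k, (n, d) in enumerate(dms) if d)
    return -deg if ref in ("S", "W") else deg


def parse_tiff(t):
    """Parse the TIFF block inside APP1; every file-supplied offset is bounds-checked."""
    end = {b"MM": ">", b"II": "<"}.get(t[:2], ">")
    u16 = lambda o: struct.unpack(end + "H", t[o:o + 2])[0]
    u32 = lambda o: struct.unpack(end + "I", t[o:o + 4])[0]
    if len(t) < 8 or t[:2] not in (b"MM", b"II") or u16(2) != 0x2A:
        raise ValueError("not a TIFF header")

    def read_ifd(off):
        if off + 2 > len(t):
            raise ValueError("IFD offset outside EXIF block")
        n = u16(off)
        if off + 2 + 12 * n + 4 > len(t):
            raise ValueError("IFD runs past end of EXIF block")
        tags = {}
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = u16(e), u16(e + 2), u32(e + 4)
            size = TYPE_SIZE.get(typ, 1) * count
            v = e + 8 if size <= 4 else u32(e + 8)     # inline value or offset
            if v + size > len(t):
                raise ValueError(f"tag {tag:#06x} points outside EXIF block")
            if typ == ASCII:
                tags[tag] = t[v:v + size].rstrip(b"\0").decode("ascii", "replace")
            elif typ in (SHORT, LONG) and count == 1:
                tags[tag] = u16(v) if typ == SHORT else u32(v)
            elif typ == RATIONAL:
                tags[tag] = [(u32(v + 8 * k), u32(v + 8 * k + 4)) for k in range(count)]
            else:
                tags[tag] = t[v:v + size]
        return tags, u32(off + 2 + 12 * n)

    ifd0, ifd1_off = read_ifd(u32(4))
    info = {"make": ifd0.get(0x010F), "model": ifd0.get(0x0110), "datetime": ifd0.get(0x0132)}
    if 0x8825 in ifd0:                                   # GPS sub-IFD
        gps, _ = read_ifd(ifd0[0x8825])
        info["lat"] = _dms_to_decimal(gps.get(0x0002), gps.get(0x0001))
        info["lon"] = _dms_to_decimal(gps.get(0x0004), gps.get(0x0003))
    if ifd1_off:                                         # IFD1 carries the thumbnail
        ifd1, _ = read_ifd(ifd1_off)
        if 0x0201 in ifd1 and 0x0202 in ifd1:
            s, n = ifd1[0x0201], ifd1[0x0202]
            if s + n > len(t):
                raise ValueError("thumbnail outside EXIF block")
            info["thumbnail"] = t[s:s + n]
    return info


def parse_exif(jpeg):
    """Walk JPEG segments until APP1/Exif (or SOS/EOI, after which no metadata follows)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return parse_tiff(jpeg[pos + 10:pos + 2 + length])
        pos += 2 + length
    return {}


if __name__ == "__main__":
    print(parse_exif(build_sample_jpeg()))
```

The thumbnail is the part worth remembering from the slide: editors that crop or blur the main image often rewrite only the primary picture, so the IFD1 thumbnail still shows what was removed.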
75. Metagoofil
Metagoofil is an information gathering tool designed for extracting
metadata from public documents (pdf, doc, xls, ppt, etc.) available on
the target/victim's websites.
93. Metadata - The Revisionist
A tool developed by Michal Zalewski; it extracts comments and "Track
changes" revision history from Word documents.
http://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.doc
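An added example for the Metagoofil and Revisionist slides, written for this page rather than taken from either tool: it extracts the authoring metadata Metagoofil reports (author, last editor, generating application, creation date) from PDF Info dictionaries and OOXML docProps, pulls tracked-deletion text out of a .docx in the spirit of what The Revisionist does for binary .doc files, and aggregates the results into the user-profiling output the next slide asks for. The documents are constructed in memory (make_pdf, make_docx and every name and value in SAMPLE_DOCS are invented); the download step (search-engine queries for the target's files) is left out, and the PDF parsing is deliberately minimal, see the comment.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
      "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}


# ---- constructed sample documents (not files from any real target) ----
def make_pdf(author, creator, producer):
    """Minimal PDF whose Info dictionary carries the usual authoring fields."""
    info = (f"<< /Author ({author}) /Creator ({creator}) /Producer ({producer}) "
            f"/CreationDate (D:20090611120000) >>")
    return b"%PDF-1.4\n1 0 obj " + info.encode() + b" endobj\ntrailer << /Info 1 0 R >>\n%%EOF\n"


def make_docx(creator, last_modified_by, app, visible, deleted):
    """Minimal OOXML .docx: core/app properties plus one tracked deletion (w:del),
    so text the author 'removed' is still inside the file."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{last_modified_by}'
            f'</cp:lastModifiedBy></cp:coreProperties>')
    appx = f'<Properties xmlns="{NS["ep"]}"><Application>{app}</Application></Properties>'
    doc = (f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p><w:r><w:t>{visible}</w:t></w:r>'
           f'<w:del w:author="{last_modified_by}"><w:r><w:delText>{deleted}</w:delText></w:r></w:del>'
           f'</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", appx)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# ---- extraction ----
def pdf_metadata(data):
    """Info-dictionary strings. Only plain literal strings are handled; real files
    also use hex strings, escapes, nested parentheses and XMP: use a PDF library there."""
    out = {}
    for key in ("Author", "Creator", "Producer", "CreationDate"):
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        if m:
            out[key.lower()] = m.group(1).decode("latin-1")
    return out


def docx_metadata(data):
    """Creator, last editor, generating application, and tracked-deletion text."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
        body = ET.fromstring(z.read("word/document.xml"))
    return {"author": core.findtext("dc:creator", namespaces=NS),
            "last_modified_by": core.findtext("cp:lastModifiedBy", namespaces=NS),
            "producer": app.findtext("ep:Application", namespaces=NS),
            "deleted_text": [t.text for t in body.iter(f"{{{NS['w']}}}delText")]}


def username_candidates(full_name):
    """Username formats worth trying for a person found in metadata."""
    parts = full_name.lower().split()
    if len(parts) < 2:
        return set(parts)
    f, l = parts[0], parts[-1]
    return {f + l, f[0] + l, f + "." + l, f + "_" + l, l + f[0]}


def profile(docs):
    """Aggregate (kind, bytes) documents into people, software and leaked text."""
    people, software, leaks = Counter(), Counter(), []
    for kind, data in docs:
        meta = pdf_metadata(data) if kind == "pdf" else docx_metadata(data)
        for k in ("author", "last_modified_by"):
            if meta.get(k):
                people[meta[k]] += 1
        for k in ("creator", "producer"):
            if meta.get(k):
                software[meta[k]] += 1
        leaks.extend(meta.get("deleted_text", []))
    usernames = sorted({u for name in people for u in username_candidates(name)})
    return {"people": dict(people), "software": dict(software),
            "deleted_text": leaks, "usernames": usernames}


SAMPLE_DOCS = [  # constructed for this example
    ("pdf", make_pdf("Jane Roe", "Microsoft Word", "Acrobat Distiller 8.1.0")),
    ("docx", make_docx("Jane Roe", "John Doe", "Microsoft Office Word",
                       "Offer: 1.2M EUR", "Offer: 0.9M EUR")),
    ("pdf", make_pdf("John Doe", "PScript5.dll Version 5.2.2", "Acrobat Distiller 8.1.0")),
]

if __name__ == "__main__":
    import json
    print(json.dumps(profile(SAMPLE_DOCS), indent=2))
```

The "software" counter is what turns metadata into an infrastructure finding: a producer string repeated across a target's documents tells you which office suite and version the desktops run, before a single packet touches them.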
94. Metagoofil & LinkedIn results
Now we have a lot of information, what can I do?
• User profiling
102. Using results
Password profiling
Dictionary creation: words taken from the different sites the user posts on, e.g.
magic
serra angel
necropotence
Shivan dragon
elf
brainstorm
...
-> Brute force attack
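The password-profiling step, as an added example (not code from the talk): build a dictionary from words scraped from a target's pages and expand each one with the mutations users actually apply. SAMPLE_TEXTS is a constructed profile snippet echoing the card names on the slide; the year and suffix lists are assumptions to tune per target. The output is one candidate per line, ready for a brute-force tool.

```python
import re

STOPWORDS = {"the", "and", "for", "are", "with", "this", "that", "from",
             "you", "your", "have", "was", "since", "best", "most"}
LEET = str.maketrans("aeios", "43105")


def base_words(texts, min_len=3):
    """Candidate base words from scraped text: lowercase tokens plus
    capitalised two-word names ('Serra Angel' -> 'serraangel')."""
    words = set()
    for text in texts:
        toks = re.findall(r"[A-Za-z]{%d,}" % min_len, text)
        words.update(t.lower() for t in toks if t.lower() not in STOPWORDS)
        words.update(a.lower() + b.lower()
                     for a, b in re.findall(r"\b([A-Z][a-z]+) ([A-Z][a-z]+)\b", text))
    return words


def mutate(word, years=(2008, 2009), suffixes=("1", "123", "!")):
    """Common user mutations of one base word: case, leet, digits, years."""
    forms = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    out = set(forms)
    for f in forms:
        out.update(f + s for s in suffixes)
        for y in years:
            out.update((f + str(y), f + str(y)[2:]))
    return out


def build_dictionary(texts, min_len=3, max_len=16):
    """Sorted, de-duplicated candidates within the target's likely length policy."""
    cands = set()
    for w in base_words(texts, min_len):
        cands.update(m for m in mutate(w) if min_len <= len(m) <= max_len)
    return sorted(cands)


SAMPLE_TEXTS = [  # constructed snippets, as if scraped from a target user's profile
    "About me: Magic player since 1995. Favourite cards: Serra Angel, Shivan Dragon, Necropotence.",
    "Elf decks are the best. Brainstorm is the card I play most.",
]

if __name__ == "__main__":
    print("\n".join(build_dictionary(SAMPLE_TEXTS)))
```

Feed the result to the brute-force tool of choice; the length filter exists because a candidate outside the target's password policy is a wasted attempt, and every attempt against a live service is one more lockout risk and one more log line.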
109. Phoned in sick and treated himself to a day in bed.
Kyle Doyle's Facebook profile makes it quite obvious he was not off work
for a 'valid medical reason'
111. Shown the door after posting that her job was 'boring' on her
Facebook page
119. Daily life I.G.
Looking for a housekeeper on Craigslist, three interesting résumés came up:
MySpace page: applicant drinking beer from a funnel
Local police: applicant arrested two years before for shoplifting
Personal blog: saying that she is applying for menial jobs and will quit
as soon as she sells some paintings
120. Final thoughts
Be careful what you post or send: everything stays online
Think twice about what you post
Check the privacy configuration of your tools and sites
There is too much information, and it is difficult to classify
This is growing: more information is being indexed, by more search engines