
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)


This presentation is part of Prisma CSI's Practical White Hat Hacker Training v1

PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com

This document may be shared or quoted, but may not be changed or used for commercial purposes. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.


  1. Practical White Hat Hacker Training #2 Passive Information Gathering (www.prismacsi.com © All Rights Reserved.) This document may be shared or quoted, but may not be changed or used for commercial purposes. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
  2. OSINT
     • Open Source Intelligence (OSINT)
     • No direct communication with the target that could show up as an anomaly in its logs
     • Gather information through internet services
     • Run searches on search engines
     • Analyze developer sites
     • Assemble all the information you obtained
     • Build an overview before active scanning, so that the active phase collects the most accurate data
  3. Scenario
     • We are a group of Zambian hackers.
     • Capital: Lusaka
     • Language: English
     • Let's suppose we are a hacker group for hire.
     • We need to collect information.
     • We need to look at the target from every point of view.
  4. OSINT
     • Let's start by identifying the basics.
     • Find the main site with a Google search
     • Find its IP address by resolving the name (a ping also works, but a ping is a packet sent to the target; a DNS lookup is not)
     • IP range detection
     • IANA
     • The regional registries ARIN, RIPE, APNIC and JPNIC may be used
     • Research the location with IP2Location
  5. IP Range Detection - DEMO ripe.net
  6. IP Range Detection - DEMO All IP ranges registered under the netname; iplocation.com
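A worked example added here (it is not code from the Prisma CSI deck): the `inetnum:` (RIPE style) and `NetRange:` (ARIN style) lines of whois records are turned into CIDR blocks, merged into one scope list, and a discovered host is checked against that scope. The whois excerpts, the netname and the organisation are constructed, and the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import re

# Constructed whois excerpts in RIPE (inetnum) and ARIN (NetRange) style.
# Addresses are RFC 5737 documentation ranges; EXAMPLE-NET is not a real netname.
RIPE_WHOIS = """\
inetnum:        198.51.100.0 - 198.51.100.191
netname:        EXAMPLE-NET
descr:          Example Corp, Lusaka office
country:        ZM
"""

ARIN_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET
Organization:   Example Corp (EXAMP-1)
"""

RANGE_RE = re.compile(
    r"^(?:inetnum|NetRange):\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)",
    re.MULTILINE,
)
NETNAME_RE = re.compile(r"^(?:netname|NetName):\s*(\S+)", re.MULTILINE)


def parse_ranges(whois_text):
    """Return (netname, [IPv4Network, ...]) for one RIR whois record."""
    m = NETNAME_RE.search(whois_text)
    netname = m.group(1) if m else None
    nets = []
    for start, end in RANGE_RE.findall(whois_text):
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        # A start-end pair is not always one CIDR block (.0-.191 is a /25 plus a /26);
        # summarize_address_range emits the minimal list of blocks covering it.
        nets.extend(ipaddress.summarize_address_range(first, last))
    return netname, nets


def build_scope(records):
    """Merge the ranges of several records and collapse overlapping/adjacent blocks."""
    scope = []
    for text in records:
        _, nets = parse_ranges(text)
        scope.extend(nets)
    return list(ipaddress.collapse_addresses(scope))


def in_scope(ip, scope):
    """True when a host found later (e.g. from DNS) belongs to the target's space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scope)


if __name__ == "__main__":
    scope = build_scope([RIPE_WHOIS, ARIN_WHOIS])
    for net in scope:
        print(f"{net}  ({net.num_addresses} addresses)")
    for host in ("198.51.100.150", "198.51.100.200", "203.0.113.7"):
        print(host, "in scope" if in_scope(host, scope) else "OUT of scope")
```

The point of the scope list is the last function: every hostname or IP you collect later in the passive phase should be checked against it, so that a third-party host (CDN, hosting provider) is not scanned as if it belonged to the target.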
  7. OSINT
     • What can we find through domain information?
     • Whois record analysis - Who.is
     • Discovering the other domains by using Reverse Whois
     • Whois history analysis
     • Discovering the attack surface through subdomain detection
     • Detecting virtual hosts is important!
     • Detecting email addresses
     • Detecting the email address structure
     • Important for constructing the mail addresses you have not found!
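The last two points of the slide, as an added example (not the deck's own code): from a few harvested addresses whose owners are known, the local-part pattern the organisation uses is inferred by voting, and candidate addresses are then generated for names that came from LinkedIn or a job posting but did not appear in any harvester output. The names, addresses and domain below are constructed; the pattern table is the usual set of corporate conventions and is an assumption of this example.

```python
import re
import unicodedata
from collections import Counter

# Constructed harvester output paired with the names behind it; not real people.
KNOWN = [
    (("Mwila", "Banda"), "mwila.banda@example.com"),
    (("Chanda", "Phiri"), "chanda.phiri@example.com"),
    (("Bwalya", "Mulenga"), "bmulenga@example.com"),   # an outlier, e.g. an old account
]
DOMAIN = "example.com"

# Common corporate local-part conventions (assumed list; extend as needed).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def normalize(name):
    """Lower-case, strip accents and anything that is not a letter ('Müller' -> 'muller')."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower())


def infer_pattern(known, domain):
    """Vote over the known pairs; return (best pattern or None, vote counter)."""
    votes = Counter()
    for (first, last), email in known:
        local, _, mail_domain = email.lower().partition("@")
        if mail_domain != domain:
            continue          # personal or third-party address, says nothing about the target
        f, l = normalize(first), normalize(last)
        for pname, fn in PATTERNS.items():
            if fn(f, l) == local:
                votes[pname] += 1
    if not votes:
        return None, votes
    return votes.most_common(1)[0][0], votes


def generate(names, pattern, domain):
    """Build candidate addresses for people with no harvested address yet."""
    fn = PATTERNS[pattern]
    return [f"{fn(normalize(f), normalize(l))}@{domain}" for f, l in names]


if __name__ == "__main__":
    pattern, votes = infer_pattern(KNOWN, DOMAIN)
    print("best pattern:", pattern, dict(votes))
    # Names seen on LinkedIn / in a job posting (constructed) but absent from harvester output.
    for addr in generate([("Natasha", "Zulu"), ("Mutale", "Kabwe")], pattern, DOMAIN):
        print("candidate:", addr)
```

The generated addresses are candidates, not facts: they still have to be confirmed (a bounce, a directory lookup, a breach-corpus hit) before they go onto a phishing or password-spray list, and the vote count tells you how much to trust the pattern.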
  8. Whois Analysis - DEMO who.is
  9. Reverse Whois Analysis - DEMO whoisology.com
  10. Subdomain, Virtualhost and Email Discovery - DEMO theharvester
  11. Subdomain, Virtualhost and Email Discovery theharvester
  12. Aquatone - DEMO https://github.com/michenriksen/aquatone
  13. Aquatone-Discover - DEMO aquatone-discover -d yandex.com
  14. Sublist3r - DEMO https://github.com/aboul3la/Sublist3r
  15. OSINT
     • What can we collect from DNS?
     • Analysis via Robtex.com
     • Analysis through Mxtoolbox.com
     • Analysis via Dnsstuff.com
     • Analysis with dig
  16. DNS Information - DEMO robtex.com
  17. DNS Information dnsdumpster.com
  18. DNS Information - DEMO mxtoolbox.com
  19. DNS Information - DEMO dnsstuff.com
  20. Subdomain, Virtualhost and Email Discovery - DEMO dig
  21. Subdomain, Virtualhost and Email Discovery dig
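An added example for the dig and virtual-host slides (not part of the original deck): the answer lines of `dig +noall +answer` are parsed, CNAME chains are followed to their final A records, hostnames are grouped by the IP they land on (several names on one address are virtual hosts that a port scan of the address alone would not reveal), and CNAMEs that leave the target's domain are listed separately because that content lives on a third party's infrastructure. The dig output, hostnames and addresses are constructed (RFC 5737 ranges).

```python
import re
from collections import defaultdict

# Constructed `dig +noall +answer` output for a handful of names; example.com and
# hosting-provider.net are placeholders, addresses are RFC 5737 documentation ranges.
DIG_OUTPUT = """\
www.example.com.            300  IN  A      203.0.113.10
blog.example.com.           300  IN  CNAME  sites.hosting-provider.net.
sites.hosting-provider.net.  60  IN  A      198.51.100.5
mail.example.com.           300  IN  A      203.0.113.20
example.com.                300  IN  MX     10 mail.example.com.
example.com.                300  IN  NS     ns1.example.com.
ns1.example.com.            300  IN  A      203.0.113.2
dev.example.com.            300  IN  A      203.0.113.10
intranet.example.com.       300  IN  A      203.0.113.10
shop.example.com.           300  IN  CNAME  www.example.com.
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.+?)\s*$")


def parse_dig(text):
    """Return (name, ttl, type, rdata) tuples; names lower-cased, trailing dot removed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # dig comments and blanks
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        records.append((name.rstrip(".").lower(), int(ttl), rtype, rdata.rstrip(".").lower()))
    return records


def resolve_a(name, records, depth=0):
    """Follow CNAME chains inside the parsed answers down to the final A addresses."""
    if depth > 8:                                  # guard against CNAME loops
        return set()
    name = name.rstrip(".").lower()
    ips = set()
    for rname, _, rtype, rdata in records:
        if rname != name:
            continue
        if rtype == "A":
            ips.add(rdata)
        elif rtype == "CNAME":
            ips |= resolve_a(rdata, records, depth + 1)
    return ips


def vhost_groups(records):
    """Map each IP to the sorted hostnames that land on it (virtual-host candidates)."""
    groups = defaultdict(set)
    for name in {r[0] for r in records if r[2] in ("A", "CNAME")}:
        for ip in resolve_a(name, records):
            groups[ip].add(name)
    return {ip: sorted(names) for ip, names in groups.items()}


def external_cnames(records, domain):
    """CNAMEs whose target is outside the domain: content hosted by a third party."""
    suffix = "." + domain
    return sorted((n, r) for n, _, t, r in records
                  if t == "CNAME" and not (r == domain or r.endswith(suffix)))


if __name__ == "__main__":
    recs = parse_dig(DIG_OUTPUT)
    for ip, names in sorted(vhost_groups(recs).items()):
        print(ip, "->", ", ".join(names))
    for name, target in external_cnames(recs, "example.com"):
        print("off-domain CNAME:", name, "->", target)
```

When the active phase starts, every name in a virtual-host group has to be sent as the HTTP `Host` header (or as the TLS SNI) to reach that site; scanning `203.0.113.10` without a hostname shows only whichever site the server serves by default.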
  22. OSINT
     • Discovery through other useful resources has its benefits!
     • Analysis can be done via Yougetsignal (subdomain discovery)
     • Analysis through Bing (subdomain discovery)
     • Analysis via Netcraft (technology and service analysis)
     • Analysis through Archive.org (content analysis over time)
  23. Yougetsignal - DEMO yougetsignal.com
  24. Bing - DEMO bing.com
  25. Netcraft - DEMO netcraft.com
  26-27. Wayback Machine - DEMO archive.org
  28. OSINT
     • Services that continuously scan the internet themselves are worth using: you read their results instead of sending packets to the target.
     • Analysis should be done via Shodan
     • Analysis should be done via Censys
     • Haveibeenpwned.com
     • Have the email addresses detected earlier been used at a given site, and has that site been breached?
     • Have they been shared on paste sites?
     • Are the passwords of these e-mail addresses still in use?
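The last question on the slide, as an added example (not the deck's code): a password recovered from a leak is checked against the Pwned Passwords corpus with the service's k-anonymity range lookup, in which only the first five hex characters of the SHA-1 hash leave your machine and the returned list of suffixes is compared locally. The endpoint path and the `SUFFIX:COUNT` response format are the ones the service documents; the response body below is constructed so the code runs offline, and `fetch_range` is the only part that talks to the network.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, response_text):
    """Parse a range response ('SUFFIX:COUNT' per line); return the count for our
    suffix, or 0 when the password is not in the corpus."""
    for line in response_text.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (not exercised offline): the request carries only the prefix."""
    req = urllib.request.Request(RANGE_URL.format(prefix=prefix),
                                 headers={"User-Agent": "osint-training-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password, fetch=fetch_range):
    """Return how many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed response for prefix 5BAA6. The first suffix is the genuine tail of
# SHA-1("password"); the counts and the other suffixes are made up.
SAMPLE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
1E2BB0D6C2B8E3A7F1D0D1A5B9C2E4F6A7B:1
"""


def offline_fetch(prefix):
    """Stand-in for fetch_range so the example runs without network access."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # Candidate passwords as they would come out of a leak naming the target's users.
    for pw in ("password", "Lusaka2018!"):
        n = is_pwned(pw, fetch=offline_fetch)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in the corpus")
```

A hit tells you the password is widely reused, which makes it a good entry for the password list built in the final step; a miss says nothing about whether the target's own users still use it.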
  29. Shodan - DEMO shodan.io
  30. Censys - DEMO censys.io
  31. Haveibeenpwned - DEMO haveibeenpwned.com
  32. Serversniff - Demo • Online research resources: serversniff.net
  33. Hackertarget - Demo • Online research resources: hackertarget.com
  34. OSINT
     • Developer sites are one of the most critical points!
     • Analysis must be done through Alexa
     • Pastebin sites must definitely be examined
     • Critical data can be captured by analysing Stackoverflow posts (employees paste configuration and code when asking questions)
     • Analysis through Github can give access to source code and perhaps internal critical data such as hard-coded credentials
  35. Alexa - Demo alexa.com
  36. Pastebin - Demo pastebin.com
  37. Pastebin Search - Demo https://inteltechniques.com/OSINT/pastebins.html
  38. Stackoverflow - Demo stackoverflow.com
  39. Github - Demo github.com
  40. Google Hacking DB
     • Google Hacking DB
     • Dork concept
     • Frequently used operators
     • site:, -site:, inurl:, intitle:, intext:
     • filetype:, ext:, cache:
  41. Google Hacking DB
     • Example dorks
     • intitle:index.of inurl:domain.com
     • intitle:index.of inurl:domain.com filetype:sql
     • site:domain.com -site:www.domain.com (lists hosts of the domain other than www)
     • filetype:log intext:"putty"
     • filetype:xls "username | password"
     • ext:phps "mysql_connect"
     • inurl:/view/index.shtml
  42. Google Hacking DB - Demo • https://www.exploit-db.com/google-hacking-database/
  43. Google Hacking DB - Demo • Google Images
  44. Tineye - Demo • https://www.tineye.com/
  45. OSINT
     • Important data can be obtained from search engines and social media, expanding the attack surface.
     • User login screens must be discovered (targets for social engineering attacks)
     • Job postings must be analyzed (they name the technologies in use)
     • Social media analysis must be done
  46. OSINT
     • One can obtain data on people using search engines
     • Linkedin.com
     • Jigsaw.com
     • People123.com
     • Pipl.com
     • Peekyou.com
  47. OSINT
     • Metadata analysis should be done; important data can also be obtained from it.
     • Office files can be examined
     • PDF files can be inspected
     • Images - EXIF data can be analyzed.
     • Available tools
     • Exif-reader
     • Foca
     • Metagoofil
  48. List of Additional Tools
     Processes handled manually with the tools above can be automated with these for wide-scale application.
     • theHarvester
     • Spiderfoot
     • Recon-ng
     • Foca
     • Metagoofil
     • Maltego
     • Searchsploit
  49. In the end
     • Domains have been determined
     • IP ranges have been determined
     • Technologies used have been analyzed and preparations made
     • Software in use has been analyzed and preparations made
     • Leaked data has been analyzed and added to password lists
     • We are now ready for active scanning!
  50. Demo Practice
  51. Questions?
  52. Contacts: www.prismacsi.com info@prismacsi.com 0 850 303 85 35 /prismacsi
