O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
Empowering Red and Blue Teams with OSINT c0c0n 2017, Le Meridian, Kochi.
://$ whoami • Shubham Mittal • Security Consultant @ NotSoSecure • Perimeter Security and OSINT • Author - @datasploit • C...
Agenda ● OSINT Overview ● For Red Teams (Offensive) ● Company Profiling ● Perimeter Scoping ● Employee Profiling ● Tools o...
OSINT – Open Source Intelligence (Intelligence on Information publicly available) Internet gives you RAW Data. Harvest it.
Open Source Intelligence (OSINT) is the collection and analysis of information gathered from publicly available sources.
Should be used by? ● Pen-testers ● Security Engineers ● Product Security Companies ● Cyber Investigators ● Sales / Market ...
How OSINT can help Red Teams
Red Teams ● Scoping Attack Surface ● Technology Profiling ● Github ● Paste(s) ● Employee Profiling ● Breach Data ● Nerdy D...
Digital Asset Scoping • whoIs (who.is) > ASN ID • Reverse WhoIs • whois -h whois.radb.net -- '-i origin ASN-ID' | grep -Eo...
Digital Asset Scoping – Subdomain Enumeration ● Sub-domain Enumeration ● DNSSEC Walking (Kudos to @jhaddix for suggesting)...
dnssecwalk (part of the ipV6 Toolkit) https://www.thc.org/thc-ipv6/ Custom Script(Certificate Transparency Report) - DEMO ...
Quick Checks ● HTTP / HTTPS? ● 404 Not Found? 403 Forbidden? ● 500 Internal Server Error? ● .git / .svn / htaccess.txt / b...
Pro-active Search
Technology Profiling - BuildWith
Wappalyzer
Github https://hackerone.com/reports/248693
Paste(s) Sites
Public Password Dumps
Not ‘Google’ Search Engines ● Metasearch engine – Polymeta.com ● People search engine -Pipl.com, Peekyou, Marketvisual ● B...
Domain IP History
Domain IP History • Cloudflare / Incapsula / Sucuri. • Domain History reveals earlier IP Addresses. • IP still Live = Bypa...
Public Scan Engines • https://www.qualys.com/forms/freescan/ • https://urlscan.io • https://asafaweb.com
MetaData Data about the Data. Can find: ● Applications used to generate PDF/Docx./etc. on servers ● Exif Data (Media File ...
Employee Profiling ● Email-harvestor ● DataSploit ● LinkedIn ● https://www.linkedin.com/search/results/companies/?keywords...
Linked employee email extract using Skrapp / Hunter
Custom Script RapportiveCode
Email-id to Username? Social Media Accounts Forum Searches (boardreader.com) Clearbit / Full Contact DataSploit >> User to...
Email-id to Username?
Blue Team. ● Active Monitoring on keywords. ● Alerting (while reducing noise) ● Scan/OSINT your Attack Surface Area ● Scop...
Tweetmonitor.py / Tweetdeck
Tweetmonitor.py / Tweetdeck
Scumblr
Google Alerts
Page Monitor - ChangeDetect / Follow.net
SIEM << Threat Intel Feed (robtex,etc., check for already blacklisted IPs) Collective Intelligence Framework
Tools of Trade Spiderfoot Recon-ng Scmublr DataSploit Sublist3r theHarvestor Foca Maltego Gosint Belati X-ray Exiftool Tin...
Future Research ● Data Co-relation ● Noise Reduction ● Tap Darknet
upgoingstaar@gmail.com | @upgoingstar
Empowering red and blue teams with osint c0c0n 2017
Empowering red and blue teams with osint c0c0n 2017
Próximos SlideShares
Carregando em…5
×

Empowering red and blue teams with osint c0c0n 2017

2.719 visualizações

Publicada em

This talk will discuss Open Source Intelligence (OSINT) gathering tools and techniques that are highly useful and effective for both Blue teams and Red teams.

Publicada em: Apresentações e oratória
no profile picture user

  • Entre para ver os comentários

Empowering red and blue teams with osint c0c0n 2017

  1. 1. Empowering Red and Blue Teams with OSINT c0c0n 2017, Le Meridian, Kochi.
  2. 2. ://$ whoami • Shubham Mittal • Security Consultant @ NotSoSecure • Perimeter Security and OSINT • Author - @datasploit • Core Organizer - @reconvillage • Bike Rider, Beat Boxer @upgoingstar | upgoingstaar@gmail.com @upgoingstar | shubhammittal.net | upgoingstaar@gmail.com
  3. 3. Agenda ● OSINT Overview ● For Red Teams (Offensive) ● Company Profiling ● Perimeter Scoping ● Employee Profiling ● Tools of Trade ● Future Research Areas ● For Blue Team (Defensive) ● Monitoring and Alerting ● Intelligent SIEM Rules ● DLP
  4. 4. OSINT – Open Source Intelligence (Intelligence on Information publicly available) Internet gives you RAW Data. Harvest it.
  5. 5. Open Source Intelligence (OSINT) is the collection and analysis of information gathered from publicly available sources.
  6. 6. Should be used by? ● Pen-testers ● Security Engineers ● Product Security Companies ● Cyber Investigators ● Sales / Market Research
  7. 7. How OSINT can help Red Teams
  8. 8. Red Teams ● Scoping Attack Surface ● Technology Profiling ● Github ● Paste(s) ● Employee Profiling ● Breach Data ● Nerdy Data
  9. 9. Digital Asset Scoping • whoIs (who.is) > ASN ID • Reverse WhoIs • whois -h whois.radb.net -- '-i origin ASN-ID' | grep -Eo "([0-9.]+){4}/[0-9]+" | sort -n | uniq -c • https://mxtoolbox.com/SuperTool.aspx • Nslookup (terminal) • Dig (dig reconvillage.org, dig reconvillage.org cname) • Acquisitions.
  10. 10. Digital Asset Scoping – Subdomain Enumeration ● Sub-domain Enumeration ● DNSSEC Walking (Kudos to @jhaddix for suggesting) ● Certificate Transparency Reports, Forums ● Shodan/Censys, Cname Records, DNS Dumpster, Netcraft, WolframAlpha ● Tools - Sublist3r, DataSploit.
  11. 11. dnssecwalk (part of the ipV6 Toolkit) https://www.thc.org/thc-ipv6/ Custom Script(Certificate Transparency Report) - DEMO https://blog.webernetz.net/2016/11/22/how-to-walk-dnssec-zones-dnsrecon/
  12. 12. Quick Checks ● HTTP / HTTPS? ● 404 Not Found? 403 Forbidden? ● 500 Internal Server Error? ● .git / .svn / htaccess.txt / bash_history / web.config / admin / , etc.
  13. 13. Pro-active Search
  14. 14. Technology Profiling - BuildWith
  15. 15. Wappalyzer
  16. 16. Github https://hackerone.com/reports/248693
  17. 17. Paste(s) Sites
  18. 18. Public Password Dumps
  19. 19. Not ‘Google’ Search Engines ● Metasearch engine – Polymeta.com ● People search engine -Pipl.com, Peekyou, Marketvisual ● Business/Company Search - Zoominfo ● Social Search Engine - Socialmention.com ● Phone Number Search Engine – Truecaller ● Wayback machine ● Computational knowledge engine – Wolframalpha ● Clustering Search Engine - search.carrot2.org
  20. 20. Domain IP History
  21. 21. Domain IP History • Cloudflare / Incapsula / Sucuri. • Domain History reveals earlier IP Addresses. • IP still Live = Bypass rate limiting, firewall rules, etc.
  22. 22. Public Scan Engines • https://www.qualys.com/forms/freescan/ • https://urlscan.io • https://asafaweb.com
  23. 23. MetaData Data about the Data. Can find: ● Applications used to generate PDF/Docx./etc. on servers ● Exif Data (Media File Data) ● Geolocations ● Author ● Platform TCPDF CVE-2017-6100 - Local File Include Vulnerability
  24. 24. Employee Profiling ● Email-harvestor ● DataSploit ● LinkedIn ● https://www.linkedin.com/search/results/companies/?keywords= company&origin=SWITCH_SEARCH_VERTICAL ● Email Hunter ● Skrapp
  25. 25. Linked employee email extract using Skrapp / Hunter
  26. 26. Custom Script RapportiveCode
  27. 27. Email-id to Username? Social Media Accounts Forum Searches (boardreader.com) Clearbit / Full Contact DataSploit >> User to Images , Reverse Image Search, User profiling (More useful for SE) >> Find leaked creds, tokens, confidential urls/IPs, slack keys, api key, etc.
  28. 28. Email-id to Username?
  29. 29. Blue Team. ● Active Monitoring on keywords. ● Alerting (while reducing noise) ● Scan/OSINT your Attack Surface Area ● Scoping is not required - Simply find the perimeter from Devops/Central Deployment Team. ● Keep an eye on Employees (Profile their personal code share accounts). ● Review Job Openings / Questions in Forums, etc. ● Defensive Measures - Data Loss Prevention ● Strip off metadata from files going outside.
  30. 30. Tweetmonitor.py / Tweetdeck
  31. 31. Tweetmonitor.py / Tweetdeck
  32. 32. Scumblr
  33. 33. Google Alerts
  34. 34. Page Monitor - ChangeDetect / Follow.net
  35. 35. SIEM << Threat Intel Feed (robtex,etc., check for already blacklisted IPs) Collective Intelligence Framework
  36. 36. Tools of Trade Spiderfoot Recon-ng Scmublr DataSploit Sublist3r theHarvestor Foca Maltego Gosint Belati X-ray Exiftool Tinfoleak Gitrob
  37. 37. Future Research ● Data Co-relation ● Noise Reduction ● Tap Darknet
  38. 38. upgoingstaar@gmail.com | @upgoingstar

×