AIDE 2018 - Practical OSINT: Tools of the Trade - Tom Moore

Captions
All right, thanks for coming. Thanks for having me. We're going to be talking a little bit about practical OSINT. So how many of you are going to school for offensive security, or defensive security, or forensics? Okay. This can really be used in any one of the disciplines of information security in one way or another. The two that I most commonly see it used in are generally offensive or defensive security, but we'll get into that in a little bit, on how you can leverage it for whatever you're doing, if you're doing digital forensics and you need to perform some sort of, you know, open source... And these have a lot more resources now than what we had when I was here, so be thankful for the staff that you have, knowledgeable staff, and the curriculums that they put in place for you.

I'm a Christian, husband, father, and I'm an unrelenting geek, and pretty much anything I do has some sort of a geek flair to it, and it drives my family crazy. Second Amendment supporter. You guys can read, I don't need to read all that stuff, right? But I love hacking competitions, and I'll be competing in another one this coming weekend at Carolina [Con], which is where I'm located, in North Carolina.

So let's go ahead and get started on into it. So, disclaimer: I've done a lot of these things. I don't know all the tools, I don't know all the resources, and I don't claim to, right? There are so many different resources out there that you can leverage that it's ridiculous, really. But I do know what works well, and I can show you what I've learned in my profession that can help you in yours. It's very critical to maintain ethics when you're looking at open source intelligence gathering, and so as a result I have a little agreement here. Basically, don't use this stuff for bad. You can completely take full ownership of an organization's network by information you can glean from outside of their network, okay? I've done it on several occasions. You can really destroy someone's personal life by releasing information about them; they call it doxxing most of the time, right? So you can really, really harm someone and their personal life by releasing too much information about them. So use it with care and with caution.

We'll look at the agenda real fast. We'll do a couple of things to get started. I know Bill has given you guys some OSINT courses; probably some of you have attended. But we're going to do a little bit of just getting started, some of the available tools, the common tools that are generally known, and then some of the efficient tools that I like to use when I'm doing an OSINT assessment, to be able to wrap multiple things into fewer processes. Any time we can save time, we save money, and we can save some frustration in clicking the same button multiple times, right? So then we'll do a little Q&A. Most likely before we do the Q&A we will cut camera, because we will go through some OSINT; you guys will pick some targets, and I don't want that stuff recorded in the event that we come up with something that's extremely sensitive. Okay, cool.

All right, so we'll go ahead and get started here. So what is OSINT, open source intelligence? It's basically data collected from public sources, right? OSINT was a term that was generally generated by our military, but it's been around a lot longer than that: gathering information from open and public resources that can give you a more educated grasp of a scenario, of a layout, of another opposing force. So OSINT can give you a lot of information without having to go directly to the source, okay? That's the purpose of OSINT. And so, you know, it's been around for centuries and we've seen it used a lot on the battlefield, okay? Any time you glean information about your enemy that can give you some sort of an advantage, or understand where their weaknesses are so that you can attack them, you're going to use it.

So on the opposite side of OSINT, what's OPSEC? That's operational security, or operations security. In the same fashion, OPSEC is the process of protecting your sensitive information, right? If you go out and post everything you do and every meal that you eat on Facebook, everyone's going to know what you like and what you dislike, right? Could people potentially use that against you? Yeah. So OPSEC is making smarter decisions and maintaining some of the personal details that are sensitive to you. A lot of times people don't think about this stuff, I know, and it's happened multiple times, but a few years back there was a Facebook app created that, you know, asked pretty much every one of the security questions that you might have if you banked at a certain financial institution, and then they spread it out there. But then they targeted multiple individuals that they had already performed OSINT on and realized that that's where they banked, and they ended up netting, I think, around twelve million dollars out of calling into the customer service using the information that they obtained publicly off the internet and off of Facebook to reset questions, go through the process of, you know, getting the... I think someone is just taunting me with my phone, I need to silence it. But, you know, going through the process of getting all of your details and misusing them in the way that you probably wouldn't have them. So, what... All right, back to this.

All right, so everyone understands what OSINT and OPSEC are, right? What would be the purpose of needing good OPSEC, right? Would it be avoiding having information pulled against you? Right. They're kind of counter opposites, if you want to think of them that way. So OSINT works the best on people with bad OPSEC, okay? That's the first kicker here. The downside is that most people really suck at OPSEC today. We don't have a desire to have privacy; we want attention for things that we do, and so we post a lot of information we probably wouldn't post otherwise, and as a result that gets misused.

Have you all heard of swatting? Right, very dangerous situation there. We had one recently killed as a result of a little bit of social engineering trying to get his phone number. Once they had his phone number, they were able to look up where he lived; once they were able to look up where he lived, then they were able to send SWAT to his home. And so, like I said, this stuff can be used very, very dangerously. So kind of keep an understanding that with great power comes great responsibility, right? Everyone sees it as... it seems like something that's not a real dangerous scenario in most cases, but OSINT is something that, if you become a penetration tester, or if you're doing blue team work or red team, you will generally use OSINT on any engagement where there's an external surface that you have to look after. On one side, as an offensive security practitioner, I'm going to look for any weaknesses that I can find, I'm going to look for individuals that I can target, I'm going to look for systems that may be vulnerable, and I'm going to build a path to take to try to ride into that organization. As a defensive practitioner, you can use OSINT in the same way to determine where others might see weaknesses against your organization, so you can shore those up and get them fixed before someone gets in that's not intended.

All right, so there's all kinds of tools out there to collect OSINT. There's hundreds of tools and we'll show you some of those, but we're going to go over about the top five or so, just to kind of give you a rundown of what kind of information they can collect, what they can do. And so one of the ones that you may have heard of is recon-ng, and this is by Tim Tomes. He was at Black Hills, then I think he's at Envision now, but great tool. Why do I keep clicking that? Okay, he's still up there, but yeah, so it's a great tool and let's just take a look at it.

See if I can switch over here. So if we just run recon-ng... I deleted all my API keys so I didn't leak those on video. But within recon-ng, see if I can resize this window, because I'm having all kinds of display issues. Can you all see that? Yep, okay. All right, so recon-ng has a lot of capabilities that it ties in. It uses what are called API keys, and so you can go to different resources that recon-ng can pull from, and you can request an API key and configure it within this tool, and it allows you to make more requests through the command line than what you would normally be able to make to a specific tool or a specific resource. But we'll look at "show modules", and so this recon section is for the most part all open source intelligence resources that recon-ng can query: Bing, LinkedIn, Jigsaw, an email tester; some of these are basically ways to create user lists. Let's see, PwnedList, I'm sure you've probably heard of that one; BuiltWith will show you what something's built with; Google Site API, Shodan, Netcraft. So you can go through with this one tool. Here's the ones I know you've seen, right? Flickr, Instagram, Censys, Shodan, Twitter, YouTube. And so you can go through with this tool and query for an organization, for a specific individual, and so one tool has the ability to go through quite a bit of that stuff.

So if we continue on, the next one that we'll look at is theHarvester, and so this one is a tool... I do not know why it keeps doing that, I'm having some technical difficulties... but it is written by Christian, I'm going to butcher his last name, Martorella. And basically what theHarvester does is it'll go through and gather subdomains for an organization. So if you have a TLD, a top-level domain, theHarvester can go through and gather subdomains that you can look at. It will gather email addresses, it will gather virtual hosts, open ports, banners, employee names from different public resources, and so it can build a dossier of an organization pretty quickly. One thing that it does do that would be direct communication is, when it pulls subdomains, it has to query the DNS servers. So if the DNS servers are on site for an organization, or if they're in-house, then that action would not technically be OSINT; that would be requesting something from the organization. OSINT as a whole should be something that you can collect information from and never touch the organization that you're targeting, and that's another reason that it makes it really, really dangerous, right? Because as a defender, are you going to know if someone's doing OSINT on you? Generally not. You can set up Google Alerts and things of that sort to let you know if someone's searching for your organization, but most of these are not leveraging Google. This one does, but most of these do not, so you have to kind of play that by ear. That's a great tool; we can dig into it later.

But the next one, if I can get my slide deck to work... I don't know what's going on here, Adrian, it keeps jumping out of presenter view. I'm locked. All right, anyways. Nope. Let me back up. It shows it up there but nothing's changing. Joy. Hang on just a moment. Yeah, so it says it's back. All right, I'm going to... PowerPoint. All right. Please. All right, we're going again.

All right, so who's heard of Google dorks? Okay, awesome. All right, how much have you used Google dorks? You should use them every day, huh? Yeah, Bill should know them better than most; he made you buy the book. That's a way to buffer your sales, ha. Oh, hey, yeah. So Google dorks were originally made popular by Johnny Long with Hackers for Charity; you guys should know him. And so Johnny Long kind of made this popular, and now we have what's now the Google Hacking Database, and that is maintained under the guise of Offensive Security. And so I don't know if you can see that screen from there, but generally anyone in the community that finds a good Google dork that could potentially allow you to compromise an organization can submit it for addition to the Google Hacking Database. And so there are some dangerous strings on there. A couple of these: filetype and inurl for log files, server software, and you can find some juicy info in there like configuration info; CakePHP, inurl database.php, intext DB_PASSWORD, will have passwords in clear text in the document that it returns, okay? And if people aren't configuring their web services correctly, if they're not limiting the permissions on specific files on their web servers, then they can leak that information without even realizing it. Once someone finds it, they can post it up here, and everyone now has access to it. So a great source for OSINT. And I did it again. I don't understand how that's happening. I know, but I can't advance the slide. All right, try it again.

All right, who's heard of Shodan? Yeah, all right, that's the firehose of fun. It can be very dangerous too, right? Shodan allows you to understand what the external surface of some of the most vulnerable services are of your target without ever having to scan them. So if you didn't have something like Shodan, what would you have to do, right? What tool would you use, what would be a go-to tool to scan a network if you were trying to find... Nmap, right? The go-to. Trinity used it, right. So when you look at Shodan you have to take into consideration, okay, this tool allows me to gather information about a remote attack surface of an organization and never touch that organization. So let's look at this real fast. So if we look for Apache in the city of Huntington, right, you can... if you knew the IP scope of the organization you're looking at... that's just one small example of what Shodan can do. So if you're looking for an organization in Huntington that you know is running Apache, you may be able to find their server information here without necessarily them having a domain name attached to them. It's pretty valuable.

Let's do this again. I don't know why it's failing, but it's trying me. All right, so one of the ones that... there's a trial version, or used to be a trial version, in Kali is Maltego. Maltego is extremely powerful. The trial version or the free version of Maltego is very limited, though. Maltego works off what's called transforms, and so these offer real-time data that it's able to gather about relational information between different data sources, and when you get into it, it allows you to visualize what the relationships are between different resources that belong to the organization you're looking at, or person; you can go straight personal with it. So I don't do a lot of Maltego, just because of the cost of the full version, but I have used it on several occasions as the professional version, and it's flat-out amazing some of the stuff that you could pull out of it. If you're doing private investigative work, if you're doing... I could see it on a red team scale, I could see it as a pen tester. It's worth the money when it comes to OSINT and digging up information about the target organization.

This was a search that I did on GitHub just this morning for OSINT, and there are four hundred and seventy different tools out there that are open source and that are built, generally purpose-built, for a specific OSINT path, right? Something that someone has found that another tool didn't do, so they wrote their own. And my buddy's is at the second one there; we'll look at it a little bit later, OSINT Framework. All right, so there are many, many tools for OSINT. I've found several to be very, very valuable to me because they save me time and they save me the frustration of having to try to pull a lot of different information into a common format. So one of the things you're going to run into when you start doing digital forensics or blue teaming or red teaming or pen testing: you're going to have a lot of information that you're querying about a specific subject or target, and once you've collected all of that information from different sources, it's all in different formats, all right? And now you have to try to get all of that stuff put back together, and that can be a true pain in the tail. It can waste a lot of time. So what we're going to do is we're going to look through the names of some of these tools and then just kind of give you an understanding of why I use these regularly, and then we will most likely cut camera for a little bit and try some of them out, and you guys can pick some targets and we'll see what we can discover, right? Hmm, I heard that we can do that, all right.

So the first one, and you guys have probably met Lee Baird, is Discover, and so this is a set of scripts. Lee Baird is the curator, maintainer of this, and while it does do a lot of direct enumeration about an organization, the thing I love about Discover is that you can do fully open source intelligence gathering and reconnaissance and it builds out a report. Now you remember earlier when we were looking at theHarvester and we were looking at recon-ng, okay; Discover does those for you, and I will show you that. Actually, we'll kick one off here. So Discover will launch, hopefully sooner than later, and it is basically a wrapper script for some of the other tools we've been looking at and will help you automate that. So we may come back to this; hopefully when we come back to it, we'll be ready. I'm not sure what's going on, I'm having all kinds of issues. Bill, did you show my box before I got up here? But yeah, Discover is awesome. If you haven't taken a look at it, it's github.com/leebaird/discover. You can git clone that if you're on a Linux distribution, and otherwise you can download it. It's primarily all written in shell script, bash, and it runs really well.

Awesome. OSINT Framework, written by my buddy Justin Nordine, and so you can install this locally as a service, it's a GitHub repo, or you can just use it on osintframework.com, I believe, when we pull it up here. Yeah, osintframework.com. And so just a quick view of this: if you wanted to look for a specific username, all right, you can look under search engines or you can look under a specific site. Say you want to check out Namechk; that link is right there for you, okay? You can go through and dig through it. If you want to look on Amazon wish lists for Bill's Christmas wish list, right, you can use the links that are in this OSINT Framework as a very fast way of going through, if you know what you're looking for, getting to those resources that are something that you want. This is all written in JavaScript, uses Node.js, and so it's a great tool; I use it quite a bit. Again, one of those tools where you don't have to go through a bunch of bookmarks and try to figure out, where did I see that before? Because as you go through it logically into what you're looking for and how specific you want that to be, OSINT Framework just kind of lays it all out there for you.

So the next one that I use pretty frequently, and I just recently found this, is ctfr. All right, so we talked about DNS, and if you are pulling DNS entries from an organization, what are you generally requesting those from? A DNS server, right? So if you're requesting them from a DNS server, that server could potentially be inside the organization that you're targeting, right, if you're going after an organization. So ctfr takes advantage of something different, which is essentially SSL transparency reporting. So let's take a look at this real fast. This one's a fun one that we can show. Look, it loaded up; we'll leave that running. All right, so we're going to look for a domain. We're going to use Marshall... for right now, someone give me a domain. This is something anyone can pull off. So irongeek.com, all right. How many SSL certificates do you have? I know the site now uses HTTPS. You use it, but I don't know, okay. Well, we'll take a look. So give it -d for the domain, you can give it -o for the output file, and run this, and basically what it's going to do is it's going to query the... oh, just one. All right, we have to go after a bigger domain, so let's do Amazon, right? All right, that works; they have all of our information anyways, right? So any subdomains that Facebook has that has an SSL certificate that they have disclosed to the SSL transparency report... and I didn't do an AXFR, I didn't touch their network, right? Generally you have to have a misconfigured DNS server in order to be able to gather that many domain names that quickly, that or you have to brute-force them. You can use a tool like fierce and go through and brute-force with a dictionary attack and look for domains that are there, but I didn't touch one of their servers. I didn't send more than one request. All right, I love that tool. I've used it on every assessment since I found it. Written by Sheila A. Berta, and that's an awesome tool if you're going after an organization; you want to take a look at what their domains are, ctfr.

All right, and again, Shodan is something that I use pretty frequently. There's really nothing else out there that I've found as effective as Shodan when it comes to trying to get an understanding of what your attack surface is for an organization. You get a free API key you can have assigned to you when you sign up for an account. With that API key you can write your own tools in Python or whatever to query the Shodan API and pull information back. So if you have a specific site or range for the organization you're looking at, you can craft a request to Shodan's API and then it will return all that information to you in a parsable format that you can go through and continue your assessment.

This is a GitHub repository that I found; it's called awesome-osint, and I've been really bad about having links and stuff in here, so I will post all those or get them to Bill so that you can go through these and dig through them. But this one, let me see if I have it pulled up in my web server... web browser, yeah. So it's a GitHub repository, right, but it's basically, it's essentially another list of links that you can use. So it kind of breaks it down by, you know, the higher level here's the top, but you can just dig right in. So if you want social media tools that go after Twitter users, well, here's multiple ones that can query the Twitter API. Facebook, right, you can go through and find the tool that you want to be able to go through and do targeted OSINT on a Facebook user. Now where we see this as a red teamer, or even as a pen tester, right: if I'm going after an organization, I can have a pretty solid case before I ever touch that network whether or not I'm going to be successful at penetrating that network. I'll go and I'll query organizations that may have information about them, and we'll see some more of that stuff from theHarvester, and the stuff that Discover pulls; we'll do that run before we finish here today. But after running that and going through and looking, so I'll go out to the website and look to see what jobs are available, then I can go to LinkedIn and I can query LinkedIn for anyone that works at that organization, right? I can find someone that's close to the position that I'm going to be looking at, and I can go look through their... because everyone wants the praise, I can go through and look through their resume, basically, and find out, okay, what really have they been doing? So I can research that. I can look at what they're saying that they have knowledge in, and know that they probably have resources on their network in that specific area, okay? And I can run that ctfr. I can go through and pull all the domain names to be able to see what may be a juicy target to go after.

We can go through and, if I find someone that I think may have credentials that are going to be beneficial to me from the outside, I dig into them on LinkedIn, and then I'd switch over to Facebook, to Twitter, to places where they're going to be less worried about their OPSEC. You know, basically direct targeting for a specific individual that I see will have the permissions that I want, and before long you can go through and build a very good understanding of who this person is, what their likes and dislikes are, what kind of information they are willing to share with, you know, with the public, whereas what they may be more withholding of. And as you get to that point, you could do a targeted spear phish against that individual with a great backstory that they're going to believe and work along with. You could spoof one of their co-workers that they're trusting of, that you've made that correlation of based on their social communications online. It's pretty dangerous, right? But with these resources, I mean, this is huge; there's all kinds of them here that you can look through, and it just continues. These are all the breakouts, and I could scroll for days, right? All kinds of resources that you guys can use in open source intelligence gathering.

And so one of the other ones that has been pretty valuable is IntelTechniques by Michael Bazzell. So I don't know if you've worked with this one at all, but it also is a great resource with multiple links. I thought I had it up here, yeah. So this one is for Facebook, and you can basically specifically look for individuals that just have relationships with someone that you're trying to find, and you can leverage this to look for that chatty person that is one of their friends that has no permissions set on their account and will allow you to befriend her just so she can raise her number, or him. And then once you are in that second-level friendship relationship on Facebook with, you know, with your target, then you can gather a lot more information about them. People think that just because they have good permissions set on their social media accounts, that other people can't and won't get into their stuff because they won't friend them. Well, that's not necessarily the case if you trust friends of friends. Then I'm just going to attack the weakest link. I'm not going to go after you if I know that you have better OPSEC; I'm going after the least-OPSEC individual that I can find that has a relationship with you, and I'll get in that way. Yeah, so that's another good one, and he's got things in there for Facebook and Twitter and Tumblr and the whole deal.

So this one has not been released yet. We'll show it real fast just to give him quick props, but Will Genovese, if you know him... if you don't, he's brilliant, and so he's writing a tool called Skiptracer, and just a real fast teaser on this tool, and we'll stop right after this. All right, I cannot see the bottom line on my screen, so we can't even... that's probably best. Let's see. All right, let me find a phone number real fast. Anyone want to offer up your phone number? Oh, all right, hang on a second. I'll type it in wrong. Should be it. Give me a name and we'll look and see if there's any information out there on them. All right, so actually it's going to go better if we do a phone number. Give me just a moment, I'm going to, mm-hmm, share my screen for just a second. Yeah, really easy way, wouldn't it? All right, basically, have you ever had a phone number call you and heavy breathe or do something stupid, and you always want to try to figure out who that might be? Skiptracer basically goes after, I think it's upwards of a dozen different databases that could maintain information on a specific number, and will help you do some very quick reconnaissance to find out who that might be. One other thing that I think it would be very, very beneficial for would be if you're trying to determine whether or not a specific number that's associated with an account, like maybe two-factor authentication, belongs to a specific individual, and it allows you to build a better dossier that way.

All right, just about there. Okay, we jump back in here. [Music] All right, here we go. Notice that name a few times, maybe. So you can see it's just going through and querying multiple sources for any information on that, and it's pretty damaging, right? You got an address with multiple sources here associated directly with that number. So he hasn't released that yet, but once he does I would look it up. Huh, yeah, he was gracious enough to let me kind of tease some people with it, but it's going to be a great tool. He's got some more work he wants to do before he releases it to the public.
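The ctfr point in the talk is that Certificate Transparency logs hand an outsider a domain's subdomain list without an AXFR, a brute-force run, or a single packet to the target's DNS. The defender's version of the same exercise is to read the same public data for your own domain and flag every name that is not in your asset inventory. The script below is an added example, not ctfr's code; the JSON is a constructed sample in the shape crt.sh returns for its JSON output, and the domain example.com, the hostnames and the inventory are assumptions.

```python
"""Extract hostnames from Certificate Transparency records (what ctfr does)
and compare them with a defender's asset inventory.

Added example for the talk; not ctfr's own code. SAMPLE_CT_JSON is a
constructed sample in the shape crt.sh returns for
https://crt.sh/?q=%25.<domain>&output=json ("name_value" carries the
certificate's names, newline separated). The domain and hosts are assumptions.
"""
import json
import re
from typing import Dict, Iterator, List, Set

# Constructed sample: one object per logged certificate.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.example.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-01T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vpn.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
    # Mixed case is common in SAN entries; DNS names compare case-insensitively.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "Staging-Jenkins.Example.com\nwww.example.com",
     "not_before": "2024-02-20T00:00:00", "not_after": "2024-05-20T23:59:59"},
    # A certificate may also carry names from other domains; those are ignored.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nexample.net",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
])

# Plain hostname or a wildcard label in front; anything else (email-style
# SANs, stray whitespace) is dropped rather than guessed at.
HOSTNAME_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*$")


def _names_in_domain(record: dict, domain: str) -> Iterator[str]:
    """Yield the normalised names of one CT record that fall under `domain`."""
    for raw in record.get("name_value", "").splitlines():
        name = raw.strip().lower()
        if not HOSTNAME_RE.match(name):
            continue
        if name == domain or name.endswith("." + domain):
            yield name


def ct_hostnames(ct_json: str, domain: str) -> Set[str]:
    """Every hostname under `domain` that appears in the CT records.

    Wildcard entries are kept as-is: "*.example.com" tells an outsider
    nothing about specific hosts but tells a defender a broad cert exists.
    """
    domain = domain.lower()
    found: Set[str] = set()
    for record in json.loads(ct_json):
        found.update(_names_in_domain(record, domain))
    return found


def unknown_hosts(ct_json: str, domain: str, inventory: Set[str]) -> Dict[str, List[str]]:
    """Map each CT-exposed name missing from `inventory` to the issuers that
    logged certificates for it, so the owner can chase down who requested them.
    """
    domain = domain.lower()
    known = {h.lower() for h in inventory}
    hits: Dict[str, Set[str]] = {}
    for record in json.loads(ct_json):
        for name in _names_in_domain(record, domain):
            if name not in known:
                hits.setdefault(name, set()).add(record.get("issuer_name", ""))
    return {name: sorted(issuers) for name, issuers in hits.items()}


if __name__ == "__main__":
    # Assumed inventory: what the owner believes is exposed for example.com.
    known_hosts = {"example.com", "www.example.com", "vpn.example.com"}
    print("CT logs show:", sorted(ct_hostnames(SAMPLE_CT_JSON, "example.com")))
    for host, issuers in sorted(unknown_hosts(SAMPLE_CT_JSON, "example.com", known_hosts).items()):
        print(f"not in inventory: {host}  (certificates logged by: {'; '.join(issuers)})")
```

Against the sample, the staging Jenkins host and the wildcard certificate surface as names the inventory never listed, which is exactly what an outsider running ctfr would see first.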
Info
Channel: Adrian Crenshaw
Views: 22,414
Rating: 4.8248849 out of 5
Keywords: hacking, security, infosec, irongeek, marshall, west, virginia
Id: nvdsQlT9_xY
Length: 48min 7sec (2887 seconds)
Published: Thu Apr 05 2018