Agenda:
New School?
OSINT (open source intelligence gathering)
FierceDNS
SEAT/Goolag
Google Mail Harvesters
Metagoofil
Online Tools (serversniff/domain tools/centralops/clez.net/robtex/spoke)
Maltego
Example:
baytsp.com
WTF is baytsp.com?
How many web servers?
How many mail servers?
How many name servers?
IP range/netblocks?
Location(s)?
Usernames, phone numbers, e-mail addresses?
WTF is baytsp.com?
BayTSP is an innovator in digital copyright, image, trademark, music and text protection. Located in the heart of Silicon Valley, BayTSP offers a revolutionary way for digital content owners to track down their valuable online property, in order to effectively deter its theft and misuse.
New School?
New School, just a "new" way of looking at Information Gathering: less just discovering network blocks with whois and more taking a "full spectrum" look at your target.
• OSINT, Open Source Intelligence:
– Out on the internet for everyone to find, if you know what to look for
– Domain Names
– Files containing useful information
– Email addresses
– Website Source
OSINT
• Generally no direct contact with the victim's servers, or at least no non-standard traffic directed toward the victim
• End Result?
Organization's net blocks, external server IPs and domain names, internal IP ranges, e-mail addresses to send phishing attacks to, phone numbers to call, trust relationships with other
organizations, & other relevant information for your audit, and hopefully identifying exploitable flaws in the target's network.
Isn't that what Google is for?
• Yeah kinda, Google-fu is important but we're not going to talk much about Google hacking, go read the book.
OSINT: Information Gathering and Domain Name Search:
- whois info, NS and AS reports
- search using target domain name and subdomains
- who's handling mail, DNS, net blocks, web hosting, etc
OSINT: Information Gathering and Key Words:
- use that google-fu
- password
- login
- target specific keywords
- database/secret/yak yak
- google dorks
- use SEAT/Goolag to audit a specific domain
OSINT: Information Gathering and File Search:
We're looking for:
- network diagrams (.vsd, .jpg, .gif)
- databases (.mdb)
- papers and documents (.doc, .pdf, .sdw)
- spreadsheets (.xls, .ods, .sdc)
- configuration files (.txt, .rtf)
Thanks metagoofil!
OSINT: Information Gathering and e-mail addresses
- Information Gathering and e-mail addresses (e-mail harvesting scripts and frameworks)
- Information Gathering and Cached Data/Links (archive.org, Wayback Machine, Google cache)
- Information Gathering and Source Code (spider the site, look at the HTML source and comments, file paths, file names, scripts used on the site)
FierceDNS
- meant specifically to locate likely targets both inside and outside a corporate network
- tries your standard DNS tricks (zone transfers, reverse lookups) but also does some bruteforcing of host names and tries to throw some intelligence into the searches
- bruteforce is only as good as your wordlist
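The loop below is an added example of the Fierce-style approach just described (it is not Fierce's own code): try a zone transfer, brute-force host names from a wordlist, then reverse-scan the addresses around every hit so that hosts the wordlist missed, and neighbours belonging to other organizations, still turn up. It also does the wildcard check that makes brute-forcing trustworthy. The resolver functions are injected, so here it runs against a constructed zone for the made-up domain example.test; pointing it at a real resolver is a matter of swapping those functions.

```python
import ipaddress

# Label that no sane zone should resolve; if it does, the zone is wildcarded.
WILDCARD_PROBE = "nonexistent-probe-7x9q2"

def enumerate_domain(domain, wordlist, resolve, reverse, try_axfr=None, expand=5):
    """Fierce-style host discovery (added example, not Fierce's own code).

    resolve(name) -> ip or None              forward lookup
    reverse(ip)   -> name or None            PTR lookup
    try_axfr(domain) -> {name: ip} or None   zone transfer, skipped if None
    Returns (hosts, nearby): hosts maps names under `domain` to IPs; nearby maps
    neighbouring IPs that reverse to some other domain (shared hosting, partner
    or parent company) to their names.
    """
    hosts, nearby = {}, {}
    suffix = "." + domain

    # 0. wildcard check: when a garbage label resolves, brute-force "hits" that
    #    come back with the same address are noise and get thrown away
    wildcard_ip = resolve(f"{WILDCARD_PROBE}.{domain}")

    # 1. zone transfer first: rarely allowed, but it hands over the whole zone
    if try_axfr is not None:
        hosts.update(try_axfr(domain) or {})

    # 2. brute force: only as good as the wordlist
    for word in wordlist:
        name = f"{word}.{domain}"
        ip = resolve(name)
        if ip and ip != wildcard_ip:
            hosts[name] = ip

    # 3. expand: reverse-scan +/- `expand` addresses around every hit, which is
    #    how hosts missing from the wordlist (and the neighbours) get found
    for ip in list(hosts.values()):
        base = int(ipaddress.ip_address(ip))
        for offset in range(-expand, expand + 1):
            try:
                candidate = str(ipaddress.ip_address(base + offset))
            except ValueError:  # walked off the edge of the address space
                continue
            name = reverse(candidate)
            if not name:
                continue
            if name.endswith(suffix):
                hosts[name] = candidate
            else:
                nearby[candidate] = name
    return hosts, nearby


# --- constructed zone standing in for real DNS (assumed domain example.test) ---
FAKE_FORWARD = {
    "www.example.test": "192.0.2.10",
    "mail.example.test": "192.0.2.11",
    "vpn.example.test": "192.0.2.20",
}
FAKE_REVERSE = {
    "192.0.2.10": "www.example.test",
    "192.0.2.11": "mail.example.test",
    "192.0.2.12": "citrix.example.test",   # not in the wordlist: found by expansion
    "192.0.2.20": "vpn.example.test",
    "192.0.2.22": "host22.partner.test",   # neighbour belonging to another org
}

def fake_resolve(name):
    return FAKE_FORWARD.get(name)

def fake_resolve_wildcard(name):
    """Same zone, but with a wildcard record answering every other label."""
    return FAKE_FORWARD.get(name, "192.0.2.99" if name.endswith(".example.test") else None)

def fake_reverse(ip):
    return FAKE_REVERSE.get(ip)

def fake_axfr(domain):
    return None  # transfer refused, as it almost always is

def demo():
    wordlist = ["www", "mail", "ftp", "vpn", "dev"]
    return enumerate_domain("example.test", wordlist, fake_resolve, fake_reverse, fake_axfr)

if __name__ == "__main__":
    hosts, nearby = demo()
    for name, ip in sorted(hosts.items()):
        print(f"{ip:16} {name}")
    for ip, name in sorted(nearby.items()):
        print(f"{ip:16} {name}   (other domain)")
```

Against the constructed zone the wordlist finds www, mail and vpn; the expansion step then picks up citrix.example.test (never in the wordlist) and flags 192.0.2.22 as a neighbour in another domain, which is exactly the "inside and outside the corporate network" view Fierce is after. Run the same function with fake_resolve_wildcard to see the ftp and dev "hits" discarded because they only resolve to the wildcard address.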
SEAT (Search Engine Assessment Tool)
"SEAT uses information stored in search engine databases, cache repositories, and other public resources to scan a site for potential vulnerabilities. Its multi-threaded, multi-database, and multi-search-engine capabilities permit easy navigation through vast amounts of information with a goal of system security assessment."
Google Mail Harvesters
• Goog-mail.py
• theHarvester.py
• There are enough others
• Consider changing the regex to search for different @ variations: [at] <at> (at)
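An added example (not goog-mail.py or theHarvester.py) of the regex change suggested above, together with the "look at the HTML source and comments" step from the source-code slide: it pulls addresses out of page source in the plain form as well as the [at], (at), <at> and bare "AT ... DOT" obfuscations, normalises them, and in the same pass collects HTML comments and referenced paths. The page source is constructed for the example; the baytsp.com addresses and paths in it are invented, not harvested.

```python
import html
import re
from html.parser import HTMLParser

# Obfuscated forms that a plain "\w+@\w+" harvester misses:
#   user [at] dom [dot] com, user (at) dom, user <at> dom, user AT dom DOT com
AT = r"(?:@|\s*[\[\(<]\s*at\s*[\]\)>]\s*|\s+at\s+)"
DOT = r"(?:\.|\s*[\[\(<]\s*dot\s*[\]\)>]\s*|\s+dot\s+)"
EMAIL_RE = re.compile(
    rf"([a-z0-9._%+-]+){AT}([a-z0-9-]+(?:{DOT}[a-z0-9-]+)+)", re.IGNORECASE)
DOT_RE = re.compile(r"\s*[\[\(<]\s*dot\s*[\]\)>]\s*|\s+dot\s+", re.IGNORECASE)

def harvest_emails(source, domain=None):
    """Sorted, de-duplicated, normalised addresses found in page source.
    With `domain` set only addresses at that domain are kept. The bare " at "
    form is noisy ("meet at home.now" matches), so filter by domain on real runs."""
    text = html.unescape(source)          # turns &lt;at&gt; back into <at>
    found = set()
    for user, dom in EMAIL_RE.findall(text):
        addr = f"{user}@{DOT_RE.sub('.', dom)}".lower()
        if domain is None or addr.endswith("@" + domain.lower()):
            found.add(addr)
    return sorted(found)

class SourceMiner(HTMLParser):
    """Collects HTML comments and referenced paths (scripts, links, form targets)."""
    def __init__(self):
        super().__init__()
        self.comments, self.paths = [], set()

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("src", "href", "action") and value \
                    and not value.startswith(("mailto:", "javascript:", "#")):
                self.paths.add(value)

def mine_source(source):
    miner = SourceMiner()
    miner.feed(source)
    return {"comments": miner.comments, "paths": sorted(miner.paths)}

# Constructed page source; every address and path in it is made up for the example.
SAMPLE_HTML = """<html><head>
<!-- TODO: remove test login before launch; contact jdoe [at] baytsp [dot] com -->
<script src="/js/admin/legacy-auth.js"></script>
</head><body>
<p>Support: <a href="mailto:support@baytsp.com">support@baytsp.com</a></p>
<p>Press: media (at) baytsp (dot) com, or call our PR firm: pr &lt;at&gt; example.net</p>
<p>Sales: SALES AT BAYTSP DOT COM</p>
<form action="/cgi-bin/login.pl"><input name="user"></form>
<!-- built with SiteBuilder 3.2 by rwilliams -->
</body></html>"""

def demo():
    return {
        "target_emails": harvest_emails(SAMPLE_HTML, "baytsp.com"),
        "all_emails": harvest_emails(SAMPLE_HTML),
        "source": mine_source(SAMPLE_HTML),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Four distinct baytsp.com addresses come back from a page where only one is written in plain user@domain form, and the comments hand over a developer login (rwilliams) plus an admin script path worth a look later.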
Metagoofil
- Meta-what???
- MetaGoofil - Metadata analyzer, information gathering tool.
- Created by Christian Martorella of Edge Security.
- http://www.edge-security.com/metagoofil.php
- "Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,odp,ods) available in the target/victim websites."
- "It will generate a html page with the results of the metadata extracted, plus a list of potential usernames and path disclosure, can be useful for preparing a bruteforce attack on open services like ftp, pop3, web applications, vpn, etc."
Why Metadata?
• Metadata can:
• Reveal the creator of a document, and even a possible
network username, or let you derive the naming convention.
• Reveal the application that created the document.
• Reveal the version of the software that created the
document.
• Reveal the creation date. A document created recently
with a vulnerable version means that version is probably still installed.
• We now have possible usernames, the applications used by those individuals and the software versions. Now we can deliver a directed client side attack for something installed in the enterprise.
• Also try running your Word documents through The Revisionist by Michal Zalewski
http://lcamtuf.coredump.cx/strikeout/
• The Revisionist can pull out deleted comments and text if "track changes" had been used, and dump the document with the deleted text to an HTML file.
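An added example, not Metagoofil's or The Revisionist's code, that does both jobs from the two slides above on one file: read the author, last editor, creation date and authoring application out of a document's properties (the "Why Metadata?" list), then dig the deleted runs and reviewer comments out of the body the way The Revisionist does for tracked changes. It assumes the zipped Office Open XML (.docx) format rather than the binary .doc that tools of this era handled, and reads the docProps/core.xml, docProps/app.xml, word/document.xml and word/comments.xml parts that Word writes. The sample document, its names and the leaked password are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]

def _text(root, path):
    el = root.find(path, NS)
    return el.text if el is not None else None

def extract_metadata(docx_bytes):
    """Author, editor, creation date and authoring application from docProps/."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
    return {
        "creator": _text(core, "dc:creator"),
        "last_modified_by": _text(core, "cp:lastModifiedBy"),
        "created": _text(core, "dcterms:created"),
        "application": _text(app, "ep:Application"),
        "app_version": _text(app, "ep:AppVersion"),   # 12.x = Office 2007
    }

def extract_revisions(docx_bytes):
    """Deleted runs (w:del/w:delText) and reviewer comments left by track changes."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        comments = None
        if "word/comments.xml" in z.namelist():
            comments = ET.fromstring(z.read("word/comments.xml"))
    deleted = ["".join(t.text or "" for t in d.iter(W + "delText"))
               for d in doc.iter(W + "del")]
    notes = []
    if comments is not None:
        for c in comments.iter(W + "comment"):
            body = "".join(t.text or "" for t in c.iter(W + "t"))
            notes.append((c.get(W + "author"), body))
    return {"deleted": deleted, "comments": notes}

def username_candidates(full_name):
    """Login guesses for a display name, keyed by naming convention."""
    parts = full_name.lower().split()
    if len(parts) < 2:
        return {"single": parts[0] if parts else ""}
    first, last = parts[0], parts[-1]
    return {"flast": first[0] + last, "first.last": f"{first}.{last}",
            "firstlast": first + last, "lastf": last + first[0],
            "first_last": f"{first}_{last}"}

def infer_convention(full_name, observed_login):
    """Which convention turns `full_name` into the login actually seen?"""
    for style, guess in username_candidates(full_name).items():
        if guess == observed_login.lower():
            return style
    return None

def build_sample_docx():
    """Constructed stand-in for a .docx pulled from the target's web site."""
    core = (f'<?xml version="1.0" encoding="UTF-8"?><cp:coreProperties xmlns:cp="{NS["cp"]}" '
            f'xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}"><dc:creator>Jane Doe</dc:creator>'
            '<cp:lastModifiedBy>jdoe</cp:lastModifiedBy><dcterms:created>2008-02-11T09:14:00Z'
            '</dcterms:created></cp:coreProperties>')
    app = (f'<?xml version="1.0"?><Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word'
           '</Application><AppVersion>12.0000</AppVersion></Properties>')
    document = (f'<?xml version="1.0"?><w:document xmlns:w="{NS["w"]}"><w:body><w:p>'
                '<w:r><w:t>Contract draft for the VPN rollout.</w:t></w:r>'
                '<w:del w:author="jdoe"><w:r><w:delText>Default admin password is Spring2008!'
                '</w:delText></w:r></w:del></w:p></w:body></w:document>')
    comments = (f'<?xml version="1.0"?><w:comments xmlns:w="{NS["w"]}"><w:comment w:id="0" '
                'w:author="Bob Lee"><w:p><w:r><w:t>Ask blee to change this before it ships</w:t>'
                '</w:r></w:p></w:comment></w:comments>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()

def demo():
    doc = build_sample_docx()
    meta = extract_metadata(doc)
    rev = extract_revisions(doc)
    meta["convention"] = infer_convention(meta["creator"], meta["last_modified_by"])
    return meta, rev

if __name__ == "__main__":
    meta, rev = demo()
    for key, value in meta.items():
        print(f"{key:18} {value}")
    print("deleted text:", rev["deleted"])
    print("comments:    ", rev["comments"])
```

The creator "Jane Doe" next to the last editor "jdoe" is what lets you infer the first-initial-plus-surname convention, so the reviewer "Bob Lee" from the comments becomes a second login guess (blee, which the comment text happens to confirm), the AppVersion tells you which Office build to aim a client-side attack at, and the tracked deletion is the sort of thing The Revisionist was written to surface.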
ServerSniff.net
http://serversniff.net/
NS/MX Reports
AS Reports
Subdomains
TLDs
Hostnames on an IP
Domains on webserver
Web Tools
HTML Comments
HTML Code
SSL Certificate Info
Links within page
Web Server Headers
http://www.domaintools.com/
Hosting history: Track previous web hosts and hosting providers
Domain history: view contact information from before it was privatized
Registrant Alert: Find new registrations by someone
Registrant Search: Find all domains someone owns
Links to Wikipedia references
Best/Most tools on site are for pay :-(
http://centralops.net/co/
http://clez.net/net
• Query port and service scan information
• dns, ping, whois, ssl info, traceroutes
• e-mail verification, open relay checking
http://www.robtex.com/
spoke.com
Search for people locate their company
Search for companies and find names
TouchGraph
• http://touchgraph.com
• "TouchGraph's powerful visualization solutions reveal relationships between people,
organizations, and ideas."
• Visually shows the big picture of how things are tied together using Google results.
Maltego
http://www.paterva.com/web2/Maltego/maltego.html
• By Roelof Temmingh from Paterva
• What is it?
• Maltego is a program that can be used to determine the relationships and
real world links between:
– People
– Groups of people (social networks)
– Companies
– Organizations
– Web sites
– Internet infrastructure such as:
• Domains
• DNS names
• Netblocks
• IP addresses
– Phrases
– Affiliations
– Documents and files
• All using open source intelligence (OSINT)
• What else tin toilet Maltego do?
• Technorati transforms, blog tags, search blogs for phrases
• Incoming links, who links to your domain
• Social network transforms; find a name, find their email, blog, phone number, etc
• Print graphs on several pages
• Can export the information into .csv, can save the maltego file and open it in any other maltego instance
• Save pieces of graphs as images
• Can write your own transforms or stand up your own server.
• ** version 2 is for pay but inexpensive, $430 USD for the first year
So What?
• Ok, lots of information, what did I learn from all of it?
– If you are allowed to send social engineered e-mails or do client side attacks, you have an initial target list of e-mail addresses. Using e-mail dossier/maltego I can verify working e-mail addresses. I only need one person to open/click that e-mail for my foothold.
– Naming conventions, users and offices, phone numbers, relationships between organizations
– Target organization's IP space and footprint. VPN server's IP, Terminal/Citrix server IPs, firewall's IP, etc.
– Versions of software that is typically targeted in client side attacks (MS Office)
– Using Maltego we see the relationships between our site and other sites, in addition to the above.
– All gained without your typical definition of "scanning"