This presentation shows new sources where information could be gathered from a target victim or company. Useful for penetration testers :)

1. Christian Martorella
Source Conference Barcelona 2009

2. Tactical
Information Gathering
Christian Martorella
Source Conference Barcelona 2009

3. Who am i ?
Christian Martorella
Security Services S21sec
CISSP, CISA, CISM, OPST, OPSA, C|EH
OWASP WebSlayer Project Leader
Edge-Security.com

4. Information Gathering
“Is the collection of information before the attack.
The idea is to collect as much information as
possible about the target which may be valuable
later.”

5. Tactical
“Designed or implemented to gain a temporary
limited advantage”
Wikipedia

6. I.G Why use it?
It’s what the real attackers are doing
Attackers doesn’t have a restricted scope
Knowing what information about you or your company
is available online
Spear Phishing: 15.000 infected users, as results of 66
campaings.

7. I.G what for?
Infrastructure:
Information for discovering new targets, to get a
description of the hosts (NS,MX, AS,etc), shared
resources, applications, software, etc.
People and organizations :
For performing brute force attacks on available
services, Spear phishing, social engineering,
investigations, background checks, information leaks

8. Typical Pentesting Methodology
Post- Cover Write
I.G Scan Enumerate Exploit
Exploit Tracks report

9. What everyone focus on:
Enumera Post- Cover Write
I.G Scan Exploit
te Exploit Tracks report

10. Real world Methodology
I.G
Discover what
makes the company
money
Do whatever it
Steal it
takes...
Discover what is
valuable to the
attacker

11. Types of I.G

12. Types of I.G
Passive Active
Semi Passive

13. Where / how can we obtain
this kind of info?

14. Obtaining info - Old School way
DNS Zone Transfer (active)
DNS Reverse Lookup Search engines
(active) PGP Key Servers
DNS BruteForce (active++) Whois
Mail headers (active)
smtp Bruteforcing (active++)

15. Obtaining info - Old School way
Active Passive
DNS Zone Transfer (active)
DNS Reverse Lookup Search engines
(active) PGP Key Servers
DNS BruteForce (active++) Whois
Mail headers (active)
smtp Bruteforcing (active++)

16. New sources for I.G

17. Obtaining - New sources
Web 2.0 - Social Networks and Search engines (passive)
Metadata (passive)
Private data (passive paid) Intelius, Lexis Nexis

18. Obtaining people info - New sources
Professional and Business Social networks

19. Obtaining people info -
New sources

20. Obtaining people info -
New sources
Current Job
Pasts Jobs
Education
Job description
Etc...

21. Obtaining employees names
from a company

22. Obtaining employees names
from a company

23. Linkedin I.G example

24. Linkedin I.G example
I L
FA

25. Obtaining people info -
New sources

26. Obtaining Emails from a
company

27. Obtaining Emails from a
company

28. Google Finance & Reuters

29. People information:

30. People search

31. People search

32. People search
Name
Username
Email
Phone
Business

33. Nick name / username
verification

34. Nick name / username
verification

35. Nick name / username
verification

36. Nick name / username
verification

37. Private data - pay per view

38. Microblogs
Small posts up to 140 characters

39. Microblogs
Small posts up to 140 characters

44. Bookmarks

45. Bookmarks

46. Bookmarks

47. Bookmarks
A IL
F

48. Reverse Image search
Pic from
“Novartis”
search on
TwwepSearch

49. Reverse Image search
Pic from
“Novartis”
search on
TwwepSearch

50. WikiScanner
When you edit the wikipedia:
You can edit leaving your username
You can edit anonymous using your IP address

51. WikiScanner
Company IP ranges
Anonymous Wikipedia edits, from interesting
organizations
Provide an ip for a wikipedia username
http://wikiscanner.virgil.gr/

52. WikiScanner - IP ranges

53. WikiScanner - Wikipedia edits

54. Poor Man Check User
Provide an ip for a wikipedia username

55. New sources - Metadata
Metadata: is data about data.

56. New sources - Metadata
Metadata: is data about data.
Is used to facilitate the understanding, use and
management of data.

57. Obtaining more data - Metadata
Provides basic information such as the author of a
work, the date of creation, links to any related
works, etc.

58. Metadata - Dublin Core (schema)
Content & about the Intellectual Property Electronic or Physical
Resource manifestation
Title Author or Creator Date
Subject Publisher Type
Description Contributor Format
Language Rights Identifier
Relation
Coverage

59. Metadata example

60. Metadata example

61. Metadata - Images
EXIF Exchangeable Image
File Format
• GPS coordinates
• Time
• Camera type
• Serial number
• Sometimes unaltered
original photo can be
found in thumbnail
Online exif viewer.

62. Metadata - Images
EXIF Exchangeable Image
File Format
• GPS coordinates
• Time
• Camera type
• Serial number
• Sometimes unaltered
original photo can be
found in thumbnail
Online exif viewer.

63. Metadata - example

64. Metadata - example
logo-Kubuntu.png
logo-Ubuntu.png
software - www.inkscape.org software - Adobe ImageReady
size - 1501x379 size - 1501x391
mimetype - image/png mimetype - image/png

65. Metadata - example
logo-Kubuntu.png
logo-Ubuntu.png
software - www.inkscape.org software - Adobe ImageReady
size - 1501x379 size - 1501x391
mimetype - image/png mimetype - image/png
:/

66. Metadata - EXIF- Harry Pwner
Deathly EXIF?

67. Cat Schwartz - Tech TV

68. Cat Schwartz - Tech TV

69. Cat Schwartz - Tech TV

70. Cat Schwartz - Tech TV
I L
FA

71. Washington Post
Botmaster location exposed by the Washington Post

72. Washington Post
Botmaster location exposed by the Washington Post
SLUG: mag/hacker
DATE: 12/19/2005
PHOTOGRAPHER: Sarah L. Voisin/TWP
id#: LOCATION: Roland, OK
CAPTION:
PICTURED: Canon Canon EOS 20D
Adobe Photoshop CS2 Macintosh 2006:02:16 15:44:49 Sarah
L. Voisin

73. Washington Post
Botmaster location exposed by the Washington Post
SLUG: mag/hacker
DATE: 12/19/2005
PHOTOGRAPHER: Sarah L. Voisin/TWP
id#: LOCATION: Roland, OK
CAPTION:
PICTURED: Canon Canon EOS 20D
Adobe Photoshop CS2 Macintosh 2006:02:16 15:44:49 Sarah
L. Voisin
There are only 1.500 males in Roland Oklahoma

74. Metadata
Ok, I understand metadata... so what?

75. Metagoofil
Metagoofil is an information gathering tool
designed for extracting metadata of public
documents (pdf,doc,xls,ppt,etc) availables in
the target/victim websites.

76. Metagoofil
Metagoofil is an information gathering tool
designed for extracting metadata of public
documents (pdf,doc,xls,ppt,etc) availables in
the target/victim websites.

77. Metagoofil
Metagoofil is an information gathering tool
designed for extracting metadata of public
documents (pdf,doc,xls,ppt,etc) availables in
the target/victim websites.

78. Metagoofil
Metagoofil is an information gathering tool
designed for extracting metadata of public
documents (pdf,doc,xls,ppt,etc) availables in
the target/victim websites.

79. Metagoofil

80. Metagoofil
Workers
User names Server names
names
Software
Paths
versions + Date
Mac Address

81. Metagoofil
Workers
User names Server names
names
Computer Software
Paths
names versions + Date
Mac Address

82. Metagoofil

83. Metagoofil
site:nasa.gov filetype:ppt

84. Metagoofil
site:nasa.gov filetype:ppt

85. Metagoofil
Downloaded files

86. Metagoofil
Downloaded files
ppt 1
pptx 2
parsers /
Results.html
doc 3 filtering
Libextractor
docx 3 Hachoir
Regexp
pdf n Own libs

87. Metagoofil - results

88. Metagoofil - results

89. Metagoofil - results

90. Metagoofil - results

91. Metagoofil - results

92. Metagoofil - results

93. Metadata - The Revisionist
Tool developed by Michal Zalewski, this tool will
extract comments and “Track changes” from Word
documents.
http://download.microsoft.com/download/3/4/9/349c2166-4d53-43f6-b1fd-970090e23216/PARTNER/MSFreeShop.doc

94. Metagoofil & Linkedin results
Now we have a lot of information, what can i do?
• User profiling

95. Using results

96. Using results
User profiling
• User list creation John Doe
john.doe
jdoe
j.doe
johndoe
johnd
john.d
jd
doe
john

97. Using results
User profiling
• User list creation John Doe
john.doe
jdoe
j.doe
johndoe
johnd
john.d
jd
doe
john

98. Using results
User profiling
• User list creation John Doe
john.doe
jdoe
j.doe
johndoe
johnd ATTACK!
john.d
jd
doe
john

99. Using results

100. Using results
Password profiling
Dictionary creation: words from the different user sites
magic
serra angel
necropotence
Shivan dragon
elf
brainstorm
...
...

101. Using results
Password profiling
Dictionary creation: words from the different user sites
magic
serra angel
necropotence
Shivan dragon
elf
brainstorm
...
...

102. Using results
Password profiling
Dictionary creation: words from the different user sites
magic
serra angel
necropotence
Shivan dragon Brute force
elf ATTACK
brainstorm
...
...

103. One password to rule them
all

104. Maltego the ultimate I.G Tool

105. Maltego the ultimate I.G Tool

106. Maltego the ultimate I.G Tool

107. Maltego the ultimate I.G Tool

108. Other examples

109. Phone in sick and treat himself to a day in bed.
Kyle Doyle's Facebook profile makes it quite
obvious he was not off work for a 'valid medical
reason'

110. Phone in sick and treat himself to a day in bed.
I L
FA
Kyle Doyle's Facebook profile makes it quite
obvious he was not off work for a 'valid medical
reason'

111. Was shown the door after posting that her job was
'boring' on her Facebook page

112. I L
FA
Was shown the door after posting that her job was
'boring' on her Facebook page

113. More than meet the eyes

114. More than meet the eyes

115. More than meet the eyes

116. Daily life I.G
Looking for a Housekeeper on Craiglist, 3 interesting
resumes came up:

117. Daily life I.G
Looking for a Housekeeper on Craiglist, 3 interesting
resumes came up:
Myspace page, applicant drinking beer from a
funnel

118. Daily life I.G
Looking for a Housekeeper on Craiglist, 3 interesting
resumes came up:
Myspace page, applicant drinking beer from a
funnel
Local police, applicant arrested 2 years before
for shoplifting

119. Daily life I.G
Looking for a Housekeeper on Craiglist, 3 interesting
resumes came up:
Myspace page, applicant drinking beer from a
funnel
Local police, applicant arrested 2 years before
for shoplifting
Personal blog, saying that she is applying for
menial jobs, and will quit as soon she sells
some paintings

120. Final thoughts
Be careful what you post/send, all stay online
Think twice what you post
Check the privacy configuration of your tools/sites
Too much information, difficult to classify
This is growing, more information is being indexed,
more search engines

121. References
www.edge-security.com
blog.s21sec.com
www.s21sec.com
carnal0wnage.blogspot.com
www.gnunet.org/libextractor
lcamtuf.coredump.cx/strikeout/
www.paterva.com
http://sethgodin.typepad.com/seths_blog/2009/02/personal-branding-in-the-age-
of-google.html
laramies.blogspot.com
http://www.eweek.com/c/a/Security/Washington-Post-Caught-in-Metadata-Gaffe/
Chris Gates Carnal0wnage Brucon 2009 Presentation
http://www.neuroproductions.be/twitter_friends_network_browser/

122. ?

123. Thank you for coming
cmartorella@s21sec.com http://laramies.blogspot.com
cmartorella@edge-security.com http://twitter.com/laramies