A quick walkthrough of OSINT given at the Null Delhi chapter meet using this presentation. The speaker discussed various test cases which pen-testers can use while performing their day-to-day assessments.
The tool demonstrated in the slides is hosted at https://github.com/upgoingstar/datasploit. Stay tuned for new feature releases.
2. Who Am I?
• Shubham Mittal
• 4+ years of experience ~ Offensive & Defensive roles.
• InfoSec Consultant. Trainer @ Nullcon.
• Interests in PT, OSINT, Infrastructure Security.
• Projects: Datasploit
• Biker, Beat Boxer, Blogger.
@upgoingstar | shubhammittal.net | shubham@shubhammittal.net
3. Internet gives you RAW Data. Harvest it.
OSINT – Open Source Intelligence
(Intelligence derived from publicly available information)
4. WhoIs Records – First things first.
• Reveals registrant / admin / technical contact email IDs
• Reveals the contact person and organisation
• Some other basic information: registrar, name servers, creation and expiry dates.
• Privacy-protected or redacted records hide most of this; historical WHOIS lookups often still have the pre-redaction data.
5. DNS Records
• CNAME Records – give you subdomains, and show which third-party services they alias to.
• MX Records – identify the mail servers (or outsourced mail provider) you will be assessing for attacks.
• A records – IP addresses
6. Domain History
• abc.com uses Cloudflare / Incapsula / Sucuri.
• All DNS traffic (and hence all HTTP traffic) is routed through the provider, so the IPs you see belong to the CDN / WAF, not to the origin server.
• Domain history services reveal the earlier IP addresses the domain resolved to.
• If one of those IPs still hosts the website (check by requesting the IP with the Host header set to the domain), you can talk to the origin directly and bypass all of the provider's rate limiting, firewall rules, etc.
7. Wappalyzer
• Profiles the technologies a website is using (server, frameworks, CMS, JS libraries), with version numbers where it can detect them.
• Vulnerabilities associated with these technologies and versions can then be listed via CVEDetails.com.
• Have fun. ;)
• BuiltWith is also a good option, though automating Wappalyzer is easy.
• Both are available as Firefox add-ons as well.
8. PunkSpider, OpenVuln, SSL Labs, etc.
• Pass the domain and check for vulnerabilities already found by these scanners / other researchers.
• SSL Labs scans for all the SSL / TLS related issues (protocol and cipher support, certificate problems, known attacks). You get niche testing done without hitting the target from your own IP.
• Note that SSL Labs publishes results on its public boards unless you tick the option not to show them.
10. • Computer / device search engines
• Locate exposed portals / legacy dashboards.
• Code search engines
• Look for vulnerable code and hard-coded secrets. Juicy targets. Wow.
• People search engines
• Profile a specific user.
• TrueCaller / ThatsThem
• Phone number lookup.
11. Enumerate Subdomains
• Trickiest part.
• Knock.py type scripts are available for brute-forcing subdomains from a wordlist.
• Too much noise, not that effective. Can't brute-force longer or unusual subdomain names.
• WolframAlpha – advanced domain data
• DNSDumpster
• Netcraft
• Resolve every candidate and discard wildcard-DNS hits: if a random name under the domain also resolves, every brute-forced name will appear to "exist".
• Automate! Hit it!
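Whatever the source (DNSDumpster / Netcraft output, certificate SAN lists, a spidered page, a code search hit), the boring part is pulling the target's hostnames out of text without picking up lookalikes. The following is an added example, not code from the talk or from Datasploit; the sample text is constructed and the domain example.com is an assumption. The point it makes is the boundary check: a naive search for "example.com" also matches example.com.evil.net and notexample.com, both of which belong to someone else.

```python
import re

# Constructed sample: a blob mixing DNSDumpster-style output, a certificate SAN list
# and some lookalike hostnames that must NOT be reported.
SAMPLE_TEXT = """Host             IP
www.example.com  198.51.100.10
MAIL.example.com 198.51.100.20
*.staging.example.com
DNS:api.example.com, DNS:vpn.example.com
http://legacy.example.com.evil.net/login   (lookalike, different registered domain)
notexample.com                             (different domain, shares a suffix)
example.com                                (the apex, not a subdomain)
"""

# One DNS label: 1-63 chars, alphanumeric with inner hyphens.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"


def subdomain_pattern(domain: str) -> re.Pattern:
    """Regex matching hostnames under `domain` with correct boundaries.

    At least one dotted label must precede the domain, so the apex and
    'notexample.com' are not matched; the lookbehind stops a match starting in
    the middle of a label; the lookahead rejects anything followed by another
    label ('example.com.evil.net'), which a plain substring search would accept.
    """
    esc = re.escape(domain.lower())
    return re.compile(
        rf"(?<![a-z0-9-])((?:\*\.)?(?:{LABEL}\.)+){esc}(?![a-z0-9.-])",
        re.IGNORECASE,
    )


def harvest_subdomains(text: str, domain: str) -> list[str]:
    """Return sorted, de-duplicated subdomains of `domain` found in `text`.

    Wildcard entries ('*.staging.example.com') are reported as the base name
    ('staging.example.com'), which is what you would actually resolve / scan.
    """
    pat = subdomain_pattern(domain)
    found = set()
    for m in pat.finditer(text):
        labels = m.group(1).lower()
        if labels.startswith("*."):
            labels = labels[2:]
        if labels:
            found.add(labels + domain.lower())
    return sorted(found)


if __name__ == "__main__":
    for host in harvest_subdomains(SAMPLE_TEXT, "example.com"):
        print(host)
```

Feed the output to a resolver and keep only names that resolve (and drop them all if a random name resolves too, i.e. wildcard DNS).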
12. Extract files, extract metadata from them.
• Filetype search via Google / Yandex / Bing / etc. (e.g. site:example.com filetype:pdf)
• Spider the site.
• Extract all files, e.g. PDF, SWF, DOCX, etc.
• Extract metadata
• Run ExifTool ~ application version, author / username, creation dates, internal paths, etc.
14. Breach Status?
• Have I Been Pwned?
• Breached or clear?
• If the email is found in a breach, is the breach data public (i.e. can the actual credentials be obtained)?
• Quite often, people use the same password for more than one account.
15. OSINT on Email
• Find the Gravatar for the address.
• TinEye.com / Google Reverse Image Search / FindFace on the profile picture.
• Information from Facebook / Google Plus / blog / LinkedIn
• Harvest the username (the local part of the address, and any handle linked to it).
• ClearBit
16. OSINT on Username
• UserSherlock / NameCheck / KnowEm – find which sites the handle is registered on.
• Tweets. Woah! Woah! Woah!
• Instagram check-ins / Facebook check-ins
• GitHub repos > employees don't give a shit about security.
• API keys? Access tokens? Passwords? DB creds? What not?
• A secret committed once is not removed by a later commit that deletes it: it stays in the history (and in forks and caches) unless the history is rewritten or the whole repo is deleted, so treat it as compromised.
• Gravatar / profile image > reverse image search.
18. Search domain in GitHub
• https://github.com/search?q=“example.com”&type=Code
• Specifically check server-side code and config files: .php, .py, .asp, .jsp, etc.
• No high-sev bug > get creds from Git. w00t w00t. :D
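Once the code search has turned up a file, the hits worth keeping are fixed-format keys (which match on pattern alone) and generic `password = "..."` style assignments, which need an entropy check so that placeholders are not reported as findings. This is an added example, not code from the talk or from Datasploit; the sample config file is constructed and the AWS values in it are the documented AWS example credentials, not real secrets.

```python
import math
import re
from collections import Counter

# Constructed sample: a 'config.py' such as a code search for "example.com" might turn up.
SAMPLE_FILE = '''DB_HOST = "db.internal.example.com"
DB_USER = "app"
DB_PASS = "Summer2015!"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEBUG = "false"
api_token = "changeme"
-----BEGIN RSA PRIVATE KEY-----
'''

PATTERNS = {
    # AWS access key IDs have a fixed prefix and length, so the pattern alone is enough.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # Generic NAME = "value" assignment whose name smells like a credential.
    "credential_assignment": re.compile(
        r"(?i)\b([a-z0-9_]*(?:pass|pwd|secret|token|api_?key)[a-z0-9_]*)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score higher than dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_for_secrets(text: str, min_entropy: float = 3.0) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, matched_value) tuples.

    Generic assignments are reported only when the value has enough entropy,
    which drops short placeholders such as 'changeme' while keeping real-looking
    passwords and secrets. The threshold is a tunable assumption, not a standard.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                if name == "credential_assignment":
                    value = m.group(2)
                    if shannon_entropy(value) < min_entropy:
                        continue
                    findings.append((lineno, name, f"{m.group(1)}={value}"))
                else:
                    findings.append((lineno, name, m.group(0)))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_for_secrets(SAMPLE_FILE):
        print(f"line {lineno}: {kind}: {value}")
```

Run it over every file a search hit points at, including older revisions of the file, since a key that was removed in a later commit is still in the history.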
21. Check S3 buckets / Azure (Windows) blobs for access controls.
• bucketfinder.rb < searches for S3 buckets based on keywords.
• Bucket name nomenclature:
• https://bucketname.s3.amazonaws.com
• https://s3.amazonaws.com/bucketname
• Install aws-cli and configure it. A free-tier AWS account gives you the access key ID and secret access key the CLI needs.
• By default AWS buckets are private. But devs are too smart sometimes ;)
• Simple checks
• aws s3 ls s3://bucketname (add --no-sign-request to test anonymous access; without it you are testing what any authenticated AWS user can do, which is a different grant)
• aws s3 mv ../../Downloads/filename.txt s3://bucketname (tests write access; aws s3 cp does the same without deleting your local copy)
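A keyword-driven check in the spirit of bucketfinder.rb, written as an added example (not the tool's code, not from the talk): generate candidate names from a keyword, build both URL forms from the slide, and interpret what an unauthenticated GET on the bucket tells you. The environment words, the region-less endpoint and the example keyword are assumptions. Only the name generation and the response classifier run offline; probe_bucket needs network and is there to show how they fit together.

```python
import re
import urllib.error
import urllib.request


def bucket_urls(name: str) -> list[str]:
    """Both naming styles from the slide (region-less endpoint assumed)."""
    return [f"https://{name}.s3.amazonaws.com/", f"https://s3.amazonaws.com/{name}/"]


# Assumed suffixes/prefixes; extend from what you learn about the target's naming habits.
ENV_WORDS = ("dev", "staging", "prod", "backup", "assets", "static", "uploads", "logs")


def candidate_bucket_names(keyword: str, env_words=ENV_WORDS) -> list[str]:
    """Keyword permutations, filtered to names S3 would actually accept."""
    base = keyword.lower().strip()
    names = {base}
    for w in env_words:
        names.update({f"{base}-{w}", f"{base}.{w}", f"{base}{w}", f"{w}-{base}"})
    valid = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
    return sorted(n for n in names if valid.match(n))


def classify_bucket_response(status: int, body: str) -> str:
    """What an anonymous GET on the bucket URL tells you.

    200 with <ListBucketResult>  -> exists and anyone can list it
    403                          -> exists, anonymous listing denied
                                    (still worth 'aws s3 ls' with any AWS account)
    404 NoSuchBucket             -> name is free
    301 PermanentRedirect        -> exists in another region; <Endpoint> in the body says where
    """
    if status == 200 and "<ListBucketResult" in body:
        return "listable"
    if status == 403:
        return "exists-private"
    if status == 404 and "NoSuchBucket" in body:
        return "no-such-bucket"
    if status in (301, 307) or "PermanentRedirect" in body:
        return "exists-other-region"
    return f"unknown({status})"


def probe_bucket(name: str, timeout: float = 5.0) -> str:
    """Live check (needs network). Anonymous GET, no AWS credentials involved."""
    req = urllib.request.Request(bucket_urls(name)[0], headers={"User-Agent": "bucket-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_bucket_response(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_bucket_response(e.code, e.read(4096).decode("utf-8", "replace"))


if __name__ == "__main__":
    for name in candidate_bucket_names("example"):
        print(name, probe_bucket(name))
```

A 403 here is not the end of the check: the slide's `aws s3 ls` with any AWS account tests the separate "authenticated users" grant, and a write test belongs only on buckets you are authorised to touch.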
22. Obtain Government Data [PAN Card / Voter Card Information]
• Name + DoB = PAN card information
• Name + DoB + native place = voter card information
• http://electoralsearch.in/##resultArea
• DoB: username OSINT / social media.
• DD/MM is usually public (birthday wishes); YYYY can be narrowed down from the education dates on a LinkedIn profile.
24. Monitoring and Alerting
• Use streaming APIs where possible.
• Dump the data into ES / MongoDB / a DB of your choice.
• Calculate a hash of each record and alert when a new or changed hash shows up.
• For Elasticsearch, ElastAlert is cool (frequency / spike / negation / etc. rule types). http://nullcon.net/website/nullcon-2016/training/attack-monitoring-using-elasticsearch-logstash-kibana.php
• It can send alerts to Jira, HipChat, Slack, email, or run bash commands ~ (perform an action).
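The hash-and-alert idea from this slide, as an added example (not code from the talk, Datasploit or ElastAlert): records are normalised before hashing so that key order or letter case does not trigger false alerts, and each run reports new, changed and removed records against the last run. The two snapshots are constructed sample data (a subdomain-to-IP mapping); persisting the state dict in ES / MongoDB and the delivery to Slack or Jira are left to the store and alerter of your choice.

```python
import hashlib
import json

# Constructed snapshots of one OSINT source on two consecutive runs.
SNAPSHOT_1 = [
    {"host": "www.example.com", "ip": "198.51.100.10"},
    {"host": "mail.example.com", "ip": "198.51.100.20"},
    {"host": "vpn.example.com", "ip": "198.51.100.30"},
]
SNAPSHOT_2 = [
    {"ip": "198.51.100.10", "host": "WWW.example.com"},  # same record, different key order and case
    {"host": "mail.example.com", "ip": "203.0.113.5"},   # changed: mail now resolves elsewhere
    {"host": "dev.example.com", "ip": "198.51.100.40"},  # new host
    # vpn.example.com has disappeared
]


def normalize(record: dict) -> dict:
    """Lower-case keys and values, strip whitespace, so equal facts hash equal."""
    return {k.lower(): str(v).strip().lower() for k, v in record.items()}


def record_hash(record: dict) -> str:
    """SHA-256 over a canonical JSON form (sorted keys, no whitespace)."""
    canonical = json.dumps(normalize(record), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ChangeMonitor:
    """Keeps key -> last-seen hash and emits alerts on each ingest."""

    def __init__(self, key_field: str):
        self.key_field = key_field
        self.state: dict[str, str] = {}  # in practice: a document per key in ES / MongoDB

    def ingest(self, records) -> list[dict]:
        alerts = []
        seen_keys = set()
        for rec in records:
            n = normalize(rec)
            key = n[self.key_field]
            h = record_hash(rec)
            seen_keys.add(key)
            old = self.state.get(key)
            if old is None:
                alerts.append({"type": "new", "key": key, "record": n})
            elif old != h:
                alerts.append({"type": "changed", "key": key, "record": n})
            self.state[key] = h
        for key in list(self.state):
            if key not in seen_keys:
                alerts.append({"type": "removed", "key": key})
                del self.state[key]
        return alerts


if __name__ == "__main__":
    monitor = ChangeMonitor("host")
    print("run 1:", monitor.ingest(SNAPSHOT_1))
    print("run 2:", monitor.ingest(SNAPSHOT_2))
```

The first run is all "new", which is the baseline; from the second run on, each alert is something actually worth a look, which is what a Slack or Jira hook should receive.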
25. Null Humla on OSINT
https://bitbucket.org/null0x00/null-blr-humla-osint-dec-2015/src/5fdef0599552b46d632e57a7c2dc00d65e27d613/HumlaSummary.txt?at=master&fileviewer=file-view-default