Open Source Intelligence (OSINT) - Testcases for Pentesters

OSINT Testcases for Pentesters @upgoingstar | [email protected]

Upload: shubham-mittal

Post on 21-Jan-2017


Page 1: Open Source Intelligence (OSINT)- Testcases for Pentesters

OSINT Testcases for Pentesters

@upgoingstar | [email protected]

Page 2:

Who Am I?
• Shubham Mittal
• 4+ years of experience in offensive and defensive roles.
• InfoSec consultant. Trainer at Nullcon.
• Interests in PT, OSINT and infrastructure security.
• Projects: Datasploit
• Biker, beat boxer, blogger.

@upgoingstar | shubhammittal.net | [email protected]

Page 3:

The Internet gives you RAW data. Harvest it.

OSINT - Open Source Intelligence (intelligence built from publicly available information).

Page 4:

WhoIs Records - First things first.
• Reveals the registrant's email ID.
• Reveals the contact person.
• Some other basic information: registrar, creation and expiry dates, name servers.
• Caveat: many registrars now redact or proxy the contact fields; historical WHOIS services often still hold the original entries.

Page 5:

DNS Records
• CNAME records - give you subdomains and the third-party services they point at (CDN, SaaS, hosting).
• MX records - identify the mail servers (often a third party); these are the targets for mail-server attacks.
• A records - IP addresses.

Page 6:

Domain History
• abc.com uses Cloudflare / Incapsula / Sucuri.
• The domain's public A records point at the provider's edge, so all traffic to the site is proxied through it.
• Domain history (passive DNS) reveals the earlier IP addresses the site was hosted on.
• If one of those IPs still hosts the website, talk to it directly and you bypass all the provider's rate limiting, firewall / WAF rules, etc.
• Check it by requesting the same page from the old IP with the Host header set to the domain, and compare the response with the one served through the provider.
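The origin check described on this slide, as an added example (not code from the slides or from Datasploit). It requests the same page through the public hostname and directly from each candidate IP, forcing SNI and the Host header to the domain, then compares a cheap fingerprint of the two responses. The hostname and the candidate IPs are assumed to come from a domain-history service; the HTML bodies used in the test are constructed.

```python
"""Does a historical IP still serve the CDN-fronted site?

Added example, not from the slides or from Datasploit. Assumed inputs: the
public hostname and a list of IPs taken from a domain-history service.
"""
from __future__ import annotations
import http.client
import re
import socket
import ssl

_TITLE_RE = re.compile(rb"<title[^>]*>(.*?)</title>", re.I | re.S)


def fingerprint(body: bytes) -> tuple[str, int]:
    """Normalized <title> text plus body length in KiB: enough to tell the
    real application from a default vhost page or an 'access denied' stub."""
    m = _TITLE_RE.search(body)
    title = ""
    if m:
        title = re.sub(r"\s+", " ", m.group(1).decode("utf-8", "replace")).strip().lower()
    return title, len(body) // 1024


def same_site(body_a: bytes, body_b: bytes) -> bool:
    """True when both bodies look like the same application
    (same title, size within about 1 KiB)."""
    title_a, kib_a = fingerprint(body_a)
    title_b, kib_b = fingerprint(body_b)
    return title_a == title_b and abs(kib_a - kib_b) <= 1


def fetch(target: str, host: str, path: str = "/", timeout: float = 10) -> bytes | None:
    """GET `path` from `target` (IP or hostname) while presenting `host` in SNI
    and the Host header, so the origin selects the right virtual host.
    Certificate verification is off on purpose: an origin reached by IP
    usually presents a certificate that will not match. None on failure."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((target, 443), timeout=timeout)
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        conn.sock = ctx.wrap_socket(raw, server_hostname=host)  # TCP to the IP, SNI = host
        conn.request("GET", path, headers={"Host": host, "User-Agent": "osint-origin-check"})
        return conn.getresponse().read()
    except (OSError, http.client.HTTPException):
        return None


def find_live_origins(host: str, candidate_ips: list[str]) -> list[str]:
    """Historical IPs that still serve the same site as the CDN hostname.
    A hit means requests can be sent to that IP, skipping the provider's
    rate limiting and WAF rules entirely."""
    reference = fetch(host, host)
    if reference is None:
        return []
    live = []
    for ip in candidate_ips:
        body = fetch(ip, host)
        if body is not None and same_site(reference, body):
            live.append(ip)
    return live


if __name__ == "__main__":
    import sys
    # usage: python origin_check.py example.com 198.51.100.7 203.0.113.9
    print(find_live_origins(sys.argv[1], sys.argv[2:]))
```

The fingerprint is deliberately coarse: an origin that serves the application will match on title and rough size even if the CDN rewrites or minifies the markup, while a parked default vhost or a "direct access not allowed" page will not.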

Page 7:

Wappalyzer
• Profiles the technologies a website is using.
• Vulnerabilities associated with these technologies (and the detected versions) can then be listed via CVEDetails.com. Have fun. ;)
• BuiltWith is also a good option, though automating Wappalyzer is easy.
• Both are available as Firefox add-ons as well.

Page 8:

PunkSpider, OpenVuln, SSL Labs, etc.
• Pass the domain and check for vulnerabilities already found by scanners / other researchers.
• SSL Labs scans for all the SSL / TLS related issues. You get niche testing done without hitting the target from your own IP.
• Caveat: such services keep (and may publish) their results; SSL Labs has a "do not show the results on the boards" option for that.

Page 9:

Search Engines
• Shodan | Censys | ZoomEye - computer search engines
• NerdyData | GitRob | MeanPath - code search engines
• Pipl | Yasni - people search engines
• TrueCaller - phone number search engine
• Google | Yandex | Bing - general search engines
• DuckDuckGo - aggregates multiple search engines
• WolframAlpha - computational search engine

Page 10:

• Computer search engines: locate exposed portals / legacy dashboards.
• Code search engines: look for vulnerable code. Juicy targets. Wow.
• People search engines: profile a specific user.
• TrueCaller / ThatsThem: phone number lookup.

Page 11:

Enumerate Subdomains
• Trickiest part.
• Knock.py-type scripts are available for brute-forcing subdomains from a wordlist.
• Too much noise (a wildcard DNS record answers for every name you try), and not that effective: longer or unusual subdomain names are not in any wordlist.
• WolframAlpha - Advanced Data
• DNSDumpster
• Netcraft
• Automate! Hit it!
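A minimal wordlist brute-forcer that handles the noise problem named above, as an added example (not Knock.py and not Datasploit). It first resolves random labels that cannot exist; any answer means the zone has a wildcard record, and hits that resolve to the same address are discarded. The resolver is injectable so the logic can be exercised offline; the built-in wordlist is deliberately tiny and the resolver table in the test is constructed.

```python
"""Wordlist subdomain brute-force with wildcard-DNS detection.

Added example, not the slide's Knock.py. By default names are resolved
with socket.gethostbyname; pass another resolver for testing.
"""
from __future__ import annotations
import secrets
import socket
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]

# Illustrative only; a real run uses a list of thousands of labels.
WORDLIST = ["www", "mail", "dev", "staging", "vpn", "api", "admin"]


def system_resolver(name: str) -> Optional[str]:
    """Resolve a name to an IPv4 address, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_ips(domain: str, resolve: Resolver, probes: int = 3) -> set[str]:
    """Resolve random labels that cannot exist. Any answer means wildcard DNS;
    the addresses returned are the 'noise' the caller must filter out."""
    found: set[str] = set()
    for _ in range(probes):
        ip = resolve(f"{secrets.token_hex(8)}.{domain}")
        if ip:
            found.add(ip)
    return found


def brute_force(domain: str, words: list[str] = WORDLIST,
                resolve: Resolver = system_resolver) -> dict[str, str]:
    """Return {fqdn: ip} for wordlist hits, excluding wildcard answers."""
    noise = wildcard_ips(domain, resolve)
    hits: dict[str, str] = {}
    for word in words:
        fqdn = f"{word}.{domain}"
        ip = resolve(fqdn)
        if ip and ip not in noise:
            hits[fqdn] = ip
    return hits


if __name__ == "__main__":
    import sys
    # usage: python subbrute.py example.com
    for name, addr in brute_force(sys.argv[1]).items():
        print(f"{name}\t{addr}")
```

Known limitation of the filter: a real subdomain that happens to share the wildcard's address is dropped along with the noise, so on a wildcard zone it is worth re-checking discarded names with an HTTP request rather than trusting DNS alone.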

Page 12:

Extract files, extract metadata from them.
• Filetype search via Google / Yandex / Bing / etc. (e.g. site:example.com filetype:pdf).
• Spider the site.
• Extract all files, e.g. PDF, SWF, etc.
• Extract the metadata.
• Run ExifTool ~ application name and version, author / username, creation dates, etc.
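What the metadata step actually yields, as an added example (not the slide's ExifTool, which remains the right tool for real files). The function reads the document-level /Info dictionary out of raw PDF bytes and picks out the entries that leak the most: author (often a username), and the creator/producer strings that name the software and version on the author's machine. It assumes the Info dictionary is stored uncompressed, which classic PDF writers and many current ones do; a PDF that packs it into an object stream needs a full parser. The sample PDF fragment is constructed.

```python
"""Pull author/producer metadata out of a PDF's /Info dictionary.

Added example, not ExifTool. Assumption: the Info dictionary is stored
uncompressed; documents that put it in an object stream need a real parser.
"""
from __future__ import annotations
import re

INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")
# /Key (literal string)  -- a ')' preceded by a backslash is part of the string
_PAIR = re.compile((r"/(%s)\s*\((.*?)(?<!\\)\)" % "|".join(INFO_KEYS)).encode(), re.S)


def pdf_info(data: bytes) -> dict[str, str]:
    """Return the leak-relevant /Info entries found in raw PDF bytes."""
    info: dict[str, str] = {}
    for key, val in _PAIR.findall(data):
        text = val.replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
        info.setdefault(key.decode(), text)
    return info


def software_versions(info: dict[str, str]) -> list[str]:
    """Creator/Producer strings: the application and version used to make the
    file, which is what a client-side or phishing test would be built against."""
    return [info[k] for k in ("Creator", "Producer") if k in info]


# Constructed minimal PDF fragment for demonstration, not a real document.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Title (Q3 Budget \\(draft\\)) /Author (jsmith) "
    b"/Creator (Microsoft Word 2010) /Producer (Acrobat Distiller 9.0.0) "
    b"/CreationDate (D:20160915101500Z) >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    import sys
    # usage: python pdfinfo.py report.pdf   (no argument: runs on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for k, v in pdf_info(data).items():
        print(f"{k}: {v}")
```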

Page 13:

Enumerate Associated Emails.
• Emailhunter (now Hunter.io)
• SimplyEmail.py
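What the email-enumeration tools do underneath, as an added example (not Emailhunter or SimplyEmail). Given a few addresses already harvested for the organisation (WHOIS contacts, document metadata, search results) it votes on which naming convention the organisation uses, then applies that convention to names harvested elsewhere. All names and addresses in the block are constructed.

```python
"""Infer an organisation's e-mail address format and generate candidates.

Added example; not Emailhunter or SimplyEmail. Sample names and addresses
are constructed.
"""
from __future__ import annotations
from collections import Counter
from typing import Callable

# Naming conventions seen in practice, keyed by a label.
PATTERNS: dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first":      lambda f, l: f,
    "last.first": lambda f, l: f"{l}.{f}",
}


def _norm(name: str) -> tuple[str, str]:
    """'Dana Q. Fox' -> ('dana', 'fox'): first and last token, lowercased."""
    parts = name.lower().split()
    return parts[0], parts[-1]


def infer_format(known: dict[str, str]) -> str | None:
    """known maps 'Full Name' -> address seen in the wild. Returns the pattern
    that explains the most samples, or None if nothing fits."""
    votes: Counter[str] = Counter()
    for name, email in known.items():
        first, last = _norm(name)
        local = email.split("@")[0].lower()
        for label, fn in PATTERNS.items():
            if fn(first, last) == local:
                votes[label] += 1
    return votes.most_common(1)[0][0] if votes else None


def candidates(names: list[str], domain: str, fmt: str) -> list[str]:
    """Apply the inferred format to harvested names. Verify the output
    (SMTP RCPT TO, or a verification service) before relying on it."""
    fn = PATTERNS[fmt]
    return [f"{fn(*_norm(n))}@{domain}" for n in names]


# Constructed sample: two addresses follow 'flast', one is an exception.
SAMPLE_KNOWN = {"Jane Doe": "jdoe@example.com",
                "Bob Ray": "bray@example.com",
                "Amy Lee": "amy.lee@example.com"}
SAMPLE_NAMES = ["Carl Stone", "Dana Q. Fox"]


if __name__ == "__main__":
    fmt = infer_format(SAMPLE_KNOWN)
    print(fmt, candidates(SAMPLE_NAMES, "example.com", fmt))
```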

Page 14:

Breach Status?
• Have I Been Pwned?
• Breach or Clear?
• If the email is found to be part of a breach: is the breach data public?
• Quite often, people use the same password for more than one account, so a leaked password is a candidate for every other account that user holds.

Page 15:

OSINT on Email
• Find the Gravatar.
• TinEye / Google Reverse Image Search / FindFace
• Information from Facebook / Google Plus / blog / LinkedIn
• Harvest the username.
• Clearbit

Page 16:

OSINT on Username
• UserSherlock / NameCheck / Knowem
• Tweets. Woah! Woah! Woah!
• Instagram check-ins / Facebook check-ins
• GitHub repos > Employees don't give a shit about security.
• API keys? Access tokens? Passwords? DB creds? What not?
• Secret keys, once committed, stay in the repository history: deleting the file in a later commit does not remove them, and even rewriting the history does not recall clones and forks that already have the commit. Treat any committed key as compromised and rotate it.
• Gravatar / profile image > reverse image search.

Page 17:

Create a list of targeted passwords from the username and the facts harvested about the user (names, dates, employer, interests).
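A targeted wordlist generator for this step, as an added example (not Datasploit). Input is whatever the previous slides produced for one person: username, names, birth date, employer, pets, places. Output applies the mutations people actually use: capitalisation, number and symbol suffixes, simple leet substitutions, year suffixes, and joins of two facts (name+pet, name+birth date). The facts in `SAMPLE_FACTS` are constructed.

```python
"""Build a targeted password list from OSINT facts about one user.

Added example, not Datasploit. SAMPLE_FACTS is constructed.
"""
from __future__ import annotations
import itertools

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "!1", "#"]

SAMPLE_FACTS = {"username": "jsmith", "first": "John", "pet": "Rex",
                "dob": "14/07/1985", "company": "Acme"}


def base_tokens(facts: dict[str, str]) -> list[str]:
    """Flatten facts into lowercase tokens. A DD/MM/YYYY birth date becomes
    the forms that show up in passwords: DDMM, YYYY, YY, DDMMYYYY."""
    tokens: list[str] = []
    for key, value in facts.items():
        if key == "dob" and value.count("/") == 2:
            d, m, y = value.split("/")
            tokens += [d + m, y, y[-2:], d + m + y]
        else:
            tokens += [w.lower() for w in value.split()]
    return list(dict.fromkeys(t for t in tokens if t))  # dedupe, keep order


def mutate(token: str) -> set[str]:
    """Case and leet variants of one token, each with the common suffixes."""
    forms = {token, token.capitalize(), token.upper(), token.translate(LEET)}
    return {f + s for f in forms for s in SUFFIXES}


def wordlist(facts: dict[str, str], years: range = range(2010, 2018),
             min_len: int = 6) -> list[str]:
    """Candidates: mutated single tokens, token+year, and ordered pairs of
    tokens (name+pet, name+DDMM, ...). Sorted so output is stable."""
    tokens = base_tokens(facts)
    out: set[str] = set()
    for t in tokens:
        out |= mutate(t)
        for y in years:
            out.add(f"{t}{y}")
            out.add(f"{t.capitalize()}{y}")
    for a, b in itertools.permutations(tokens, 2):
        if not (a.isdigit() and b.isdigit()):  # skip pure number joins
            out.add(a + b)
            out.add(f"{a.capitalize()}{b}")
    return sorted(p for p in out if len(p) >= min_len)


if __name__ == "__main__":
    print("\n".join(wordlist(SAMPLE_FACTS)))
```

Keep the list short and specific; a few hundred targeted guesses against a lockout-protected login are worth more than a generic multi-million-line list, and the lockout policy decides how many attempts per account are safe.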

Page 18:

Search the domain on GitHub
• https://github.com/search?q="example.com"&type=Code
• Specifically check server-side code: .php, .py, .asp, .jsp, etc. (and the config files next to it).
• No high-severity bug? Get creds from Git. w00t w00t. :D
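Once the search on this slide (or the username-driven repo hunt on Page 16) has produced repositories, the files still have to be read for credentials. The following is an added example of that pass, not GitRob and not Datasploit: regexes cover the high-confidence shapes (AWS access key IDs, private-key headers, hard-coded password/token assignments, connection strings with an embedded password), and a Shannon-entropy check flags long random-looking strings the regexes miss. `SAMPLE_REPO` is constructed; the AWS key in it is the example key from AWS's own documentation, not a real credential.

```python
"""Scan source files for committed credentials.

Added example; not GitRob or Datasploit. SAMPLE_REPO is constructed.
"""
from __future__ import annotations
import math
import re
from dataclasses import dataclass

RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # NAME = 'value' where NAME contains a credential-ish word (suffixes like _ID allowed)
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token|auth)\w*"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    # scheme://user:password@host
    "connection_string": re.compile(r"(?i)\b[a-z][a-z0-9+]*://[^\s:/@]+:([^\s@]+)@[^\s/]+"),
}
_TOKENISH = re.compile(r"[A-Za-z0-9+/=_-]{24,}")


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits per character; ~4 for hex, up to ~6 for base64-ish random data."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str, entropy_threshold: float = 4.0) -> list[Finding]:
    """Findings for one file. Lines already caught by a rule are not re-reported
    by the entropy heuristic, which exists for unlabeled tokens."""
    findings: list[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        matched = False
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(path, no, rule, line.strip()[:80]))
                matched = True
        if not matched:
            for tok in _TOKENISH.findall(line):
                if shannon_entropy(tok) >= entropy_threshold:
                    findings.append(Finding(path, no, "high_entropy", tok))
                    break
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """files maps path -> contents (e.g. from `git ls-files` plus `git show`)."""
    out: list[Finding] = []
    for path, text in files.items():
        out += scan_text(path, text)
    return out


# Constructed repository contents. The AKIA... value is AWS's documented example key.
SAMPLE_REPO = {
    "app/settings.py": (
        "DEBUG = False\n"
        "DB_URL = 'postgres://app:Sup3rS3cretPw@db.internal:5432/app'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "API_TOKEN = 'f2b1c9d7e4a35b6c8d9e0f1a2b3c4d5e'\n"
    ),
    "lib/sign.py": (
        "import hashlib, hmac\n"
        "def sign(msg: bytes) -> bytes:\n"
        "    return hmac.new(b\"kq9Zx2Lm7VbT4nRw8cYs1PfH3jDu6gEa\", msg, hashlib.sha256).digest()\n"
    ),
    "README.md": "Run `python manage.py runserver`.\n",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line} [{f.rule}] {f.snippet}")
```

Run it over every commit, not just the working tree: a key deleted in a later commit is still in the history, which is exactly the point made on Page 16.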

Page 19:

Trace check-ins from Instagram / Facebook.

Page 20:

Facebook stuff.
• http://graph.tips/
• https://inteltechniques.com/intel/OSINT/facebook.html

Page 21:

Check S3 buckets / Azure blobs for access controls.
• bucketfinder.rb < searches for S3 buckets based on keywords.
• Bucket name nomenclature:
  • https://bucketname.s3.amazonaws.com
  • https://s3.amazonaws.com/bucketname
• Install aws-cli and configure it. A free-tier AWS account gives you an access key ID and secret key, and any AWS identity is enough for buckets whose ACL grants access to "Authenticated Users" (that group is every AWS account, not just the owner's).
• By default AWS buckets are private. But devs are too smart sometimes ;)
• Simple checks:
  • aws s3 ls s3://bucketname --no-sign-request (anonymous listing)
  • aws s3 ls s3://bucketname (listing with your own credentials)
  • aws s3 mv ../../Downloads/filename.txt s3://bucketname (write check; mv also deletes the local copy, so prefer aws s3 cp with a harmless marker file, only where the engagement authorizes writes, and remove it afterwards)
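The keyword-to-bucket-name generation and the unauthenticated probe behind these checks, as an added example (not bucketfinder.rb). Names are built from keyword plus common affixes and filtered to what S3 allows; the classifier reads the XML that S3 returns for an anonymous GET on `https://<bucket>.s3.amazonaws.com/` and turns it into the three answers a tester cares about: listable, exists-but-private, or absent. The responses in `SAMPLE_RESPONSES` are constructed to mirror S3's documented error shapes, not captured from any real bucket; `probe()` does the live request and is the only function that touches the network.

```python
"""Generate candidate S3 bucket names and classify S3's answer for each.

Added example, not bucketfinder.rb. SAMPLE_RESPONSES is constructed.
"""
from __future__ import annotations
import itertools
import re
import urllib.error
import urllib.request

AFFIXES = ["", "backup", "backups", "dev", "prod", "static", "assets", "uploads", "logs", "data"]
SEPS = ["", "-", "."]  # underscores are not valid in bucket names
_VALID = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def valid_bucket_name(name: str) -> bool:
    return bool(_VALID.match(name))


def candidate_names(keywords: list[str]) -> list[str]:
    """keyword, keyword<sep>affix and affix<sep>keyword; lowercased, deduped,
    filtered to names S3 would accept."""
    names: list[str] = []
    for kw, affix, sep in itertools.product(keywords, AFFIXES, SEPS):
        kw = kw.lower()
        if not affix:
            names.append(kw)
        else:
            names += [f"{kw}{sep}{affix}", f"{affix}{sep}{kw}"]
    return [n for n in dict.fromkeys(names) if valid_bucket_name(n)]


def classify(status: int, body: bytes) -> str:
    """Map an unauthenticated GET response to what it tells the tester."""
    if status == 200 and b"<ListBucketResult" in body:
        return "public-listing"            # anyone can enumerate the keys
    m = re.search(rb"<Code>([A-Za-z]+)</Code>", body)
    code = m.group(1).decode() if m else ""
    if status == 404 or code == "NoSuchBucket":
        return "not-found"
    if code in ("AccessDenied", "AllAccessDisabled"):
        return "exists-private"            # taken; try an authenticated listing next
    if status in (301, 307) or code == "PermanentRedirect":
        return "exists-other-region"
    return f"unknown({status},{code})"


def probe(bucket: str, timeout: float = 10) -> str:
    """Live, unauthenticated check (network). Returns a classify() label."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/",
                                 headers={"User-Agent": "osint-bucket-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.getcode(), resp.read())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read())


def triage(responses: dict[str, tuple[int, bytes]]) -> dict[str, str]:
    return {name: classify(*resp) for name, resp in responses.items()}


# Constructed responses shaped like S3's; not from any real bucket.
SAMPLE_RESPONSES = {
    "acme-backups": (200, b'<?xml version="1.0"?><ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                          b'<Name>acme-backups</Name><Contents><Key>db-2016.sql.gz</Key></Contents></ListBucketResult>'),
    "acme-prod": (403, b'<?xml version="1.0"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'),
    "acme-nothing": (404, b'<?xml version="1.0"?><Error><Code>NoSuchBucket</Code>'
                          b'<Message>The specified bucket does not exist</Message></Error>'),
}


if __name__ == "__main__":
    import sys
    # usage: python buckets.py acme   (sends one request per candidate name)
    for name in candidate_names(sys.argv[1:]):
        print(name, probe(name))
```

An "exists-private" result is where the slide's `aws s3 ls s3://bucketname` with your own (any) AWS credentials comes in: that second, authenticated pass is what catches buckets opened to the Authenticated Users group.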

Page 22:

Obtain Government Data [PAN Card / Voter Card Information]
• Name + DoB = PAN card information
• Name + DoB + native place = voter card information: http://electoralsearch.in/##resultArea
• DoB: username OSINT / social media.
• DD/MM is public (birthday posts); YYYY can be enumerated from the LinkedIn profile (education dates).

Page 23:

Visualize Data
• Maltego
• Various Python libraries
• Lumio
• Elasticsearch / Kibana

Page 24:

Monitoring and Alerting
• Use streaming APIs if possible.
• Dump the data into ES / MongoDB / a DB of your choice.
• Calculate a hash of each record so that already-seen data is deduplicated and only new items raise alerts.
• For Elasticsearch, ElastAlert is cool (frequency / spike / flatline / new_term rules, etc.): http://nullcon.net/website/nullcon-2016/training/attack-monitoring-using-elasticsearch-logstash-kibana.php
• It delivers alerts to Jira, HipChat, Slack, email, or runs a command ~ (perform an action).

Page 26:

Quick basic demo? https://github.com/upgoingstar/datasploit
