The Power of FOCA 3
•Descargar como PPTX, PDF•
5 recomendaciones•3,277 vistas
Presentación de funciones de FOCA 3 a lo largo de la historia.
Recomendados
Más contenido relacionado
Destacado
Destacado (20)
Más de Chema Alonso
Más de Chema Alonso (19)
The Power of FOCA 3
- 1. The Power of FOCA 3 Chema Alonso
- 2. At the begining was the metadata Chema Alonso 20/03/2013 2
- 5. The breasts of Hacker’s girlfriend Chema Alonso 20/03/2013 5
- 6. Social Engineering Attack Chema Alonso 20/03/2013 6
- 7. Metadata Risks • Hidden Relations • Tactical information –Companies –Targeted Attacks –People –Internal knowledge • Software Piracy • Ploting events • History of documents –Places –Time Chema Alonso 20/03/2013 7
- 8. Forensic FOCA Chema Alonso 20/03/2013 http://www.elladodelmal.com/2012 /02/forensic-foca-beta-trial.html 8
- 9. Metadata, hidden info & lost data New apps Bad Format conversion New versions Bad management Embedded Searchers Files Spyders Doc DB Bad management Embedded objects Embedded Files Chema Alonso 20/03/2013 9
- 10. Show Me Your Metadata Chema Alonso 20/03/2013 10
- 13. Hidden Info: Printers Chema Alonso 20/03/2013 13
- 14. Electing the entry point Chema Alonso 20/03/2013 14
- 15. Internal Fingerprinting with FOCA Chema Alonso 20/03/2013 15
- 16. Phase 1: Metadata Chema Alonso
- 18. Recursive Network Discovery • Servers • Domains • HostNames • IP Address • Roles Chema Alonso 20/03/2013 18
- 19. Network Discovery: WebSearcher Chema Alonso 20/03/2013 19
- 20. Network Discovery: DNS SOA, MX, SPF, DKIM, LDAP, Well Known Records VoIP, Active Directory…. Zone Transfer AXFR Server1, Intranet, Private, Diccionary Search DNS, etc…. Chema Alonso 20/03/2013 20
- 23. Network Discovery: Bing IP Chema Alonso 20/03/2013 23
- 24. Network Discovery: PTR Scannig Chema Alonso 20/03/2013 24
- 25. Network Discovery: Robtex Chema Alonso 20/03/2013 25
- 26. Network Discovery: Shodan Chema Alonso 20/03/2013 26
- 29. Google Slash Trick Chema Alonso 20/03/2013 29
- 30. Network Discovery Algorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 1) http -> Web server 2) GET Banner HTTP 3) domain.com is a domain 4) Search NS, MX, SPF records for domain.com 5) sub.domain.com is a subdomain 6) Search NS, MX, SPF records for sub.domain.com 7) Try all the non verified servers on all new domains 1) server01.domain.com 2) server01.sub.domain.com 8) Apple1.sub.domain.com is a hostname 9) Try DNS Prediction (apple1) on all domains 10) Try Google Sets(apple1) on all domains Chema Alonso 20/03/2013 30
- 31. Network Discovery Algorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 11) Resolve IP Address 12) Get Certificate in https://IP 13) Search for domain names in it 14) Get HTTP Banner of http://IP 15) Use Bing Ip:IP to find all domains sharing it 16) Repeat for every new domain 17) Connect to the internal NS (1 or all) 18) Perform a PTR Scan searching for internal servers 19) For every new IP discovered try Bing IP recursively 20) ~chema -> chema is probably a user Chema Alonso 20/03/2013 31
- 32. Network Discovery Algorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 21) / , /~chema/ and /~chema/dir/ are paths 22) Try directory listing in all the paths 23) Search for PUT, DELETE, TRACE etc.. methods in every path 24) Fingerprint software from 404 error messages 25) Fingerprint software from application error messages 26) Try common names on all domains (dictionary) 27) Try Zone Transfer on all NS 28) Search for any URL indexed by web engines related to the hostname 29) Download the file 30) Extract the metadata, hidden info and lost data 31) Sort all this information and present it nicely 32) For every new IP/URL start over again Chema Alonso 20/03/2013 32
- 33. Click & Go Chema Alonso 20/03/2013 33
- 34. How Foca found a data Chema Alonso 20/03/2013 34
- 35. Multiple Search Engines Chema Alonso 20/03/2013 35
- 36. Huge domain case Chema Alonso 20/03/2013 36
- 37. Fingerprinting Options • 404 messages • Apps Error Messages • HTTP Banner – Hostname – IP Addres • SMTP Banner • Digital Certificates • Shodan • Version.bind Chema Alonso 20/03/2013 37
- 38. Phase 2: Network Discovery Chema Alonso
- 40. Phase 3: Vulnerabilities Chema Alonso
- 44. DNS Cache Snooping Chema Alonso 20/03/2013 44
- 45. DNS Cache Snooping Chema Alonso 20/03/2013 45
- 46. DNS Cache Snooping • Internal Software – Windows Update – Gtalk • Evilgrade – Detecting vulnerable software to Evilgrade attacks • AV evassion – Detecting internal AV systems • Malware driven by URL – Hacking a web site ussually visited by internal users Chema Alonso 20/03/2013 46
- 48. PHP CGI CODE EXECUTION BUG Chema Alonso 20/03/2013 48
- 49. Insecure Http Methods Chema Alonso 20/03/2013 49
- 50. Search & Upload Chema Alonso 20/03/2013 50
- 51. Juicy files White/black list of matches for keywords and extensions Chema Alonso 20/03/2013 51
- 55. .svn/entries A .svn/entries file looks like: Chema Alonso 20/03/2013 55
- 56. .svn/entries There is a plugin that parse the file Chema Alonso 20/03/2013 56
- 57. IIS Short Name bug Chema Alonso 20/03/2013 57
- 58. Proxy Server detection • Mod_proxy • Ad-hoc –Normal –Transparent Chema Alonso 20/03/2013 58
- 59. Proxy Server Detection Chema Alonso 20/03/2013 59
- 60. Leaks: modsecurity_crs_50_outbound.conf Chema Alonso 20/03/2013 60
- 63. User directories Search for ~USER in Apache webservers Chema Alonso 20/03/2013 63
- 64. All your Foca needs is URLs • Network Discovery • Domain Crawling • Document Search – Bing • File parsing – Google – Directory Listing • Technology Recognition – Robots.txt • Custom Search – .Listing • Manual load – .DS_Store (not yet) Chema Alonso 20/03/2013 64
- 67. FOCA + Spidering Chema Alonso 20/03/2013 67
- 68. FOCA + Spidering Chema Alonso 20/03/2013 68
- 69. Phase 4: Plugins Chema Alonso
- 70. Plugins: FOCA API 0.1 From FOCA to plugins (Events) - OnNewDomain - OnNewNetrange - OnNewURL - OnNewRelation - OnNewIP - OnNewProject From Plugins to FOCA (Calls) - AddDomain - AddSQLi - AddProxy - AddIp …. And much more…. Chema Alonso 20/03/2013 70
- 71. Plugins: .svn/Entries parser Chema Alonso 20/03/2013 71
- 72. Plugins: .svn/Entries parser Chema Alonso 20/03/2013 72
- 74. Plugins: Auto SQLi searcher Chema Alonso 20/03/2013 74
- 75. IIS Short Name Fuzzer Chema Alonso 20/03/2013 75
- 76. Making an esay Plugin Chema Alonso
- 77. FOCA Reporting Module Chema Alonso 20/03/2013 77
- 78. Chema Alonso 20/03/2013 78
- 79. Threat Analisys & Modeling Chema Alonso 20/03/2013 79
- 80. Reporting OSSTMM 3.0: STAR Chema Alonso 20/03/2013 80
- 81. OWASP Report Generator Chema Alonso 20/03/2013 81
- 82. “i64” Web Audit Report Chema Alonso 20/03/2013 82
- 83. Fear The FOCA Chema Alonso 20/03/2013 83
- 85. Cleaning ODF: OOMetaExtractor http://www.codeplex.org/oometaextractor Chema Alonso 20/03/2013 85
- 86. IIS MetaShield Protector Chema Alonso 20/03/2013 http://www.metashieldprotector.com 86
- 88. Thanks to Apple Chema Alonso 20/03/2013 88
- 89. Thanks to Apple (2) Chema Alonso 20/03/2013 89
- 90. Chema Alonso • chema@informatica64.com • @chemaalonso • http://elladodelmal.com • http://www.informatica64.com Chema Alonso 20/03/2013 90
- 91. FOCA http://www.informatica64.com/foca.aspx amigosdelafoca@informatica64.com Chema Alonso 20/03/2013 91