Empowering Red and Blue Teams with OSINT (c0c0n 2017)
This talk will discuss Open Source Intelligence (OSINT) gathering tools and techniques that are highly useful and effective for both Blue teams and Red teams.

1. Empowering Red and Blue Teams with OSINT
   c0c0n 2017, Le Meridian, Kochi.

2. ://$ whoami
   • Shubham Mittal
   • Security Consultant @ NotSoSecure
   • Perimeter Security and OSINT
   • Author - @datasploit
   • Core Organizer - @reconvillage
   • Bike Rider, Beat Boxer
   @upgoingstar | shubhammittal.net | upgoingstaar@gmail.com

3. Agenda
   ● OSINT Overview
   ● For Red Teams (Offensive)
   ● Company Profiling
   ● Perimeter Scoping
   ● Employee Profiling
   ● Tools of Trade
   ● Future Research Areas
   ● For Blue Team (Defensive)
   ● Monitoring and Alerting
   ● Intelligent SIEM Rules
   ● DLP

4. OSINT – Open Source Intelligence
   (Intelligence on information that is publicly available)
   The Internet gives you RAW data. Harvest it.

5. Open Source Intelligence (OSINT) is the collection and analysis of information gathered from publicly available sources.

6. Should be used by?
   ● Pen-testers
   ● Security Engineers
   ● Product Security Companies
   ● Cyber Investigators
   ● Sales / Market Research

7. How OSINT can help Red Teams

8. Red Teams
   ● Scoping Attack Surface
   ● Technology Profiling
   ● Github
   ● Paste(s)
   ● Employee Profiling
   ● Breach Data
   ● Nerdy Data

9. Digital Asset Scoping
   • whoIs (who.is) > ASN ID
   • Reverse WhoIs
   • whois -h whois.radb.net -- '-i origin ASN-ID' | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+" | sort -n | uniq -c
     (ASN-ID is the AS number you are scoping; the grep pattern is tightened to four dotted octets plus a mask so it cannot match fragments of descr lines)
   • https://mxtoolbox.com/SuperTool.aspx
   • Nslookup (terminal)
   • Dig (dig reconvillage.org, dig reconvillage.org cname)
   • Acquisitions.
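One way to process the output of the radb whois query on slide 9, as an added example that is not part of the deck: it does in Python what the `grep -Eo | sort -n | uniq -c` pipeline does, but keeps each route object's origin and source so that a prefix listed twice (the same object mirrored by two registries) is explained rather than just counted, validates each prefix, and collapses adjacent IPv4 routes into a shorter scoping list. The sample whois output is constructed; AS64500 and the prefixes are private-use/documentation values, not a real organisation.

```python
"""Parse RADB/IRR whois route objects into a deduplicated prefix list.

Added example, not code from the talk: it does in Python what the slide's
`whois -h whois.radb.net -- '-i origin AS...' | grep -Eo ... | sort -n | uniq -c`
pipeline does, but keeps origin and source so duplicate prefixes can be explained.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of RADB output for an origin query. AS64500 and the
# prefixes are documentation/private-use values, not a real organisation.
SAMPLE_WHOIS = """\
route:          198.51.100.0/24
descr:          Example Corp
origin:         AS64500
source:         RADB

route:          198.51.100.0/24
descr:          Example Corp (mirrored object)
origin:         AS64500
source:         RIPE

route:          198.51.101.0/24
descr:          Example Corp
origin:         AS64500
source:         RADB

route:          203.0.113.0/24
descr:          Example Corp guest network
origin:         AS64500
source:         RADB

route6:         2001:db8::/32
descr:          Example Corp IPv6
origin:         AS64500
source:         RADB
"""

# The slide's grep pattern, tightened to exactly four dotted octets plus a mask.
PREFIX_RE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}\b")


def grep_prefixes(text):
    """What `grep -Eo` returns: every IPv4 prefix string, duplicates included."""
    return PREFIX_RE.findall(text)


def parse_route_objects(text):
    """Split RPSL output on blank lines; each object becomes an attribute dict."""
    objects = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in chunk.splitlines():
            if line.startswith("%") or ":" not in line:  # server comments, noise
                continue
            key, _, value = line.partition(":")
            obj[key.strip().lower()] = value.strip()
        if "route" in obj or "route6" in obj:
            objects.append(obj)
    return objects


def prefix_counts(text):
    """Equivalent of `sort | uniq -c`: how many objects announce each prefix."""
    return Counter(o.get("route") or o.get("route6") for o in parse_route_objects(text))


def unique_networks(text, origin=None):
    """Validated, deduplicated prefixes (IPv4 before IPv6), optionally limited to one origin AS."""
    nets = set()
    for obj in parse_route_objects(text):
        if origin and obj.get("origin", "").upper() != origin.upper():
            continue
        try:
            nets.add(ipaddress.ip_network(obj.get("route") or obj.get("route6"), strict=True))
        except ValueError:
            continue  # malformed object; skip rather than scope a bogus range
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def collapsed_v4(text):
    """Merge adjacent IPv4 routes so the scoping list is as short as possible."""
    v4 = [ipaddress.ip_network(p) for p in unique_networks(text) if ":" not in p]
    return [str(n) for n in ipaddress.collapse_addresses(v4)]


if __name__ == "__main__":
    for prefix, n in prefix_counts(SAMPLE_WHOIS).most_common():
        print(f"{n:>4} {prefix}")
    print("unique:", unique_networks(SAMPLE_WHOIS))
    print("collapsed IPv4:", collapsed_v4(SAMPLE_WHOIS))
```

On real output, replace `SAMPLE_WHOIS` with the text returned by the whois command; the `origin` filter matters because a route-set or mirrored registry can return objects for other AS numbers that you do not own and must not scope.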
10. Digital Asset Scoping – Subdomain Enumeration
    ● Sub-domain Enumeration
    ● DNSSEC Walking (Kudos to @jhaddix for suggesting)
    ● Certificate Transparency Reports, Forums
    ● Shodan/Censys, CNAME Records, DNS Dumpster, Netcraft, WolframAlpha
    ● Tools - Sublist3r, DataSploit.

11. dnssecwalk (part of the thc-ipv6 toolkit): https://www.thc.org/thc-ipv6/
    Custom Script (Certificate Transparency Report) - DEMO
    https://blog.webernetz.net/2016/11/22/how-to-walk-dnssec-zones-dnsrecon/
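The Certificate Transparency demo script from slide 11 is not on the page. The following is an added example, not the speaker's code, of what such a script does: it turns CT search results into a list of hostnames under one domain (normalising case, trailing dots and wildcard labels, and dropping SANs for other domains that share a certificate), records when each name was first certified, and, for the blue-team use on slide 29, reports names that are not in the host inventory. It assumes records in the shape crt.sh's JSON output uses (`name_value` with newline-separated names, `not_before`); the three records below are constructed.

```python
"""Extract hostnames for one domain from Certificate Transparency search results.

Added example, not the talk's demo script. It assumes JSON records in the
shape crt.sh's JSON output uses ("name_value" holds newline-separated SANs,
"not_before" the validity start); the records below are constructed.
"""
import json
from datetime import datetime

# Constructed sample: three certificates, one with a wildcard and an
# unrelated SAN, one with mixed case and a trailing dot.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com", "not_before": "2017-03-01T10:00:00",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.dev.example.com", "not_before": "2017-06-15T08:30:00",
     "name_value": "*.dev.example.com\nstaging.example.com\ncdn.example.net"},
    {"id": 3, "common_name": "VPN.Example.com.", "not_before": "2017-01-20T12:00:00",
     "name_value": "VPN.Example.com.\nwww.example.com"},
])


def normalise(name):
    """Lower-case, drop a trailing dot, and drop a leading wildcard label
    (a cert for *.dev.example.com tells you the dev.example.com zone exists)."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(name, domain):
    """True for the domain itself and any name below it, never for look-alikes."""
    return name == domain or name.endswith("." + domain)


def first_seen(ct_json, domain):
    """Map each in-scope hostname to the earliest not_before it was certified with."""
    seen = {}
    for entry in json.loads(ct_json):
        issued = datetime.fromisoformat(entry["not_before"])
        for raw in entry["name_value"].split("\n"):
            name = normalise(raw)
            if not name or not in_scope(name, domain):
                continue
            if name not in seen or issued < seen[name]:
                seen[name] = issued
    return seen


def hostnames(ct_json, domain):
    """Sorted, deduplicated hostnames under the domain."""
    return sorted(first_seen(ct_json, domain))


def unexpected(ct_json, domain, known):
    """Blue-team view: certified names that are not in the inventory of known hosts."""
    inventory = {normalise(k) for k in known}
    return [n for n in hostnames(ct_json, domain) if n not in inventory]


if __name__ == "__main__":
    for name, when in sorted(first_seen(SAMPLE_CT_JSON, "example.com").items()):
        print(f"{when:%Y-%m-%d}  {name}")
    print("not in inventory:",
          unexpected(SAMPLE_CT_JSON, "example.com", ["www.example.com", "example.com"]))
```

Run periodically against fresh CT results and diff `hostnames()` against the previous run: a name that appears in a log before it appears in the change-management system is exactly the kind of perimeter drift slide 29 asks a blue team to watch for.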
12. Quick Checks
    ● HTTP / HTTPS?
    ● 404 Not Found? 403 Forbidden?
    ● 500 Internal Server Error?
    ● .git / .svn / htaccess.txt / bash_history / web.config / admin / etc.

13. Pro-active Search

14. Technology Profiling - BuiltWith

15. Wappalyzer

16. Github
    https://hackerone.com/reports/248693

17. Paste(s) Sites

18. Public Password Dumps

19. Not ‘Google’ Search Engines
    ● Metasearch engine – Polymeta.com
    ● People search engine - Pipl.com, Peekyou, Marketvisual
    ● Business/Company Search - Zoominfo
    ● Social Search Engine - Socialmention.com
    ● Phone Number Search Engine – Truecaller
    ● Wayback Machine
    ● Computational knowledge engine – WolframAlpha
    ● Clustering Search Engine - search.carrot2.org

20. Domain IP History

21. Domain IP History
    • Cloudflare / Incapsula / Sucuri.
    • Domain History reveals earlier IP Addresses.
    • IP still Live = Bypass rate limiting, firewall rules, etc.

22. Public Scan Engines
    • https://www.qualys.com/forms/freescan/
    • https://urlscan.io
    • https://asafaweb.com

23. MetaData
    Data about the Data. Can find:
    ● Applications used to generate PDF/Docx/etc. on servers
    ● Exif Data (Media File Data)
    ● Geolocations
    ● Author
    ● Platform
    TCPDF CVE-2017-6100 - Local File Include Vulnerability

24. Employee Profiling
    ● Email-harvester
    ● DataSploit
    ● LinkedIn
    ● https://www.linkedin.com/search/results/companies/?keywords=company&origin=SWITCH_SEARCH_VERTICAL
    ● Email Hunter
    ● Skrapp

25. LinkedIn employee email extract using Skrapp / Hunter

26. Custom Script: RapportiveCode

27. Email-id to Username?
    Social Media Accounts
    Forum Searches (boardreader.com)
    Clearbit / Full Contact
    DataSploit
    >> User to Images, Reverse Image Search, User profiling (More useful for SE)
    >> Find leaked creds, tokens, confidential URLs/IPs, Slack keys, API keys, etc.

28. Email-id to Username?

29. Blue Team.
    ● Active Monitoring on keywords.
    ● Alerting (while reducing noise)
    ● Scan/OSINT your Attack Surface Area
    ● Scoping is not required - Simply find the perimeter from DevOps / Central Deployment Team.
    ● Keep an eye on Employees (Profile their personal code share accounts).
    ● Review Job Openings / Questions in Forums, etc.
    ● Defensive Measures - Data Loss Prevention
    ● Strip off metadata from files going outside.
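For the last point on slide 29 (strip metadata from files going outside), here is an added example of the DLP control itself, not code from the talk: a JPEG walker that lists and removes the segments that carry the author, geolocation and platform data slide 23 describes (APP1 Exif/XMP, APP13 IPTC/Photoshop and COM comments) while copying the image data through untouched. It relies only on the JPEG marker layout, so it needs no image library; the sample file is a constructed container, not a decodable picture, and the segment names and the Exif/IPTC mapping are standard, not from the deck.

```python
"""Strip EXIF/XMP/IPTC/comment segments from a JPEG before it leaves the perimeter.

Added example for the "strip off metadata from files going outside" point; it is
not code from the talk and uses no image library, only the JPEG marker layout,
so it works on baseline and progressive files alike. The sample file is constructed.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers with no length field
# Segments that carry metadata rather than image data: APP1 (Exif/XMP),
# APP13 (IPTC/Photoshop), COM (free-text comment). APP0 (JFIF) is kept.
STRIP = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}


def segment(marker, payload):
    """Encode one segment: FF <marker> <length incl. its own 2 bytes> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def iter_segments(data):
    """Yield (marker, payload) up to SOS, then (None, scan_data) for everything after it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # padding byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, b""
            pos += 2
            if marker == EOI:
                return
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:            # entropy-coded data follows; copy it through untouched
            yield None, data[pos:]
            return


def list_metadata(data):
    """Report the metadata segments present as (segment name, leading signature/text)."""
    found = []
    for marker, payload in iter_segments(data):
        if marker in STRIP:
            found.append((STRIP[marker], payload.split(b"\x00", 1)[0].decode("latin-1")))
    return found


def strip_metadata(data):
    """Return (cleaned JPEG bytes, names of removed segments)."""
    out, removed = bytearray(b"\xff\xd8"), []
    for marker, payload in iter_segments(data):
        if marker is None:
            out += payload                      # scan data and EOI, verbatim
        elif marker in STRIP:
            removed.append(STRIP[marker])
        elif marker in STANDALONE:
            out += b"\xff" + bytes([marker])
        else:
            out += segment(marker, payload)
    return bytes(out), removed


def build_sample_jpeg():
    """Constructed container: JFIF + Exif + comment + DQT + SOS + scan data + EOI.
    It is not a decodable picture; only the segment structure matters here."""
    jfif = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    exif = segment(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00")  # Exif header + empty TIFF IFD
    comment = segment(0xFE, b"Created by Jane Doe, Example Corp HQ")
    dqt = segment(0xDB, b"\x00" + bytes(64))
    sos = segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56"                # includes a stuffed FF00 byte pair
    return b"\xff\xd8" + jfif + exif + comment + dqt + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    original = build_sample_jpeg()
    print("before:", list_metadata(original))
    cleaned, removed = strip_metadata(original)
    print("removed:", removed, "after:", list_metadata(cleaned),
          "bytes saved:", len(original) - len(cleaned))
```

In an outbound mail or upload gateway the check is the pair `list_metadata()` (alert) and `strip_metadata()` (enforce); APP2 ICC colour profiles are deliberately left in place because removing them changes how the image renders without removing anything identifying.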
30. Tweetmonitor.py / Tweetdeck

31. Tweetmonitor.py / Tweetdeck

32. Scumblr

33. Google Alerts

34. Page Monitor - ChangeDetect / Follow.net

35. SIEM << Threat Intel Feed (robtex, etc.; check for already blacklisted IPs)
    Collective Intelligence Framework

36. Tools of Trade
    Spiderfoot, Recon-ng, Scumblr, DataSploit, Sublist3r, theHarvester, FOCA, Maltego, Gosint, Belati, X-ray, Exiftool, Tinfoleak, Gitrob

37. Future Research
    ● Data Correlation
    ● Noise Reduction
    ● Tap Darknet

38. upgoingstaar@gmail.com | @upgoingstar
