Open Source Intelligence: What Does the Internet Know about you?

Transcript of "Open Source Intelligence: What Does the Internet Know about you?"

Who is this Guy?

• Incident Responder for the National Center for Atmospheric Research (NCAR)

• Pentester and OSINT Investigator in both the public and private sector

• A Security Engineer obsessed with Threat Modeling, quantitative risk, managing attack surface, and implementing durable and lasting processes and procedures

Housekeeping

• OSINT stands for Open Source Intelligence: data collected from publicly available sources and used in an intelligence context. In the intelligence community, "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources)

• OSINT is a valuable tool for the recon phase of a penetration test and a good way to find shadow IT, patch levels, and attack surface within an organization

Agenda

• Why would anyone attack you?

• Current OSINT techniques, tools, and opportunities for attackers

• Defensive techniques, tools, and ideas

• Breakout session

• Case Study

• Q&A

Why You?

• Low Hanging Fruit

• Pivot through you to another target

• Just for fun

Low Hanging Fruit: Are you a target of opportunity?

“This is the world we live in. People relying on each other’s mistakes to manipulate one another and use one another, even relate to one another. A warm, messy circle of humanity.”

— Elliot Alderson (Rami Malek), Mr. Robot, Season 1: eps1.2_d3bug.mkv

Hacking For Fun

OSINT Techniques, Tools, and Opportunities for attackers

The OSINT Framework

Recon-ng

• A Python tool created at Black Hills Information Security that gathers intelligence from online sources through their APIs

• Think of it as the Metasploit of the recon phase of a pentest: a modular framework where each module pulls one kind of data

PowerMeta

• Another tool from Black Hills Information Security. It is a fairly involved PowerShell script that takes a domain as a seed and uses OSINT sources (search engines) to find files belonging to that organization. It can then download all those files and extract their metadata (authors, usernames, software versions)

Shodan

• “Shodan is the world’s first search engine for Internet-connected devices”

• One of the greatest tools in an attacker’s or a defender’s arsenal

• Helps to map the attack surface

Google Dorks

• A Google dork query, sometimes just referred to as a dork, is a search string that uses advanced search operators to find information that is not readily available on a website. Google dorking, also known as Google hacking, can return information that is difficult to locate through simple search queries

• https://www.exploit-db.com/google-hacking-database has a great list of google dorks

• I go through a lot of these and add the site: operator with the target domain

• Has revealed some scary stuff at UCAR
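To run that approach across a whole GHDB extract rather than one query at a time, here is an added example (not code from the talk or from exploit-db). The dork strings are constructed samples in GHDB style and the domain snpp.example is hypothetical. It handles the one wrinkle the slide glosses over: many GHDB entries already contain a site: clause for some other domain, and Google ANDs operators, so simply prepending another site: returns nothing.

```python
"""Scope GHDB-style Google dorks to one target domain.

Added example; not code from the talk or from exploit-db's GHDB. The dork
strings are constructed samples in GHDB style, and the domain is hypothetical.
"""
import re
from urllib.parse import quote_plus

SAMPLE_DORKS = [
    'intitle:"index of" "parent directory"',
    'ext:sql intext:"INSERT INTO"',
    'site:example.org filetype:xls "password"',  # GHDB entry already tied to another site
    'inurl:"/phpmyadmin/" intitle:phpMyAdmin -site:wiki.snpp.example',  # negative clause must survive
]

# A positive site: term at the start of the string or after whitespace (not "-site:").
_SITE_TERM = re.compile(r"(?:^|(?<=\s))site:\S+")


def scope_dork(dork: str, domain: str) -> str:
    """Prefix `dork` with site:<domain>.

    Any existing positive site: clause is dropped first: Google ANDs the
    operators, so "site:a.org site:b.org" matches nothing. Negative -site:
    clauses are kept, because they still narrow the result set sensibly
    against the new domain (e.g. excluding a subdomain you already reviewed).
    """
    body = _SITE_TERM.sub("", dork)
    body = re.sub(r"\s+", " ", body).strip()
    return f"site:{domain} {body}".strip()


def search_url(query: str) -> str:
    """URL that runs the query in Google (paste into a browser; rate limits apply)."""
    return "https://www.google.com/search?q=" + quote_plus(query)


def scope_all(dorks, domain):
    """(scoped dork, URL) pairs for a whole GHDB extract."""
    return [(q, search_url(q)) for q in (scope_dork(d, domain) for d in dorks)]


if __name__ == "__main__":
    for query, url in scope_all(SAMPLE_DORKS, "snpp.example"):
        print(query)
        print("  " + url)
```

Feed it the raw dork column of a GHDB export and walk the URLs by hand or through a browser session; automating the requests themselves against Google is a separate problem (CAPTCHAs and terms of service) and is not shown here.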

GrayHatWarfare

• A search engine for publicly listable S3 buckets and the files in them

• AWS has since made blocking public access the default for new buckets, but older buckets, and buckets where the setting was turned off, are still findable

• Huge leaks have been found in the past, such as:

• Booz Allen Hamilton

• U.S. voter records

• Dow Jones & Co

• WWE

• Verizon Wireless

• Time Warner Cable

• Pentagon exposures

• Accenture

• National Credit Federation

• Alteryx

Dehashed

• https://dehashed.com/

• A service that gathers breach data and makes it searchable by hash, cleartext password (if available), email address, and username

• Not as complete as HIBP: because they provide the actual passwords, they tend to trail new breaches by a while as an ethical practice

• Super useful for tying a target to their multiple email addresses (the same password or username showing up under several addresses)

Google Maps

• Something we all take for granted, but it provides a large amount of useful geospatial data (Street View, satellite imagery, business listings)

• Perfect passive source for scouting a building before a physical pentest, or for an attacker planning a physical intrusion

Youtube, Video, Radio, and Traditional Media

• So much information is available through interviews, YouTube channels, etc.

• You just need to be aware of these mediums

The Wayback Machine

• Great for finding files and pages that have since been taken down

• They have a great operations team that is willing to take down old snapshots, but they are understaffed and response time may be slow

Opportunities for attackers

• So what can an attacker do with this information?

Now let’s move on to Defensive Measures

Using OSINT as a Defense

• DO NOT BLOCK SHODAN, CENSYS, OR OTHER SCANNING SITES! If I don’t see you on these sites I know you have something to hide. Blocking is not a remediation!

• Create a process to continually check these sites and remediate issues

• Patch your systems!

• Lock it down! Define files and file types that can and can’t be shared on external facing websites

Recon-ng

• Simulate an attack using Recon-ng in your own organization. I first did this at NCAR almost two years ago and was appalled at what I found!

PowerMeta

• Use it!

• If you are concerned about it, there are tools to automate stripping or changing metadata

• piexif is a Python library that can do just that for EXIF data in JPEG files

• At a minimum I would definitely do this with photos
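For the Office documents PowerMeta is built to hunt (the attacker-side slide above), here is an added example, not code from PowerMeta or the talk, that reads the same fields an attacker harvests from a .docx and then blanks them before the file is published. PowerMeta itself drives exiftool; this reads the docProps/core.xml and docProps/app.xml parts directly with the standard library. The sample document and the names in it are constructed.

```python
"""Find and scrub author metadata in an Office Open XML (.docx) file.

Added example; not code from PowerMeta or the original talk. The sample
document is constructed inline and the names in it are hypothetical.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():  # keep Word's prefixes when we serialize again
    ET.register_namespace(_prefix, _uri)

# (zip member, XPath, report key): the fields an attacker harvests with PowerMeta/exiftool
FIELDS = [
    ("docProps/core.xml", "dc:creator", "creator"),
    ("docProps/core.xml", "cp:lastModifiedBy", "last_modified_by"),
    ("docProps/app.xml", "ep:Company", "company"),
    ("docProps/app.xml", "ep:Application", "application"),
]
SCRUB_KEYS = {"creator", "last_modified_by", "company"}  # identifying; Application is harmless

# Constructed core.xml / app.xml, in the shape Word writes them.
_CORE = (
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">'
    "<dc:title>Direct deposit change procedure</dc:title>"
    "<dc:creator>Homer Simpson</dc:creator>"
    "<cp:lastModifiedBy>SNPP\\hsimpson</cp:lastModifiedBy>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">2019-02-01T09:00:00Z</dcterms:created>'
    "</cp:coreProperties>"
).format(**NS)
_APP = (
    '<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
    "<Company>Springfield Nuclear Power Plant</Company></Properties>"
).format(**NS)


def build_sample_docx() -> bytes:
    """Constructed minimal .docx containing only the parts this example reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", _CORE)
        z.writestr("docProps/app.xml", _APP)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


def extract_metadata(docx: bytes) -> dict:
    """Return the harvestable fields; a missing or blank field comes back as ''."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        roots = {}
        for member, xpath, key in FIELDS:
            if member not in roots:
                roots[member] = ET.fromstring(z.read(member)) if member in z.namelist() else None
            root = roots[member]
            el = root.find(xpath, NS) if root is not None else None
            out[key] = (el.text or "").strip() if el is not None else ""
    return out


def scrub_docx(docx: bytes) -> bytes:
    """Rewrite the archive with the identifying fields blanked (elements kept so Word still opens it)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as src:
        patched = {}
        for member, xpath, key in FIELDS:
            if key not in SCRUB_KEYS or member not in src.namelist():
                continue
            if member not in patched:
                patched[member] = ET.fromstring(src.read(member))
            el = patched[member].find(xpath, NS)
            if el is not None:
                el.text = ""
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():  # copy every member, replacing the patched ones
                if info.filename in patched:
                    data = ET.tostring(patched[info.filename], encoding="utf-8", xml_declaration=True)
                else:
                    data = src.read(info.filename)
                dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", extract_metadata(original))
    print("after: ", extract_metadata(scrub_docx(original)))
```

Run the extract step over everything that is about to go on an external site and fail the publish if creator, last_modified_by or company is non-empty; the scrub step is what the "tools to automate changing of metadata" bullet does for documents, and the same idea applies to EXIF in photos.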

Shodan

• Use it! (Starting to see a pattern here?)

• Feed the results into your vulnerability management tool of choice (Tenable, SAINT, etc.)

• This and other tools like it are a great way to map your attack surface
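What "create a process to continually check these sites" and "include the results with your vulnerability management tool" look like in practice, as an added example that is not the talk's or Shodan's own code: take a Shodan export for your netblocks, diff it against the exposures you have already reviewed, flag services that should never face the internet, and emit a CSV a vulnerability management tool can ingest. It assumes the banner fields ip_str, port, transport, product and timestamp, which is the shape of `shodan download` output; the banners below are constructed samples, not real scan data.

```python
"""Turn a Shodan export into vulnerability-management findings.

Added example, not the talk's or Shodan's own code. Assumes the banner
fields ip_str, port, transport, product and timestamp (the shape of a
`shodan download` JSON-lines export). The banners are constructed samples.
"""
import csv
import io
import json

# Constructed sample: one JSON banner per line, as written by `shodan download`.
SAMPLE_EXPORT = """\
{"ip_str": "203.0.113.10", "port": 23, "transport": "tcp", "product": "Cisco IOS telnetd", "timestamp": "2019-03-01T10:00:00.000000"}
{"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx", "timestamp": "2019-03-01T10:00:01.000000"}
{"ip_str": "203.0.113.11", "port": 5900, "transport": "tcp", "product": "VNC", "timestamp": "2019-03-02T08:12:00.000000"}
{"ip_str": "203.0.113.12", "port": 4786, "transport": "tcp", "product": "Cisco Smart Install", "timestamp": "2019-03-02T08:13:00.000000"}
{"ip_str": "203.0.113.13", "port": 22, "transport": "tcp", "product": "OpenSSH", "timestamp": "2019-03-02T09:00:00.000000"}
{"ip_str": "203.0.113.14", "port": 8080, "transport": "tcp", "product": "Apache httpd", "timestamp": "2019-03-02T09:30:00.000000"}
"""

# Services that have no business facing the internet (port -> name).
RISKY_PORTS = {23: "telnet", 5900: "vnc", 4786: "cisco-smart-install", 445: "smb", 3389: "rdp"}

# Exposures already reviewed and accepted; everything else is a new finding.
# In a real process this is the previous run's reviewed output.
BASELINE = {("203.0.113.10", 443), ("203.0.113.13", 22)}


def parse_export(text):
    """Parse newline-delimited JSON banners."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_exposures(banners, baseline=BASELINE):
    """One finding per (ip, port) not in the baseline; risky services sort first."""
    findings, seen = [], set()
    for b in banners:
        key = (b["ip_str"], b["port"])
        if key in baseline or key in seen:  # accepted, or a duplicate banner
            continue
        seen.add(key)
        risky = b["port"] in RISKY_PORTS
        findings.append({
            "ip": b["ip_str"],
            "port": b["port"],
            "transport": b.get("transport", "tcp"),
            "service": RISKY_PORTS.get(b["port"], b.get("product") or "unknown"),
            "severity": "high" if risky else "info",
            "first_seen": b.get("timestamp", ""),
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["ip"], f["port"]))
    return findings


def to_csv(findings):
    """Generic CSV that vulnerability management tools can import as findings."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["ip", "port", "transport", "service", "severity", "first_seen"])
    w.writeheader()
    w.writerows(findings)
    return buf.getvalue()


def run(export_text=SAMPLE_EXPORT):
    return to_csv(find_exposures(parse_export(export_text)))


if __name__ == "__main__":
    print(run())
```

Schedule it against a fresh export, review the "info" rows and move the ones you accept into the baseline, and treat every "high" row as a ticket; the same loop works for Censys or your own external scans, which is why blocking the scanners buys you nothing.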

Google Dorks

• Processes and procedures for maintaining wiki pages or other sources of information

• Clearly defined procedures for open indexes, meeting notes, etc.

• You can ask Google to recrawl a URL, or request its removal, once the files are no longer openly available

• Amazing tool from The University of Texas at Austin called dorkbot. It uses Google dorks to find pages on your own sites and scans them for potential cross-site scripting, SQL injection, and other vulnerabilities

Intel Techniques: Hiding From The Internet

• https://inteltechniques.com/data/workbook.pdf

• Help your critical and/or sensitive staff complete the workbooks if appropriate to your threat model. Especially important for banks or other financial institutions

• A home address is usually very easy to find on the internet

• Stop the modus operandi of the sleepover bandits.

Processes and Procedures

• The only way to keep important documents from leaking to the internet is to create processes and procedures that feed back into themselves (each review produces the input for the next)

• Needs buy-in from on high

• Good place to start might be with your COO or privacy office

BREAKOUT Session

Focus on the following items:

1. Are there any files, procedure documentation, or services that shouldn’t be exposed to the internet?

2. Who are the top 5 targets in your organization?

3. Try a few of these against your organizational websites: https://www.exploit-db.com/google-hacking-database

Case Study

• Based on an amalgam of real companies

• I was personally involved in each and every one of these findings

• So today we are looking at The Springfield Nuclear Power Plant! (SNPP)

Why Us? Just For Fun

It seems someone in Springfield joined a hacking team and is trying to deface websites on behalf of his team, the Depression Crew

"Hacked By LittleJok3r - DepressionTeam" is now included as text on the SNPP website

Why Us? Low Hanging Fruit

Bart is going to get in because he found telnet exposed directly to the internet

Pivoting to another Target

Attackers want access to the Shelbyville Nuclear Power Plant’s network, which is connected to the Springfield one. Shelbyville has much better IT security, so Springfield is the way in

Recon-ng

• The IT guy at the SNPP decides to see what he can find about his company using Recon-ng. He creates a report that details some of the following:

• Procedural documents on how to change direct deposit are available to the internet for anyone to see

• Controlled information is exposed to the internet on one of their servers, and a nation-state group appears to have gained access to it

• He reports these, and a year later the procedural document leads to an employee’s salary being deposited into an attacker’s bank account

• Mr. Burns is concerned that his salary could be affected in the future and creates a policy mandating that all procedural information be kept behind access control on internal websites (Win for IT guy!)

PowerMeta

• IT guy decides to do some testing with PowerMeta to see what he can find. He discovers from the document metadata that, months after a remote code execution bug was disclosed in ImageMagick, the company still hasn’t updated the version they were using. He escalates to management and they patch the software before any attacker finds and exploits the bug

Shodan

• IT guy used Shodan to find telnet, Cisco Smart Install, and VNC all exposed to the internet

Google Dorks

• IT guy found open indexes from a conference with information like food preferences, home address, job title, and phone number

• IT guy found a compromised website serving up advertising for sites, drugs, etc. using the site: and ext: operators

• IT guy subscribed to dorkbot and quickly found 5 websites with XSS and SQL injection vulnerabilities

GrayHatWarfare

• Mr. Burns didn’t pay to have someone secure their S3 buckets. All the employee information, including PII, was exposed to the internet and was discoverable and downloadable via GrayHatWarfare. Luckily IT guy found it quickly and was able to lock it down

Dehashed

• IT guy heard about Dehashed and decided to check for passwords within his organization. He found that Mr. Burns uses the same password on multiple sites

Google Maps

• IT guy decided to use Google Maps to see what he could learn about the plant’s buildings and grounds

• He found a side door by the dumpster that didn’t have a badge reader and was propped open

Youtube/Traditional Media

• IT guy checked the corporate youtube channel and found procedures for filling out timecards and other information

The Wayback Machine

• IT Guy finds a list of high profile clients and their contacts on a webpage snapshot in the wayback machine

• IT Guy finds snapshots of sensitive diagrams

Questions?