Introduction. Things are changing

Содержание

Слайд 2

Agenda Introduction Things are changing... Part I – Finding info Demo

Agenda

Introduction
Things are changing...
Part I – Finding info
Demo
Interlude
Part II – uses of

the information collected
Conclusion
Слайд 3

Introduction Who I am? Roelof Temmingh Completed Bachelor's degree in Electronic

Introduction

Who I am?
Roelof Temmingh
Completed Bachelor's degree in Electronic Engineering
Started SensePost with

friends in 2000
Talked/trained at BlackHat, RSA, Defcon, FIRST etc.
Co-wrote some Syngress books
Built tools @ SensePost – Wikto, Suru, BiDiBLAH, Crowbar
Today
Started Paterva beginning of 2007
R&D
Слайд 4

Think deep...introspection Why do we hack? No...I mean...really... “See if it's

Think deep...introspection

Why do we hack?
No...I mean...really...
“See if it's safe because I

bank there” - yeah...OK if you say so.
The pleasure from seeing the lock open == the info appearing on your screen. Control over the lock.
It's being able to do things normal people can't, knowing things that normal people don't.
It's less about applying the information->knowledge
Слайд 5

Things are changing (at least from the outside) When last did

Things are changing (at least from the outside)

When last did you fully

own a box? (root/system)
When last did you fully own a database?
When was the last proper worm?
Where have all the script kiddies gone??
At least from outside – you are dealing with 3 ports – 80,443 and 25.
If you own something today it's probably via a web application gone wrong, or it's a client via a vuln in a client side app (think browser, email client).
Слайд 6

Job security - NOT! Company X asks for a external security

Job security - NOT!

Company X asks for a external security assessment.
Company

X has one static website (and email)
As security expert you need to assess it.
Nmap,Nessus,Wikto/Nikto – now what?
The most used tab in Wikto?
Are they really worried about an 0day on their IIS6?
Or that 'bad things happen on the Internet' ?
The unknown almost always scares..
Слайд 7

Hacker's 6th sense People regularly ask me - what can you

Hacker's 6th sense

People regularly ask me - what can you find

out about...?
... without touching/hacking them
... without them knowing
Most of the time it turns out there is a lot to be found
“Why couldn't you do this??”
Because we know the fabric of the 'net
Because we think different thoughts
Because we are have built-in deviousness
Because we know who and how to ask
“But why would you like to know this?”
Hackers are not interested in the application of data, but know how to get to it.
Слайд 8

People always ask me... Non-tech people ask “what can you tell

People always ask me...

Non-tech people ask “what can you tell me

about this:
Email address
Company
Person
Word/phrase
Website
...and us tech people think:
IP addresses, virtual hosts
Netblocks / AS routes
Affiliations (Linkedin,Myspace,Orkut,Zoominfo,Facebook etc)
Microformats - XFN, vCards, hCards etc. etc.
Forward and reverse DNS – MX/NS records
Whois records / rWhois and referring registrars
Google fu / Deep web search
Services like ip2geo, wayback machine, Google Earth,Zoominfo
Meta information in documents
Слайд 9

Part I – relationship collection The thinking behind the framework Step

Part I – relationship collection The thinking behind the framework

Step 1: What

can you tell me about...
How would you do it as a human? =>
Information transforms in the framework
Step 2: Collect information
Searching, surfing
Deep web & services
Step 3: Parse/convert information to new entities
Step 4: Goto 1
Find the hidden information -
A -> B -> C and
X -> Y -> C
..then A =~ X
Слайд 10

Part I – relationship collection Thinking behind the framework Entity or

Part I – relationship collection Thinking behind the framework

Entity or Entities ->

Transform -> Entity or Entities
Repeat
Entities I have now are:
core/entities roeloftemmingh$ ls -1
AffiliationEntity.java
DNSNameEntity.java
DocumentEntity.java
DomainEntity.java
EmailAddressEntity.java
IPAddressEntity.java
LocationEntity.java
PersonEntity.java
PhraseEntity.java
TelephoneNumberEntity.java
WebSiteEntity.java
Слайд 11

Part I – relationship collection: Transforms Transforms are: (as of 3

Part I – relationship collection: Transforms

Transforms are: (as of 3 April

2007):
/core/transforms roeloftemmingh$ ls -1
DNSNameToDomain.java
DNSNameToIPAddress.java
DNSNameToWebSite.java
DomainToDNSNameBrute.java
DomainToDNSNameMX.java
DomainToDocument.java
DomainToEmailPhoneSiteGoogle.java
DomainToEmailWhois.java
DomainToTelephoneWhois.java
EmailToAffMySpace.java
EmailToDomain.java
EmailToEmailPhoneSiteGoogle.java
IPAddressToDNSName.java
IPAddressToDNSNameVH.java
IPAddressToEmailPhoneWhois.java
IPAddressToLocation.java
PersonToAffLinkedIn.java
PersonToEmailPhoneSiteGoogle.java
PersonToEmailPhoneSiteGoogleBlog.java
PhraseToEmailPhoneSiteGoogle.java
PhraseToEmailPhoneSiteGoogleBlog.java
TelephoneToEmailPhoneSiteGoogle.java
WebSiteToDNSName.java
WebSiteToWebSiteIncomingLink.java
_WebSiteGetFirstSeen.java
_WebSiteGetServerVersion.java

26 transforms
and growing steadily..

Слайд 12

Part I – relationship collection The thinking behind the framework Transforms

Part I – relationship collection The thinking behind the framework

Transforms - “who

can do anything with a ...?”
Entities open and expandable
Transforms uses plugin architecture
Thus, you are only limited by your own imagination
If you are in the Lexis/Nexis club...
If you work for the phone company
If you have access to any other juicy databases etc.
Слайд 13

Transforms Some really easy examples DNS name -> IP number(s) IP

Transforms

Some really easy examples
DNS name -> IP number(s)
IP number -> DNS

name
Domain (whois) -> email address(es)
IP address (whois) -> telephone number
Telephone number -> Geo location
IP number -> Geo location
Слайд 14

Transforms tel -> email Some more interesting examples: Consider Telephone number

Transforms tel -> email

Some more interesting examples:
Consider Telephone number -> email

address
How would a human do it?
Step 1: Google the telephone number
Step 2: Look at the snippet/Surf to the result
Step 2: Look for email addresses
Step 3: See which are clearly connected to the telephone number
But it gets nasty...
Слайд 15

Transforms: tel- > email Assume the number is +27 83 448

Transforms: tel- > email

Assume the number is +27 83 448 6996
=~

083 448 6996
=~ (0)83 448 6996
=~ 083 4486996
=~ +2783 4486996
=~ etc
Option 1: only look for 448 6996.
Your friendly plumber in Burundi
Option 2: Try combinations
But “+27 83 448 6996” is more likely to be correct than 083 448 6996
Слайд 16

Transforms – confidence levels Same goes for First Name/Last Name Results

Transforms – confidence levels

Same goes for First Name/Last Name
Results on search

query for “Roelof Temmingh” is more likely to contains the correct email address for me that a query for R Temmingh.
So – let's do all the queries, but give each a 'confidence index'
Are there other parameters we can use to increase the quality of our results?
Слайд 17

Transforms: factors when sorting by relevance Frequency of the parsed result

Transforms: factors when sorting by relevance

Frequency of the parsed result
If, after

parsing, I get roelof.temmingh@gmail.com 100 times it's likely to be more relevant that something that appears 2 times.
Significance of the site where the term is located
Especially necessary when working with phrases.
Correlation to the original search term.
roelof.temmingh@gmail.com is more likely to be Roelof Temmingh's email address than kosie.kramer@yahoo.com.
Proximity to the search term.
Слайд 18

Transforms : using Google So, for each “fuzzy” search (where relationships

Transforms : using Google

So, for each “fuzzy” search (where relationships are

not 1:1) I can create an confidence index.
Using Google and only looking at snippets I get:
Speedy results
Control over amount of results returned
Country specific results
Significance of site -> Page Rank
Proximity -> Anything in the snippet is already in close proximity to the search term
Confidence index=
(Query confidence * Frequency across all pages * correlation to search term) + (sum of page ranks)
Google helps even more
Numrange – for finding telephone numbers in a certain area.
Слайд 19

Dragos & Ursu ;) cansecwest->pacsec/eusec->dursec->kyx.net->dragos.com (http://guestbook.husi.ro/index.php?page=18) -> Ursu Dragos (ursulet@dragos.com) ...With all the gritty details inbetween

Dragos & Ursu ;)
cansecwest->pacsec/eusec->dursec->kyx.net->dragos.com
(http://guestbook.husi.ro/index.php?page=18) ->
Ursu Dragos (ursulet@dragos.com) ...With all

the gritty details inbetween
Слайд 20

Applications a.k.a So what?? For conventional security: Stock standard footprinting (DNS,

Applications a.k.a So what??

For conventional security:
Stock standard footprinting (DNS, IPs, domains

etc)
Nice for finding war dialing (?!) ranges
Targets for social engineering and client side attacks
Alternative email addresses for content attacks
“if the attacker can get the victim to visit...etc..”
Finding alliances with weaker security postures
Understanding business drivers and sensitivities
Слайд 21

Applications a.k.a So what?? Is abc.com a phishing site? Domain ->

Applications a.k.a So what??

Is abc.com a phishing site?
Domain -> email addresses

at domain
-> telephone numbers 'connected'
-> related DNS names -> IPs
-> Website
-> Whois -> email addresses
-> whois -> telephone numbers
Telephone numbers -> Geo location(s)
Telephone numbers -> Alternative emails
Telephone numbers -> Related tel. numbers
IPs -> Geo location(s)
IPs -> co-hosted websites on same IP
IPs -> whois -> owners / tel / email
Website -> First seen date
Website -> Phrases
Слайд 22

Applications : more interesting stuff Who at the NSA uses Gmail?

Applications : more interesting stuff

Who at the NSA uses Gmail?
Domain ->

telephone numbers
Telephone number (area) -> Email addresses
Which NASA employees are using Myspace/LinkedIn?
Domain -> email addresses
Email addresses -> social network
Which people in Kabul are using Skype?
Telephone number (area) -> email addresses
Email addresses -> Affiliation
Слайд 23

Even more applications In which countries do the USMC have bases

Even more applications

In which countries do the USMC have bases in?
Domain

-> Sub domains
Sub domains -> DNS names
DNS names -> IP addresses
IP addresses -> Geo location
Other uses even...
What are the names and email addresses of single, young woman in my neighbourhood who are straight (or not)?
phone area -> email
email -> social myspace
[filter]
Слайд 24

OK..so he's 49 and into pot

OK..so he's 49 and into pot

Слайд 25

Demo http://www.paterva.com

Demo http://www.paterva.com

Слайд 26

Hold your horses ...a.k.a 'but this is BS' “...my mother/grandma can't

Hold your horses ...a.k.a 'but this is BS'

“...my mother/grandma can't even operate

a mouse...”
Not everyone on the net gives out their info
Not all systems readily give info to computers
The info is kept closer...but also wider..
Whois info details on new domains are now removed
But look at Myspace / LinkedIn
Web 2.0 ... new generation of 'WHAT privacy??'
“Nowadays the kids have their photos on flickr, their profiles and friends on Facebook or Myspace, and their personal thoughts on LiveJournal/Blogger/Twitter, and future-cringeworthy-moments be damned. Concern about privacy is so last century. :o)”
What this “Deep Web” thing anyhow?
Слайд 27

Interlude You are : the information you publish the information others

Interlude

You are :
the information you publish
the information others publish about you
your

associations, and
the information you search for.
The holy grail of information collection – your search terms
How can we know what other people are searching for?
Слайд 28

Collecting your search terms Recently AOL 'lost' a couple of search

Collecting your search terms

Recently AOL 'lost' a couple of search terms

(well OK 20 million of them)
You can search search terms at data.aolsearchlogs.com.
Searches are connected by userID. People are really weird - hours of fun...
User #13324924 searched on 'help navada a resident of yours is harrassing me and threating to have me killed by a guy named ronnie and she will not give me my belongings she tookk them and refuses to return my nesseceties' at 2006-04-29 20:11:47
User #13324924 searched on 'cheap flights' at 2006-05-16 05:43:55
Слайд 29

Collecting your search terms If we control the infrastructure of a

Collecting your search terms

If we control the infrastructure of a network

we can
Redirect outgoing traffic to port 80 into a Squid proxy
Change two settings in the default Squid config to log MIME headers (cookie) and show parameters (search terms)
Copy logs into a database
Extract search terms per Google cookie (which expires in 2038)
...and have exactly the same...(plus we get all the sites the user went to as a bonus)
What prevents your company/government to do the same?
Or ... publish your proxy in open proxy list / become a TOR node
Слайд 30

Collecting your search terms I run a super secret project called

Collecting your search terms

I run a super secret project called Sookah.
I

don't ever want people to know about it.
When someone search for the word Sookah I want to know it leaked to someone
I don't want them to find out that I know
I register an Adword...isn't Google wonderful?
Слайд 31

Collecting your search terms

Collecting your search terms

Слайд 32

A different thought Your life story in no more than 5

A different thought

Your life story in no more than 5 pages
...A.k.a

your resume'
Once you get someone's resume' you know all about the person
You can search for it ...or...
You can get people to send it to you
Recruitment is easy:
Post a job ad and wait for people to send their life story
You can even specify which types of people...:)
“Looking for nuclear scientist/engineer with experience in Uranium enrichment and military background. Earn top dollar, 401K plan, dental coverage, 25days leave. Flexi time.
Apply within...”
Слайд 33

Part II : Using the information Hackers are not good at

Part II : Using the information

Hackers are not good at applying

information.
They are devious – but not outright criminal.
I'll give it a shot though...
Слайд 34

Using the information Hit & run Spoof email from the FD

Using the information Hit & run

Spoof email from the FD to employees

(& Bloomberg) stating the CEO has resigned / company is insolvent / sell your shares / etc.
Register a site in the name of the holding company's director. Mirror a porn site. Populate. Spoof mail from a techie at the sister company to everyone about the “discovery”. Make it look like a CC that went wrong.
Spoof SMS from the FD's mobile phone to a high profile investor about corruption in the company. Watch the share price drop, buy low, sell high.
But this is kid's stuff and is easy to spot. Timing however is everything...
Слайд 35

Using the information Back to company X Let's assume we create

Using the information

Back to company X
Let's assume we create a 'information

footprint' of X using the framework.
After a couple of hours we know who are directors at company X and
Their email addresses – their private ones too
Their hobbies
Their social network – clubs they belong to, their friends
The location of their blogs
We also have a list of email addresses of their employees
So...
Слайд 36

Using the information Personal online identity theft If these people don't

Using the information Personal online identity theft

If these people don't have a

strong online presence we will help them out:
Create a Gmail (or pick any other widely used free email) address in their name
Register them (and their friends) on LinkedIn
Register them on MSN/Skype/Google Talk
Register them on MySpace (or pick appropriate social network)
Create a blog for them on Blogspot/WordPress
Subscribe them to a couple of mailing lists
Oh...and you might register a similar domain for them (like...phishing you know)
Can you automated this ? (even with CAPTCHAs?)
We've collected all the info to re-create them very life like
Слайд 37

Using the information: identities are grown, not born People don't appear

Using the information: identities are grown, not born

People don't appear from nowhere
We

need to give their new identities credibility
If you Google someone...they magically exists
Blogs and posts are time stamped
Unless we control the underlying infrastructure (although its more effort and a single point of failure)
Thus – we need to grow these identities because we can't manipulate the time line
Arb postings to mailing lists/blogs
Sign a “guestbook” (remember those?)
Basically get the identity out there on anything that's indexed – and will thus show up later.
It can take months...perhaps years..if you do it right
If we investigate it – it must look real.
Слайд 38

Using the data Starting a campaign Now that I am you

Using the data Starting a campaign

Now that I am you and your

board I need a mission
It actually boils down to plain old marketing
People are flock animals
So first create a virtual flock of people.
Grow many more identities (we know the players)
Manipulate counters (its SO 90s)
Manipulate Votes / polls
Generate automated comments / forum
...and others will follow
Seems like a lot of hard work, but
...watch this space...
Слайд 39

Coming soon to blog near you: automated comments /code/autosent roeloftemmingh$ perl

Coming soon to blog near you: automated comments

/code/autosent roeloftemmingh$ perl generate.pl data-disagree/
I

don't understand this. The ideas you spoke about are honestly bullshit. I have never seen such a load of bullshit.
Our company basically do not figure your statement. The fundamentals here are wrong! I have not experienced this type of situation! Do you believe this nonsense? This is totally fabricated.
I have surely never seen this type of situation. Get a life. You honestly believe in this nonsense? This is FUCKING appalling.
We do not get this thinking.
This idea is unbelievably bad! You consider this waste? This is nonsense!
FUCK THAT!
This posting is bad! The thinking here is full of shit.
I have never ever seen any of the things listed here. Dude, you should be spending time on other stuff!
This is fucking ridiculous. Do you consider this bull? C'mon - think about it.
Your company ought to be researching more interesting things.
We utterly do not figure this article. This argument is rubbish.
CAPTCHAS??
Слайд 40

Go watch “Wag the dog” again... ...but think of the Internet of today.

Go watch “Wag the dog” again...

...but think of the Internet of

today.
- Предыдущая
Обмен нуклеотидов
Следующая -
Метаболизм липидов. Метаболизм триацилглицеридов. (Лекция 9)

Похожие презентации

Основы JS. Особенности работы с объектами
Технические требования к рекламным роликам для медиа фасада
Impeller. Database programming language
Презентация "Microsoft SQL Server 2008 R2" - скачать презентации по Информатике
Создание рисунков. Пиксель. Сохранение рисунков и открытие созданных ранее
Урок безопасности в Интернете 2022
Програмування мовами низького рівня та системне програмування
Средства информационных и коммуникационных технологий. Архитектура компьютеров. Виды программного обеспечения компьютеров
Разработка проекта администрируемой сети на базе сервера
MS Excel бағдарламасының логикалық функциялары
Создание простейших анимаций в среде Macromedia Flash 7.0 Прикладной проект по информатике и ИКТ
Презентация "Логические основы ЭВМ" - скачать презентации по Информатике
Презентация по информатике Передача информации в компьютерных сетях Устройство компьютерной сети Электронная почта и другие ус
Системы счисления
Microsoft Office
Let’s go. Игровое сообщество. Правила
Портфолио специалиста
Числа в памяти компьютера
Коллекции. Часть 2.Лекция 9
Объекты и их имена
Системы счисления. Математические основы информатики
Презентация "Электронная таблица" - скачать презентации по Информатике
Виды моделей. Формализация и визуализация моделей
МИКРОПРОЦЕССОР INTEL 8086 1) ОБЩИЕ СВЕДЕНИЯ О МИКРОРОЦЕССОРАХ 2) АРХИТЕКТУРА ПРОЦЕССОРА INTEL 8086 3) ПРОГРАММНАЯ МОДЕЛЬ ПРОЦЕССОРА 8086 4) Ф
Основные понятия о программе Mikrosoft Рower Рoint
Презентация "КОМПЬЮТЕРНЫЕ ОЧКИ И СТРАШНЫЕ СКАЗКИ ПРО МОНИТОРЫ" - скачать презентации по Информатике
Базові пошукові алгоритми на графах. (Лекція 2)
Распределенные базы данных
Вы можете прислать нам Вашу презентацию и мы опубликуем ее на сайте.
Обратная связь
Для правообладателей
Email: Нажмите что бы посмотреть