
Recon Village




Talks (RV @ DEFCON 30) Details

Keynote

The Future of Collecting Data from the Past: OSINT Now and Beyond

Name: Micah Hoffman

Date: 12th August

Time: 10:00 - 10:50 AM

Abstract:

The OSINT field is evolving at an incredible rate! Each day investigators and hobbyists access the latest images from military conflicts around the world. OSINT analysts use automated processes to generate false personas and to collect data from an ever-increasing number of social media platforms. Private digital records are released to the public internet and we use this data to help solve the questions posed to us, the OSINT researchers of today.

This is now. A time when OSINT communities are connecting and supporting their members. A time when we have thousands and thousands of hours of podcasts and online videos, blog posts and start.me pages that teach us skills and point us to resources.

So, what does the future look like for the OSINT field? What are the new areas of "hotness"? How do we help to move the field forward? Come join Micah Hoffman as he discusses where the OSINT field is and what the future of OSINT could look like.

 

Comprehensive Talk

Information Confrontation 2022 - A loud war and a quiet enemy

Name: wbbigdave

Date: 12th August

Time: 10:50 - 11:35 AM

Abstract:

In 2022 Russia invaded Ukraine. The manner in which this happened, and the tactics used on all sides to frame the invasion, cut deep into how we perceive media and information across the world. This information confrontation is something the West is ill-prepared to combat, whereas Russia has been conducting such operations for a long time. It is also the backdrop for the confrontation taking place in the networks across Europe, and likely in the East as well. We are seeing joined-up operations of kinetic, information, and cyber warfare being conducted at all levels of the military. No longer can we ignore the power of joint operations and multi-domain warfare. The focus of this talk will be information gathering and extrapolation.

Not All Who Wander Are Lost: Using OSINT for a Fulfilling Travel Experience

Name: Tracy Z. Maleeff

Date: 12th August

Time: 12:00 - 12:45 PM

Abstract:

Whether you like to stay at home and travel virtually by computer or you like to get out and experience things first-hand, this talk will highlight how OSINT resources and techniques can optimize your enjoyment of a trip. The presenter's first career was as a travel agent, on top of a lifelong case of wanderlust. Through anecdotes and research skills, this presentation will provide you with resources and tips for planning, booking, and enjoying a trip, with special attention paid to the privacy and security aspects of travel. No passport required, just your interest in learning!

Stalking Back

Name: MasterChen

Date: 12th August

Time: 12:45 - 01:30 PM

Abstract:

You are being stalked. What can be done? Can you stalk back, and should you? What exactly does it mean to "stalk back"? These issues and questions are addressed through a detailed case study in this presentation. OSINT and disinformation are tools discussed in leveling the playing field in an otherwise disadvantaged scenario.

The Bug Hunters Methodology - Application Analysis Edition v1.5

Name: JHaddix

Date: 12th August

Time: 03:00 - 03:50 PM

Abstract:

Scanning your way into internal systems via URLScan

Name: Rojan Rijal

Date: 12th August

Time: 04:25 - 05:10 PM

Abstract:

URLScan is frequently used in anti-phishing workflows to identify potentially malicious websites. However, a misconfigured scan can expose internal assets, domains, and sensitive information to the public. GitHub had such an incident in 2021, when internal repository names were exposed due to misconfigured scan settings.

The talk will cover various technologies and how they are used internally at sample companies. Once the technologies are covered, the talk will explore how they can be queried in URLScan to identify sensitive information disclosed by companies.

The talk will start by explaining and highlighting SaaS technologies that often leak a company's sensitive information. In addition to the technologies themselves, the talk will explain how the extracted information can be used for privilege escalation or access to internal resources. The technologies covered will include at minimum Microsoft Office 365, GSuite, Salesforce, GitHub, and SAML providers.

Once the technologies are covered, the talk will show how URLScan can help identify these resources en masse. This section will go over the search queries and regex searches that can be used to reliably retrieve information from these technologies. Once the basic queries are covered, the talk will explore specific queries that can be combined to reliably pull information for a given company.

The talk will also show examples from real companies that I have found to have disclosed sensitive information.

At the end of the talk, attendees will walk out with exact queries they can run to find out whether their company or their target is disclosing sensitive information. They will also be able to use some of the disclosed information to further escalate their access internally.

FOX STEED: Analysis of a Social Media Identity Laundering Campaign

Name: Shea Nangle

Date: 13th August

Time: 10:50 - 11:35 AM

Abstract:

In February of 2022, I received a LinkedIn connection request from an unknown account that appeared to be illegitimate. Investigation of the account confirmed that it was fraudulent, and led to my discovery of several dozen other clearly illegitimate accounts using the same "account laundering" methodology. Following this initial exploration, I conducted an in-depth analysis of the group of accounts to determine commonalities of behavior and potential links among them.

This presentation will explore the results of the analysis of these accounts, information leading to potential initial attribution for the creator(s) of the accounts, as well as potential analysis of other groups of accounts using similar methodologies. In this session, participants will learn how this group of accounts works, as well as the mistakes in tradecraft that led to the identification of the accounts as illegitimate. This knowledge will be useful for detecting fraudulent accounts (including some methods that can be used by less technical audiences), as well as for creating more plausible sockpuppet accounts for OSINT purposes.

New Frontiers in GitHub Secret Snatching

Name: Tillson Galloway

Date: 13th August

Time: 12:10 - 12:55 PM

Abstract:

Even after years of scolding from security teams around the world, GitHub remains a developer's favorite place to post passwords, API tokens, and proprietary information. While these leaks have been well studied for more than three years, gaps remain in the process of uncovering them. Many secret-searching techniques only consider entities with strong connections to a company: users who belong to the company's org and repositories posted by the org itself. Most secrets, however, have only loose connections to the organization, such as users who post their dotfiles and configs. By combining a breadth-first approach to GitHub searching with heuristics for eliminating false positives, we are able to find secrets more effectively. We highlight recent work in the area of secret sprawl and present a new technique to find secrets across GitHub.

This talk is the first to provide the following:
- A new, breadth-first technique to find secrets across GitHub
- Strategies for false-positive reduction that can be applied to both source code and other OSINT tools
- Insight into the root causes of leaks: what types of repos are more likely to be posted?

Sonic scanning: when fast is not fast enough

Name: Jasper Insinger

Date: 13th August

Time: 03:00 - 03:50 PM

Abstract:

Scanning various parts of the internet is one of the fundamental techniques that security researchers and white-hat hackers use to keep the internet safe. To keep up with the increasing number of bug bounty programs, and of assets in general, we need to level up our scanning software as well.

This talk explores the design of a high-performance DNS bruteforcer. We will discuss the fundamental bottlenecks that limit current scanning software to only a fraction of line-rate scan capacity, for example: what prevents a common DNS bruteforce tool like MassDNS from exceeding 350,000 requests per second?

Our tooling is currently capable of scanning DNS at up to 40M requests per second, which is over 100x faster than MassDNS at peak performance, and the scan capacity can reach 40GbE line rate. All building blocks of this scanner will be discussed in the talk, such as the concurrency model and the way incoming and outgoing packets are routed within the scanner.

NPM, "Private" Repos, and You

Name: Jasper Insinger

Date: 13th August

Time: 04:15 - 05:00 PM

Abstract:

Supply chain research is so hot right now! In this talk I plan to talk about how to clone the NPM metadata database, and all of the interesting repercussions of this design decision. Between exposing code from private GitHub repos, being able to search through all contributors' email addresses, cybersquatting maintainers' expired domains for account takeovers, and the interactions between .gitignore and .npmignore, there are plenty of interesting things to cover.

Lightning Talk

(Not-So-Secret) Tunnel: Digging into Exposed ngrok Endpoints

Name: Eugene Lim

Date: 12th August

Time: 11:35 - 12:00 AM

Abstract:

ngrok is a popular developer tool for exposing local ports to the internet, which can be helpful when testing applications or private network devices. Despite the large reconnaissance surface of development environments exposed by ngrok, most security research has focused on offensive applications of ngrok, such as the abuse described by Huntress (https://www.huntress.com/blog/abusing-ngrok-hackers-at-the-end-of-the-tunnel). Instead, I will focus on two new reconnaissance vectors: 1. ngrok domain squatting; and 2. ngrok tunnel enumeration.

By default, ngrok HTTP tunnels expose HTTP traffic via randomly generated *.ngrok.io endpoints such as https://5e9c5373ffed.ngrok.io. These subdomains can be harvested from a variety of OSINT sources, such as GitHub repositories, documentation, StackOverflow answers, and "how-to" blog posts. Unfortunately, paid ngrok users can select any *.ngrok.io subdomain for their tunnels, allowing them to squat on these subdomains and wait for unsuspecting users to copy-paste commands that use these hard-coded "random" endpoints. I will show examples of squatting that yielded interesting webhook callbacks and leaked information.

ngrok also allows users to create TCP tunnels, which are exposed via ports 10000-20000 on *.tcp.ngrok.io. Because these values are far easier to enumerate than HTTP tunnel subdomains, users can easily map out the entire ngrok TCP tunnel space. This unveiled a house of horrors, from Jenkins dashboards to VNC and MySQL servers that allowed anonymous access! I will share a statistical breakdown of one such mapping that clearly shows that ngrok users may have been far too reliant on security by obscurity.

I will conclude by sharing some tips on using ngrok safely through its built-in authentication options and domain reservation. I will also share real-life examples of ngrok endpoints popping up in production code, further highlighting the potential of ngrok as a reconnaissance source.

A Light in Darkness: Child Predator Hunting through OSINT, Dark Web Sleuthing & Linguistic Analysis

Name: Jessica Smith

Date: 13th August

Time: 03:50 - 04:15 PM

Abstract:

Growing up, most of our parents told us, "There is no such thing as monsters." The problem is, our parents likely knew nothing of the dark web, where the beings of nightmares live, breathe, and lurk. While we can't be Van Helsing, slaying creatures of the shadows, we can target, hunt, and learn from them digitally. This OSINT-for-good talk will examine child predator tracking and identification through open, deep, and dark web channels, as well as leveraging linguistic analysis and chat forum engagement to locate weaknesses in their OPSEC measures. Not even the stealthiest of targets can hide in the darkness for long when their pursuers are armed with predator-specific investigative skills, a roadmap of their weaknesses and, of course, a white hat.

Panel

Attack Surface Management Panel

Name: Ben Sadeghipour and 4 other panelists

Date: 13th August

Time: 10:00 - 10:50 AM

Tool Talk

The Richest Phisherman in Colombia

Name: Nick Ascoli

Date: 12th August

Time: 03:50 - 04:25 PM

Abstract:

Adversaries have increasingly been leveraging completely legitimate third-party web hosting products to circumvent traditional domain reputation analysis engines and successfully get their phishing pages in front of their victims. Using these third-party services also offers them a great opportunity to limit the exposure of their own infrastructure, a significant OPSEC advantage. However, in one investigation, a few breadcrumbs left in the adversary's code led us down a rabbit hole to slowly uncovering the person behind what is perhaps the largest Facebook credential harvesting campaign ever investigated, reported by cybersecurity blogs and news media worldwide in mid-June 2022.

In this talk, we will follow the breadcrumb trail left by a threat actor, demonstrating how we pieced together the shocking scale of their credential harvesting and malvertising operation. From comments in their code, to their various online identities, to accessing their infrastructure, we will walk through our investigation into a wanted Colombian cybercriminal and demonstrate how recon can be used against adversaries.

Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs

Name: Martin Vigo

Date: 13th August

Time: 11:35 AM - 12:10 PM

Abstract:

A couple of years ago at DEF CON's Recon Village, I introduced a new OSINT technique to obtain a target's phone number knowing only their email address, and published the tool "email2phonenumber", which automates the entire process. Among other things, email2phonenumber generates possible phone numbers for the target based on the phone numbering plan of the target's country.

This year, I am introducing "Phonerator", a web-based tool to search, filter and generate *valid* phone number lists. Taking the phone number generation process of email2phonenumber to the next level, Phonerator allows you to provide only a few known digits of your target's phone number and start creating lists of possible (and valid) numbers. Don't have any intel on your target's phone number, but know which carrier they use, the area they live in, or the date they started using the number? Phonerator can take in all those pieces of information and help you narrow down the possible phone numbers.

Phonerator is also a great tool for discovery and research. Want to find obscure and unknown carriers, together with the phone numbers assigned to them, for your wardialing needs? Phonerator can help. Want to abuse "Contact Discovery" to find which websites your target is registered on? Phonerator can export your curated list of numbers in vCard format for easy import into your test devices. Join this talk if you are an OSINT lover, SE professional, phreaker, or just curious about how phone numbers get assigned and how you can profit from it.

Finding Hidden Gems In Temporary Mail Services

Name: Berk Can Geyikçi

Date: 13th August

Time: 12:55 - 01:30 PM

Abstract:

In today's world, where temporary mail services are used heavily, our project monitors these services according to a given configuration in order to find useful gems.

We wrote a command-and-control Python tool for this research, hosted on our private server on Amazon. So what does this tool do? It constantly scans the most used temporary mail services today (yopmail, tempr.email, dispostable, guerrilla, maildrop), indexes the mails landing there according to the words we specify, and keeps us informed via Telegram through the Telegram API integrated into the tool. The tool has been running on our server for about a year and has stored, and continues to store, more than 1 million mails. In our research, we observed what kinds of e-mails are sent to these services and what use they can be to a hacker. We were able to take over accounts holding money through these mail services. In our ongoing research, we have identified confidential personal information, account reset e-mails, hundreds of game accounts, and bitcoin wallet information. We will show these in our presentation, some of them censored.

In addition, we will release the tool on GitHub after the presentation. The tool contains a config file. It constantly crawls and monitors the mails in the URLs given in this config file and can save them if you want. It decides which e-mails to record based on the keywords in the config file, which you can configure. Therefore, I can say that this tool is very effective.

For example, I installed this tool and entered words such as ebay, password reset, bitcoin, and OTP as the keywords. The tool saves, or tells you about, e-mails containing these words the moment they arrive at the relevant mail services. In addition, the tool has Telegram API integration, so when relevant e-mails are received you can be informed immediately via Telegram.

We have included all of this in our research. In addition, while presenting our project, we will perform a live proof of concept and see what valuable things we can find during the presentation.

In the bonus part, we will show the red team activities that we noticed while examining these mail services. This part can be very interesting 🙂