[DEF_CON_27]
talks_2019
Las Vegas, Las Vegas, USA · 9th, 10th and 11th August 2019
> speakers_2019
With remote offices becoming a new normal, having a conference line is now essential for every company to allow for effective communication between the sites. Conference calls are equally used both for small daily stand-ups, as well as for Enterprise-wide all-hands meetings, with a number of participants ranging from two to infinity. That said, the sensitivity of the matters that are discussed in such calls also varies, but it is unlikely that security measures taken to protect any specific call are always sufficient. In fact, the larger the audience, the fewer controls there are in place to filter those that call-in, yet this does not always mean that the meeting will have no confidential, or at least classified information exposed. Given the popularity of conference calls, this is believed to be a new reconnaissance attack vector. In fact, there have been a few articles published about insecurity of some conferencing services, that cover various vulnerabilities allowing an attacker to guess an access code or join a conference without one. In this talk, however, we would like to discuss getting such attacks couple steps further. We will start the talk by covering key ways to find a company’s conference line provider and numbers. Next, we will talk about getting further work automated using a popular cloud services provider. We will demonstrate (live demo, yay!) how easy and cheap it is to build an interconnected system for making calls to a target’s number, entering conference id, performing audio recording of the meeting if such is taking place, and finally getting the recording transcribed - all using a free tier and a little time. We will discuss the challenges and limitations of the solution, as well as opportunities for its further development. Finally, we will end the talk by discussing a few lessons learnt, and the ways that may help companies build a remote meetings security etiquette.
URL Shorteners are a great convenience for information sharing where the link needs to be memorizable or fit in a small text limit. Ever wonder where all of it leads? What if someone were to scrape all of the links shared on a particular URL Shortening service? What would we find? PII? Sensitive Map data? Corporate files? Let's find out!
Today, organizations deal with the challenge of running their infrastructure across many networks and namespaces due to the use of cloud and hosting services, legacy environments and acquisitions. This can make it difficult for an organization to maintain visibility of its Internet-facing assets and an ability to track down systems that pose a risk to its security posture. The OWASP Amass Project gives its users visibility into their target infrastructure through in-depth subdomain enumeration, using techniques such as scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names, and reverse DNS sweeping. Everything is stored in a graph database that can be queried to perform analytics during or after each enumeration. The OWASP Amass tool is simple to start using, yet has many options and ways to leverage the graph database. This talk will dive deeper into those more advanced features to help users take full advantage of Amass and paint the clearest picture possible of target organizations on the Internet.
Asset Discovery: Making Sense of the Ocean of OSINT When performing OSINT reconnaissance against a target, it’s often very difficult to accurately define the scope. There are so many sources of information and so many diverse types of data. It quickly becomes overwhelming. While there are many excellent OSINT tools already available to the discerning OSINTer, their focus is usually on breadth of collection. Our experience is that asset traceability and narrowly-focused discovery help us to discover the best results. To that end, we’ve developed a tool: the “Offensive Orca” [ https://github.com/digitalshadows/orca ]. This approach focuses on comprehensive asset discovery coupled with narrow scoping to avoid false positives. As a brief overview, Orca does the following: - Domain discovery with Google and Shodan - Sub Domain Enumeration Lookups - WHOIS Lookups - Export to Excel spreadsheet How Orca Works The end goal that we have in our targeting is to discover vulnerable or misconfigured systems. By vulnerable, we mean that a network service running on a machine is vulnerable to a (public) exploit. By misconfigured, we mean that a network service is revealing sensitive information or public (industry default settings) access. Setting the goal of our OSINT research explicitly upfront helps us to discard unnecessary data sources and ensures our collection is useful. Our rules of engagement are: 1. No exploitation 2. No authentication bypass 3. No Denial of Service (DoS) This keeps us on the right side of the law! In order to achieve our goal, we need to find the systems belonging to our target. Scoping is critical here. The consequences of misidentifying a system are severe. In order to have confidence in our targeting, we must be able to trace a discovered asset back to the initial piece of asset data. Any reconnaissance engagement starts with an initial pool of asset data. No engagement starts in a vacuum. Small pieces of information are typically provided to drive an engagement. Examples of these are company name, domain names and IP ranges. Depending on an engagement, you may receive more or less of these initial pieces of asset data and they will also be more or less reliable! For each piece of asset data, a lookup needs to be performed, e.g., from a company name to a set of domains, IP ranges/addresses, from a domain to list of subdomains and so on. When we look up a piece of asset data, whatever result that is generated is stored in the Orca’s database, it also stores the ID of the piece of data that was used to seed that lookup. To discover domains from a company name, we can automatically Google the company name and check which domains are returned in the results. We can also use SHODAN to perform an organizational search to discover domains from a company name. We immediately hit our first problem. How do we know that the domains returned are associated in any way to our target? The tragic answer is that we don’t, without manual checking. That’s why the Orca prompts the operator after each domain so that the necessary checks can be made. It is a time-consuming and frustrating task but doing that initial work up-front saves a world of pain later. There are a few tips’n’tricks for this, but it’s ultimately target-dependent and requires knowing some context about the target in terms of which sector, geography, etc. it operates in. The importance of this cannot be overstated. If the initial asset list is not appropriately curated, then it will be hard to have confidence in any future results. Hostnames can be discovered by a process of subdomain enumeration. There are excellent sources of data for which subdomains/hostnames exist for a particular domain. Our two preferred sources are : Rapid7’s Forward DNS data set ( https://opendata.rapid7.com/sonar.fdns_v2/ ) Certificate Transparency logs ( https://crt.sh/ ). Combining these two sources together is very powerful. The Orca can do this for you. Certificate Transparency is particularly interesting as it is a real-time stream so there are cases where you can catch a machine having a certificate issued but before a comprehensive managed security configuration is applied. The OWASP amass tool ( https://github.com/OWASP/Amass ) is our current go-to tool for performing this process when we are not using the Orca. The advantage of enumerating subdomains by using the main domain as an anchor is that if a hostname belongs to a domain, we can have high confidence that the two are related. This dramatically cuts down on false positives. IP ranges can be found via free text searches of WHOIS data, especially the organization name or net name. This is also an error prone process. As with the previous section, the operator must curate the results from this search. This WHOIS data can be collected manually from the Regional Internet Registries (RIRs) responsible providing a convincing use-case can be made, or access can be purchased from one of several WHOIS data providers. A note of caution around cloud providers: unless the operator is extremely sure about the provenance of the IP range, it is recommended to exclude cloud provider ranges from your asset discovery process. Once a curated set of hostnames and IP addresses has been discovered, it is then required to figure out what services are running on these hosts. If we are conducting a passive reconnaissance exercise, we need to use a third-party service such as SHODAN, if there is not this kind of requirement, we can use an active scanning tool such as masscan or nmap. In the case of SHODAN, it now returns CVE information which greatly assists the lookup process. Previously, an operator would have to take the CPE (Common Platform Enumeration) information, e.g., “cpe:/a:microsoft:internet_explorer:8.0.6001:beta”, and look it up in a CVE database such as those maintained by Mitre. When a list of CVEs has been created for our validated set of hosts, it is worth considering how we provide an assessment of this list. Not all CVEs are remotely exploitable and, in this case, we are performing OSINT against a remote target, so local-only vulnerabilities and exploits are not directly useful. We typically use third-party services such as ExploitDB or the Metasploit exploit collection to see which vulnerabilities we have discovered have public exploits available. Most don’t. By restricting ourselves to only remote services which are directly exploitable in practice, we can avoid the alert fatigue associated with a high number of theoretical vulnerabilities. Given the ubiquity of Excel, Orca can generate a spreadsheet which contains the findings, that is, hosts with exploitable remote vulnerabilities and the set of all discovered assets. Exporting to a spreadsheet means that it is straightforward to get an overview of the important findings whilst also making it straightforward to export a target list, for offensive operations, or a list for remediation, for defensive operations. In summary, our OSINT approach focuses on comprehensive asset discovery coupled with narrow scoping to avoid false positives. By setting an explicit and clear goal upfront about the results we want, namely exploitable or misconfigured systems, we can avoid a lot of the noise generated by a typical OSINT discovery process. We use a standard reporting approach, that is, an Excel spreadsheet (other formats such as raw JSON and CSV are forthcoming!), to enable consumers of our OSINT the maximum flexibility and integration with their existing workflows when it comes to processing the results of our work.
Abstract Building an OSINT and Recon Program to address Healthcare Information Security issues Healthcare has significant challenges with implementing effective information security programs. To start with, for as critical a resource as it is, it is continually underfunded or does not have the organizational reach that it needs to be effective. Combined with that is the uncertainty caused by the rapid introduction of new technologies into the environment, without consideration for the legacy technologies they replace, or in many cases the lack of education around said technologies. Many of them were brought in because some larger “model” health system successfully used them. Additionally, many large healthcare systems operate structurally very similar to large companies with multiple divisions. This means that effective communication is an aspirational goal. The Health Information Portability and Accountability Act, better known as HIPAA, has also caused significant fear with healthcare professionals. There have been a lot of charlatans in the industry who have recommended solutions for Healthcare Information Security and HIPAA compliance that are nothing more than security theater, providing in many cases worse solutions than having no security at all. Fear, Uncertainty, and Doubt as applied to the HIPAA Security Rule have done more to hurt the idea of healthcare information security than Ransomware. When it comes to assessing and addressing risk, numerous team members often refuse to give truthful answers due to fear for their jobs, and because many of them know that their concerns will not be addressed. This leads to an incomplete operating picture in many healthcare organizations that not even the senior executives completely understand or comprehend, which makes risk assessment, mitigation, and ongoing remediation a nearly impossible task. A major focus of what I have done over the past 11 years is to build Open Source Intelligence and Recon programs to understand the internal structures and makeups of healthcare organizations, and to be able to address risk and customer concerns through establishing relationships and building the real operational picture of the environment. Utilizing standard customer service skills, I have been able to build understandings of complex environments and their challenges and use that knowledge to develop risk management plans and large projects that address key issues. The structure of the talk, as I envision it, would be: I. Background on Healthcare Information Security - what makes it unique? II. How to catalog information about the environment and learn what unique devices and processes exist. III. How to work with customers to identify what they have and how its used - how to explain technology to those who do not understand. IV. Stopping Fear, Uncertainty, and Doubt with your fellow team members. V. Building continual communication and intelligence research into your daily work. VI. How to plan out who to speak with next as part of a plan. VII. How to deal with organizational politics and the reality of territorial managers. VIII. How to continually take information organized from sources and turn it into actionable intelligence. IX. Using actionable intelligence to reduce risk through minor changes in the environment. X. Continual Delivery and how that (or the lack thereof) impacts your credibility. XI. Serving the mission, allaying concerns, and being that ambassador of good practices based on OSINT and Recon.
Abstract When we think of the process for attacking an organization, OSINT comes to the front and center of our minds. This presentation takes a presenter with experience in applying OSINT to effective penetration testing and social engineering and reverse engineers the process to determine what steps can be taken to further complicate their efforts. This is a presentation that talks about online deception, decoy accounts, canary data, encryption, maintaining one’s social media in a secure manner, and protecting one’s identity as much as possible. While nothing is absolute, this is a presentation that will leave attendees more aware of techniques to make it harder for attackers to collect accurate OSINT, either by removal or deception. Detailed Description • Intro (1:00) • What is Open Source Intelligence (OSINT)? (6:00) o Outlets/Sources Starts by giving definition of OSINT and introduces Michael Bazzell. This moves on into places to gather and discusses software like Datasploit and Recon-ng (demonstrated later) as sources per se. o Methods This discusses things on the internet: job boards, forums, Google, Intel Techniques and OSINT Framework (demonstrated later) as well as other outlets. From here we discuss automation in terms of tools, prextexting, and search parameters. o Aims and goals Simply put, is to gather as much information about our target as we can. I talk about timing for the purpose of explanation. We look at some examples of easy wins and start the integration. • Collecting OSINT (10:00) o Company Data Here we enumerate locations, presence, affiliations, and people. o Social Media The obvious place to start. We start to target key employees such as C-Levels and those in sensitive roles. o Google We gather data and refine what we know and where to look next. o Tools We will discuss tools, but rely less on them and more on philosophy and technique. o Less Conventional Places I will provide examples of places I found to be “gold mines” in the DerbyCon SECTF. • Potential Threat Vectors/Scenarios (15:00) o Troll or Hater o Infatuated Stalker o Ex-Lover o Nation State o Cybercriminals o Abusive Partner o Estranged Family Members and Ogres • Social Media (22:00) o Best Practices and considerations What do you need to think about when establishing and using social media. What are the outcomes if you delete your social media? Do you have to have any accounts? • Decoy Accounts (26:00) o The type of information used to create and maintain such accounts If you decide to use decoy and canary accounts, what must you consider and do to ensure they are valuable and not a waste of your time. • Getting Data Removed (30:00) o The steps and difficulty in getting one’s data removed You have control over (some) sharing of your data. We discuss how to initiate the process of getting the data removed. • Encryption (36:00) o Cloud Storage o Email o Streisand Effect (Tool) o TOR o VPNs o Full Disk Encryption o Virtualization • Case Study (38:00) o An OSINT blunder that I personally observed unfold while I enjoyed my dinner. • Questions (42:00)
Traditional methods to defeat OS Fingerprinting in Linux were written as kernel modules, or at least, as patches to the Linux kernel, like Honeyd, IP Personality, the Stealth Patch, Fingerprint ****er, IPlog... The reason is that if the aim is to change Linux TCP/IP stack behavior, and if we want to achieve it, we need to do it in the kernel layer. Most of these tools are old, doesn't work with actual kernels of can affect tcp/ip stack performance. OSfooler-NG has been complete rewriten from the ground up, being highly portable, more efficient and combining all known techniques to detect and defeat at the same time: - Active remote OS fingerprinting: like Nmap or Xprobe - Passive remote OS fingeprinting: like p0f or pfsense - Commercial engines like Sourcefire’s FireSiGHT OS fingerprinting Some features in this versions are: - No need for kernel modification or patches - Simple user interface and several logging features - Transparent for users, internal process and services - Detecting and defeating mode: active, passive & combined - Will emulate any OS - Capable of handling updated nmap and p0f fingerprint database - Undetectable for the attacker
Wicked Clown is not a coder but has released (never officially) three tools to help find the needle in tweet the key bit of information that could lead to the gem of information for the win. Using these tools will help you have find out who does your target interact with the most, remove all those annoying retweets that flood their time line to just show you their tweets and replies and search they tweets for specific key words. He will demonstrate these tools in live demo.
Email addresses are one of our most public piece of PII. We are confortable sharing it with strangers, publishing it on the internet and it is generally our public way of communicating. However, when it comes to phone numbers things change. We are more selective with who we share it with, mostly because receiving unsolicited phone calls is much more invasive. There are also security implications when making your phone number publicly available. SS7 attacks, SIM swapping, phishing and scam calls are just a few of the threats that originate from the target’s phone number. What if it were possible to obtain someone’s phone number by only knowing their email address? Beyond the criminal advantage, it could be very useful to investigators, red teams and OSINT lovers. In this talk, I will discuss techniques which when combined will let you discover someone’s phone number via their email address. I will also demo and release a tool that helps automate the process.
Adversaries need to have a wordlist or combination-generation tool while conducting password guessing attacks. To narrow the combination pool, researchers developed a method named ”mask attack” where the attacker needs to assume a password’s structure. Even if it narrows the combination pool significantly, it’s still too large to use for online attacks or offline attacks with low hardware resources. In the real world, a password’s structure is an unknown value, just like the password itself. Even if we specify a password structure with masks, we are still brute forcing characters in the mask. When we analyzed Ashley Madison and Myspace wordlists, we saw that they are mostly consists of sequential alpha characters. Which means that there is a high probability that they are meaningful words. The first step is understanding if a letter sequence is a meaningful word in the English language. We can state that a letter sequence is an English word if it’s listed in an English lexicon. Wordnet (a lexical database for English created by Princeton University) is used as the lexicon. Our research shows that 30% of the Ashley Madison wordlist and 36% of Myspace wordlist contains meaningful English words. If we use all words in the Oxford English Directory, the combination pool will be 171,476. But 171,476 is a still big number for online attacks. We can reduce this number if we can identify what kind of words are usually chosen by people. According to experiments conducted by Carnegie Mellon and Carleton universities, most people are choosing words for their passwords based on personal topics such as hobbies, work, religion, sports, video games, etc. So if we can identify the candidate words from interest areas of a person, we can reduce the combination pool significantly. On Twitter, people tend to share posts mostly related to their area of interest. Because of that, Twitter is a good candidate to identify a user’s personal topics and generate related words about it to reduce the combination pool for password guessing attacks. Our tool, Rhodiola is developed to narrow the combination pool by creating a personalized wordlist for target people. It finds interest areas of a given user by analyzing his/her tweets, and builds a personalized wordlist. Wordlist consists of most used nouns&proper nouns, paired nouns&proper nouns, cities and years related to detected proper nouns. Example usage: python rhodiola.py --username elonmusk Example output: ... tesla car boring spacex falcon flamethrower coloradosprings tesla1856 ...
Many pentesters are avoiding existing frameworks due to security improvements from Microsoft and smarter practices by network Admins. Red teams don’t have to throw away existing tools because their attacks are being thwarted and contrary to belief, Powershell is not dead. We updated existing tools and demonstrated that they can still be used to launch successful attacks. We would want to get back to the basics and demonstrate that successful attacks are still possible by modifying tools like Empire. Our pentest used open-source intelligence (OSINT) to learn a ridiculous amount about our targets to launch spearphishing attacks. We used a targeted macro enabled doc to launch our Powershell code, which we developed from a complex academic process (failures, more obfuscation, more failures, success, ????, and Profit). We will go over the methods employed by Microsoft Advanced Threat Protections (ATP) in both their antivirus and their sandbox environment, how we enumerated, and characterized their system to avoid detection. In addition, we avoided detection from Darktrace on a commercial network by masking our JA3 signature and weaponized Microsoft Azure for our covert C2 channel. In the end, we were able to launch a successful attack again a large company using Empire and our wits.
With OSINT techniques, doing cyber intelligence against a target, besides some technical terms like people, links, files, domains and ip addresses; hashes and URL's can also be searched. In this talk, with the advanced OSINT techniques and approach, terabytes will be used in open data (CommonCrawl), the websites which use the known malicious javascript filenames, codes and iframe resources will be explored and which techniques, methodology and data-set will be used. With the help of docker containers and Compute Instances on Google Cloud, files to be analyzed will be downloaded and I will try to catch websites containing malicious code inside their html content using YaraRules and some special patterns. In this way, by analyzing open data with OSINT techniques, I will reveal sites that contain malicious code seen in the past.
Prebellico is a powerful and undetectable network analysis tool designed to passively map and challenge assumptions about a target environment. Using 100% passive techniques, Prebellico has the ability to extract network intelligence either spilled on switches/firewalls/VLANS/etc., or captured through broadcast-based traffic. In the hands of a Blue Team operator it can allow detection of even the most evasive adversaries operating on the network as well as help understand what is interacting within a target environment one is trying to defend. In the hands of a Red Team operator or pentester it can provide powerful insight into the nature of the network and its configuration, disclosing secrets such as systems and services behind impenetrable firewalls, trust relationships, network host intent and even authentication information. While useful in and of itself for Red Team based operations, Prebellico required a host and the ability to manually retrieve the data it collects or obtain it through some form of network egress, all of which might lead to device detection or operation compromise. Furthermore, organizations as a whole have grown comfortable in limited spectrum analysis of known frequencies in hopes to capturing rouge devices. Unfortunately, this is far from the realities of modern-day attacks, leading to several incidents of organization compromise through the use of uncommon alternative wireless frequencies or technologies. To address these challenges and push the narrative forward, Prebellico has been extended with the PIE device - a hardware-based botnet built for Prebellico that no longer requires a network or a sneaker net to obtain intelligence acquired through Prebellico. The PIE device allows an attacker the ability to drop a device on environments as secure as air gapped networks and obtain intelligence about such configurations safely in remote locations without the risk or overhead of getting caught. True to the nature of Prebellico, after initial seeding a PIE device is nearly undetectable after a short period of time as it is designed to only broadcast newly acquired intelligence. PIE devices can also be extended in a way where if one device is in fact detected and removed from the infrastructure another device can simply continue to operate and exfilltrate passively acquired network intelligence. It's time the Blue Team steps up their assessment practices and starts to make full RF spectrum analysis part of their audit regimen and its up to the Red Team to raise that bar. PIE is the extension Prebellico was built for and intends to drive these narratives. There is no spoon. Your network controls mean nothing to me. Hardware botnets are the future and when combined with 100% passive network reconnaissance the attacker once again has the upper hand forcing defenders to think hard about network controls such as physical security, port security and port-based authentication. Disregard the basics and you run the risk of complete compromise through 100% passive reconnaissance.
Social Media: The New Court of Public Opinion The court of public opinion refers to using the news media to influence public support for one side or the other in a court case. The new court of public opinion is not just the news media, but all social media outlets (Facebook, Twitter, Reddit, etc). Even taking the last election into consideration, we can see how much the media can influence the public. Let’s explore how we get to select our Social Media community and curate our own news feeds, usually filled with those with similar outlooks. Does this just encourage and solidify our personal views? As open-source intelligence (OSINT) becomes a necessary input into our cyber operations, are we being responsible with our assumptions? During the talk, I will present various current events and images, explore the visceral reactions we have, and examine the judgements we make. Every day we see images in the media that provoke reactions, but do we know the full story before coming to those conclusions? It can easily be a case of he said/she said, but what is the truth and how do we know what to believe? How are our personal biases influencing our thoughts? Are we even aware that we have biases that we unconsciously impose on our decisions? This talk will provide the audience with the tools to develop the self-awareness and discernment we need to ensure we are not impress our own prejudices on, not only in the OSINT we research, but in our daily lives.
Abstract: Fellow Researcher Allie Page and I attempted the creation of effective Security Awareness Training with a measurable return on investment. We chose to perform a case study in creating training that might be effective against phishing, partly because an ROI formula was already in existence and partly because no one said we couldn’t ¯\_(ツ)_/¯ Our Blue Team had a well-tuned top of the line Email gateway with Post Delivery Protection, integrated threat feeds and when adjusting for the implementation of DMARC, DKIM and SPF it was 99.9986% effective at blocking phishing campaigns just shy of perfection from a mathematical standpoint. Out of a total 14 million received emails sent to the organization just over half were spam and phishing. The stack setup was working well with just under 1000 malicious emails managing to find their way past all defenses and into the user’s inboxes (better known as the Danger Zone!). Unfortunately, out of that 1000 malicious emails received we had an 85% click rate from our user base. A click occurring afterhours or in the heat of an ongoing campaign could lead to a compromise of systems estimated by insurers at up to 7 million dollars in damages. With background information and the basic numbers needed for the ROI formula we began a case study that started with OSINT and ended with a 62% reduction in users falling for malicious emails within 5 months’ time. OSINT was useful for providing information useful for rating the skill level required for an attack as it revealed the tools and user information available to an attacker. However internal data brought much more to the picture when it came to how to rate the likelihood and impact of a risk. A lot of internal data was essentially wasted due to the sheer volume of it. As we zeroed in on internal data we began to use the term OSINT+. The idea of OSINT+ is that it takes advantage of the data a defender has been given access to due to establishing the right to monitor information in the network and on devices that belong to the enterprise. We set out to build a framework for defense recon. The framework was utilized to tune threat matrices to reflect the organization, to make security awareness training more effective, and to aid in the demonstration of security is a service.
Understanding the companies you compete with, otherwise known as competitive analysis or competitive intelligence, is key to guiding your company strategy, product roadmap, and to make your sales and marketing more effective. (It's also really helpful when screening future employers before you sign the offer letter.) In this session, you'll learn how you to use OSINT to understand a company's financial situation, growth rate, product strengths and weaknesses, patents, internal structure, areas of investment, corporate strategy, technology stack, corporate culture, patents, and installed base.
Reconnaissance is an integral part of the testing process. Successfully scanning and footprinting the attack surface can assist Red Teamers in crafting precise attacks, but can also help defenders identify weak spots. AttackSurfaceMapper aims to automates and simplify the OSINT process. It does this by taking a target domain as input, then analysing it using passive OSINT techniques and (optional) active reconnaissance methods. It expands the attack surface automatically with the aim to provide actual useful intelligence for an engagement. This means that you can plug in a target domain, make a cup of tea and come back later to collect: * Email * Usernames * Breached Passwords * Phone Numbers * Linked IPs * Target subdomains * Website Maps * Social Media Presences * Open Ports This is a list of techniques that AttackSurfaceMapper uses: [+] Reconnaissance: * Find IPs from ASN * Find Subdomains * BruteForce Subdomains * Port Scanning * Hostname Discovery * Passive & Active DNS Record capturing * WHOIS records * Take screenshots of web portals and remote services [+] Intel Extraction: * Content Discovery (Phone Number, Addresses and Vacancy Postings) * Scrap LinkedIn Employee Names & Email addresses * Check Public Breaches * Find AWS buckets * Interesting Files (e.g PDF and XML) * Interesting Strings (sensitive data such us API keys, AWS secret keys and CreditCard numbers). [+] Plugins: * Support for Shodan API * Support for dnsdumpster [Generate a DNS map] The tools takes as input a list of IPv4 addresses or domain names. It then expands these into more targets through techniques such as ASN lookups and subdomain finding. It then attempts to map the subdomains and IPs to each other and run a variety of open source intelligence techniques to gather and compile useful data for an engagement. AttackSurfaceMapper supports "stealth" mode where it only runs all of the passive modules and the active reconnaissance components are optional. This is an ideal feature for Red Teaming, as it allows the user to minimises the noise usually generated from more active reconnaissance techniques. A database is created for each engagement and the results are stored in a MongoDB database using the target's IP address as the primary key. This can then be integrated into further automated workflows While the tool's modules are running the attack surface will further expand as it discovers hostnames and IP addresses. It performs a recursive analysis so that if new targets are found, it will feed them back and perform the full OSINT analysis cycle on them. It is important to note that most tools work by providing a domain name as initial input but there are not many solutions for performing recursive OSINT analysis given a set of IP addresses. Another distinct feature of AttackSurfaceMapper is the ability to add more modules in the future to support more functionality. Along with the flexibility of having output in CSV, text and NoSQL database format. AttackSurfaceMapper will be the first tool of choice for mapping a large corporate external network.
This workshop is primarily aimed at those new to Open-Source Intelligence but will also be useful for experienced practitioners interested in bolstering their skills and tools against human targets. Our goal will be to, in just two hours, give attendees a solid set of tools and a repeatable workflow. This workshop is not about automation or “tricks” to wow your friends. This is a roll up your sleeves and profile a human target in a very manual fashion approach. These are foundational skills and understandings that are dependable, repeatable, and articulable. We start with a target name, handle, or account and end with a verifiable report of findings that will stand on its own when received by a client, court, or colleague. Although we will look at some of the new and most useful resources available, this session is process focused as the specific tools change rapidly. Every step is demonstrated live on real world targets. Demonstrations include social media, phone number, moniker, and real-name based targets. Seasoned researchers will not see much new in the tools used, but they may benefit from a different perspective when it comes to investigative approach and workflow. The bulk of the session is live demonstration followed by a short Q&A opportunity. All attendees will be provided with information regarding further study as well as some targets as homework should want some practice reps.