My many nonsensical ramblings.

Internet Footprinting (aka OSINT – Open Source Intelligence)

What is OSINT? Well, according to Wikipedia it is:

“Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.”

In general, OSINT is simply the identification, collection, and analysis of publicly available data about a person, place, or thing.

OSINT is NOT merely used for cyber stalking or DOXing. (DOXing is the act of gathering personal information about people on the Internet, often including real name, known aliases, address, phone number, SSN, credit card number, etc. typically for the sole purpose of causing embarrassment, mischief, and/or harm to the targeted person.)

OSINT has many valid/beneficial uses. These include (but are not limited to):

  • identifying information about yourself (or your own company) that may be available on the internet
  • part of a network penetration (or social engineering) exercise
  • perform additional/extended background check on potential corporate partners or employees
  • identifying possible information leakage from your company

There are a few typical types of OSINT, each with its own PROs/CONs:

  • Purely Passive
    • PRO - no traffic directed toward the target (i.e. no evidence in server logs)
    • CON - only relying on second hand data at best
    • Examples
      • search engine cached pages
      • archive.org saved pages
      • searching across pastebin (and similar sites)
      • searching social media sites
      • browsing Shodan for ports, systems, and service banners
  • Typical Internet Traffic
    • PRO – gaining data directly from target’s websites and systems
    • CON - traffic is being sent directly toward the target thus showing up in server/system logs
    • Examples
      • DNS queries
      • Visiting web pages owned by the target
      • downloading documents from websites
  • Checking Locks and Doors
    • PRO - possibly gaining amazing amounts of data about types of system, websites on odd ports, and other services such as ftp, vnc, etc…
    • CON - lots of traffic sent to target and chance of being detected is considerably higher
    • Examples
      • perform DNS brute forcing
      • perform ip scans across the target’s ip space to identify active systems
      • perform port scanning to identify open ports and gather banners

There are numerous commercial/free tools/websites that can be used to perform or assist in OSINT gathering. In future posts, I will be covering many of these tools and websites and discussing how they can be used to perform OSINT.

A few sources of OSINT data (more will be discussed in future posts):

  • Pastebin (and similar sites)
  • DNS (zone transfers, TXT, HINFO, etc… records)
  • Websites (email addresses, org charts, documents, addresses, phone numbers, etc…)
  • Search engines (google, bing, etc…)
  • Social networks (linkedin, twitter, facebook, etc…)
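To make the "identifying information about yourself (or your own company)" use case concrete, here is an added example (my illustration, not something from the post or from any tool it mentions) of the collection step over the purely passive sources listed above. It takes constructed snippets standing in for a cached page, a paste-site dump and a DNS TXT record, pulls out the email addresses and hostnames that belong to a monitored domain (the hypothetical example.com), records which source each came from, and flags any source that pairs an in-scope asset with a credential marker such as "pass=". All sample values are made up.

```python
import re
from collections import defaultdict

# Constructed sample "documents" standing in for text pulled from the passive
# sources listed above: a search-engine cached page, a paste-site dump and a
# DNS TXT record. All hosts, addresses and values are made up for this example.
SAMPLES = {
    "cached-page": ("Contact jsmith@example.com or the helpdesk at support@example.com. "
                    "Our intranet lives at wiki.corp.example.com (VPN required)."),
    "paste-site": ("dump from build01.corp.example.com:\n"
                   "user=deploy@example.com pass=REDACTED host=db-master.corp.example.com"),
    "dns-txt": "v=spf1 include:mailer.example.com include:_spf.otherprovider.net -all",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
HOST_RE = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")
# Markers that often sit next to leaked credentials in pastes and config dumps.
SECRET_RE = re.compile(r"\b(?:pass(?:word)?|pwd|secret|token)\s*[=:]", re.IGNORECASE)


def in_scope(host: str, domain: str) -> bool:
    """True if host is the monitored domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def extract_footprint(samples: dict, domain: str) -> dict:
    """Collect in-scope email addresses and hostnames from each text source.

    Returns {"emails": {addr: {sources}}, "hosts": {host: {sources}},
             "credential_sources": [sources that pair an in-scope asset with a
                                    credential marker]}.
    """
    domain = domain.lower()
    emails, hosts = defaultdict(set), defaultdict(set)
    credential_sources = set()
    for source, text in samples.items():
        hits = 0
        for m in EMAIL_RE.finditer(text):
            if in_scope(m.group(1), domain):
                emails[m.group(0).lower()].add(source)
                hits += 1
        # Blank out the addresses first so their domain parts are not counted as hosts.
        for m in HOST_RE.finditer(EMAIL_RE.sub(" ", text)):
            host = m.group(1).lower()
            if in_scope(host, domain):
                hosts[host].add(source)
                hits += 1
        # A source that names our assets *and* carries a credential marker is the
        # kind of leak worth escalating rather than just cataloguing.
        if hits and SECRET_RE.search(text):
            credential_sources.add(source)
    return {"emails": dict(emails), "hosts": dict(hosts),
            "credential_sources": sorted(credential_sources)}


def format_report(found: dict) -> str:
    """Render the findings as a plain-text report, one asset per line."""
    lines = ["Email addresses:"]
    lines += [f"  {addr}  <- {', '.join(sorted(src))}"
              for addr, src in sorted(found["emails"].items())]
    lines.append("Hostnames:")
    lines += [f"  {host}  <- {', '.join(sorted(src))}"
              for host, src in sorted(found["hosts"].items())]
    lines.append("Sources with possible credential leakage: "
                 + (", ".join(found["credential_sources"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(extract_footprint(SAMPLES, "example.com")))
```

Running it against the constructed samples lists three addresses and four internal hostnames, and singles out the paste as the source to act on first. In practice the `SAMPLES` dict would be fed from whatever the passive sources return; the scope check is what keeps look-alike names such as notexample.com or example.com.evil.net out of the results.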

All security tools need a “–demo” option

Over the past few years I have seen movies actually trying to include actual computer hacking, granted most of it is just showing some output from NMap.

That got me thinking.  Would Hollywood be more likely to include more (and different) “hacking” tools in their movies if they all had a “–demo” flag/option?

The concept is that if you run the tool and provide the “–demo” flag, it will start generating either canned output or randomly generated output which looks like real output without actually doing anything.  This way, the actors/writers/etc… do not actually have to know what they are doing or even learn how to use the tools.  All they have to do is run the tool and give the “–demo” flag and they have “real” hacker-stuff showing up on their screen.  :)

What do you think?  Good idea or crap?

Upcoming Conference Plans

For the remainder of this year (2013) and the beginning of the next (2014), here is a short list of the conferences I plan on attending (and possibly presenting at).

2013:

  • (* maybe *) HackerHalted (Sept 19-21) (Atlanta, GA)
  • DerbyCon (Sept 27-29) (Louisville, KY)
  • BsidesATL (Oct ???) (Atlanta, GA)
  • (* maybe *) East Tennessee Cyber Security Summit (Oct 23-24) (Knoxville, TN)
  • SkyDogCon (Oct 26-28) (Nashville, TN)

2014:

  • ShmooCon (Feb 15-17) (Washington D.C.)

Any suggestions for additional (cheap/free) local (driving distance from Knoxville, TN) conferences which I should attend?

Building a New Pentest Lab

A while back I decided that I was going to start a personal infosec “re-education” process during which I hope to learn new tools/techniques, polish up on the abilities I already have, and enhance any areas where I may be lacking.  In order to facilitate this, I needed a work area.  As with any project (woodworking, automotive, or information security), having the proper work area can make a huge difference in one’s ability to succeed in their endeavors.

For my information security “re-education” project, one key part of my “work area” needed to be a wide variety of operating systems to target/test against.  There are a few different approaches I could have taken to achieve this:

1) Use what is available.

Look around your house/office.  You probably have a few older Windows/Unix systems which you do not use on a regular basis.  Odds are you also have a personal printer and/or other network attached devices.  All of those make excellent targets.

2) Use what you can borrow.

Much like the previous option, but in this one, you should ask around with friends/family/etc… to see if anyone has any old/unused hardware/system which they can loan/give you.  If lucky, you can obtain some good (possibly rare) equipment this way.

3) Use a simple virtualization approach.

Since you probably do not have access to lots of unused desktops/laptops/etc… on which to install your desired target operating systems, you should look into virtualization.  There are several good virtualization solutions available to use (and in most cases, the software itself is free).

Any of these solutions can be easily setup/installed on a personal laptop/desktop.  Depending on the number of “guest” operating systems you wish to install and run at one time, you may encounter resource contention.

4) Build a full virtualization solution.

If the previous option does not provide you with the options/flexibility/resources that you need, you can always build a system solely dedicated to running your “guest” operating systems.  This option may require the expenditure of additional money in order to build your new virtualization host system.

Note: The above options/approaches are NOT mutually exclusive.  You can make use of any/all of them as needed/desired.

The approach I decided to take was a combination of #1 and #4.  I first took inventory of all the systems I had connected to my home network (laptops, desktops, printers, etc…) and then to house/host all of the other “test/target” systems I thought I would/may need, I decided to build a dedicated virtualization host.  For this I decided to go with VMWare’s ESXi server.  The reason I chose ESXi, is that I have had some experience with it in the past, I can easily get the parts to quickly build a decent system, and it is free.

Below is my shopping list of parts I bought to build my system:

($189.99) Seagate Desktop HDD 4 TB SATA 6Gb/s NCQ 64MB Cache 3.5-Inch Internal Bare Drive ST4000DM000
($78.99) Silverstone Tek Micro-ATX Mini-DTX, Mini-ITX Mini Tower Plastic with Aluminum Accent Computer Cases PS07B (Black)
($17.99) Lite-On Super AllWrite 24X SATA DVD+/-RW Dual Layer Drive - Bulk - IHAS124-04 (Black)
($168.99) SUPERMICRO MBD-X9SCM-F-O LGA 1155 Intel C204 Micro ATX Intel Xeon E3 Server Motherboard
($279.99) Kingston Technology ValueRAM 32GB Kit (4 x 8GB) 1600MHz DDR3 ECC CL11 DIMM with TS Intel Desktop Memory KVR16E11K4/32I
($233.99) Intel Xeon Qc E3-1230 Processor
($59.99) Corsair Builder Series CX 600 Watt ATX/EPS 80 PLUS (CX600)
-----------------
TOTAL COST = $1029.93

All of the parts were purchased from Amazon.com (mostly because I have an Amazon Prime account and thus did not have to pay for shipping).

As can be seen, the total cost of the system was just over $1000.  I may have been able to shave some $$$ off of the cost by reusing some of my old/surplus hardware, but I opted to go with all new equipment.

Now that I had my ESXi server built, I need to populate it with various “guest” operating systems.  First, I started by installing a couple old Windows XP and Vista licenses I had, but I needed more operating systems than that.  Luckily for me, there are lots of free VMs and operating systems available: Debian, Ubuntu, Fedora, Mint, etc…  In addition, there are great “target” operating systems available as well:

If I needed additional Windows guests, I could:

  • Download any available “trials” from the Microsoft website.
  • Purchase a MSDN Operating System subscription.

I also need “Hacker” boxes to perform all of my scans from.  For this I could either build my own system, follow one of the many guides on the internet to build a pentest Windows/Linux machine, or simply download one of the prebuilt systems.  Here again, there are LOTS of options to choose from.  Personally, I like Kali (the new version of BackTrack).

Well, that is a quick overview of my pentest lab.  If you have any comments/questions/suggestions, please feel free to contact me and/or leave a comment below.

So Many Toys, So Little Time…

While cleaning up my office, I found a few toys gathering dust.  I guess it is time to dust them off and see what fun I can have with them.

Tech toys I still want to buy:  (any recommendations would be appreciated)

  • cell phone jammer
  • handheld police scanner
  • lock picks / bump keys
  • an arduino (for a TBD project)

Between working a full-time job, doing after hours consulting, working on various research projects, taking care of my house/yard/property, and spending time with my wife and son, I do not have much free time. Even so, I think it is time to start (possibly slowly) looking into some of the other projects I started but got shelved for one reason or another.

DC865 OSINT Presentation Slides

Here are the slides from my recent OSINT overview presentation at the local DC865 meeting.

Phishing with www.SafeLogin.co

As a security consultant and penetration tester, one of the activities I regularly had to perform was a phishing exercise.

“Phishing is misrepresentation where the criminal uses social engineering to appear as a trusted identity. They leverage the trust to gain valuable information; usually details of accounts, or enough information to open accounts, obtain loans, or buy goods through e-commerce sites. Up to 5% of users seem to be lured into these attacks, so it can be quite profitable for scammers, many of whom send millions of scam e-mails a day.” — as quoted from OWASP

A few days ago, a colleague pointed me to www.webscript.io and to a simple phishing site he created on it. I took a look and was very impressed by the simplicity of it and how easy it was to set up the phishing site. For a complete writeup on his “Phishing with WebScript.io” experience, check out his site: http://averagesecurityguy.info

This got me thinking, while webscript.io is an amazing site, it is overkill for a simple phishing site. I thought I could create a simple site (just a few back-end scripts, apache, etc…) that could act as a “Proof of Concept” phishing site generator.

…and thus was born: http://www.safelogin.co

www.SafeLogin.co is a bare bones web site which allows a visitor to set up a phishing site of their very own (only for sites they are legally allowed to, as per the Terms of Use). All they need to provide is a target URL (the site to be cloned) and a unique phishing site name (.safelogin.co). All sites are kept alive for 7 days, at which time all data is erased. www.SafeLogin.co does not (at this time) provide capabilities for sending the phishing emails; that must be handled by the user.

Please take a look and if you experience any issues or have any suggestions, please feel free to let me know.


Bsides Atlanta 2012 Presentation Slides

I recently had the pleasure of presenting at BSides Atlanta. If you are interested in the slides, they can be seen below.

I have forgotten more than I now know…

After nearly a decade and a half I have decided to trade my Consultant (Pentester) hat for a programmer and researcher hat. Why would I walk away from the exciting life of pentesting? Honestly there are a few key reasons:

  • I found myself getting bored performing the same exercises for the same customers and finding the same issues.
  • I felt my skills were not as sharp as they once were.
  • I started becoming the “grumpy” person in the office.
  • With a little one (my 2-year-old son) at the house, I found it hard to be away from my house for weeks at a time.

For those reasons (and possibly others) I decided it was time for me to take a step away for a while to pursue some of my other interests: programming and security research.

I have also decided to, on my own time, go back and re-learn those skills that I may have forgotten as well as learning/improving those new skills and techniques that have come about in the last few years.

Please stay tuned to keep tabs on my re-education process. ;)

“But I don’t want to go among mad people,” Alice remarked.
“Oh, you can’t help that,” said the Cat: “we’re all mad here. I’m mad. You’re mad.”
“How do you know I’m mad?” said Alice.
“You must be,” said the Cat, “or you wouldn’t have come here.”