Tuesday, June 14, 2011

OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

irongeek.com | May 21st 2011
The following are videos from the Footprinting/OSInt/Recon/Cyberstalking class I did up in Fort Wayne Indiana for the . I've split the class into three videos by subtopic, and included the text from the presentation for quick linking.

See Video:

About Adrian
* I run Irongeek.com
* I have an interest in InfoSec education
* I don't know everything - I'm just a geek with time on my hands
* (ir)Regular on the ISDPodcast http://www.isd-podcast.com/

Class Structure
* Mile wide, 2.5 feet deep

* Feel free to ask questions at any time

* There will (hopefully) be many long breaks to play with the tools mentioned

* I'll try not to drop anyone's docs but my own, but volunteers for "victims" will help

So, what info is out there?
Other names and related concepts:
* OSInt (Open Source Intelligence)
* Scoping
* Footprinting
* Discovery
* Recon
* Cyberstalking
Subtopics
* DNS, Whois and Domain Tools

* Finding general information about an organization via the web

* Anti-social networks

* Google Hacking

* Metadata

* Other odds and ends

Why?
For Pen-testers and attackers:
* Precursor to attack
* Social Engineering
* Disgruntled Employees
* User names and passwords
* Web vulnerabilities
* Internal IT structure (software, servers, IP layout)
* Spearphishing
For everyone else:
* You want to keep attackers from finding this info and using this against you. :)

Dropping Docs
* All these techniques are legal as far as I know, but IANAL
* Sorry if I "drop someone's docs" other than my own
* Please don't misuse this information
Backtrack 5
* Tons of fun tools to play with
http://www.backtrack-linux.org/
* Username: root
Password: toor
* Many of the DNS tools are in
/pentest/enumeration/dns/

DNS, Whois and Domain Tools
Who-do the voodoo that you do so well

DNS
* Glue of the Internet
* Think of it as a phone book of sorts
* Maps names to IPs, and IPs to names
(and other odds and ends)
* Organization information is also kept
Simple DNS Lookups
* Host name to IP lookup:
nslookup www.irongeek.com

* Reverse lookup:
nslookup 208.97.169.250
DNS Record Types
Just a few record types cribbed from: http://en.wikipedia.org/wiki/List_of_DNS_record_types

Getting a list of host names
* Zonetransfers

* Bruteforcing from a dictionary

* nmap -sL (list scan: reverse-resolves every address in a range without sending probes)

DIGing for data
dig irongeek.com any

dig @ns1.dreamhost.com irongeek.com any
Zone Transfer: Give me all your records!
Zone Transfer: NSLOOKUP
(Windows version)
C:\Documents and Settings\Adrian>nslookup
Default Server: resolver1.opendns.com
Address: 208.67.222.222

> set type=ns
> irongeek.com
Server: resolver1.opendns.com
Address: 208.67.222.222

Non-authoritative answer:
irongeek.com nameserver = ns1.dreamhost.com
irongeek.com nameserver = ns2.dreamhost.com
irongeek.com nameserver = ns3.dreamhost.com
> server ns1.dreamhost.com
Default Server: ns1.dreamhost.com
Address: 66.33.206.206

> ls irongeek.com
[ns1.dreamhost.com]
*** Can't list domain irongeek.com: Query refused
> exit

Zone Transfer: Can you DIG it?
* Domain Internet Groper
dig ugent.be ns
dig @ugdns1.ugent.be ugent.be axfr

Zone Transfer: Others
* Other tools in BackTrack
./dnsrecon.py -d ugent.be -x
./dnsenum.pl ugent.be

* ServerSniff:
http://serversniff.net/nsreport.php
http://serversniff.net/content.php?do=subdomains

* GUI Dig for Windows
http://nscan.org/dig.html
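
The zone-transfer requests above are what a tester (or an attacker) sends; the same request is the check to run against the zones you administer. The following is an added example, not part of the class materials: it asks each authoritative server for an AXFR with dig and reports whether any of them hands the zone over. It assumes dig is installed and the host has network access; the two sample outputs are constructed, not captured from a real server.

```python
import subprocess

def classify_axfr(dig_output):
    """Classify what `dig @server zone axfr` printed.
    'refused'     - the server answered but would not hand over the zone
    'transferred' - zone records came back, i.e. the server allows AXFR to anyone
    'no_answer'   - nothing usable (timeout, unreachable, empty reply)"""
    if "Transfer failed" in dig_output:
        return "refused"
    # dig prefixes its diagnostics with ';'; any other non-empty line is a resource record
    records = [ln for ln in dig_output.splitlines() if ln.strip() and not ln.startswith(";")]
    return "transferred" if records else "no_answer"

def nameservers(zone):
    """Authoritative servers for `zone` via `dig +short NS` (needs dig and network)."""
    out = subprocess.run(["dig", "+short", "NS", zone],
                         capture_output=True, text=True, check=False).stdout
    return sorted(ns.rstrip(".") for ns in out.split())

def audit_zone_transfers(zone):
    """Ask every authoritative server for a full zone transfer and report each verdict."""
    results = {}
    for ns in nameservers(zone):
        proc = subprocess.run(["dig", "@" + ns, zone, "axfr", "+time=5", "+tries=1"],
                              capture_output=True, text=True, check=False)
        results[ns] = classify_axfr(proc.stdout + proc.stderr)
    return results

# Constructed sample outputs (not captured from any real server) to exercise the classifier offline
REFUSED_SAMPLE = """\
; <<>> DiG 9.16.1 <<>> @ns1.example.net example.net axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""
LEAKED_SAMPLE = """\
example.net.          3600 IN SOA ns1.example.net. hostmaster.example.net. 2011052101 7200 3600 1209600 3600
example.net.          3600 IN NS  ns1.example.net.
www.example.net.      3600 IN A   192.0.2.10
intranet.example.net. 3600 IN A   192.0.2.20
example.net.          3600 IN SOA ns1.example.net. hostmaster.example.net. 2011052101 7200 3600 1209600 3600
;; Query time: 12 msec
"""

if __name__ == "__main__":
    import sys
    zone = sys.argv[1] if len(sys.argv) > 1 else "example.net"
    for ns, verdict in audit_zone_transfers(zone).items():
        print(f"{ns:30} {verdict}")
```

Any server that comes back as "transferred" is handing your full host list to anyone who asks; restrict AXFR to your secondaries (allow-transfer in BIND, or the equivalent) and re-run.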
Bruteforcing
* Fierce
http://ha.ckers.org/fierce/
./fierce.pl -threads 100 -dns irongeek.com
./fierce.pl -dns irongeek.com -wordlist dictionary.txt

Nmap Demo

Whois: Whooo, are you? Who-who-who-who.
* Great for troubleshooting, bad for privacy
* Who owns a domain name or IP
* E-mail contacts
* Physical addresses
* Name server
* IP ranges

* Whois by proxy? (proxy/privacy registration services hide the real registrant's contact details)
Whois Demo
apt-get install whois
whois example.com
whois 208.97.169.250

Whois Tools
*nix Command line

Nirsoft's
http://www.nirsoft.net/utils/whois_this_domain.html
http://www.nirsoft.net/utils/ipnetinfo.html

Pretty much any network tools collection

Whois and domain tools sites
* RobTex
http://www.robtex.com

* ServerSniff
http://www.serversniff.net

Traceroute
(ok, not really a DNS tool, but I was too lazy to make another section)
* Windows (ICMP):
tracert irongeek.com

* *nix (UDP by default, change with -I or -T):
traceroute irongeek.com

* Just for fun:
http://www.nabber.org/projects/geotrace/

Finding general Information about an organization via the web
So, you have a job posting for an Ethical Hacker, huh?


Sites about the organization
* The organization's website (duh!)
* Corp Info
http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Corporate
* Wayback Machine
http://www.archive.org
* Monster (and other job sites)
http://www.monster.com/
* Zoominfo
http://www.zoominfo.com/
* Google Groups (News groups, Google Groups and forums)
http://groups.google.com/
* Boards
http://boardreader.com
http://omgili.com
http://groups.google.com
* LinkedIn
http://www.linkedin.com/


Part 2:
Anti-social networks
Google Hacking

Ok, I had some epic fail here using some of the "people searches". I should have tested better with the names I planned to use. I think I somewhat made up for it while "Google Hacking" people later in the class. Goes to show results vary from search provider to search provider, and who you are looking up.

See Video:

Download Part 2


Part 3:
Metadata
Other odds and ends

I think the class had a lot of fun with FOCA. Good stuff.

See Video:

Download Part 3

Metadata
Data about data

Pwned by Metadata

Examples of file types that contain metadata
* JPG
EXIF (Exchangeable image file format)
IPTC (International Press Telecommunications Council)
* PDF
* DOC
* DOCX
* EXE
* XLS
* XLSX
* PNG
* Too many to name them all.
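
To see how much of that metadata a single image carries, here is an added example (not from the class or any of the tools listed): a stdlib-only parser that walks a JPEG's segments, reads the Exif IFD0 entries and reports the fields that identify the camera, the editing software, the author, and whether a GPS sub-IFD is present. The sample JPEG is constructed in the code so it runs offline; the tag numbers are from the Exif/TIFF specification.

```python
import struct

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x013B: "Artist", 0x8298: "Copyright", 0x8825: "GPSInfo"}

def build_jpeg(tags):
    """Constructed test data: JPEG SOI + APP1/Exif (big-endian TIFF, one IFD) + EOI.
    str values become ASCII entries, int values become LONG pointers (e.g. GPSInfo)."""
    entries, blob = [], b""
    data_off = 8 + 2 + 12 * len(tags) + 4            # first byte after the IFD
    for tag, value in tags.items():
        if isinstance(value, int):
            entries.append(struct.pack(">HHII", tag, 4, 1, value))
        elif len(value) < 4:                           # short strings are stored inline
            val = value.encode() + b"\x00"
            entries.append(struct.pack(">HHI4s", tag, 2, len(val), val.ljust(4, b"\x00")))
        else:                                          # longer ones live after the IFD
            val = value.encode() + b"\x00"
            entries.append(struct.pack(">HHII", tag, 2, len(val), data_off + len(blob)))
            blob += val
    ifd = struct.pack(">H", len(tags)) + b"".join(entries) + struct.pack(">I", 0)
    app1 = b"Exif\x00\x00MM" + struct.pack(">HI", 42, 8) + ifd + blob
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def exif_tags(jpeg):
    """Walk the JPEG segments, find APP1/Exif and return IFD0 tags as {name: value}."""
    found, pos = {}, 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            tiff = seg[6:]
            e = ">" if tiff[:2] == b"MM" else "<"      # byte order from the TIFF header
            ifd = struct.unpack(e + "I", tiff[4:8])[0]
            for i in range(struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]):
                ent = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
                tag, typ, cnt, raw = struct.unpack(e + "HHI4s", ent)
                name = TAG_NAMES.get(tag, hex(tag))
                if typ == 2:                           # ASCII: inline if <= 4 bytes, else at offset
                    off = struct.unpack(e + "I", raw)[0]
                    val = raw[:cnt] if cnt <= 4 else tiff[off:off + cnt]
                    found[name] = val.rstrip(b"\x00").decode("ascii", "replace")
                elif tag == 0x8825:                    # GPS sub-IFD pointer: location data is there
                    found[name] = "present"
            break
        pos += 2 + length
    return found
# Constructed sample 'photo': camera make/model, editing software, author and a GPS pointer
SAMPLE = build_jpeg({0x010F: "Canon", 0x0110: "5D", 0x0131: "Photoshop 5",
                     0x013B: "A. Crenshaw", 0x8825: 0x200})
```

Run exif_tags over the files on a public web server before they go live; anything it returns is what FOCA, exiftool and the other tools above will also find.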

Metadata Tools
* Strings

* FOCA (use compatibility mode if needed)
http://www.informatica64.com/DownloadFOCA/

* Metagoofil
http://www.edge-security.com/metagoofil.php

* EXIF Tool
http://www.sno.phy.queensu.ca/~phil/exiftool/

* EXIF Viewer Plugin
https://addons.mozilla.org/en-US/firefox/addon/3905

* Jeffrey's Exif Viewer
http://regex.info/exif.cgi

Metadata Tools
* EXIF Reader
http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/

* Flickramio
http://userscripts.org/scripts/show/27101

* Cree.py
http://ilektrojohn.github.com/creepy/

* Pauldotcom http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search

Other odds and ends
Stuff that does not quite fit anywhere else

Off with their Headers
Robots.txt
User-agent: *
Disallow: /private
Disallow: /secret
IGiGLE and WiGLE
Android Location?
* http://samy.pl/androidmap
More Links
* Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking
http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking

* PTES Technical Guidelines
http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

* VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Videos/Talks/Presentations
* Social Zombies - Kevin Johnson and Tom Eston


* Satan is on my Friends List - Shawn Moyer and Nathan Hamiel

* Using Social Networks To Profile, Find and 0wn Your Victims - Dave Marcus
http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos#Using%20Social%20Networks%20To%20Profile,%20Find%20and%200wn%20Your%20Victims

Events
* DerbyCon 2011, Louisville, KY
Sept 30 - Oct 2
http://derbycon.com/
* Louisville Infosec
http://www.louisvilleinfosec.com/
* Other Cons:
http://www.skydogcon.com/
http://www.dojocon.org/
http://www.hack3rcon.org/
http://phreaknic.info
http://notacon.org/
http://www.outerz0ne.org/

Questions?
42


Original Page: http://www.irongeek.com/i.php?page=videos/osint-cyberstalking-footprinting-recon&mode=print

Elyssa Durant, Ed.M. αδψ

Intelligence Analyst
Black CoOperations
Black & Berg CyberSecurity, LLC
