
Digital Intelligence Gathering Using The Powers Of OSINT For Both - PowerPoint PPT Presentation



  1. Digital Intelligence Gathering Using The Powers Of OSINT For Both Blue And Red Teams BSidesSF February 2016 1 / 71

  2. Ethan Dodge  DFIR @ Nuna Health.  DFIR professional and perpetual learner.  @__eth0  dodgesec.com 2 / 71

  3. Nuna Health  We work with the government and self-insured employers to understand and improve how people use healthcare. 3 / 71

  4. Nuna Health  We work with the government and self-insured employers to understand and improve how people use healthcare.  Security is the foundation of our culture and products. 4 / 71

  5. Nuna Health  We work with the government and self-insured employers to understand and improve how people use healthcare.  Security is the foundation of our culture and products.  We're accepting resumes! 5 / 71

  6.  OSINT 6 / 71

  7. What is OSINT? Using information available to everyone to gather intelligence 7 / 71

  8. What is OSINT? Using information available to everyone to gather intelligence  Social Networks 8 / 71

  9. What is OSINT? Using information available to everyone to gather intelligence  Social Networks  Public Data Records 9 / 71

  10. What is OSINT? Using information available to everyone to gather intelligence  Social Networks  Public Data Records  Leaked Customer Data 10 / 71

  11. 11 / 71

  12. 12 / 71

  13. Why OSINT?  Private Investigators/Detectives  Investigative Journalism  Criminal Activity/Law Enforcement  Threat Intelligence 13 / 71

  14. 14 / 71

  15. 15 / 71

  16. DISCLAIMER 16 / 71

  17. Basic Workflow  Identify Source: Identify possible sources of intel  Validate  Automate 17 / 71

  18. Basic Workflow  Identify Source  Analyze: Does it apply to our target?  Determine probability  Apply confidence  Generate new potential sources 18 / 71

  19. Basic Workflow  Identify Source  Analyze  Enrich: Add context to target  Add probability, confidence level to details  Develop narrative 19 / 71

  20.  Maltego 20 / 71

  21. Mal...what? Link Analysis Visualization Tool  Enrich entity with other sources of information automatically  Identify relationships between entities  Visualize relationships 21 / 71

  22. Common Terms  Entities 22 / 71

  23. Common Terms  Entities  Transforms 23 / 71

  24. Common Terms  Entities  Transforms  Machine 24 / 71

  25. Transform Example 25 / 71

  26. Transform Development Primer

      import sys
      from MaltegoTransform import *

      26 / 71

  27. Transform Development Primer

      me = MaltegoTransform()
      me.parseArguments(sys.argv)
      location = sys.argv[1]   # the entity value Maltego hands to the transform

      27 / 71

  28. Transform Development Primer

      ent = me.addEntity("maltego.Location", "DNA Lounge")
      me.returnOutput()   # print the response XML Maltego reads back

      28 / 71

  29.  Gavel  Custom maltego transform we developed. 29 / 71

  30.  Gavel  Custom maltego transform we developed.  Digs up court case records from individual states. 30 / 71

  31.  Gavel  Custom maltego transform we developed.  Digs up court case records from individual states.  Tons of sensitive information. 31 / 71

  32.  Gavel  Custom maltego transform we developed.  Digs up court case records from individual states.  Tons of sensitive information.  https://github.com/brianwarehime/gavel 32 / 71

  33. Gavel Example 33 / 71

  34.  Story Time 34 / 71

  35. Ever seen this? 35 / 71

  36. Or this? 36 / 71

  37. 37 / 71

  38. Twitter Data  Start with best source of data - Twitter 38 / 71

  39. Twitter Data  Start with best source of data - Twitter  We needed a way to parse through all the data 39 / 71

  40. Twitter Data  Start with best source of data - Twitter  We needed a way to parse through all the data  We identified it, validated it, now we analyze... 40 / 71

  41. Get the tweets

      import json
      import requests

      base_twitter_url = "https://api.twitter.com/1.1"
      oauth = None   # replace with the OAuth1 handler (e.g. requests_oauthlib.OAuth1) for your app's keys

      def download_tweets(screen_name, number_of_tweets, max_id=None):
          api_url = "%s/statuses/user_timeline.json?" % base_twitter_url
          api_url += "screen_name=%s&" % screen_name
          api_url += "count=%d" % number_of_tweets
          # max_id pages backwards: only tweets with an id <= max_id come back
          if max_id is not None:
              api_url += "&max_id=%d" % max_id
          # send request to Twitter
          response = requests.get(api_url, auth=oauth)
          if response.status_code == 200:
              tweets = json.loads(response.content)
              return tweets
          return []   # rate limited or failed: hand the caller an empty page, not None

      41 / 71

  42. All the tweets!

      import time

      def download_all_tweets(username):
          full_tweet_list = []
          max_id = 0
          tweet_list = download_tweets(username, 200)
          if not tweet_list:
              return full_tweet_list   # no public tweets, or the first request failed
          oldest_tweet = tweet_list[::-1][0]
          # keep paging until a page comes back empty (oldest_tweet stops changing)
          while max_id != oldest_tweet['id']:
              full_tweet_list.extend(tweet_list)
              max_id = oldest_tweet['id']
              time.sleep(3)   # stay under the user_timeline rate limit
              tweet_list = download_tweets(username, 200, max_id - 1)
              if len(tweet_list):
                  oldest_tweet = tweet_list[-1]
          full_tweet_list.extend(tweet_list)
          return full_tweet_list

      42 / 71

  43. 43 / 71

  44. Where the tweets at?

      import json
      import requests

      # tweets: the list returned by download_all_tweets(); newlist, the per-tweet
      # address strings built from templist, is assembled on a slide not shown here
      for tweet in tweets:
          templist = []
          if "geo" in tweet and tweet['geo']:
              latitude, longitude = tweet['geo'].get("coordinates")
              r = requests.get("http://maps.googleapis.com/maps/api/geocode/json?"
                               "latlng=" + str(latitude) + "," + str(longitude) + "&sensor=true")
              res = json.loads(r.text)
              try:
                  # drop the coarse components, keep street, locality and state
                  for i in res['results'][0]['address_components']:
                      if "neighborhood" in i['types'] or "administrative_area_level_2" in i['types'] \
                              or "postal_code_suffix" in i['types'] or "country" in i['types'] \
                              or "postal_code" in i['types']:
                          pass
                      else:
                          templist.append(i['long_name'])
              except:
                  pass   # geocoder returned no result for this point

      44 / 71

  45. Enriching Maltego

      from collections import Counter

      # newlist holds one address string per geotagged tweet (built from templist on the previous slide)
      last = Counter(newlist).most_common(5)
      x = 5
      for address in last:
          ent = me.addEntity("maltego.Location", address[0])
          # thicker link = more tweets sent from that address
          ent.addAdditionalFields('link#maltego.link.thickness', '', '', x)
          x = x - 1

      45 / 71
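To show slides 44 and 45 working end to end, here is an added example (mine, not code from the talk). The Google reverse-geocoder is replaced by a constructed lookup table in the shape of its address_components response, and the MaltegoTransform library's returnOutput() is replaced by a function that builds the response XML directly; the element and attribute names come from my knowledge of Maltego's transform response format, not from the slides. The sample tweets are constructed and carry only the fields the pipeline reads.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Address component types slide 44 drops before building the location string.
DROPPED_TYPES = {"neighborhood", "administrative_area_level_2",
                 "postal_code_suffix", "country", "postal_code"}

# Constructed stand-in for the Google reverse-geocoder: (lat, lng) -> the
# 'address_components' list the real API returns for results[0].
FAKE_GEOCODER = {
    (37.7712, -122.4131): [
        {"long_name": "375", "types": ["street_number"]},
        {"long_name": "11th Street", "types": ["route"]},
        {"long_name": "SoMa", "types": ["neighborhood", "political"]},
        {"long_name": "San Francisco", "types": ["locality", "political"]},
        {"long_name": "San Francisco County", "types": ["administrative_area_level_2", "political"]},
        {"long_name": "California", "types": ["administrative_area_level_1", "political"]},
        {"long_name": "United States", "types": ["country", "political"]},
        {"long_name": "94103", "types": ["postal_code"]},
    ],
    (37.8021, -122.4058): [
        {"long_name": "Coit Tower", "types": ["premise"]},
        {"long_name": "San Francisco", "types": ["locality", "political"]},
        {"long_name": "California", "types": ["administrative_area_level_1", "political"]},
        {"long_name": "United States", "types": ["country", "political"]},
    ],
}

# Constructed sample timeline: the Twitter 'geo' field is [latitude, longitude].
SAMPLE_TWEETS = [
    {"id": 1, "geo": {"type": "Point", "coordinates": [37.7712, -122.4131]}},
    {"id": 2, "geo": {"type": "Point", "coordinates": [37.7712, -122.4131]}},
    {"id": 3, "geo": None},
    {"id": 4, "geo": {"type": "Point", "coordinates": [37.8021, -122.4058]}},
    {"id": 5},
]


def reverse_geocode(latitude, longitude):
    """Stand-in for the HTTP call on slide 44: look the point up in the table."""
    return FAKE_GEOCODER.get((round(latitude, 4), round(longitude, 4)), [])


def tweet_to_address(tweet):
    """Same filtering as slide 44: keep only the fine-grained address components."""
    if not tweet.get("geo"):
        return None
    latitude, longitude = tweet["geo"]["coordinates"]
    parts = [c["long_name"] for c in reverse_geocode(latitude, longitude)
             if not DROPPED_TYPES.intersection(c["types"])]
    return ", ".join(parts) if parts else None


def rank_locations(tweets, top=5):
    """Slide 45's Counter(newlist).most_common(5) over all geotagged tweets."""
    addresses = [a for a in (tweet_to_address(t) for t in tweets) if a]
    return Counter(addresses).most_common(top)


def maltego_response(ranked):
    """Build the XML returnOutput() prints for slide 45's loop: one
    maltego.Location per address, link thickness counting down from 5."""
    root = ET.Element("MaltegoMessage")
    msg = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(msg, "Entities")
    thickness = 5
    for address, _count in ranked:
        ent = ET.SubElement(entities, "Entity", Type="maltego.Location")
        ET.SubElement(ent, "Value").text = address
        fields = ET.SubElement(ent, "AdditionalFields")
        field = ET.SubElement(fields, "Field", Name="link#maltego.link.thickness", DisplayName="")
        field.text = str(thickness)
        thickness -= 1
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(maltego_response(rank_locations(SAMPLE_TWEETS)))
```

Two of the five sample tweets carry no usable location and are skipped, so the response holds two Location entities, the address seen twice first with the thickest link. Swapping `reverse_geocode` for the real request and `maltego_response` for the library call gives the transform the talk demonstrates.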

  46. Transform in Action 46 / 71

  47. Then we found this... 47 / 71

  48. 28702eb195e8b292ceb8c5eb4d8b94d05b6c2a62 SHA1 : 3nd3rwiggin 48 / 71

  49. 49 / 71

  50. Unique Username = Win 50 / 71

  51. 51 / 71

  52. 52 / 71

  53. What we found: Personal  Home address (Twitter & Etsy)  Class locations (Twitter)  Password (Have I Been Pwnd?)  Close Friends (Twitter & Instagram)  Job History (LinkedIn & Facebook)  Home IP Address (Reddit Login History)  Birthdate (Etsy)  Barber (Twitter) 53 / 71

  54. What we found: Family  Addresses (Whitepages & Property Records)  Members (Google+)  Names (Maltego) 54 / 71

  55.  Use Cases Red Team 55 / 71

  56. 56 / 71

  57. 57 / 71

  58.  Use Cases Blue Team 58 / 71

  59. WALK THE LINE 59 / 71

  60. Blue Team (Twitter)  See if public activity is malicious  Following with competitors?  Talking with competitors?  Talking about your brand? 60 / 71

  61. Blue Team (Instagram)  Work badges  Passwords  Network Diagrams 61 / 71

  62. Blue Team (Github)  Committed sensitive files  Committed proprietary code  Committed company info 62 / 71

  63. Blue Team (Facebook)  See if public activity is malicious  Friends with competitors?  Talking about your brand? 63 / 71

  64. Blue Team (Brand Monitoring)  Scumblr by Netflix  Monitor Forum Chatter  Monitor Your Name 64 / 71

  65. Blue Team (Rate Employees)  Most is going to be accidental  Who's your most active employee?  Monitor them closer 65 / 71

  66. Blue Team (SIEM)  Alert  Correlate 66 / 71
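The Blue Team slides above list what to watch for but show no code, so here is an added example (mine, not from the talk, Scumblr or Interrogator) of that monitoring loop over constructed sample activity: regex rules flag credentials and keys in public commits, badge and network-diagram photos, and brand mentions; employees are rated by volume of public activity; hits are correlated per person; and alerts are emitted as newline-delimited JSON for a SIEM. The rule patterns, the sample posts and the company name "Example Corp" are all constructed.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample of public activity already tied back to employees.
SAMPLE_ACTIVITY = [
    {"source": "github", "author": "alice", "text": "db_password = 'hunter2'  # fix later"},
    {"source": "github", "author": "alice", "text": "refactor: move config to env"},
    {"source": "twitter", "author": "bob", "text": "first day at Example Corp, love the new badge!"},
    {"source": "instagram", "author": "bob", "text": "whiteboard session #networkdiagram #vpn"},
    {"source": "twitter", "author": "carol", "text": "Example Corp's new product is great"},
    {"source": "github", "author": "alice", "text": "AKIAEXAMPLEEXAMPLE01 leaked in ci config"},
]

# (rule name, pattern, severity). Illustrative patterns; tune them for your own org.
RULES = [
    ("credential_in_code", re.compile(r"(?i)(password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+"), "high"),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("badge_or_diagram_photo", re.compile(r"(?i)#?(badge|networkdiagram|network diagram)"), "medium"),
    ("brand_mention", re.compile(r"(?i)\bexample corp\b"), "info"),
]


def scan(activity):
    """Run every rule over every public item; one alert per (item, rule) hit."""
    alerts = []
    for item in activity:
        for name, pattern, severity in RULES:
            match = pattern.search(item["text"])
            if match:
                alerts.append({"rule": name, "severity": severity, "source": item["source"],
                               "author": item["author"], "match": match.group(0)})
    return alerts


def rate_employees(activity):
    """'Who's your most active employee?': public item count per author, descending."""
    return Counter(item["author"] for item in activity).most_common()


def correlate(alerts):
    """Distinct rules hit per author, so one person tripping several stands out."""
    by_author = defaultdict(set)
    for alert in alerts:
        by_author[alert["author"]].add(alert["rule"])
    return {author: sorted(rules) for author, rules in by_author.items()}


def to_siem(alerts):
    """Newline-delimited JSON, the shape most SIEM ingestion pipelines accept."""
    return "\n".join(json.dumps(alert, sort_keys=True) for alert in alerts)


if __name__ == "__main__":
    found = scan(SAMPLE_ACTIVITY)
    print(rate_employees(SAMPLE_ACTIVITY))
    print(correlate(found))
    print(to_siem(found))
```

On the sample data the most active account is also the one committing secrets, which is the point of rating employees before deciding whom to monitor more closely; the correlation step is what turns six individual hits into three per-person summaries a SIEM rule can act on.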

  67. Interrogator  Web Application  Continuous OSINT Monitoring of Workforce  Visualize relationships with a Graph Database  Coming mid 2016! 67 / 71

  68. 68 / 71

  69. Recommendations  Justin Seitz - @jms_dot_py  The Grugq - @thegrugq  automatingosint.com  bellingcat.com 69 / 71

  70.  Q&A 70 / 71

  71. Ethan Dodge  @__eth0  ethan@nuna.com  dodgesec.com 71 / 71
