Keith Lee
Jonathan Werrett
Thursday, 17 October 13
INTRODUCTION
Keith Lee
Security Analyst, SpiderLabs, Singapore
klee@trustwave.com
http://github.com/milo2012/osintstalker
@keith55
Jonathan Werrett
Managing Consultant, SpiderLabs, Hong Kong
jwerrett@trustwave.com
@werrett
AGENDA
Background / Motivation
Introduction to GeoStalker and FBStalker tools
Problems they solve
GeoStalker in-depth
FBStalker in-depth
What you can do to protect yourself
MOTIVATION
Spend our days on Penetration tests
Day-in day-out
BUT WAIT
Sometimes we get a real pentest
...
OSINT NETWORK
[Diagram: OSINT network centred on the Target. Data sources: Wigle.net wireless DB, Google Maps, Twitter, Instagram, Facebook profiles, LinkedIn, Whois / IP allocations. Attributes linked to the target: names, premise details, geocoded lat / lon, MAC addresses, physical address, photos, places visited, check-ins and number of check-ins together, company name, domains, friends, number of comments, education background, age of friendship, likes, tagged with people and number of tags, previous jobs.]
GEOSTALKER
Takes: Location (address or coordinates)
Provides: Wireless access points near-by; photos taken at that location; social media accounts of people who've visited

FBSTALKER
Takes: Facebook profile user
Provides: Social engineering targets; associates of those targets; times online; interests, commonly visited places
EXAMPLE OBJECTIVES
[Diagram of three objectives and the sources feeding each:
Recon? Entry points and facilities, from Google Maps photos, premise geocode (lat / lon), Twitter, Instagram, 4sq, Flickr.
Phishing targets? Staff and their interests, from Google search, LinkedIn, Facebook.
Associates? Physical address, geocoded to lat / lon, then Twitter, Instagram, 4sq, Flickr.]
EXAMPLES FROM ENGAGEMENTS
FB Apps
Indicate phishing target uses a Mac
Ditch our Windows-based payloads for OS X
FB Friends
Identify target's wife
Wife runs Pilates studio
Spear phish wife based on Pilates
Instagram Photos
Client was a power utility
Staff target found via photos from facilities
GEOSTALKER - INTRO
Requires
Address
Latitude / Longitude Coordinates
GEOSTALKER - APPLICATION FLOW
[Diagram: UserID, Geolocation and Data Source feed into geoStalker]
DEMO
GEOSTALKER
GEOSTALKER - INPUT
GEOSTALKER - RUNNING
GEOSTALKER - FOURSQUARE
GEOSTALKER - INSTAGRAM
GEOSTALKER - FLICKR
GEOSTALKER - HTML OUTPUT
GEOSTALKER - MALTEGO EXPORT
GEOSTALKER - LIMITATIONS
Single threaded
GEOSTALKER - FUTURE VERSIONS
FBSTALKER - INTRO
Requires
Profile Name
FBSTALKER - LOCKDOWN VS NON-LOCKDOWN
Lockdown Profile
Unable to see the list of friends
Reverse engineer the list of friends from likes and tags
Open Profile
Analyze all friends of the target and determine how two individuals are connected or know each other:
Work place
School
Common interests
Common friends
Places that two individuals like
FACEBOOK GRAPH KEYWORDS
UNDERSTAND HOW 2 INDIVIDUALS ARE CONNECTED / RELATED
Pages that Friend X and Y like
Photos that Friend X and Y like
FBSTALKER - GRAPH SEARCH EXAMPLE
DEMO
FBSTALKER
FBSTALKER - INPUT
FBSTALKER - RUNNING
FBSTALKER - MALTEGO EXPORT
FBSTALKER - PROBLEMS
Single threaded
FBSTALKER - FUTURE WORK
Runs 100% headless
Monitor changes / activities of a user's FB profile
Allow name as input instead of userid
Point system for Association strength
Photo Tags
Check-ins
Comments
Post / Photo Likes
HOW TO PROTECT YOURSELF
Turn off location setting in social networking apps
http://github.com/milo2012/osintstalker
klee@trustwave.com jwerrett@trustwave.com
@keith55 @werrett