Description: Presentation of the features of FOCA 3 over the course of its history.
The Power of FOCA 3
Chema Alonso, 20/03/2013
At the beginning was the metadata
Anonym0us case
Drug Dealer
The breasts of Hacker's girlfriend
Social Engineering Attack
Metadata Risks
• Hidden Relations
  – Companies
  – People
• Software Piracy
• History of documents
• Tactical information
  – Targeted Attacks
  – Internal knowledge
• Plotting events
  – Places
  – Time
Forensic FOCA
http://www.elladodelmal.com/2012/02/forensic-foca-beta-trial.html
Metadata, hidden info & lost data
(Mind map; only the node labels survive.) Three branches: Metadata, Hidden Info, Lost Data. Where documents come from: Searchers, Spiders, Doc DB. How hidden info and lost data get into them: bad format conversion, bad management, new apps, new versions, embedded files, embedded objects.
Show Me Your Metadata
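Added example, not code from the deck or from FOCA itself: what "show me your metadata" amounts to on an OOXML (.docx) document. The fields read here (creator, last modifier, revision count, application and version, company, template, embedded objects, external link targets) are the ones behind the risks listed above. The sample document, every value in it, the company name and the share path are constructed for the example.

```python
"""Extract FOCA-style metadata from an OOXML (.docx) document.

Added example, not FOCA's own code. The document parsed here is a constructed
sample built in memory by build_sample_docx(); every value in it is assumed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"

# (label, package part, element): the fields that leak users, software, company, history
FIELDS = [
    ("creator", "docProps/core.xml", "dc:creator"),
    ("last_modified_by", "docProps/core.xml", "cp:lastModifiedBy"),
    ("created", "docProps/core.xml", "dcterms:created"),
    ("modified", "docProps/core.xml", "dcterms:modified"),
    ("revision", "docProps/core.xml", "cp:revision"),
    ("application", "docProps/app.xml", "ep:Application"),
    ("app_version", "docProps/app.xml", "ep:AppVersion"),
    ("company", "docProps/app.xml", "ep:Company"),
    ("template", "docProps/app.xml", "ep:Template"),
]


def extract_docx_metadata(data: bytes) -> dict:
    """Return metadata fields, embedded parts and external link targets of a .docx blob."""
    out = {"metadata": {}, "embedded": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        parsed = {}
        for label, part, elem in FIELDS:
            if part not in names:
                continue
            if part not in parsed:
                parsed[part] = ET.fromstring(z.read(part))
            node = parsed[part].find(elem, NS)
            if node is not None and node.text:
                out["metadata"][label] = node.text.strip()
        # Embedded objects and media travel as parts of the package (hidden info)
        out["embedded"] = sorted(n for n in names if "/embeddings/" in n or "/media/" in n)
        # External relationship targets can expose local paths, shares and user profiles
        for n in sorted(names):
            if n.endswith(".rels"):
                for rel in ET.fromstring(z.read(n)).iter(REL_TAG):
                    if rel.get("TargetMode") == "External":
                        out["external_targets"].append(rel.get("Target"))
    return out


def build_sample_docx() -> bytes:
    """Constructed sample .docx (assumed values, not a real document)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>jdoe</dc:creator>"
        "<cp:lastModifiedBy>Juan Pérez</cp:lastModifiedBy>"
        "<cp:revision>17</cp:revision>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2012-11-02T09:15:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2013-03-19T17:42:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{NS["ep"]}">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>12.0000</AppVersion>"
        "<Company>Example Corp S.L.</Company>"
        "<Template>corporate-letter.dotx</Template>"
        "</Properties>"
    )
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="file://///fs01.corp.example/docs/template.dotx" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0")  # OLE2 magic only
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in extract_docx_metadata(build_sample_docx()).items():
        print(key, value)
```

Run it on a real .docx by passing the file's bytes to extract_docx_metadata(); the same three leak classes (properties, embedded parts, external targets) map onto the Metadata / Hidden Info / Lost Data branches of the mind map.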
Targeting Malware
Hidden Info: Printers
Choosing the entry point
Internal Fingerprinting with FOCA
Phase 1: Metadata
FOCA 2
Recursive Network Discovery
• Servers
• Domains
• HostNames
• IP Address
• Roles
Network Discovery: WebSearcher
Network Discovery: DNS
• Well Known Records: SOA, MX, SPF, DKIM, LDAP, VoIP, Active Directory…
• Zone Transfer: AXFR
• Dictionary Search: Server1, Intranet, Private, DNS, etc.
DNS Search
Primary Master
Network Discovery: Bing IP
Network Discovery: PTR Scanning
Network Discovery: Robtex
Network Discovery: Shodan
Digital Certificates
Roles View
Google Slash Trick
Network Discovery Algorithm
Example URL: http://apple1.sub.domain.com/~chema/dir/fil.doc
1) http -> Web server
2) Get HTTP banner
3) domain.com is a domain
4) Search NS, MX, SPF records for domain.com
5) sub.domain.com is a subdomain
6) Search NS, MX, SPF records for sub.domain.com
7) Try all the non-verified servers on all new domains, e.g. server01.domain.com, server01.sub.domain.com
8) apple1.sub.domain.com is a hostname
9) Try DNS Prediction (apple1) on all domains
10) Try Google Sets (apple1) on all domains
11) Resolve IP Address
12) Get Certificate in https://IP
13) Search for domain names in it
14) Get HTTP Banner of http://IP
15) Use Bing ip:IP to find all domains sharing it
16) Repeat for every new domain
17) Connect to the internal NS (1 or all)
18) Perform a PTR Scan searching for internal servers
19) For every new IP discovered try Bing IP recursively
20) ~chema -> chema is probably a user
21) /, /~chema/ and /~chema/dir/ are paths
22) Try directory listing in all the paths
23) Search for PUT, DELETE, TRACE etc. methods in every path
24) Fingerprint software from 404 error messages
25) Fingerprint software from application error messages
26) Try common names on all domains (dictionary)
27) Try Zone Transfer on all NS
28) Search for any URL indexed by web engines related to the hostname
29) Download the file
30) Extract the metadata, hidden info and lost data
31) Sort all this information and present it nicely
32) For every new IP/URL start over again
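Added example, not FOCA's code: the URL-parsing steps of the algorithm above (domains and subdomain, hostname, paths, the ~user, DNS prediction) and the recursive loop that feeds every new domain back into the dictionary and prediction checks (steps 7, 9, 16, 26, 32). The resolver is injected so the run is offline; FAKE_DNS is a constructed table, COMMON_HOSTS is an assumed word list, the registrable domain is taken to be the last two labels (no public-suffix list), and the prediction rule (apple1 -> apple2, apple3, apple4) is one simple assumed heuristic, not FOCA's exact one. Network steps that need live services (banners, certificates, Bing, PTR scans) are left out.

```python
"""FOCA-style recursive network discovery, seeded from one URL.

Added example, not FOCA's code. seed_from_url() implements the parsing steps of
the algorithm (domains, subdomain, hostname, paths, ~user); discover() runs the
recursive loop over an injected resolver, so it works offline against the
constructed FAKE_DNS table. Assumptions: the registrable domain is the last two
labels (no public-suffix list), the dictionary is a short made-up word list, and
DNS prediction uses one simple numeric-sibling rule.
"""
import re
from collections import deque
from urllib.parse import urlsplit

COMMON_HOSTS = ("server01", "intranet", "private", "dns", "mail", "www")  # assumed word list


def predict_names(label: str, span: int = 3) -> list:
    """Step 9 'DNS prediction' with one assumed rule: apple1 -> apple2, apple3, apple4."""
    m = re.fullmatch(r"(.*?)(\d+)", label)
    if not m:
        return []
    stem, digits = m.groups()
    return [f"{stem}{int(digits) + n:0{len(digits)}d}" for n in range(1, span + 1)]


def seed_from_url(url: str) -> dict:
    """Steps 1-9 and 20-21: everything that can be read off the URL itself."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError(f"not a usable hostname: {host!r}")
    # domain.com, then sub.domain.com, ...; a bare two-label host is its own domain
    domains = [".".join(labels[i:]) for i in range(len(labels) - 2, 0, -1)] or [host]
    parts = u.path.split("/")
    dirs, filename = parts[1:-1], parts[-1]
    paths = ["/"] + ["/" + "/".join(dirs[:k]) + "/" for k in range(1, len(dirs) + 1)]
    users = [d[1:] for d in dirs if d.startswith("~") and len(d) > 1]
    return {
        "scheme": u.scheme, "hostname": host, "domains": domains, "paths": paths,
        "filename": filename, "users": users, "predicted": predict_names(labels[0]),
    }


def discover(url: str, resolve, dictionary=COMMON_HOSTS, max_steps: int = 1000) -> dict:
    """Recursive loop: each new domain yields candidate hosts (dictionary + predicted
    names), each resolved host yields its suffix domains, until nothing new appears."""
    seed = seed_from_url(url)
    found = {"domains": set(seed["domains"]), "hosts": {}, "users": set(seed["users"]),
             "paths": list(seed["paths"])}
    predicted = set(seed["predicted"])
    queue = deque([("host", seed["hostname"])] + [("domain", d) for d in seed["domains"]])
    seen, steps = set(), 0
    while queue and steps < max_steps:
        kind, name = queue.popleft()
        if (kind, name) in seen:
            continue
        seen.add((kind, name))
        steps += 1
        if kind == "domain":
            for w in list(dictionary) + sorted(predicted):
                queue.append(("host", f"{w}.{name}"))
        else:
            ip = resolve(name)          # None when the name does not resolve
            if ip is None:
                continue
            found["hosts"][name] = ip
            for p in predict_names(name.split(".")[0]):
                if p not in predicted:
                    predicted.add(p)
                    for d in found["domains"]:
                        queue.append(("host", f"{p}.{d}"))
            for d in seed_from_url(f"http://{name}/")["domains"]:
                if d not in found["domains"]:
                    found["domains"].add(d)
                    queue.append(("domain", d))
    return found


FAKE_DNS = {  # constructed resolver table for the offline run; not real hosts
    "apple1.sub.domain.com": "192.0.2.10",
    "apple2.sub.domain.com": "192.0.2.11",
    "server01.sub.domain.com": "192.0.2.12",
    "intranet.domain.com": "192.0.2.20",
    "mail.domain.com": "192.0.2.25",
}

if __name__ == "__main__":
    result = discover("http://apple1.sub.domain.com/~chema/dir/fil.doc", FAKE_DNS.get)
    for h, ip in sorted(result["hosts"].items()):
        print(f"{h:28} {ip}")
    print("domains:", sorted(result["domains"]), "users:", sorted(result["users"]))
```

Against a live target, pass a resolver such as a wrapper around socket.gethostbyname that returns None on failure; the seen set and max_steps are what keep step 32 ("start over again") from looping forever on a large domain.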
Click & Go
How FOCA found the data
Multiple Search Engines
Huge domain case
Fingerprinting Options
• 404 messages
• Apps Error Messages
• HTTP Banner
  – Hostname
  – IP Address
• SMTP Banner
• Digital Certificates
• Shodan
• Version.bind
Phase 2: Network Discovery
An0nymous #OpGreece
Phase 3: Vulnerabilities
Vulnerabilities
Backups
Directory Listing
DNS Cache Snooping
• Internal Software
  – Windows Update
  – Gtalk
• Evilgrade
  – Detecting software vulnerable to Evilgrade attacks
• AV evasion
  – Detecting internal AV systems
• Malware driven by URL
  – Hacking a web site usually visited by internal users
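Added example, not FOCA's code: the probe behind the DNS cache snooping slides. A query with the RD (recursion desired) bit clear asks the resolver to answer only from what it already holds, so an answer for update.microsoft.com or talk.google.com means some internal client resolved it recently, which is how the internal software, AV and Evilgrade targets above are detected. The reply bytes in sample_response() are constructed for the offline run, not captured traffic; the interpretation of REFUSED, NXDOMAIN and the AA bit is the standard one, stated in the comments.

```python
"""DNS cache snooping probe built on the standard library.

Added example, not FOCA's code. A query with the RD (recursion desired) bit clear
asks the resolver to answer only from what it already holds; an answer therefore
means an internal user recently resolved the name. build_query() produces the
packet, classify() reads a response, snoop() sends one over UDP. The bytes in
sample_response() are constructed for the offline run, not captured traffic.
"""
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qid: int = 0x1337) -> bytes:
    """Standard query header with flags=0x0000: QR=0, opcode=QUERY, RD=0 (no recursion)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def classify(resp: bytes, qid: int = 0x1337) -> tuple:
    """Return (verdict, ttl). ttl is the first answer's remaining TTL when cached;
    falling TTLs across repeated probes confirm the record is served from cache."""
    if len(resp) < 12:
        return ("malformed", None)
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:
        return ("not-a-response", None)
    rcode = flags & 0x000F
    if flags & 0x0400:          # AA: server is authoritative, says nothing about its cache
        return ("authoritative", None)
    if rcode == 5:              # REFUSED: resolver rejects non-recursive queries, no snooping
        return ("refused", None)
    if rcode == 3:              # NXDOMAIN without recursion can only come from negative cache
        return ("negative-cached", None)
    if an == 0:
        return ("not-cached", None)
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4   # QTYPE + QCLASS
    off = _skip_name(resp, off)
    _rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    return ("cached", ttl)


def snoop(server: str, name: str, timeout: float = 2.0) -> tuple:
    """Send one non-recursive probe for `name` to `server` and classify the reply."""
    qid = 0x1337
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(512)
    return classify(data, qid)


def sample_response(name: str, ttl: int, rcode: int = 0, qid: int = 0x1337) -> bytes:
    """Constructed reply for offline use: QR=1, RA=1, RD=0, one A record when rcode==0."""
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    if rcode != 0:
        return struct.pack("!HHHHHH", qid, 0x8080 | rcode, 1, 0, 0, 0) + question
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", qid, 0x8080, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    print(classify(sample_response("update.example.com", 299)))          # ("cached", 299)
    print(classify(sample_response("update.example.com", 0, rcode=5)))   # ("refused", None)
```

To probe a real resolver call snoop("10.0.0.53", "update.microsoft.com") twice a few seconds apart; a "cached" verdict whose TTL drops between the two runs is the clean signal, while "refused" means the server does not serve non-recursive queries and the technique does not apply.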
.DS_Store
PHP CGI CODE EXECUTION BUG
Insecure Http Methods
Search & Upload
Juicy files
White/black list of matches for keywords and extensions
.listing
20/03/2013 54Chema Alonso
Multiple Choices
20/03/2013 55Chema Alonso
.svn/entries
A .svn/entries file looks like:
There is a plugin that parses the file
IIS Short Name bug
20/03/2013 58Chema Alonso
Proxy Server detection
• Mod_proxy
• Ad-hoc
  – Normal
  – Transparent
Leaks: modsecurity_crs_50_outbound.conf
Error Enforcement
20/03/2013 62Chema Alonso
Leaks
20/03/2013 63Chema Alonso
User directories
Search for ~USER in Apache webservers
20/03/2013 64Chema Alonso
All your FOCA needs is URLs
• Network Discovery
• Document Search
• File parsing
  – Directory Listing
  – Robots.txt
  – .listing
  – .DS_Store (not yet)
• Domain Crawling
  – Bing
  – Google
• Technology Recognition
• Custom Search
• Manual load
Domain Crawling
20/03/2013 66Chema Alonso
Custom Search
20/03/2013 67Chema Alonso
FOCA + Spidering
Phase 4: Plugins
Plugins: FOCA API 0.1
From FOCA to plugins (Events): OnNewDomain, OnNewNetrange, OnNewURL, OnNewRelation, OnNewIP, OnNewProject
From Plugins to FOCA (Calls): AddDomain, AddSQLi, AddProxy, AddIp … and much more…
Plugins: .svn/Entries parser
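Added example, not the FOCA plugin's code, serving both the ".svn/entries" vulnerability slide and the ".svn/Entries parser" plugin slide: a parser for the Subversion 1.4-1.6 working-copy entries file that an exposed .svn/ directory hands out, returning what an attacker gets from it (repository URL and root, revision, last committer, and for every file the repository URL plus the pristine copy path under .svn/text-base/). The field layout stated in the docstring is this example's assumption about the format, and SAMPLE_ENTRIES is constructed, not taken from a real repository.

```python
"""Parse an exposed .svn/entries file (Subversion 1.4-1.6 working-copy format).

Added example, not the FOCA plugin's code. Format assumptions used here: the
first line is the format number (e.g. "10"); each entry is a block of
newline-separated fields ended by a form feed; the field order begins
name, kind, revision, url, repos, schedule, text-time, checksum,
committed-date, committed-rev, last-author; the first entry is the directory
itself (empty name) and carries the repository URL. SAMPLE_ENTRIES is
constructed for the offline run, not taken from any real repository.
"""

FIELD_NAMES = ("name", "kind", "revision", "url", "repos", "schedule", "text_time",
               "checksum", "committed_date", "committed_rev", "last_author")


def _entries(text: str):
    """Yield one dict per entry, in file order, with missing trailing fields blank."""
    blocks = text.split("\x0c\n")
    first = blocks[0].split("\n")
    fmt = first[0].strip()
    for lines in [first[1:]] + [b.split("\n") for b in blocks[1:]]:
        lines = lines + [""] * (len(FIELD_NAMES) - len(lines))
        entry = dict(zip(FIELD_NAMES, lines))
        if entry["kind"]:                       # skip the empty block after the final form feed
            entry["format"] = fmt
            yield entry


def parse_svn_entries(text: str) -> dict:
    """Return repository location, history and the paths an attacker can now fetch."""
    entries = list(_entries(text))
    this_dir = next(e for e in entries if e["kind"] == "dir" and e["name"] == "")
    base = this_dir["url"].rstrip("/")
    files, dirs = [], []
    for e in entries:
        if e is this_dir:
            continue
        if e["kind"] == "dir":
            dirs.append(e["name"])
        else:
            files.append({
                "name": e["name"],
                "url": f"{base}/{e['name']}",
                # pristine copy kept by the client; often downloadable when .svn/ is exposed
                "text_base": f".svn/text-base/{e['name']}.svn-base",
                "checksum": e["checksum"],
            })
    return {
        "format": this_dir["format"],
        "repo_url": this_dir["url"],
        "repos_root": this_dir["repos"],
        "revision": this_dir["revision"],
        "last_author": this_dir["last_author"],
        "files": files,
        "dirs": dirs,
    }


SAMPLE_ENTRIES = (  # constructed sample, field layout as assumed above
    "10\n"
    "\ndir\n1234\nhttps://svn.example.com/repo/trunk/www\nhttps://svn.example.com/repo\n"
    "\n\n\n2013-03-19T09:00:00.000000Z\n1230\nchema\n\x0c\n"
    "config.php\nfile\n\n\n\n\n\nd41d8cd98f00b204e9800998ecf8427e\n\x0c\n"
    "admin\ndir\n\x0c\n"
    "index.php\nfile\n\x0c\n"
)

if __name__ == "__main__":
    info = parse_svn_entries(SAMPLE_ENTRIES)
    print(info["repo_url"], "rev", info["revision"], "by", info["last_author"])
    for f in info["files"]:
        print(f["url"], "->", f["text_base"])
```

The text_base paths are the practical payoff: a web server that serves .svn/entries usually serves .svn/text-base/config.php.svn-base as plain text too, which is source code the server would otherwise execute rather than return; the subdirectory names feed the next round of requests for admin/.svn/entries.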
Plugins: WebFuzzer
Plugins: Auto SQLi searcher
IIS Short Name Fuzzer
Making an easy Plugin
FOCA Reporting Module
Threat Analysis & Modeling
Reporting OSSTMM 3.0: STAR
OWASP Report Generator
“i64” Web Audit Report
Fear The FOCA
FOCA Online
Cleaning ODF: OOMetaExtractor
http://www.codeplex.org/oometaextractor
IIS MetaShield Protector
http://www.metashieldprotector.com
Evil FOCA
Thanks to Apple
Thanks to Apple (2)
Chema Alonso
• @chemaalonso
• http://elladodelmal.com
• http://www.informatica64.com