
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)


This presentation is part of Prisma CSI's Practical White Hat Hacker Training v1.

PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com

This document can be shared or quoted and used for commercial purposes, but cannot be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.

Published in: Education


  1. Practical White Hat Hacker Training #2 - Passive Information Gathering (www.prismacsi.com © All Rights Reserved.) This document can be shared or quoted and used for commercial purposes, but cannot be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
  2. OSINT
     • Open Source Intelligence (OSINT)
     • No communication with the target that may create an anomaly
     • Gathering information using internet services
     • Do searches on search engines
     • Analyze developer sites
     • Assemble all the information you obtained
     • Have an overview before active scanning to obtain the most accurate data
  3. Sceriano
     • We are a group of Zambian hackers.
     • Capital: Lusaka
     • Language: English
     • Let's suppose we are a hacker group for hire.
     • We need to collect information.
     • We need to look from every point of view.
  4. OSINT
     • Let's start by identifying the basics.
     • Finding the main site by Google search
     • IP detection by pinging
     • IP range detection
     • IANA
     • ARIN, RIPE, APNIC, JPNIC may be used
     • Researching the location with IP2Location
  5. IP Range Detection - DEMO: ripe.net
  6. IP Range Detection - DEMO: all IP ranges registered under the netname; iplocation.com
  7. OSINT
     • What can we find through domain information?
     • Whois record analysis - who.is
     • Discovering other domains by using reverse Whois
     • Whois history analysis
     • Discovering the attack area through subdomain detection
     • Detecting virtual hosts is important!
     • Detecting email addresses
     • Detection of email structure
     • Important for creating missing mail addresses!
  8. Whois Analysis - DEMO: who.is
  9. Reverse Whois Analysis - DEMO: whoisology.com
  10. Subdomain, Virtualhost and Email Discovery - DEMO: theHarvester
  11. Subdomain, Virtualhost and Email Discovery: theHarvester
  12. Aquatone - DEMO: https://github.com/michenriksen/aquatone
  13. Aquatone-Discover - DEMO: aquatone-discover -d yandex.com
  14. Sublist3r - DEMO: https://github.com/aboul3la/Sublist3r
  15. OSINT
     • What can we collect from DNS?
     • Analysis via robtex.com
     • Analysis through mxtoolbox.com
     • Analysis via dnsstuff.com
     • Analysis with dig
  16. DNS Information - DEMO: robtex.com
  17. DNS Information: dnsdumpster.com
  18. DNS Information - DEMO: mxtoolbox.com
  19. DNS Information - DEMO: dnsstuff.com
  20. Subdomain, Virtualhost and Email Discovery - DEMO: dig
  21. Subdomain, Virtualhost and Email Discovery: dig
  22. OSINT
     • Discovery through other useful resources has its benefits!
     • Analysis can be done via Yougetsignal: subdomain discovery
     • Analysis through Bing: subdomain discovery
     • Analysis via Netcraft: technology and service analysis
     • Analysis through Archive.org: content analysis over time
  23. Yougetsignal - DEMO: yougetsignal.com
  24. Bing - DEMO: bing.com
  25. Netcraft - DEMO: netcraft.com
  26. Wayback Machine - DEMO: archive.org
  27. Wayback Machine - DEMO: archive.org
  28. OSINT
     • It is useful to take advantage of the internet's active analysis resources!
     • Analysis should be done via Shodan
     • Analysis should be done via Censys
     • haveibeenpwned.com
     • Have the email addresses detected previously been used at a given address, and have these addresses been hacked before?
     • Have they been shared on paste sites?
     • Are the passwords of these e-mail addresses still in use?
  29. Shodan - DEMO: shodan.io
  30. Censys - DEMO: censys.io
  31. Haveibeenpwned - DEMO: haveibeenpwned.com
  32. Serversniff - DEMO
     • Online research resources - serversniff.net
  33. Hackertarget - DEMO
     • Online research resources - hackertarget.com
  34. OSINT
     • Developer sites are one of the most critical points!
     • Analysis must be done through Alexa
     • Pastebin sites must definitely be examined
     • Critical data can be captured by analysis via Stackoverflow
     • Analysis through Github can give access to source code and perhaps internal critical data.
  35. Alexa - DEMO: alexa.com
  36. Pastebin - DEMO: pastebin.com
  37. Pastebin Search - DEMO: https://inteltechniques.com/OSINT/pastebins.html
  38. Stackoverflow - DEMO: stackoverflow.com
  39. Github - DEMO: github.com
  40. Google Hacking DB
     • Google Hacking DB
     • Dork concept
     • Frequently used parameters
     • site:, -site:, inurl:, intitle:, intext:
     • filetype:, ext:, cache:
  41. Google Hacking DB
     • Example dorks
     • intitle:index.of url:domain.com
     • intitle:index.of inurl:domain.com filetype:sql
     • site:domain.com -site:www.domain.com unique
     • filetype:log intext:"putty"
     • filetype:xls "username | password"
     • ext:phps "mysql_connect"
     • inurl:/view/index/shtml
  42. Google Hacking DB - DEMO
     • https://www.exploit-db.com/google-hacking-database/
  43. Google Hacking DB - DEMO
     • Google Images
  44. Tineye - DEMO
     • https://www.tineye.com/
  45. OSINT
     • Important data can be obtained from search engines and social media, thereby expanding the attack surface.
     • User login screens must be discovered (for social engineering attacks).
     • Job postings must be analyzed
     • Social media analysis must be done
  46. OSINT
     • One can obtain data on people using search engines
     • linkedin.com
     • jigsaw.com
     • people123.com
     • pipl.com
     • peekyou.com
  47. OSINT
     • Metadata analysis should be done; important data can also be obtained from this.
     • Office files can be examined
     • PDF files can be inspected
     • Images - EXIF data can be analyzed.
     • Available tools: Exif-reader, FOCA, Metagoofil
  48. List of Additional Tools
     Processes handled manually with these tools can be automated for wide-scale application.
     • theHarvester
     • Spiderfoot
     • Recon-ng
     • FOCA
     • Metagoofil
     • Maltego
     • Searchsploit
  49. In the end
     • Domains have been determined
     • IP ranges have been determined
     • Technologies used have been analyzed and preparations made
     • Software used has been analyzed and preparations made
     • Leaked data has been analyzed and added to password lists
     • We are now ready for active scanning!
  50. Demo Practice
  51. Questions?
  52. Contacts: www.prismacsi.com, info@prismacsi.com, 0 850 303 85 35, /prismacsi
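Following the Google Hacking DB slides (40 and 41): an added example, not part of the original deck, that parses a dork string into its operators so a defender can take a public dork list and keep only the queries a search engine would scope to their own domain for an exposure review. The operator set, the `Dork` structure and `scoped_to_domain` are this example's own constructs, not a GHDB format or a Prisma CSI tool.

```python
import re
from dataclasses import dataclass, field

# Operators named on slide 40; anything else is recorded as unknown.
KNOWN_OPERATORS = {"site", "inurl", "intitle", "intext", "filetype", "ext", "cache"}

# One token is a double-quoted phrase, an optional "-" (or the en dash the
# slides render it as) followed by operator:value, or a bare word.
TOKEN_RE = re.compile(r'"([^"]*)"|([-\u2013]?)([A-Za-z]+):(\S+)|(\S+)')


@dataclass
class Dork:
    """Parsed form of one search query (example structure, not a GHDB format)."""
    operators: dict = field(default_factory=dict)  # op -> values to match
    excluded: dict = field(default_factory=dict)   # op -> values negated with "-"
    terms: list = field(default_factory=list)      # bare words and quoted phrases
    unknown: list = field(default_factory=list)    # op:value pairs we do not model


def parse_dork(query: str) -> Dork:
    d = Dork()
    for m in TOKEN_RE.finditer(query):
        if m.group(1) is not None:          # quoted phrase, "|" kept verbatim
            d.terms.append(m.group(1))
        elif m.group(3):                    # operator:value, operator case-folded
            op, value = m.group(3).lower(), m.group(4)
            if op not in KNOWN_OPERATORS:
                d.unknown.append(f"{op}:{value}")
            elif m.group(2):
                d.excluded.setdefault(op, []).append(value)
            else:
                d.operators.setdefault(op, []).append(value)
        else:                               # bare term
            d.terms.append(m.group(5))
    return d


def scoped_to_domain(dork: Dork, domain: str) -> bool:
    """Heuristic: does a site:/inurl: value name `domain` or one of its subdomains?

    Use it to filter a public dork list down to the queries that would point a
    search engine at your own properties, then check what those queries expose.
    """
    domain = domain.lower()
    for op in ("site", "inurl"):
        for value in dork.operators.get(op, []):
            host = value.lower().strip("/").split("/")[0]
            if host == domain or host.endswith("." + domain):
                return True
    return False
```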
