OSINT
OSINT
Content
- Content
- Metadata concept
- Tools
- Other approaches
- Resources
- OSINT
- open-source intelligence (OSINT - wikipedia)
The Pyramid of Pain
Knowlesys - OSINT realization - looks like resource which describes osint in general
Internet is based on:
- Hierarchy of DNS names (tree hierarchy)
- RIPE databases - exists 5 regions (Europe, Central Asis; North America; Asia, Pacific; Latin America, Caribbean; Africa) each region has its own ip-address pools and each region gives sub-pools to other instances (company or provider or country or …)
- Set of autonomous systems - AS. (these has no hierarchy)
- SSL certificate chains
Metadata concept
- by what? the file was created/changed - software type (e.g. MSWord, ImageMagick, …)
- by whom? the file was created/changed - username, impersonalization
- computer name, where file was created/changed
- when? the file was created/changed - date/time
- where? the file was located - path disclosure
- e-mail addresses
- ip-addresses
- dns-names and subdomains
Most popular assests searched for compromisation:
- an unpatched server connected to the Internet
- an individual
Tools
Awesomeness
- OSINT Framework - awesome collection of various tools for OSINT (Open Source Intelligence)
- recon my way - great article about recon
recon-my-way - some tools to automate recon - nikallass/subdomain.rb - subdomain OSINT script to run several best tools
- 003random/003Recon - some tools to automate recon
- recon.sh - this tool is a framework for storing reconnaissance information.
- www.robtex.com - very-fast recon / beautiful
- www.threatcrowd.org
- www.visualsitemapper.com - a free service that can quickly show an interactive visual map of your site
popular online resources
shodan.io (shodan REST api documentation (shodan python documentation (release 1, 08 Dec 2017).pdf) shodan developer (official Python library for Shodan (github)))
- censys.io - search engine enables researchers to ask questions about the hosts and networks that compose the Internet
(scans.io - internet-wide scan data repository - the censys project publishes daily snapshots of data found by these guys) - ipinfo.io - get geolocation, ASN, and hostname information for an IP address, company name and domain for the company that’s actually using the IP address, … (free for the first 1,000 requests per day)
- publicwww - find any alphanumeric snippet, signature or keyword in the web pages HTML, JS and CSS code
- nerdydata.com - quality leads from all over the web
OSINT multifunctional tools / frameworks
only subdomain enum:
- Sublist3r - fast subdomains enumeration tool for penetration testers - aggregates output from lots of sources (google, crt.sh, bing, virustotal, …)
python sublist3r.py -d example.com
- passivepython sublist3r.py -b -v -d example.com
- active - subfinder (passive) - a subdomain discovery tool that discovers valid subdomains for websites
better use docker - censys-subdomain-finder (passive) - enumeration using the crt logs (crt.sh)
python censys_subdomain_finder.py --censys-api-id [API_ID] --censys-api-secret [API_SECRET] example.com
censys-enumeration (passive) - a script to extract subdomains/emails for a given domain using SSL/TLS certificates dataset on Censys (json output)python censys_enumiration.py --verbose --subdomains --emails domains.txt
- amass (passive with dns or active) - in-depth subdomain enumeration
purely passive:... -nodns ...
passive:amass -v -ip -min-for-recursive 3 -log ~/amass.log -d example.com
,
has active methods:-active -brute
- knockpy (active) - subdomain scan
knockpy example.com
- enumall.py (passive + bruteforce) - automation of recon-ng subdomain discovery
./enumall.py example.com
./enumall.py -a example.com
Not all available technics are used by these tools, e.g. you can check specific technics from subdomain enumerate category (e.g. CSP analysis for subdomain search)
- Sublist3r - fast subdomains enumeration tool for penetration testers - aggregates output from lots of sources (google, crt.sh, bing, virustotal, …)
full-featured tools:
- aquatone - a tool for domain flyovers
Add keys:aquatone-discover --set-key [censys_id, censys_secret, shodan, passivetotal_key, passivetotal_secret, virustotal, riddler_username, riddler_password] [VALUE]
aquatone-discover --domain example.com --threads 25
- subdomain enumerationaquatone-scan --domain example.com --ports large
- enumeration common ports, used for web-servicesaquatone-gather --domain example.com
- retrieve and save HTTP response headers and make screenshotsaquatone-takeover --domain example.com
- check subdomain-takeover situations datasploit (passive + active) - osint + active scans = HTML report
datasploit -d example.com
fast analysis
- domain_analyzer - search all info about domain
- domain-profiler - a tool that uses information from whois, DNS, SSL, ASN, …
- lazyrecon (active) - sublist3r and certspotter + screenshots + grab response header + nmap + dirsearch = generate HTML report
- aquatone - a tool for domain flyovers
- theHarvester (passive + active) - e-mail, subdomain and people names harvester
python theHarvester.py -b all -d example.com
- DMitry (active + port scan) - gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, …
dmitry -i -w -n -s -e example.com
with port scan:dmitry -i -w -n -s -e -p -b -t 2 example.com
web-spidering:
- BlackWidow - web-spider
/usr/share/BlackWidow/blackwidow -d example.com -l 5
- Photon - light web-spider
photon.py -u http://example.com -l 5 -d 0 -t 10
- blacksheepwall (based on CommonCrawl - grep the internet)
blacksheepwall -cmn-crawl CC-MAIN-2018-13-index -domain sberbank.ru
- BlackWidow - web-spider
making screenshots:
online services:
IP, reverse IP, whois, NS, MX, PRT - history analysis, …
- viewdns.info - reverse IP lookup, whois, ip history, smap lookup, …
- community.riskiq.com ((alias: passivetotal.com)) - with registration and limited amount of queries (10 requests everyday for free), however VERY GOOD resource
- reverse.domainlex.com - reverse IP, NS, MX, whois
- http://ptrarchive.com/ - PTR - over 166 billion reverse DNS entries from 2008 to the present
search whois history, etc.:
- www.recipdonor.com (can search websites on single ip address, can search through history of whois)
RDS history, several sites on single IP, RDS subdomain - domaintools
- www.recipdonor.com (can search websites on single ip address, can search through history of whois)
active actions (port scan, …) on behalf of other’s services:
- mxtoolbox.com
- ipvoid.com - IP address tools online
- pentest-tools.com - google hacking, find subdomains, find vhosts, metadata extractor, icmp ping, whois lookup
- intrigue.io - official site, github
- spiderfoot – open source intelligence automation tool for process of gathering intelligence about a given target, which may be an IP address, domain name, hostname or network subnet
recon-ng (kali linux) - good (and huge) tool for various reconnaissance vectors
- Google dorks:
site:example.com -site:dev.example.com
- search for subdomains, excluding those we already know about (bing, yandex, github etc.) (ghdb.html) - archive.org
- check list of merges and acquisitions (e.g. List of mergers and acquisitions)
- maltego - to me it looks more like a toy
scanning tools
- subresolve - resolve and quickly portscan a list of sub-domains
Subdomain / ip / e-mail harvesting / enumirate / etc. (concrete tools)
- Subdomain enumiration
- process of exposing subdomains of one or more domains
network recon
search for other sites on virtual hosting:
- VHostScan
- my-ip-neighbors.com - under maintenance for one week (in fact for a year already)
whois, ASN, etc.
whois
(console utility) (never pass the domain name as the parameter, pass domain name’s IP-address), etc.whois -h whois.cymru.com " -v 8.8.8.8"
- using cymru.com get AS of an IP addresswhois -h whois.radb.net -- '-i origin AS35995' | grep -Eo "([0-9.]+){4}/[0-9]+"
- sing radb.net get ip-subnets of AS- whois.domaintools.com, reverseip.domaintools.com, …
- www.skvotte.ru
search ip-addresses and ip-address pools
- 2ip.ru/whois
- nic.ru/whois
ASN lookup
- bgp.he.net - hurricane electric internet services
- IP to ASN Lookup (Cymru)
RIPE databases (exists 5 databases)
- apps.db.ripe.net/search/full-text.html (Europe, Central Asis)
- www.arin.net (North America)
- wq.apnic.net (Asia, Pacific)
- lacnic.net (Latin America, Caribbean)
- www.afrinic.net (Africa)
curl -s http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip | gunzip | cut -d"," -f3 | sed 's/"//g' | sort -u | grep -i twitter
(MaxMind geo-ip base)
reverse ip lookup
dig -x 8.8.8.8
host 8.8.8.8
- yougetsignal.com
subdomain recon
Categorial/concrete tools/attacks:
- CloudFail - utilize misconfigured DNS and old database records to find hidden IP’s behind the CloudFlare network
python cloudfail.py --target rublacklist.net
subdomain enumerate
- searchdns.netcraft.com
- virustotal.com
also look up:https://www.virustotal.com/en/domain/<domain.name>/information/
- domainsdb.info (≈260 Mb)
- domains-from-csp - a script to extract domain names from Content Security Policy(CSP) headers
python csp_parser.py -r http://example.com
Everything beneath can be done faster if you will use frameworks and other complex tools
Subject Alternative Name (SAN) - X509 extension to provide different names of the subject (subdomains) in one certificate
Even if there is non-resolvable subdomain, probably admins use the same certificate for intranet connections.
- crt.sh example:
https://crt.sh/?q=%25.example.com
- crt search bash script
- transparencyreport.google.com
- certspotter.com/api
- certdb.com
- censys.io example:
https://censys.io/certificates?q=.example.com
- certificate transparency monitor (facebook)
- crt.sh example:
Forward DNS
- Rapid7 - Forward DNS (FDNS ANY) lists (120 Gb) - how it works - list is not full
zcat snapshop.json.gz | jq -r 'if (.name | test("\\.example\\.com$")) then .name else empty end'
- dnsdumpster.com (also contains historical data about dns) (online tool)
- Rapid7 - Forward DNS (FDNS ANY) lists (120 Gb) - how it works - list is not full
zone transfer - does DNS server expose a full DNS zone? (via AFXR) (AXFR zone transfer scan (by sergeybelove))
dig axfr zonetransfer.me @nsztm1.digi.ninja host -t axfr zonetransfer.me nsztm1.digi.ninja host -avl zonetransfer.me nsztm1.digi.ninja nslookup -query=AXFR zonetransfer.me nsztm1.digi.ninja
fierce -dns zonetransfer.me
dnsrecon -a -d zonetransfer.me
NSEC walking attack - enumerates DNSSEC-signed zones
Take your DNSSEC with a grain of saltapt-get install ldnsutils
ldns-stroll @ns1.insecuredns.com insecuredns.com
ldns-walk @ns1.insecuredns.com insecuredns.com
- nsec3map – DNSSEC Zone Enumerator – позволяет перебрать содержимое всей доменной зоны и найти поддоменты, если на dns сервере работает dnssec (https://github.com/anonion0/nsec3map)
- nsec3walker
nmap -sSU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=example.com <target>
nmap -sSU -p 53 --script dns-nsec3-enum --script-args dns-nsec-enum.domains=example.com <target>
subdomain bruteforce
Comparison of subdomain bruteforce tools: massdns, gobuster, dns-paraller-prober, blacksheepwall, subbrute (pic)
SecLists - check bruteforce lists
compiled GIANT subdomain wordlist (march 2018)
- massdns
- fierce
fierce -dns zonetransfer.me
fierce -dns zonetransfer.me -wordlist /path/to/wordlist.txt
- for custom wordlist - subbrute
- dnsrecon
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
dnsrecon.py -n ns1.example.com -d example.com -D subdomains-top1mil-5000.txt -t brt
nmap --script dns-brute --script-args dns-brute.domain=domain.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000000.lst
- SDBF - smart DNS bruteforcer (paper)
- DNSenum
- gobuster - tool for URL and DNS bruteforce
- manually check existance of
dev.example.com
,beta.example.com
,db.example.com
,admin.example.com
, …
e-mail harvesting
Google Chrome extentions:
- Email finder
- Email finder (automatically opens queries to yandex,google,rambler, … and searchs for emails ++ automatic Google Dorks)
Email Extractor - extract emails from visited pages
- hunter.io
- emailhunter - extract emails from visited pages
Google dorks:
"@" site:example.com
(searching e-mails) (ghdb.html)
AWS buckets search
Technique works through bruteforcing bucket names and searching for public buckets.
- bucket_finder
- lazys3
- slurp - removed after microsoft purchased github - Wierd!
- s3-buckets-finder
Social engineering / phishing
The social engineering framework - a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering.
Social engineering questions: who? (clients/employees), purpose? (awareness assessment, checking Incident Response Center, get confidential information, …), intruder model (insider/outsider), when? (at night, at the end of working day, …)
- SET - the Social-Engineer Toolkit
- urlcrazy (kali) - tool for generating and autochecking availability of domain names with similar spelling
dnstwist - domain name permutation engine for detecting typo squatting, phishing and corporate espionage - GoPhish - opensource phishing framework
King phisher - phishing campaign toolkit
Fierce Phish - other phishing framework (looks young) - evilginx2 - standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, alowing to bypass 2-factor authentication.
evilginx 2 - next generation of phishing 2FA tokens - spoofbox.com - spoof e-mails, messangers, …
For spam delivery:
- dnsbl.info - database of blacklisted ip-addresses
- mailgun.com - “powerful APIs that enable you to send, receive and track email effortlessly (10,000 emails free every month)”
- sendpulse.com - “maximizing open rates automatically with Artificial Intelligence, Hyper-personalization, Predictive analysis for email, SMS, Web Push, SMTP”
- mail-tester.com - first send your email, then check your score
protection methods:
search for phishing sites: altdns - generates permutations, alterations and mutations of subdomains and then resolves them
- configure domain (example.com TXT record “v=spf1 +a +mx -all”), mail-servers, spam-filters, sandboxes, etc.
- monitor anomalies
- employee training
- carry socio-technical testing
phishing emails
Metadata
crafting metadata
- FOCA (Fingerprinting Organizations with Collected Archives) - search for company’s documents (through google, yandex, bing, rambler, etc.) and afterwards exports and consolidate metadata (FOCA not maintained anymore, but still brilliant)
- Belati - the traditional swiss army knife for OSINT (FOCA’s good/better alternative)
metagoofil - extracting metadata from public documents found by google
metagoofil -d example.com -t pdf -l 100 -n 25 -o example -f example.com.html
- scan for documents from a domain (-d example.org) which are PDF files (-t pdf), searching 100 results (-l 100), download 25 files (-n 25), saving the downloads to a directory (-o example) and saving the output to a file (-f example.com.html)- snitch - automate information gathering process for specified domain
- Google dorks:
site:example.com filetype:pdf
(ghdb.html) - More tools on github: search for
dorks
in github - grep the internet: commoncrawl (get the latest date and start)
data can be downloaded or can be searched online or you can use command-line tool
(march 2018: databases, online search)
exiftool -jk
- tool for extracting metadata from files
analyzing metadata
Metadata can be treated as bigdata: splunk (offitial site)
Articles:
Tricks
- email headers may contain ip-addresses from internal companie’s infrastructure
Other approaches
- Lookup github.com, bitbucket.org and other open control version systems for client’s backups, configs, dev code, etc.
GitMiner - tool for advanced mining for content on Github
Comentários
Postar um comentário