
From OSINT to PWN

BSides Greenville · 2020 · 49:28 · Published 2020-06
Speakers: Bryce Crum
Tags: Category: Technical · Team: Red · Style: Talk
About this talk
Bryce Crum demonstrates how attackers and penetration testers use open-source intelligence to enumerate systems, identify services, and discover organizational exposures before legitimate defenders can address them. The talk walks through OSINT methodology across multiple attack categories—from user and email enumeration to password discovery, system reconnaissance, and source-code analysis—pairing each offensive technique with defensive mitigations.
Original YouTube description
Bryce Crum of Avertium discusses how organizations have exposures that can be found by attackers (and penetration testers alike) which can present significant risk and need to be found and addressed - before an attacker finds them for you.
Transcript [en]

My name is Bryce Crum. I am an associate penetration tester with Avertium, and the topic today that I'm going to be talking about is From OSINT to PWN. The primary topic of this is going to be centered around kind of a different viewpoint from what most people experience when discussing open source intelligence. So with open source intelligence you're typically getting a forensics viewpoint or some form of kind of investigative viewpoint, I would say, and for this purpose this talk is going to talk about how an attacker, or in this case a penetration tester or red teamer, can utilize that same information to kind of enumerate and have access to situations and services we may not have

identified or been able to breach previously. So that's kind of the overview, very quickly, for the presentation. Just as a quick introduction: as I said, I'm with Avertium. I have held many different roles in the past. I've been a C# developer, I've worked through business systems analysis, went into a security operations center for a time, I worked as a red team member for quite some time, and then moved into my current role. I personally kind of describe myself as a perpetual noob. I'm always trying to understand and learn new things, but I always find myself, even when I get a grasp on the smallest thing, I believe, oh, now I've got, you know,

some general understanding, and I realize how massive that web truly is and the impossibility for me to have understood it at that level. So it's one of the amazing things about our industry: you think you've understood everything about a room, only to turn your head and realize you were standing in the far corner. So really an enthusiastic viewpoint there. I am also an ETSU alumnus as well as an Offensive Security Certified Professional. I have a wonderful wife who deals with me putting presentations together and kicking her out of the house to give presentations. I'm also a hobby jumper, which basically is a terminology I didn't know existed but fits very well, which means that I jump

from hobby to hobby depending on the day as well as depending on what I'm feeling. Recently it was rock climbing, but with COVID we all know how that goes. And then the primary thing that you'll notice throughout these slides is memes; I have quite a few of them throughout, so if you're not interested in memes I apologize in advance, but you'll see quite a few. A quick disclaimer, though: all the views that I express during this presentation are my own and don't necessarily represent the opinions of my employer or any entity who I'm currently or previously associated with. It's just, you know, a very generic standard disclaimer. So diving right in, as I go through each of these

to kind of give you some more insights, I never try to present attack methodologies or any form of offensive standards without giving some form of a background around defense tactics as well. So for each category as we go through, I will give an overview of the knowledge that you're going to be looking for, the insight that you're trying to gain from that category; then we'll move into the attacks that we typically perform with that knowledge after accumulating it; and then some defenses that can be performed to prevent me from being able to get that information, or to slow me down at the worst. So that'll kind of all come into play after the introduction. The other side of that, through this overview,

each of these categories is going to build on one another. They're put in this order for a reason. So typically this is my methodology; obviously there are many others who may have much better methodologies, but this is the one I prefer to use, and from that it's kind of ever-expanding. But the general way that I progress is I'll follow through from general information, users and email addresses, kind of hunt down a little bit into passwords and secrets, and then enumeration, system information, and source code where available. So you'll hear me refer back to previous categories as I progress through; just know that these kind of build on one

another. So I guess to start off, what is open source intelligence? Well, from the viewpoints that I've seen most people discuss, and kind of the other ways that I've seen it described, it's basically data that can be obtained publicly from multiple sources, any source that doesn't require some form of authentication or is bound in some way, to be then used to process and make a decision, and typically to make an informed decision if possible. So a lot of times when people discuss open source intelligence you'll hear social media, you'll hear about information around blog posts, or the very generic well-known sources, but the other things to consider are repositories, DNS information, academic papers, court information, as well as

the common other ones: blogs, videos, articles, so on and so forth. So there's a lot of data that accumulates into open source intelligence, and with it kind of come various definitions depending on the environment you're in. Once again, this is from an attacker's perspective, so we'll be covering a bit more around the obscure as well, as that tends to be where we're going to find more interesting information. So starting off with general information: where we typically begin these types of OSINT investigations, as it were, from an attacker's perspective really depends on what environment or what engagement I'm going to be dealing with. Obviously if I'm dealing with an external penetration test versus a web

application assessment, those are two completely different spheres, and I'm going to be targeting completely different information depending. So obviously it's kind of the start game: what do you know, or what has already been provisioned to you when you're starting off? In dealing with very specific engagements, where a client or someone has come in and given very detailed information about what they want assessed, it then changes the way that these types of information gathering, and building and utilizing that kind of passive recon if you will, being able to take that information in and use it, is changed quite a bit, because the more specific the engagement details, the more specific the open source intelligence has

to be to match it. So obviously, let's say someone has come in and decided that they want an assessment done, and they've said you have free rein, basically here's the name of the company, go figure information out, then give us the option to decide whether or not it's in scope, but we just want to see what's there, right? That obviously is a very broad scope; you're in a situation where you're going to be doing a lot more open source intelligence on more aspects in a lot more areas. Whereas if someone comes in and says these are the exact hosts I want checked, these are the exact services on those hosts I want

checked, I want, you know, XYZ done, that then narrows down the amount of research that you're going to be doing and what you're currently targeting. So the biggest hint there is to read the information, because that information is going to not only narrow the scope down as to what you're going to be doing but also gives you the benefit of understanding some other intricacies around what you're going to be doing with this assessment and the network that people are dealing with. So general information: what you're going to be going after depends on what you started with, but realistically the things that I always try to grab are names, anything as far as aliases go around

someone, addresses, phone numbers for the company, especially around company directories or the front desk, things of that nature; email addresses if you can find them right off (we get a lot more into that later, but this is kind of the generic, if you will, first page of Google moment, right); websites, their domains possibly that are just immediately apparent through SEO; images, videos, so on and so forth, just grabbing the quick things. What I will say is, on images and videos, I tend to leave those out until much later on as I'm progressing through, simply because it's kind of a time sink, and obviously with these types of engagements, as well as in the real world, a real-world attacker

doesn't necessarily have an infinite amount of time, although we'd like to talk about that from time to time. Unless they're extremely dedicated, more often than not an attacker is going to be trying to gather information on a large number of targets, right, and they only have a set amount of time they're willing to spend, and it's kind of the same idea from a penetration test perspective, unless it's a very targeted situation, obviously. So how do we attack general information, right? Obviously, okay, we've pulled names of locations and we've seen some pictures of the buildings they have; what are we doing with this information? Well, this tends to be the foundation that all the rest will be laid upon,

right? The more that you gather and generate and pull together for this type of baseline will give you basically the structure you'll build the rest of your attacks on. So any time that you run into information, even if you may find it very tedious, if you will, it may be valuable; make a quick note of where you found it. Even if it's something that doesn't get used, you have source notes for it; you can go back and find it. One of the things that I typically will immediately jump into is password list generation. You know, if you've got information already that you've built up around individuals at the company, products they sell,

things of that nature, the things that you can pick up fairly quickly on, like I said, a front page of a search engine, all right, take that information, dump it into tools like crunch, CUPP, or CeWL. CeWL is also a really good tool if you're going to be doing web scraping; it's a good tool for targeting a company's website and generating password lists off of it. Obviously password lists come into play in multiple attacks, but realistically it doesn't by its own nature give a direct attack, so more often than not you're not going to be pwning from general information, right? And don't forget about rules. So especially if you're dealing with an internal

situation where you're going to be doing internal engagements and you've captured hashes, now you've turned back to that password list you generated during the general information session; use rules to go ahead and get the most out of that password list, because very minor changes, such as a zero instead of an O or a dollar sign instead of an S, the standard modifications that people make, are the types of things that tend to throw off standard password cracks, right? From a social engineering standpoint, the more general information you can gather, the more credibility you have. I've actually found myself in some of my own situations where I've needed to social engineer my way out of sticky situations,

or I've been in a situation where I need to discuss with an individual to get access to an area, and just knowing basic information that a corporation would expect an employee to know gives you a level of credibility beyond the general populace, and sometimes that's enough to convince them to allow you to then continue on. Obviously it depends on the context, and obviously, you know, the information that you're going to be using is going to vary depending on who you're discussing with or what you're targeting, but by and large just very generic information such as a building number, or a store location or store number, or whatever other information you can pull, can give you a lot of credibility when

dealing with a persona that you've put together for social engineering as well as for phishing campaigns. Physical security comes into its own here. General information is typically going to be the biggest data dump that you can get around physical. If you're going to be targeting from a physical perspective, you can get a fairly strong understanding of the electronic security controls that are in place; you can get a strong understanding of kind of the physical security as far as locks, possibly door handle styles, right, maybe if you're going to be deploying stuff like an under-door tool or things of that nature; you may be able to pull information such as camera locations and the parking arrangement. Understanding

where to park and where to move, and seeing the flow of where individuals tend to stand and move within the location, is extremely valuable. Any time that you can get that information, definitely go after it. Obviously Google Maps typically strips out cars from parking lots, things of that nature, but you can typically see it inside of corporate locations where they've added images to their website or things of that nature, especially if they have buildings that they're particularly proud of. That can be a lot of great insight into understanding the normal business operations and flow, to give you a lot of credibility. It also kind of plays into the same with dress code; that way you don't have

to do as much active reconnaissance; you don't have to risk yourself being there in inappropriate attire necessarily. You know, if you are going to be targeting a location and you're assuming they're business professional, you show up in a suit and tie, and you watch and everyone's walking in with khakis and a polo on, then you put yourself in a situation where you're highly likely to be detected while doing recon, right? Even if you're just sitting in your car you can still be noticed, and so it's kind of that situation of: you're eliminating that aspect if you can gather that information here. And then the biggest one, of course, is the doors and windows. That's your ingress and egress points;

that's going to be how you get in, get out, whatever you can do, and also understanding the door controls, right? Can you tailgate? Is there a situation where the door is not a turnstile or something of that nature, where you can just follow someone in, or is it a turnstile situation where you're going to need electronic controls to get into the building? Are there gates? What kind of other security controls are you going to have to bypass to even get in? So physical security kind of comes into its own during general information gathering. So how do we defend against people gathering general information? Well, typically the defense side is going to come

into a weird situation with general information, where it's almost going to not be worth the battle depending on the populace you serve, right? So if you have a client group that is the general populace, you can't risk closing down information such as phone numbers or email addresses or things of that nature from search engines, because you need that for business; it just makes logical sense there. But if you are someone who is, or if you are representing, a company that does not have, you know, a direct need to share that information, try to get business listing information unlisted, right? Any time that you can unlist information, that's more digging that an attacker has to do. Can they still

get it? Most certainly. Are there a number of tools out there that can get it? Most certainly. But the more you unlist, the harder it is to find. Reduce web presence. So it's kind of the joke, the counter-opposite of doing development: in development they talk a lot about optimizing, search engine optimization, right, getting that down to where your keyword searches are nailing every single time. If you're going to try to avoid people finding even general information about your company, you don't necessarily want search engine optimization in place, as well as reducing the web presence as much as possible; we'll get into that more later. Consider reducing the social media posts you make. Obviously if you're at this

level you're probably not making many social media posts, but if you are, make sure that you are making, you know, the most out of the posts you do use, and that there is something in the process that is making sure that security is considered as you're progressing through, something that allows for individuals that are making these posts to have a second set of eyes that has the mindset of a security professional and knows that that background image of the card reader at our door may give away insight into whether it's kind of your low frequency 125 kHz or high frequency card reader, right? And the cure can be worse than the ailment here, so

realistically many of these may not be valid options for your company, or the options that you use to defend your company, so keep that in mind. You can't be locking down the fortress when there's other holes, or, you know, you can't pull the drawbridge up if you need the population to come in. So moving on to users and emails. This one's kind of in three parts, I typically break it up. The target that I typically go after first is to identify email patterns. This tends to be what I will build the rest of the list on; this tends to be where the username list comes from, as, if any of you were able to catch Michael Berardi's

talk on passwords, this tends to be where I'm going to build the username list that I'm going to utilize for password spraying out of. All of it depends on me identifying an email pattern, typically taking that email pattern and applying the identified users, which comes into the next category; that generates the list. So how do you identify those email patterns? I typically like to use generic tools. Obviously you can just go to a search engine, pull it up, throw in an email or throw in a domain name, and see if you can kind of enumerate through the metadata there to find an email address. If you can't, and if you can't make an informed decision off of even

five or six there, I like to use things such as hunter.io, which has kind of done all of that for you, where they do the scraping; you just go in there, punch in the domain, and it will spit out what it believes is the pattern. Obviously it's not going to work for companies that have multiple patterns; if they're using four or five or six different pattern styles depending on department or depending on whatever, that can all come into play and make it much more difficult for an attacker. theHarvester, I've had some luck with it in the past; I haven't had as much luck with it here as of late, but it definitely was pretty powerful in the

past. And then recon-ng has various modules as well; really powerful tool, great tool for various portions of open source. I don't myself tend to use it as often, but many of my colleagues still do, and it's an excellent tool. Possible users: at this phase, this is where you're going to be enumerating who works there. That's basically the goal you're going after: pulling as many names as you can, past or present, and putting them into a list to then be transformed based on the patterns identified during the previous stage. So LinkedIn is probably the most valuable target here from my experience, simply because it tends to be a socially

accepted way for people to correlate to a company without having a company directory on the website. The only thing with LinkedIn is that when you attempt to go to a company page and make that navigation, typically they're going to require you to have some form of degree of relationship with individuals to then be able to see their name. That's the benefit where LinkedIn LION accounts come in; I don't know how many of you are familiar with that, but LinkedIn Open Networking is what LION stands for. LinkedIn LIONs will connect with almost anyone, simply as a way to try to prevent gatekeeping and allow people to come into industries that may be more difficult to kind of pull that all

together. Typically it's not necessarily a difficult way to find, even if you don't have a LION, your way into a company and be able to see the listing; you know, a decent persona will get you in. But even beyond that, a lot of search engines, for public profiles, you can actually directly do searches around an intitle: and do specifics like LinkedIn or the company name with site:linkedin.com, and you can pull back a list of users that have public profiles without ever having that degree of relationship. So that's another way that you can kind of work around it. Company directories obviously come into play here; that's a huge source of knowledge if

they're available publicly online. Social media I don't tend to find as often; sometimes you'll get lucky there, but it's kind of hard to make the correlations, and a lot of times you get a lot of false positives. Search engines, as I said, you know, you can do those; the proper term for it is Google dorking, where you can kind of identify very particular patterns and then utilize those in certain events, or just to find users. Another kind of gray area of open source intelligence is metadata scraping from public files, or files that are hosted on a website that a user has on some sort of web server: grabbing those files down and then

enumerating the metadata out of them to find users is a great way to identify a company that may be using usernames that are non-standard, or not the local part of the email address. Obviously that's something that will kind of break the chain that I have currently, right, and if you're not aware of that fairly early on, you can spend a lot of time generating these possible usernames only to find that the username is actually an alpha character followed by multiple numerics, right? So some really cool tools on the scraping for metadata: PowerMeta, Metagoofil, and many others; custom scripting, you can do this. This tends to be kind of an area where

I'll go to from time to time. I'm not going to always do it, depending on if I already have some insight, but typically it's something worth doing if you're not certain why you're not getting results in some of your other attacks. So attacking users and emails: obviously the easy one is a phishing campaign, taking those email addresses that you've enumerated and putting them to direct use by emailing users with the general information that you've already enumerated about the company. That can give you some very good success depending on the target, and especially the more general information you gathered; as I said, that's the foundation. So piling that in, if you find out they may be going through some form of company transition

or something of that nature, that can be extremely powerful ammo to the impact behind a phishing campaign. Building possible username lists, as I said in the previous slide, same idea: basically taking those users that you identified that do work at that location, I guess at that point employees, taking those employees, appending them into the standards around email addresses and things of that nature to then generate lists. That can be done very easily with Python scripts or things of that nature; there's plenty of tools out there that can do it, which we'll get into in a minute. But basic password spraying is still valuable: you can use those usernames against any service to try basic passwords, Season2020

exclamation mark and all the other common ones, and check for previous breaches. So if you do get email addresses that you have identified as valid by some manner, whether that be through a web app that's giving a verbose error message on login or something of that nature, or you have an OWA server, which makes it really easy, you know, take that information and run it through previous, you know, information, like searches of Have I Been Pwned by Troy Hunt. Great tool for defense as well, but it's also something that can give an attacker insight into whether this individual has been compromised before; maybe they're still reusing this password somewhere else. So defending users and email addresses is

primarily around kind of the unfortunate situation of security by obscurity, which of course as we know is not security at all, but it does make it more difficult for an attacker. Non-standard email formats are very frustrating for people who are going to be dependent on tools to generate that information for them. You have seen the usual ones; one that I saw at one point that about broke my mind for a moment was first initial, middle name, last initial as the email layout, and although that's still something that an analyst that sits down and performs, you know, a check on, or an attacker of the system that performs a check on, could very easily create a custom script to

put together, a trivial, trivial action there, it's not something that you're typically going to find in the common tool sets, so if it's someone who's more dependent on the tools you may be able to escape that. It also can be extremely valuable to vary the styling and the form of emails internally if possible, so each department has a different styling of the email layout for the local part. That can be extremely frustrating to an attacker, because the list gets ever larger and larger as you're trying to make all the possible enumerations of this, which makes it easier for defenders to detect this type of attack, all right, especially if you're going to be going for, like, a password

spray or something of that nature. So use separate, you know, difficult-to-guess usernames; don't make the local part of your email address the username necessarily. There's other alternatives that you can do that are better options. And be careful who you add on LinkedIn. As I said, the minute that you add someone on LinkedIn you're adding them as a degree, and everyone that you know and everyone they know just became correlated to that person, at least to the point of being able to see their name and their company affiliation, so keep that in mind. For passwords and secrets, this one tends to be a lot where people don't believe it until they see it, necessarily. This happens a lot where,

especially with obsoleted technologies such as forums like Google Groups, things of that nature, where people were using them prior to maybe migrating into an internal Teams or something, you know, something of that nature; if there was ever a shadow IT presence before, or if there was ever, like, documentation that was being publicly shared, and maybe they didn't want to have to worry about adding everyone each time that they got new people, you may run into public Google Groups or things of that nature that you can enumerate through and identify processes and things of that nature. I have found documented processes in Trello boards before that included information such as usernames and passwords, so

always something to be aware of. I believe Trello now by default is private, so you do have to forcefully make it public; there are multiple error warning messages, but still something that was out there and still is. Wiki pages, blogs, things of that nature, I don't run into those as often; sometimes if the company has them and they've just forgotten them, with a legacy situation you may run into that, but it's not as prevalent. Videos: so I mentioned in the beginning that I typically leave videos and pictures till much later in the process; well, this is where I tend to come back to those. Videos and pictures can give you a ton of insight into secrets and possible keys, passwords, physical keys, physical badges,

things of that nature. So much of that can be seen in videos because people don't necessarily think through how the marketing video is viewing the background, right? They're focused on the initial shot; they may not even have blurring in the background. You'll see that a lot more with older videos, but with training videos as well. Many a time I've jumped onto a site where someone has been giving a seminar, and you hit the seminar and you look back on the whiteboard, and there's credentials, right, to probably a wireless network or something of that nature. I've seen that multiple times in multiple environments, and it's something to keep aware of, right? It's not just

YouTube; it's also Vimeo. Find out what that group is using, identify those videos, and see what you can see. Sometimes it's going to be too poor of a quality, as far as the video's resolution goes, to be able to pull interesting information; other times it's going to be as plain as day to anyone that was willing to look outside of the directed scope of a video, and images in the same format. Finding public code repositories today is a little bit harder than it used to be unless it's been purposely open sourced; even still, if you do run into this situation, check for uploaded config files. A lot of repositories are trying to prevent

people from uploading secrets anymore, API keys, passwords; it still happens despite the best effort, that you know there are those developers that will just completely ignore warnings. I used to be one at one point before I turned to security, so I can attest to that. So you kind of have to really consider that, and, you know, there's an awkward moment of making sure that you're properly deleting it and not just resubmitting and creating a history situation where the history can be reviewed for credentials. Attacking passwords and secrets: obviously there's the blatant one, which is if you've identified credentials via a repository for a particular service, try the credentials on that service. If

you've identified credentials via a whiteboard or something, go check those against the wireless network. If you've identified credentials on a sticky note in a video, go check those for AD or something of that nature, right? There's the obvious side, but even if the credentials aren't immediately active, right, if they've been deprecated in some manner, they're still valuable. There's credential stuffing: you can use those credentials across multiple applications; password reuse, as I said, is still a thing, so you may run into that and be able to utilize that. There's also deriving patterns out of them. So obviously there's the common one that everyone laughs at, which is the season, year, and an exclamation

mark, right? Taking that in, most any attacker is going to be able to glide to that and guess that the next one is maybe Spring or Summer, right? But there's also the other side of that, which is phrases that people will typically use. An example may be like "this is a password", let's say for our web portal, so "this is a password web portal 1", right, or a company name bang. Well, if I take that and move it into a situation where I need to get access to another service, right, and they named it after the service, then "this is a password", that service name, 1, bang, or whatever, will more than likely give us the same result.

So be looking for those types of patterns out of any credentials that you accumulate as you're going through this process. With social engineering, there have been a lot of attackers that actually utilized this methodology; it's something very effective. Many of you will probably remember a few years ago there was a situation where there was a phishing campaign being sent out where people were attempting to exploit the fear of public shame for someone; the attacker would claim that they had gotten ahold of a video of them in a compromising situation, and they would include a previous password from a known data breach for that email address, in hopes to force that user to believe

them, that they were able to compromise their system. So with social engineering, especially to those that don't have a very strong understanding of computing, it can be extremely impactful to them to see what they believe and hold as something that shouldn't be publicly available at all, and it can give validity to a threat, right? So it kind of comes into play there. And then from a physical security standpoint, this kind of comes back around: if you see pictures of keys, if you see pictures of badges, things of that nature, there's a ton of information you can pull from that. If you see a picture of a key, and it's high enough resolution, or even if it's low resolution but you can get it

laid out just right, there's many a talk out there about people cutting keys from the bit layout of the key; you can put them over, well, there are grid overlays that are publicly available to cut a key. Those all come into play here. Clamshell badges, the old-school kind, the 125 kHz badges, 26-bit or 35-bit HID readers, right: those badges a lot of times will have numeric values written on them; from time to time those can actually be the badge number and the facility code. Alternatively you may run into a situation where you see a barcode on the badge; if you scan there, you know, obviously from a user standpoint you don't really think much about that

barcode being visible from an attacker standpoint we can interpret that barcode and it typically is something such as the badge number facility code and for sensitive information that you don't want to be giving away so how do we defend this obviously the primary amount defense is to know what's out there be aware of what you have going on in your own environment around shadow i.t around any form of external systems know how they're being used and by what departments and what they're storing in those systems establish an end-of-life process so this is what bites alot of people is as they're migrating from tool to tool they never really set a process to handle ending the usage of that

previously used service so make sure that you have a defined end of life process and how to handle that service once it's been completely you know disregarded as far as the company goes make sure that that's useful and not something that's too difficult to follow and something that if you do have a shadow IT environment that they will try to follow it as well when moving away from the shadow IT environment as you bring them back into the standard environment when we discuss later on about system information Kentucky audits a source code management know where your source code is why is it there who needs access to it why do they have access to it obviously with open

source intelligence we're talking about this from a very a very public viewpoint but if you are in an internal situation and I get a hold of a low privileged user and they have access to a source code repository my first question should probably be why why did they have access to that did they truly need access to it so conduct frequent audits of who has access to your source good with systems and source code distance to be where you're going to be pulling the most data from an attacker standpoint to move into the next phase so this is going to be information that's kind of an immediate translation phase if you will with domain information Whois information DNS

records subdomains all of that are extremely valuable you can pull that those of course correlate to some form of IP address or some form of cayenne that gives you more insight into the environment they're using whether they're in a cloud environment whether they're on prim who's you know who's managing the situation it there's there's all of that information publicly out there and available Whois information will also give you unique inside that you can kind of dig into by looking at email addresses that the domain was registered with what other domains have been registered with that email address what other domains have been registered under a particular company making those correlations and then continuing to dig

through the same way in a loop as we'll get through later it gives a lot of insight to a lot of hosts that maybe even the client didn't realize we're publicly available so make sure to if you're on the defending side make sure that you know what's out there and that you're doing this yourself from an attacker standpoint you know that we're going after those unknown hosts so be willing to dig in really far and do this loop multiple times public ports and services typically this is where an attacker is going to move into active reconnaissance and start throwing scans at systems but if I find myself in a situation where I'm dealing with a

assessment that's not going to provide me a whitelist or something of that nature or except list or something of that nature for traffic then I'm going to go ahead and move into a kind of more stealthy approach which is to use these public scanners that already provide information for me from like since sto showed and things of that nature they can provide port information as well as the services running showed em premium actually will give you a screen shot of if it tries to make a connection and what the view look like since this will give you header information depending and you can kind of start to build a system for Sona around what the system's

supposed to be doing and how it's supposed to be implemented for their environment and the more that you can understand around the personas of each system the more you become begin to understand their network without ever having touched it and so it can be a really powerful tool without having to risk getting blocked via scans and then of course as we mentioned before finding code repositories that's kind of the Holy Grail situation it opens up so many possibilities and so much time can be spent in that realm that is you can deep dive to find low level exploitations you can find single injection that would be blind and especially as situations where you're dealing with time-based blind

injections right you're not going to be able to pinpoint those very easily from an external viewpoint in which you have a very particular query your standardized set of queries that work frequently mmm a lot of times especially on unstandardized or if there's a very particular layout for the day query you're not gonna be able to pinpoint that things also such as deserialization vulnerabilities so on so forth is just a whole number that opens up with code repositories attacking standard information or system information and source code at this point it's around the the standard tactics right taking that information enumerated that bringing it back determining if there's owner abilities out for those versions understanding why those versions are

employed and if they have any differentials or the standard falls that people fall into I always suggest performing active recon before you move into the attacking phase for system information because you need to verify that that's up-to-date and hasn't been outdated especially if you're dealing with a crowd cloud environment where services could have been changed also social engineering for system information of source code this would be a very targeted principle this is going to be if you're going after helpdesk or if you're going after a technical individual and you want to come in as maybe a consultant viewpoint or something of that nature and be able to act as though you have a very intricate

knowledge of how their networks are operating to try to build that trust very quickly it can be helpful if you are going to be putting on the persona of the helpdesk and contacting a user but by and large this level of information not as much with this you're when you get into the code review aspect as we talked about identifying those exploits that are difficult to to locate in publicly available code can it can lead to exploits but I'll also warn once again time is a valuable asset when it comes to these types of situations and remembering that can give you unless this code base is very prominent and used frequently right and in which case

there are other better resources which we'll get into here in a minute to be doing so from an attacker standpoint you may not have as much value going down that rabbit hole for too long defending system information in source code who is protect or privacy protection is always a good idea even for major and larger companies just having that protection in place to prevent users from being able to make those correlations it does make it difficult on the offenders as well being able to pinpoint but it's the situation of it's a give and take the auditing external host frequently is something that regardless of your viewpoint on the rest of this you should be doing forgetting an external host is

out there and having a vulnerable service on it is a very problematic thing as we've seen with so many times snv's issues so know what's out there know your network right ensure that all the services are needed publicly if you have a hose that is serving a web server and you are publicly serving the database that's on that same server that's utilized for the web server you don't need that database publicly available they'll kill that port right to make sure that you're not allowing that access will kill the port externally so make sure that your you understand what services you truly need externally and why this is also this can be extremely difficult for larger companies but it's

still something valuable to be doing and if it's not being done definitely need to be considered performing source code reviews is an excellent option if you have a lot of open source projects and that you're going to be dependent on them to remain that way you kind of have to defend depend on the community it may be a good move to not only do it through your you know a standard code review but also to in employee bug bounty programs and things of that nature to try to keep that code secured as best as possible and prevent that information from falling into the wrong hands to be used and the people you don't want with with

all of this a lot of these issues are going to spawn from people taking action on their own so discuss best practices with your admins provision their repositories that they need make sure that they have the the team communication resources that they need and want because those avoiding those situations avoiding those discussions with your admins and developers is going to lead to that awkward moment of shadow Otte environments throughout and those can be extremely impactful so some quick final thoughts kind of wrapping up here this is a rinse and repeat methodology right take this and kind of apply a belief that the original whose name was at the OODA loop from military reference you know take that observation

orientation make a decision and act upon it right and you're gonna be progressing that throughout this open source intelligence process once you've found your way through the external and you're found your way onto the internal network this isn't over necessarily as you find new services as you find new users as you find whatever you can rinse and repeat this process to find more information don't get lost in the hunt though obviously time is money right and time is a very valuable thing and a lot of times there are a lot of data that you can be going through especially if you're not just looking at the company but also looking at the individuals there's a ton of money that you can

spend in hunting that as far as hours go or you can spend that time maybe looking for the easy wins so don't get lost in the hunt if you found nothing else and you just absolutely need something you know go crazy but it's something to keep informed and knowledgeable about tom is a commodity as I said open-source intelligence is only one part of much larger assessments by and large so use this as a tool as you progress and use these methodologies and find your your speed you're going to be able to bring this together fairly quickly kind of get your own mentality down and move through it and do it quickly right it's it's not gonna be something

that takes you a lot of time but that being said be weary especially if you find yourself with a lot of time left and you're just trying to find a way to piece together these minor little bits at the end make sure that you're not spending time there when there could be much more valuable areas and then the biggest one is have fun and teach each other none of us are masters of everything right and especially with open source intelligence I am far from a master of it I know people who are infinitely better at it than I and I have learned so much from them and as this community and in every way but it's

it's so interesting these types of topics to come together and have these communications and discuss teachable moments even to the client and end users those who don't have the technical knowledge necessarily because you can bring that together and bring them into the understanding that can help them to secure themselves and not only their company but also themselves in their family as they progress on and learn more about these types of external facing information they're providing to others so have fun teach each other and enjoy it so any questions concerns considerations otherwise let's I talked out I haven't seen anything pop up over there yet okay does anybody have any questions for bikes let's see looks like

I've got, I just pulled up Discord. Oh, now I'm not over in Discord, sorry. Okay, yeah, no, I was gonna check through here and see. Maltego: I actually don't use Maltego, or I haven't, primarily simply because I haven't run into a situation where I've needed to take the time to kind of compile that data en masse together. I've heard that it's an amazing tool. By and large, when I'm taking notes of this information, I have my own scripts that are run to kind of pull it together into notes and store them in locations, so it's just kind of my own thing that I have together.

I was trying my best to recover the data. As far as the ransomware question, that's a highly debated topic; I don't know that that's something... The question, for those who are not in Discord, is the individual had an interview question where they were asked, if they were hit by ransomware, whether they would try to pay the ransom to recover the data. From my perspective, it's a situation-by-situation basis. Most people will always say you never pay the ransom, and that tends to be my own viewpoint as well, simply because it may be destructive malware, and unless you truly understand what you're dealing with, you may never get the information back anyway.

"Can you tell the sources for source code?" Source code is like GitHub repositories, Bitbucket repositories, those types of things. You're typically gonna find, if you know the service you're looking for and you're doing searches through that, that's gonna be how you're gonna find those open public repositories. So that's just kind of the two bits I have for that.

"What tools or frameworks do you use to track results from open source intelligence?" Like I had said, I kind of keep my own thing; I just have a list of scripts that I kind of use. Maltego is a good one for compiling that, I've heard, and there are quite a few other sources and tools out there that you can use to bring it all together. Like I said, by and large, since I'm kind of moving through these quickly, I just use what I'm comfortable with, which is the scripts that I wrote. So

All right, and I don't see any other questions. Anything else?

It looks like: "What is your favorite overall open source intelligence tool?" and then the tool list. Looks like over in the regular Zoom chat, I don't know if you see those yet, or... I see, oh, there we go. "What's your favorite tool overall for open source intelligence?" As far as favorite tool goes, like I said, I tend to use, there's a ton of open source tools out there, as I listed through the slides. Probably the ones that I use the most are gonna be around, probably, PassiveTotal, which I use a lot if I'm in the system information phase, direct linking information. I have, like I said, I've got a lot of custom stuff that I've written along the way that there are much better tools out there to do, but it's just one of those things when you're in the moment. At least for me, I tend to be really bad about that: I'll be in the moment and I'll just craft a tool to handle the situation that I'm in right at that moment instead of going out and trying to find a tool that I can familiarize myself with. So I have a lot of those, but I would say that probably the most commonly used tool that I'm using frequently for open source intelligence is probably PassiveTotal, together, like I said, with that DNS loop, getting that information, identifying the IP addresses, pulling that back together. They have both a free and a paid version, but I've just stuck with the free portions there.

All right, well, if there are no other questions, feel free to reach out to me. I'll be in Discord for a little bit, so feel free to hit me up there; it's brycie there. Yeah, and thank you all for your time.
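
Two pieces of the talk's defensive advice fit naturally into one routine check: the recon loop turns up hosts the client didn't realize were public, and a database or file-sharing port sitting beside a public web server should simply be killed externally. The block below is an added example and is not code from the talk or from Avertium: it takes an export from a public scanner in a simplified flattened shape (the real Shodan or Censys JSON fields are not reproduced here) and compares it with the defender's own inventory, reporting hosts the inventory does not know about and services that are exposed but not on that host's allow-list. All addresses (RFC 5737 TEST-NET), hostnames, ports and banners are constructed.

```python
"""Compare a public-scanner export with your own asset inventory to find forgotten
hosts and services that should not face the internet.
Added example, not code from the talk; every host, port and banner below is constructed."""
from typing import Dict, Iterable, List, Set, Tuple

# Ports that should essentially never be reachable from the internet: databases
# plus the file-sharing and remote-admin services behind many "forgotten host" incidents.
NEVER_PUBLIC = {
    3306: "mysql", 5432: "postgresql", 1433: "mssql", 27017: "mongodb",
    6379: "redis", 445: "smb", 3389: "rdp",
}

# Constructed inventory: IP -> (hostname, ports that are intentionally public).
INVENTORY: Dict[str, Tuple[str, Set[int]]] = {
    "203.0.113.10": ("web01.example.test", {80, 443}),
    "203.0.113.11": ("mail01.example.test", {25, 587, 993}),
}

# Constructed records in the shape of a flattened scanner export (one record per
# open port). Not real Shodan or Censys output; the field names are assumptions.
SCAN_EXPORT = [
    {"ip": "203.0.113.10", "port": 443, "product": "nginx"},
    {"ip": "203.0.113.10", "port": 3306, "product": "MySQL 5.7"},   # DB beside the web server
    {"ip": "203.0.113.11", "port": 25, "product": "Postfix"},
    {"ip": "203.0.113.11", "port": 445, "product": "Samba"},        # SMB on a mail host
    {"ip": "203.0.113.42", "port": 22, "product": "OpenSSH 7.4"},   # host nobody inventoried
    {"ip": "203.0.113.42", "port": 8080, "product": "Jenkins"},
]


def unknown_hosts(scan: Iterable[dict], inventory: Dict[str, Tuple[str, Set[int]]]) -> List[str]:
    """IPs the scanner sees that the inventory does not know about: the
    'forgotten external host' case the talk warns about."""
    return sorted({rec["ip"] for rec in scan} - set(inventory))


def unexpected_services(scan: Iterable[dict],
                        inventory: Dict[str, Tuple[str, Set[int]]]) -> List[Tuple[str, int, str, str]]:
    """(ip, port, product, reason) for each exposed service on a known host that is
    either on the never-public list or absent from that host's allow-list."""
    findings: List[Tuple[str, int, str, str]] = []
    for rec in scan:
        ip, port, product = rec["ip"], rec["port"], rec["product"]
        if ip not in inventory:
            continue  # reported separately by unknown_hosts()
        name, allowed = inventory[ip]
        if port in NEVER_PUBLIC:
            findings.append((ip, port, product, f"{NEVER_PUBLIC[port]} must not be public on {name}"))
        elif port not in allowed:
            findings.append((ip, port, product, f"port not in allow-list for {name}"))
    return sorted(findings)


def report(scan: Iterable[dict] = SCAN_EXPORT,
           inventory: Dict[str, Tuple[str, Set[int]]] = INVENTORY) -> Dict[str, list]:
    """Both checks in one structure, suitable for diffing against last week's run."""
    scan = list(scan)
    return {
        "unknown_hosts": unknown_hosts(scan, inventory),
        "unexpected_services": unexpected_services(scan, inventory),
    }


if __name__ == "__main__":
    for section, items in report().items():
        print(section)
        for item in items:
            print("  ", item)
```

Run on the constructed data it reports `203.0.113.42` as an uninventoried host and flags MySQL on the web server and SMB on the mail host; the allow-list per host is what makes the check actionable, because "port not in allow-list" is a question for the service owner, while "must not be public" is a firewall change.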