
How is everyone? Last talk of the day. Has it been a good first day of BSides? Okay. How many of you guys, is this your first time here? Awesome. Second time? Third time? How many people in here have been here all four years? Okay, a couple. Awesome. This is my third time at BSides. I also spoke last year, and it's a lot of fun. I love BSides. How many of you guys are staying for the after party tonight? Okay, a few. Should be more. Anyway.

Okay, so: Googling Like a Boss, expanding the powers of OSINT for both blue and red teams, or red and blue teams, whichever. Anyway, let me just quit rambling. My name is Ethan Dodge. I'm a Utah native; however, I currently do not live in Utah. I recently took a job in the Bay Area, and one of my contingencies on my acceptance was that I have to go to BSides Salt Lake City every year, and they said okay, so here I am. It's good to be back. This is the first time I've been back in Utah since I moved out there. I do DFIR for a company called Nuna Health. We're a healthcare company, obviously, from our name. I'm a perpetual learner. Follow me on Twitter if you'd like, and dodgesec.com is where I do some blogging, but I'm a terrible blogger, going to tell you guys that right now, so sorry. I'm a way better tweeter, and even at that I'm pretty bad.

So, Nuna Health. I doubt anybody in this room has heard of us unless you know me and know that I took a job at Nuna Health. Anyone in here heard of Nuna Health? I knew it, no one. So we work with government and self-insured employers to understand and improve how people use healthcare. That's just really fancy PR language for: we are a healthcare data warehousing company, and we also do some analytics on the data. Security is the foundation of our culture and our products. I was talking to a couple guys when I started: there were about 80 employees and there were eight security people, a tenth of the workforce. We're taking security very seriously because we are a health company and we kind of have to. We're accepting resumes. We don't necessarily have an open position right this minute, but we will in the coming weeks and months, so if you guys are interested, come talk to me after. I love what I do because I get to do some cool stuff like what I'm going to talk about here.

I'm throwing in a plug for my buddy Brian Warehime. Follow him on Twitter, Brian Warehime, and his blog is nsecure.org. All the research that I'm sharing in this talk, him and I did together, and we wrote this talk together as well. Also, just a fair warning, I gave this talk like verbatim at BSides San Francisco two weeks ago, so if you guys were there, I'm sorry, but hopefully you guys can enjoy it.

Okay, OSINT. By the raise of hands, who knows what OSINT is? Okay. Who is willing to tell me what the acronym stands for? Shout it out. Open source intelligence, okay. What is open source intelligence? Legal stalking? I like that. What did you say, Lean? "It depends on interpretation." Okay, yeah, both of those definitely fall into the category of OSINT. It's pretty much using information openly available to gather some sort of intelligence, whether it's intelligence on your brand, intelligence on a person, intelligence on an industry, whatever.

How many red teamers do we have in the room, penetration testers? Okay. And you guys use OSINT all the time before going into an engagement, I'm sure. You could use information such as social networks, public data records, leaked customer data. But how many of you guys in this room think that you've used OSINT at one time or another? Okay, I would imagine that was about half the room. I'd imagine almost everybody in this room has, because of our good friend Facebook. Facebook stalking, most common form of OSINT. Also, OSINT is very popular among overaggressive girlfriends or wives. Lean, was that you that said that? I'm telling your wife, she watches the videos.

Why OSINT? Private investigators, detectives, investigative journalism. How many of you guys are familiar with Brian Krebs? He uses OSINT all the time, in like every article he publishes, well, that I've read anyway. I don't actively follow him, but every article that I've read of his, he has used OSINT in some form or another. I know that if you guys have read his book Spam Nation, he uses tons of OSINT in there. He was crawling forums to try and track down the botnets that were spamming out fake pharmaceutical drugs, stuff like that. Criminal activity, law enforcement, also a very common use, and threat intelligence, as was already stated.

This is one of my favorites for explaining what OSINT is: it's not stalking, it's called being an internet detective, right? When you see a Facebook picture that piques your interest and you all of a sudden start going through their profile for the past three years, looking at every single profile picture, right? Who's done that? We've all done it. You guys are all guilty, I know it. It's not stalking, but it really kind of is cyber stalking. Disclaimer real quick: there actually is a really distinct difference between OSINT and stalking, depending on where you live. I'm pretty sure in the state of Utah stalking has to include some form of physical following, like you actually have to follow the person or persons somewhere in order for it to qualify as stalking. And yes, stalking is illegal, so don't do it, or don't say that I told you to do it.

All right, let's go over the basic workflow for OSINT. First step is we're going to identify the source, identify possible sources of intel. If you're a red teamer, I know one super common form of intel is LinkedIn. If you have an engagement to do a penetration test on a certain company, you're going to start looking at every single one of their engineers' LinkedIn profiles, seeing what sensitive data, specific data, they put on their profile. Then you're going to validate it, see if it's valid, see if it's true. Some people will put dummy data on their LinkedIn profile. And then you're going to automate it, and we're going to talk about automation a lot more later on in the talk. Analyze: does what you have collected apply to your target? If it doesn't, get rid of it, because it's just noise. Determine the probability of something being true. For instance, in the law enforcement case, determine the probability that this person really was at this place that they said they were. They said that they were here at the time of the scene, but they tweeted two minutes before the crime, and that tweet shows that they were right there. Apply confidence levels: we are 90% confident that this person was there at this particular time. And then generate new potential sources. It's kind of a spiral, a can of worms. You're going to get some, you're going to apply confidence, and you're going to want to find even more sources to raise those confidence levels, or to even diminish those confidence levels. If you're not so sure about something, you need to find something that'll tip the barrel. If you're only 50% sure on something, you need to keep looking so that you can either be totally sure it's not true or totally sure it is true. And then enrich: add context to the target, add probability, and develop a narrative. This person was here at this time of the day, and then they were here at this time of the day, and this happened, they were in this car crash, whatever. That's what developing a narrative is.

How many of you guys have ever used Maltego or heard of Maltego? Okay, awesome. Maltego is one of my very favorite tools, especially for open source intelligence gathering. It is a link analysis visualization tool. You have a web of entities, is what they're called. Let's say you're gathering intelligence on one specific email address. Then you could run different scripts that are called transforms, and it will show you relations to the potential names that this email address could belong to. Or if it's a person and you're trying to find out where they live, you could run a specific transform, or a script, that will form a web and show you potential addresses of where that person lives. You could visualize relationships. Common terms within Maltego: entities. Every single point on the graph (I have a screenshot of a graph here in a couple of minutes, it'll make a little more sense) is known as an entity, whether it's an address, a person, an IP address, whatever. A transform, I like to think of transforms as scripts, because that's essentially what they are. That is the script that is actually going out and trying to find the data that you are looking for, trying to find correlations and draw conclusions. And a machine is just running several transforms.

Here's a transform example. This is a really common transform. Just by looking at it, can anyone tell me what it's doing? Yeah, that just went out and grabbed the DNS records for reddit.com. How many of you guys have ever developed your own transform? Really? Okay, well, let's go over it really quick. It's super easy, and you can do it in pretty much any language; you just have to point Maltego to the correct binary. I like Python, so I'm going to go over it in Python. They give you a nice Python library called MaltegoTransform, and you just say from MaltegoTransform import *, or whatever module you want to import. Then you have to create an object, and that object parses the system arguments. Each entity in Maltego is taken as a system argument, as if you were passing it through the command line if you were running the script from the command line, such as this one: location = sys.argv[1]. Then you call the object and you have to return the output so that it will actually display on the graph.

Shameless plug here. How many of you guys have heard of a Maltego transform called Gavel? Lean, the only one? Oh, I saw someone else. Shameless plug, because myself and Brian developed it. What it does is it digs up court case records from individual states. We only have it working for a few states right now. It works for Maryland and Delaware and I think one other state. We're working on all 50 states, but the pain is some of the states have their court cases filed per county rather than per state, such as the state of California. They have tons and tons of counties, and so that's a lot of code to write. But it is on GitHub and we would love your help if you're interested in helping us out with it. What it does: different states store different information (excuse me, got the hiccups here) for every single court case. When you get pulled over, there's a court case file with that, and that is public information. Maryland, when you get pulled over, they store your license plate number in the court case record, so if you got pulled over in Maryland, I could go in and see the license plate of the car that you got pulled over with. North Dakota, this is sad, stores the last four numbers of your Social Security number. So anyone here from North Dakota? No? I've never met anyone from North Dakota, but if you're watching, write your congressman and get that fixed, because that's sad. Tons and tons of sensitive information. There's the link right there: you just go to Brian Warehime's GitHub and go to the Gavel repository. We have a table on the README that shows the states that we have completed, and we would love your guys' help. Here's an example of what it looks like in Maltego. You've got Brian's name right there, and it shows two addresses that he was associated with and three license plate numbers. Yes, this is dummy data, this is not real. I tried to convince him to put the real information in, but he wouldn't. I don't know why. Anyway.

Okay, story time. Some people put some pretty stupid stuff online, let's be honest, right? How many of you guys have ever seen this? Yeah, there's a whole Twitter account dedicated to retweeting this stuff. People will post their license plate, not their license plate, their driver's license, their credit card, anything with sensitive information, and this Twitter account will retweet it. There are dozens of these accounts. How many of you guys went to Metacortex's talk earlier today? He talked a little bit about being stupid on GitHub. I think he talked specifically about that, and in fact I stole this screenshot from him. So anyway, how many of you guys have seen this: committing the /etc/shadow file to GitHub? That's scary stuff. That's the kind of stuff that keeps me up at night. I don't know about you guys. I'm sorry, DevOps loves to commit /etc/shadow files to GitHub, yep, and then keep us up at night, right? DevOps and security, it's an ongoing battle.

Okay, so this is the story that I'm going to tell here. I was contacted by a local university a few months back and asked to speak on OSINT and Maltego. We were going to be speaking to their infosec club, and we thought it'd be fun to try and dox somebody in the club, dox meaning dig up as much information as we could about this person and show them the real value of OSINT right there during the talk. There was a person in this club that I had met previously that we thought would be a pretty good target, and so I emailed this person and asked if that would be okay, and they said yes. I don't know how well you guys can read that text. Anyway, basically she just says, oh man, I was trying to hide the gender, oh well, basically she just says yeah, that's totally fine, there's a couple Pastebin leaks out there with my password and stuff, but nothing worse than that. Quick disclaimer: I have written documentation that she is okay with me sharing this at this conference. There is a fine line between gathering intelligence and then sharing it with other people, and you can definitely cross that line if you don't have prior permission. And I do.

So anyway, start with the best source of data. We looked at this girl's Twitter profile. She had something like 60,000 tweets, and she tweeted an average of something like 16 times a day, and almost all of them in the past three months or so had geolocation data enabled on them. So we went to Twitter. We needed a way to parse through all the data, so we automated it. We identified, validated, now we analyze. This is the code that we used. This is a Python function. Twitter only allows you to grab 200 tweets per request, and then they only allow you to pull the past 3,200 tweets. So what this guy does is it's just going and grabbing the past 200 tweets, and you'll notice I'm keeping track of the ID number of each tweet, because I'm going to pass it to this function later on. The ID number is important; I keep track of it so I can go back. I could grab 200, then grab another 200, then another 200, another 200, so that I don't overlap tweets. So we pulled all the tweets and looked at all the geolocation data, and we plotted it out on a map. Where do you guys think that is? What was that? Home. That is where she was living at the time. So this was fun.

Another quick disclaimer really quick: yes, I could be totally making this all up, because I censored all of these screenshots for her protection so that no sensitive information would get out there. So you guys are just going to have to trust me that this really did happen. So what this function does is it gets all the geo information from all the tweets, and then it passes those latitude and longitude coordinates to the Google Maps API. How many of you guys have ever played around with the Google Maps API? If you pass it a pair of latitude and longitude coordinates, it has a function where it will spit back a street address. So we did that. In Maltego we added a part where the thicker the line... so it had her Twitter handle, right, and then it had a bunch of lines, you'll see in the next screenshot here, and you'll see some are thicker and thinner than others. The thicker the line, the higher the confidence, which essentially in this situation means that there were more tweets from that location. Those are five street addresses that came back from her Twitter profile. I know it looks like I could totally make it up, but I promise you that's what's blacked out there. So we were able to find where she lived, we were able to find where she spent most of her time on campus. We did not go this far, but we definitely could have: we were trying to find out what her school schedule was based on where she tweeted on campus at what times. We didn't have enough data to do that, nor did we really try hard enough; we just messed around with it.

Then there was this transform. How many of you guys have ever heard of haveibeenpwned.com? Okay, so haveibeenpwned.com will allow you to just put in an email address, and then it'll spit back any data breaches that your email addresses have been involved in. She was involved in this one particular data breach. Anyone know what that big long string is down there at the bottom? That is a password hash. So this transform, what it did, rather than using the web interface for Have I Been Pwned, it just used the API. It went to Have I Been Pwned, we gave it her email address, and it came back with a password hash. That password hash is unsalted, so salt your hashes, people. And that's what it comes out to be. We were able to find a rainbow table online and crack it. And when we did that, we kind of looked at each other and said, okay, we have a lot of power here in our hands. Let's take a step back, and before we go any further we need to tell her, right? Well, not necessarily tell her about the password. So I sent her an email and I said, hey, we've gotten to a point in this engagement where we're hitting a bit of a gray line. We want to attempt to log into some of your online accounts. Are you okay with this? She comes back and says yeah, go ahead, that's fine, I don't have anything too embarrassing.

So we go, we take her Twitter handle, we throw it into knowem.com. Any of you guys familiar with this website? You just throw a handle in there and it will come back and tell you if that handle is available or taken on certain websites. This is just a sample. It really has hundreds, maybe even thousands of sites that it queries for that handle. Anyway, she had a unique username, and, well, I guess it wasn't unique, because she was using it across all the websites. Anyway, so we were able to go in and log into a few of these websites using that password, and we got this type of information. That credit card was expired, but we were able to verify that we got the correct home address for her, because the billing address was the same that we had gotten from Twitter. There we are in her Reddit profile, or it could be my Reddit profile just with a black square over my username. You'll just have to believe me on this one.

Here's a list of all the things that we found. So we found her home address via Twitter and Etsy. That credit card information that I just showed you guys, that was from Etsy. We were able to determine some of her class locations, and had we had more data, we definitely could have done more. We were able to get her password. We found her close friends based on who she was communicating with the most on Twitter and Instagram. She also made a nice little list for us on Twitter that was called "close friends," so that was easy. We were able to verify her job history, LinkedIn and Facebook. We were able to get her home IP address based on her login history on Reddit, which was really cool, and you can imagine the damage that you could do with that. We were able to verify her birth date, where she got her hair done, because she tweeted it out. We were able to get the addresses to her parents' home. We were able to determine how many members there were in her family, and we were able to get all of their names as well, via those sources. So it was a lot of fun. That was my first offensive engagement, and I had a lot of fun.

You red teamers out there, what would you do with all of this information that we had gathered? Put it in a report, okay. What would you try before you actually finish the engagement, though, with all this information, say she worked at a company that you were spear phishing? Phish all the things, right? Or social engineering. So we did try and phish her with this information. She opened the email but did not click the link. However, she did think the email was legitimate and for whatever reason just chose not to click the link. So that was a win on her part.

So the OSINT use cases for red teaming are fairly obvious. How many of you guys have ever thought of using OSINT for blue teaming? Yeah, okay, a few of you guys. How would you guys use it? I'm curious. Okay, perfect. Seth, what? Same thing. Anyone else? Understanding attackers, perfect.

So, any Johnny Cash fans in here? I'm not a Johnny Cash fan, I just thought it was clever with what I'm about to say. What I'm about to go over is a very, very fine line. Monitoring employees and their behavior online can be a huge privacy concern to a company. You should not do this lightheartedly. You should not do it without consulting first your CTO, your privacy officer, your CSO, whoever, or your legal team, whoever it is that's over privacy. They should be heavily involved with this decision, should you choose to go this route. Also, another fine line to walk is, I'm not going to suggest that you tell your users "you can't be posting this kind of stuff online," but you guys will see later what I will suggest.

So Twitter. How can we use Twitter in a blue team situation? See if public activity from any of your employees is malicious. Are they spilling company data? Are they following competitors? Following competitors is really not that big of a deal, but are they talking with competitors? Are they talking about your brand? Are they misrepresenting you? Instagram, kind of the same thing, but Instagram is also interesting because it's solely pictures. People posting pictures that have them wearing their work badge and they don't realize it, or is there a password written on the whiteboard behind them in the picture (there should never be a password written on a whiteboard), or network diagrams, right? Are they just oblivious to their surroundings, taking a picture in the office and saying, oh look how much fun I had in the office today? Automating the analysis of photos is a little difficult, but I'll go into how you can accomplish that a little bit later.

GitHub. Danny, or Metacortex, went into a great deal about this earlier today. Are they committing sensitive files? Are they committing proprietary code? No, I'm not going to ask you to raise your hand if that's happened to you. Are they committing company info? One time I was participating in a CTF on the red team, and we found one of the blue teams' shared GitHub repository. Lean's laughing because he was on the red team with me. We found their GitHub repository where they were collaborating for the CTF, and there we found their emails and phone numbers, and we had a good time prank calling them. So are your employees committing info that should not be out there publicly on the internet? Facebook, kind of the same thing as Twitter: is any of the public activity malicious, are they friends with competitors, are they talking about your brand?

Brand monitoring. This is very interesting. I'm actually in the middle of writing a separate talk on this topic of monitoring your brand and reputation via OSINT. How many of you guys have ever heard of Scumblr by Netflix? Okay, we got one person back there. Have you used it? No? Okay. What Scumblr does, basically, you could tell Scumblr to go look for this email address, or any email address at mycompany.com, or you could tell it to go look for pretty much anything, and then you give it a list of sources where you want it to look, and it will come back and say, I found this on this page. For instance, if you wanted to monitor the dark web, a forbidden place where we never ever go, to see if the attackers are talking about your brand, and one of your keywords is your company's name or one of your domain names or something, and that comes up in some known hacker forum, Scumblr will alert you on that. You can monitor chatter, or monitor for your name, stuff like that. Like I said, I'm in the middle of writing a whole other talk about this and in the middle of researching this topic.

Rate employees. So in this particular situation, this girl that we doxed, like I said, I'm not telling you to go up to employees like that and say you can't be posting this much online, because that's really none of the company's business. But you could rate her and say she is very active online, we are going to monitor her much more than this person who doesn't really do that much stuff online. And therefore, if an alert comes from her through your SIEM, it'll be a higher alert, a higher criticality, and then you could correlate as well via your SIEM.

So here's another shameless plug. Interrogator is a web application that we at Nuna are planning on developing. Basically, our vision for it is that it will be Maltego in web form. You will give it a person's name, a Twitter handle, a domain name, whatever you want, and it will perform continuous OSINT monitoring of your workforce. You'll be able to visualize relationships via a graph database like Luma or Neo4j, something like that. We hope to have at least an alpha or beta version out by mid-2016. We are very excited about it. We're going to open source it, because there's a lot of tools out there available, but they cost a lot of money. Have any of you guys heard of LexisNexis, or what was the other one that they told me? Anyway, there's a bunch of tools that law enforcement use, but they cost a lot of money because government is willing to fork out that money. So this is meant to be an open source, community-driven project so that everybody can have access to this type of information.

How many of you guys have ever heard of Justin Seitz? He wrote the books Gray Hat Python and Black Hat Python. There go the head nods, okay. He does a lot of OSINT, and this is from his blog: "Automatically Finding Weapons in Social Media Images, Part 1." He just recently published part 2 as well. Basically, in this article he goes through and shows you how you can use different services online to identify objects in pictures. As he states here, he's specifically looking for weapons, because he likes to track gang activity and other geopolitical military activity, but you could also apply this to your workforce: is there a network diagram, like I said, in the picture, or is there a badge, or some other type of sensitive information that you want to look for? I would highly recommend going and reading these two articles.

So just some recommendations real quick. I highly recommend following Justin Seitz on Twitter, as well as the Grugq. How many of you guys have ever heard of the Grugq? He is also very big and heavy into OSINT. automatingosint.com is Justin's blog, and bellingcat.com is one of my very favorite websites. They are investigative journalists, more focused on the geopolitical activity happening in the world, but they use completely open source investigations, and I really like reading it because it helps me get the wheels spinning in my head about how I can possibly use OSINT in my day-to-day job.

Any questions? No? Yeah, yeah, sorry, go for it.

We were using the Community version, yeah, because most of those transforms that we were using we just wrote ourselves, and that's all you need. Good question. Any other questions?

Yes, yeah, it's going to take some time. When we first started it, we didn't realize how big of a can of worms we'd just opened. We just went to a couple of states. We started out with Maryland and Utah, because that's where we're from, and they both do it by state, and then when we dove into other states, we tried to do it for Arizona and California, and they file it by county. So really, the only way that I think we can accomplish it is through the help of other people in the community. I would love to be able to get all 50 states, but to be honest with you, I don't know how realistic that really is. But I think our vision and our goal is that as someone needs information for a certain state or county, they would work with us and develop the transform.
Yeah, so specifics like that, I'm not 100% sure how it works. I think that would depend and vary by state, if an officer actually does file a warning or if it's just a verbal warning. I don't know. But great question. Any other last questions?
Yes. So in order to search court cases in Utah online, you have to pay like a $25 or $50 fee or something like that, but you can go to any county courthouse and search the records there for free and print them out. That's what we ended up doing in our engagement with this particular person. But to be honest with you, this whole thing is a total pain, because of course these sites that hold the court case records don't have APIs, and so we're just using Beautiful Soup to parse through the HTML. This guy's laughing because he's used Beautiful Soup before. It's not a whole lot of fun, but it's awesome data once we actually do get it. Any other questions? No? Come find me after if you do have another question. Oh yeah.
Lean, yes. In fact, I've written a couple, yes, and that's actually how we were able to verify her parents' address in this particular situation, was through the county records. So when somebody buys a house, that purchase goes on public record, and anyone can go and look that up, but that is also by county, which is also a pain. So in our situation we're just kind of doing it as needed, but it's a great correlation tool. Any other questions? All right, if you guys have any, come find me, or you could hit me up on Twitter. My email is ethan@nuna.com, and be sure to check out my blog. Thanks, guys.
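The timeline-paging and location-confidence step the talk describes (200 tweets per request, walking back with the tweet ID so pages never overlap, stopping at the 3,200-tweet limit, then weighting each spot by how many tweets came from it), written out as an added example for auditing how much location a public timeline gives away; this is not the speaker's code. FakeTimelineAPI stands in for Twitter's user_timeline endpoint, and every tweet, ID and coordinate in it is constructed.

```python
"""Geotag-exposure audit for a public timeline (added example, offline).

Pages a timeline the way the talk describes: 200 tweets per request,
walking backwards with max_id so no page overlaps the previous one,
stopping at the 3,200-tweet cap. Geotagged tweets are then grouped by
location and scored, which is what the thicker Maltego edge represented.
FakeTimelineAPI is a constructed stand-in for the real endpoint.
"""
from collections import Counter
from typing import Dict, List, Optional

PAGE_SIZE = 200       # Twitter returns at most 200 tweets per request
TIMELINE_CAP = 3200   # and will not page back past the last 3,200 tweets


class FakeTimelineAPI:
    """Offline stand-in for user_timeline(count=..., max_id=...).

    Holds constructed tweets, newest first, and honours max_id like the
    real endpoint: only tweets whose id is <= max_id are returned.
    """

    def __init__(self, tweets: List[Dict]):
        self._tweets = sorted(tweets, key=lambda t: t["id"], reverse=True)

    def user_timeline(self, count: int, max_id: Optional[int] = None) -> List[Dict]:
        page = [t for t in self._tweets if max_id is None or t["id"] <= max_id]
        return page[:count]


def fetch_all_tweets(api, page_size: int = PAGE_SIZE, cap: int = TIMELINE_CAP) -> List[Dict]:
    """Walk the timeline backwards one page at a time without overlap."""
    collected: List[Dict] = []
    max_id: Optional[int] = None
    while len(collected) < cap:
        page = api.user_timeline(count=page_size, max_id=max_id)
        if not page:
            break                       # reached the oldest available tweet
        collected.extend(page)
        # The detail the talk stresses: remember the lowest ID seen and ask
        # for everything *below* it next time, so no tweet is fetched twice.
        max_id = min(t["id"] for t in page) - 1
    return collected[:cap]


def location_clusters(tweets: List[Dict], precision: int = 3) -> List[Dict]:
    """Group geotagged tweets by rounded (lat, lon) and score each spot.

    precision=3 rounds to roughly 100 m, enough to separate a home from a
    campus building. 'confidence' is the share of all geotagged tweets
    posted from that spot; the more tweets, the thicker the graph edge.
    """
    counts: Counter = Counter()
    for t in tweets:
        geo = t.get("coordinates")      # constructed format: (lat, lon) or None
        if not geo:
            continue                    # untagged tweet, nothing to learn
        lat, lon = geo
        counts[(round(lat, precision), round(lon, precision))] += 1
    total = sum(counts.values())
    return [
        {"lat": lat, "lon": lon, "tweets": n, "confidence": n / total}
        for (lat, lon), n in counts.most_common()
    ]


def build_sample_api(n_tweets: int = 450) -> FakeTimelineAPI:
    """Constructed timeline: 450 tweets (ids 1000..1449), 60% geotagged.

    Four in ten are tagged at a 'home' spot, two in ten at a 'campus' spot,
    and the rest carry no geotag. Coordinates are made up for the example.
    """
    home = (40.7608, -111.8910)     # constructed
    campus = (40.7649, -111.8421)   # constructed
    tweets = []
    for i in range(n_tweets):
        coords = None
        if i % 10 < 4:
            coords = home
        elif i % 10 < 6:
            coords = campus
        tweets.append({"id": 1000 + i, "coordinates": coords})
    return FakeTimelineAPI(tweets)


def audit(api) -> List[Dict]:
    """Full pipeline: page the timeline, then rank locations by exposure."""
    return location_clusters(fetch_all_tweets(api))


if __name__ == "__main__":
    for c in audit(build_sample_api()):
        print(f"{c['tweets']:4d} tweets ({c['confidence']:.0%}) near {c['lat']}, {c['lon']}")
```

Each cluster's coordinates are what the talk handed to the Google Maps reverse-geocoding call; plugging a real client with the same count/max_id semantics into audit() gives the same ranking for an account you are authorised to review.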