
OSINT Track: The Subtle Art of Not Giving a F*ck | Sagar Tiwari & Shubham Sharma | BSides Mumbai 24

BSides Mumbai · 33:32 · 1.3K views · Published 2025-03
Category: Technical
Style: Talk
About this talk
BSides Mumbai 2024 - OSINT & Cyber Investigation Talk

Sagar Tiwari (Independent Security Researcher) and Shubham Sharma (Senior Information Security Analyst) take you into the world of OSINT (Open-Source Intelligence) tracking, sharing bold insights and unconventional techniques for uncovering digital footprints while staying under the radar.

What you'll learn:
Advanced OSINT techniques for tracking threats
Real-world case studies & investigations
How to stay discreet while collecting intelligence

Speakers:
Sagar Tiwari (Independent Security Researcher), LinkedIn: https://www.linkedin.com/in/sagar--tiwari--/
Shubham Sharma (Senior InfoSec Analyst), LinkedIn: https://www.linkedin.com/in/shubham--kumar--/

Event: BSides Mumbai 2024
Topic: OSINT Tracking - The Subtle Art of Not Giving a F*ck

Follow Us for More Updates:
Official Website: https://www.bsidesmumbai.in/
LinkedIn: https://in.linkedin.com/company/bsidesmumbai
Instagram: https://www.instagram.com/bsidesmumbai/
Twitter/X: https://twitter.com/BSidesMumbai
WhatsApp: https://chat.whatsapp.com/FOLa4NT7zHQ7AoDx4CgwEa
Discord: https://discord.gg/2KRGQWBGR3

We have Sagar Tiwari, a security researcher, and Shubham Kumar, Senior Information Security Analyst at TransUnion. They will be discussing OSINT tracking: the subtle art of not giving... let the speakers let you know. So Sagar Tiwari is an enthusiastic learner and cyber security researcher, and he has written and published over 50 blogs and articles, and he's an OSINT lover, you will get to know more about it, and he's also a SANS speaker as well. So next up with him, his co-speaker will be Shubham Kumar, who's also a passionate cyber security researcher and an OSINT researcher. So give them a big round of [Applause]

applause. Hello everyone, good morning. I hope you are awake. So without any further ado, let's start with that. So, as quoted: "I don't have money, but what I do have are a very particular set of skills, skills I've acquired over a very long career, skills that make me a nightmare for people like you." These iconic lines by the famous actor Liam Neeson from a movie called Taken are not just memorable, they are what is defined as OSINT. We use our set of skills in order to track some things. For example, there are small details that make the part of a bigger story, isn't it? So we use all of our skills in order to navigate the

intricate web of cyber security in order to form the actionable intelligence. So consider yourself that you are sitting comfortably in a corner, or right now as you are sitting, and with your browser open you can actually access a CCTV camera or even track a giant floating vessel, and that too from the comfort of your seats, actually, right? This doesn't sound like a scene from a movie... oh, thank you. I hope, suppose, say there. Okay, now this doesn't sound like a scene from a movie or from a show, that is Mr. Robot, from which we are both inspired and we have done our research too. Well, this is today's reality, and with that we would like you

to, welcome to our talk, and that is OSINT Tracking: The Subtle Art of Not Giving a F***. Now, as they say, with great power comes great responsibility. That is why we would like to give some disclaimer, and that is: the content discussed on this platform is meant for educational purposes only, so please use it wisely. The misuse of any information provided herein shall be the sole liability of the abuser. And disclaimer two is that this talk also bears no authorization from speakers' employers, and that is TransUnion. Now, having said that, let's move to our L story, and for that we have Sagar. So before we hop into the OSINT tidal waves

and learn more about it, let's take a moment to step back. Let's just understand how two security guys, that is me and Shubham, who were passionate about cyber security, suddenly hopped into the field of OSINT. Well, it was the time during the pandemic when we all were strangled at our homes. At that time we decided to form a team called fsociety, and with my colleagues and friends, including Shubham, we participated in multiple international competitions. While solving multiple challenges and stumbling across the problems, we faced a problem of OSINT, and specifically OSINT tracking. That particular field piqued our interest because it was quite fascinating and new, and while researching, doing more work, and over the

period of span and years, with the working cases, we get to get you the OSINT tracking. So that's what we do: we OSINT and we know things. So before we start, let's just make a boilerplate line of what this talk is going to be about, you know, expectations and what not to expect. So this talk consists of all the tools, resources, tactics and techniques that we have used over the span of years and working on the cases, which will introduce you to the field of OSINT if you have not heard about it, different segments of OSINT, how vehicle security, vehicle OSINT, you know, maritime OSINT works, definitely multiple things. Apart from this, you know, one thing to make

sure is that you will be learning about the techniques and about the critical and analytical thinking that is required, because, you know, you can get data from these tools and resources anywhere, but you need to know the point, you need to know the pattern, that is, going from point A to point B. So we try to bring that perspective to you. Moving forward, you know, yeah, so more of an obligatory slide of who am I. So my name is Sagar Tiwari. I'm an independent cyber security researcher, an OSINT investigator, a cyber journalist. I write and create content for multiple publications around the globe. I've shared the stage with Shubham Kumar at multiple respected, you know,

conferences like SANS OSINT Summit 23, 24, DEF CON DC91, as well as GrimmCon 0x7. Apart from this, I lead a CTF team from India called s and I go by the alias name L m87. Well, over to you, Shubham. My name is Shubham, currently employed as a Senior Security Analyst at TransUnion. Besides that, I'm also a cyber security evangelist and an OSINT enthusiast, and in particular we have given multiple talks on OSINT at various conferences, which are namely SANS OSINT Summit 2023 and 24, and other than that DEF CON DC91, where we have also taught multiple people at different universities regarding OSINT and cyber security portions, and have been playing CTF in the team fsociety and going by the name

flamex. With that, let's set our agenda today, and that is the table of contents. So starting with that, we will go with what is OSINT, understanding the basics of it. Then we will move to the relevance of it, why it is so important. Then we will understand the 101s. Please take care of that, because the 101s are the ones that you can plug into the other OSINT stuff that we are going to discuss after, and that is the social media analysis, vehicle OSINT, maritime OSINT, OSINT for aircraft and signal OSINT. And in the end, to top it all, we have the conclusion so that you can grab what we have discussed

till then. Now starting with our journey, and that is what is OSINT. Now how many of you are here that know a bit about OSINT? Just raise your hands. Okay, that's nice. So OSINT is basically an art. It is more of a technique where you analyze, collect and disseminate the information that is from the publicly available resources, and since it is from the publicly available resources it is very fast. It is indeed the fastest out there; it runs like fire everywhere. OSINT is basically being utilized by everyone, whether it be threat intelligence, as they have discussed before, to the law firms, to the militaries and to the government agencies. Everyone uses it, and

since OSINT in itself is so powerful, that is why it is so relevant in today's time. As you can see, there are some of these news clips. Has any one of you heard about this? Just raise your hands if you can read and associate with any of those news headlines. I will give it a moment. Okay, so if you have been following the geopolitical scenarios that have been constantly going on, then you should know that there are vessels that are being targeted by different pirates out there, and since a lot of global trade happens through that, that is why OSINT becomes a lot more important. Other than that, there is a very grave news, and that

is "Influencer, 23, shares lunch on Instagram, attacker finds and shoot her", and this is not something which is months old; it's some days old that we have seen. And it was mostly because OSINT is not just utilized by us as good people but also by the adversaries. That is why we need to arm ourselves, we need to arm ourselves from the point of more than financial resources, but to an art which helps you to master it. Now we start with the 101s. So coming to the 101s, basically these are the techniques that are kind of mutual among different social media intelligence, vehicle intelligence and different segments. So starting with, we have the sock puppet

accounts, image reversing and the CCTV footages. Imagine a scenario: while you're traversing a social media account as an investigator, you know, you have a target, a person of interest. You don't want your digital footprint to be traced back down to you, and for that particular reason you use sock puppet accounts. So these are nothing but just an alternative identity of yours in the digital world, so your original one will be secured. To create these you can use temporary mails, which is one of the most famous ones, so, you know, you have to sign up on a particular account and you don't want to give your original email IDs. But if you want the more persistent accounts,

then you can go for the different mail servers, create different accounts in different regions depending upon, once again, the cases, as well as create the social media profiles accordingly on Instagram, Facebook, Twitter/X. As well as, apart from this, always make sure to use the virtual environment and, you know, Tor network, VPNs and everything other than that that can secure your network logs, because you don't want the attackers to know you. Moving forward, we have image reversing, which is another weapon in the OSINT arsenal for an investigator. So whether you are tracking a particular individual, vehicle, aircraft or maritime vessel, as we have discussed in the earlier talks at the

SANS OSINT Summits, image reversing can be pivotal and very much useful. So let's take a scenario. You know, there was an investigator who had a particular set of skills and the right set of tools, who was able to geolocate a particular place just by looking at an image, an image of an electrical wall socket in a room. In another case, an investigator was able to track down a particular building just by looking at an elevator menu panel. Well, you know, these kinds of image reversing tools are very much pivotal, especially when you're looking in the geospatial intelligence segment. So to do the image reversing there are multiple tools available online. You can go for TinEye,

PimEyes, as well as multiple search engines in different regions that have the reverse image searching capabilities available. But once again, the point boils down to this: it depends upon the case and which region you're targeting, and accordingly use a search engine. The CCTV footages are basically what we can call the borderlines for any kind of hacking movies or, you know, web series. Well, CCTV footages provide you a dynamic and real-time activity of what is actually happening, and as an OSINT investigator it becomes very much useful. But always make sure that when you are fumbling with these kinds of things, ethical reasons do come into play, so always make sure that you have the right set of

permission with authorities while using these kinds of things. To track these kinds of CCTV footages you can either use Google dorks or go for the Internet-connected search engines like Shodan, Censys or BinaryEdge. Apart from this, there are multiple centralized repositories that can be used that have the exposed cameras, CCTV footages as well as the webcams, so you can have the footage and have the real-time analysis. Well, that's it with the 101s; let's move toward the social media analysis. Okay, coming to the social media analysis. Now, most of the dynamic information that comes to you is from social media, as we said that it spreads like fire, right? So social media investigations or

analysis becomes critical in that sense. Having an email address with you, you can utilize platforms or sites like Have I Been Pwned or DeHashed. In general, these sites are not just meant to identify whether the account that you have has been in any of the data breaches, but if you take a closer look at that, then you can understand it forms a behavior pattern. For example, if there are multiple sites that are related to food, for example Domino's or Zomato, then it's a habit, that the person actually loves food, and if there are multiple sites associated in the data breach that are related to some pets,

then you can understand or form a bit of a pointer that the person also loves pets, in that sense. Not only this, since the email has been in data breaches, platforms like DeHashed can provide you information such as the username, the location or the passwords in plain text, and we have tested this on multiple of our investigations, where we were able to not just guess but see the password of a person, and that was in a plain one. Now the important thing to note down here is that once you get this username, you can use tools like Sherlock in order to see where that account has been used on different sites. Not only

this, there is a platform that is very famous, and that is WhatsMyName, and if you utilize it you can find much more of that information, including some of the sites which are not safe for work, if you know what I mean by that, right? And please understand that not all the information here will be 100% accurate, but it helps you to form a pointer, right? And once you have that information, for example in our case, we were able to leverage that even to the social media platforms such as Instagram, Twitter and Facebook, and not just that, TikTok in a sense. Yes, we have ways. I mean, everyone has, right? So

once we get to that point, then we were able to relate and form more behavior of the person, because people do have a habit of, oh, so sorry, they have a frequent habit of uploading their pictures on social media of with whom they are interacting, and thus you can form and say and take a look: okay, this is the person who has a connection with this one, I've seen this one too. And then it spreads like a wildfire, as we said. And not just that, people have a habit of posting out the pictures of what they love or where they are going on every single day, that is on platforms like

Snapchat, right? And these details can be harnessed in order to see the location of the person out there. Not just that, some people do have a habit, when they are going to travel to some place, that they upload a picture of their own airplane ticket. You give the information out there and then you are asking, right? But it does not happen that way. And also people upload a picture of their own vehicles with the vehicle numbers, and you can leverage or pivot that information to the vehicle OSINT part. Now vehicle OSINT in general is also very important because it helps you to analyze all this information that you have gathered till

this point. Now vehicle OSINT can start with VRM, or vehicle registration mark, or license plate in general. So if you take a closer look at the license plate, you will be able to analyze and see what information it gives you on a very small level. But when you use platforms like VIN decoders, and that comes with the license plate recognizing too, then you can get information such as the VIN number, if you can see, yeah, VIN number, and other than that the make, the model, year, etc. details. But please take a close look at the VIN too. Other than that, in India for example, you have the RTO that enable or they

provide you with the various VRM or license plate numbers. So when we were doing our investigations we were able to find even the owner's name out there in plain text, and other than that they have the challan information. It's more like ticketing information. But you say, why is it so important? Because it helps you to form the behavior pattern of a person. Why? Because if a person is found to be charged with intoxication during driving, then you know what kind of a person he is, and sometimes these tickets can also reveal information about the close associates of that person who are seen in or driving that vehicle too, and these help in the

tracking of those people too. Now coming to the VIN number. Now VIN number in general is a 17-digit alphanumeric number. It is very important; it's more like a fingerprint of your vehicle. Now the important thing is that it reveals a lot of information, and you can do a decoding by the manual method or through the online method. Utilizing platforms like VIN decoders again can help you to understand the vehicle aspects. For example, you can get details like the report summary, which tells you about the vehicle specifications too, like the make, the model, the engine, etc. But this information is okay, but also then you get the recalls and complaints and then the sales records. Recalls and

complaints, guys, are a very important aspect too, because they tend to tell you a kind of problem that is associated with the vehicle that can be harnessed. It has been done in one of the incidents; if you haven't read about it then please do. It's called the Kia Boys incident. It was an issue with the Kia cars and the Hyundai cars that were targeted mainly, and it was more of a trend on TikTok. Now other than that we have the sales records. Now sales records tell you the ownership of the person associated with that vehicle. Other than that you have the salvage records. Now these salvage records and ownership records tell you a brief history about the vehicle in

itself, which can be utilized for tracking purposes or even by the phishing people. Now the thing is that utilizing a platform like that Sim we were able to plug in this, or do a bit of an investigation on our VIN number, and we were able to get this information about a person, you see, something like this. And if you have been taking a note of the social media profiles that we were seeing, this is the same person, and that is the beauty of OSINT, guys, because it helps you to relate the facts from multiple facets and come to a point. You are able to analyze a person that the vehicle is

related to, and even in this we were able to find phone numbers, primary residence and another email address that was associated with that same person. Isn't it the beauty? It's not magic, it's OSINT. Now coming to the world of maritime OSINT. This is very important, and as I was saying, if you have been following some of the geopolitical scenarios and love doing that stuff, then you can utilize this information. For example, one of your loved ones is going on a ship and you want to see whether they are safe or not; you can utilize this one too. For example, you have the tool of AIS. Now AIS stands for Automatic Identification System. Now it's more of an automated targeting

system that helps the vessels to identify themselves within their vicinity. The important part here is that AIS, to give you a technical review, has basically a transponder in itself, which actually helps you to see what the vessels are nearby, and that works on two basic frequencies, that is 167 975 MHz to 162.5 MHz, with a bandwidth of around 25 kHz. Now the important thing to note down here is that this map, if you can see, reveals a lot of details about various vessels out there, right? And all these vessels are quite important because now you can

know that some of these are unidentified vessels, and that can be a part of some important features too, right? AIS also helps you to get different kinds of information, from the static to the dynamic. Static information is more like IMO, MMSI, vessel name, vessel type, everything, and the dynamic information is what you are interested in, that is the position and where it is going and the speed that it has, and it helps you to crack down on even the illicit activities that are going on. Now coming to the VSAT portion. VSAT in itself stands for Very Small Aperture Terminal, which is more like a satellite device based on a ship. Now it provides more bandwidth, with

a greater bandwidth control, greater connectivity, when the ship is in an offshore region, because AIS has some limited capability, because it has some range in itself, like it has a range of almost 20 nautical miles to 340, 350 nautical miles, which approximately relates to 30 to 500 and 600 kilometers, and this also depends on various other conditions. But VSAT provides you a continuous activity, and VSAT is being used not just by cruise ships but also by some of the military or the important vessels too in that aspect, and that is where it becomes very important. Now the thing that you can see is that we have utilized and seen two of

them, that Sailor 600, 800, 900. So utilizing platforms like Censys you can find all these VSAT terminals, and once you get into the IP addresses that are there, you can access the VSAT console, and it provides you a depth of information, I mean, and those are all dynamic, that is, they are constantly updating; they are not static in general. So you get the GNSS position, vessel heading, satellite position, etc., and these all require no administrative privileges. You don't have to exploit anything to get this information. Other than that, there is also a non-administrative access, which comes into the support section, which gives you some

of the static reports, that is days, weeks and months, and in these static reports, when we were doing our investigation, we were able to find 884 of these different fields that had information from the location to different other fields, and they were quite critical. And that is what we are trying to infer: that all this information such as AIS and VSAT helps you to see or identify these vessels which can be in grave danger, or do your bit of investigation on yourself. Now, keeping it aside, we will move to the ADS-B portion. So now, as you have seen already about the maritime vessels, you know, from the stormy seas, now let's move to the

fiery skies, and that is where we are going for the aircraft OSINT. Now imagine a scenario like, you know, you are an investigator and you have been tasked with a case where you have to find a particular person. Using social media you are able to find that this person is flying from one point A but unknown lenss of point B, but while you know their flight number you can track their flights. Well, that's a similar case, but, you know, let's take it to another level. Let's say now you have been tasked to track a private plane, a chartered plane that might be a part of some kind of illicit operations. Well, in that case they won't be going

to use the official runways and official airports; they will be going for the abandoned landing strips, which are obviously in the unknown parts. But what is happening is that the aircraft are continuously transponding and broadcasting the signals. Using specific tools and techniques you can track those aircraft down, and you will know exactly in which part of the world they're going to land and which landing strip they are going to use. For that, the technology that is used is called ADS-B, which stands for Automatic Dependent Surveillance-Broadcast. So automatic means that no human interaction is required for the transponders to work; dependent means it is dependent upon the GNSS satellites

like the GPS for its location; surveillance means location is being tracked all the time; and broadcast means that the information is being broadcast to the nearby vicinity aircraft as well as to the land-based stations. It operates on 978 MHz and 1090 MHz. As you can see in the top left corner, we have used one of the public-based resources, that is called AirNav Radar, where you can track the aircraft. As you can see, we are targeting one of the government-operated aircraft and we know which part of the world they are flying from and the flight route they are going to take. There are multiple other resources such

like Anar, like Flightradar24, as well as FlightAware. They all work on a similar principle, where they are being crowdsourced by the different users who support these kinds of web applications by supporting their broadcast information, like whatever their transponder has been feeding, they give this data to these servers and anyone can see this data. Now moving forward we have the ADS-B Hub. So ADS-B Hub basically aggregates the data from various receivers around the world. So why use this one? Well, there's a problem with these public-based resources that you have seen previously. The problem is that they come with the business plan; they want you to buy a

subscription to have the more advanced level filters and information. Apart from this, another problem that comes while working on investigation cases is that lots of information has been redacted, like if you have heard about the Musk plane case, where Elon Musk asked these web applications to redact their data from the servers. So while tracking any particular person of interest and, you know, aircraft of higher importance, it has become very much hard to track these things down using these online resources. But what happens with ADS-B Hub is that it is the data in the rawest and the purest form, so anybody with an antenna or receiver antenna and ADS-B decoding

software can show you this data from the servers. As you can see, there are thousands of servers that are tracking the aircraft, thousands of aircraft per second. As you can see in the top one, we have targeted one in Venice, Italy, which is tracking multiple aircraft in this vicinity, as well as we are getting much more data like the coverage area, so we can know which part of the sky has the highest density of aircraft. So imagine a scenario where you have to track a particular aircraft, you know a location, while the other resources might not give you the data, but using the ADS-B Hub you can know

which part from point A to point B the aircraft is flying. Apart from this, you can see in the charts and the tables that lots of other information like the ICAO, call sign, as well as vertical height, barometric altitude and different kinds of information are available that can be used in different forms of aircraft-based OSINT. Moving forward we have the ADS-B Exchange. Well, this resource is more or less similar to AirNav Radar or Flightradar24, but there is a catch. The catch is that this server does not redact any kind of information, and it becomes very much useful when you're tracking aircraft of higher importance. Let's just keep it in

that sentence only. So you can get lots of information about the aircraft, like the squawk code, which is very important, which is for the ATC transponders, for the ATC call center to know if an aircraft is in any kind of danger or emergency situation. So one of the particular filters that we are very much a fan of is, as you can see in the top image, there are thousands of aircraft there, but in the below image there are very few aircraft, because what has happened is that all the civilian aircraft have been redacted. Now we are looking at some of the government-operated aircraft, that not only includes the aircraft but also the

choppers, drones and different kinds of things. So while working on any kind of geopolitical investigations this becomes very much useful, because you know which part of the world has been introducing which kind of aircraft, what is actually happening, to understand it in the rawest and purest form. Well, that's all about the aircraft-based OSINT. Moving forward we have the signals. So OSINT for radio signals is not only crucial for the cyber security world but also for the purpose of intelligence. So if you're familiar with any of the movies that include intelligence, like The Imitation Game, they use the receiving antennas to listen to the signals, decode the signals and, you know,

hop, snoop into the live radio communication that is happening. Well, that segment covers something like that. So we are using SDR, which is software-defined radio, which is basically a replacement of the traditional and conventional hardware-based radio components for the modulation, demodulation and all the other works. But here we will talk about the WebSDR, that is the web version of the SDR, that are connected to the internet, and all the servers are available so you can track those particular radio signals. Well, before jumping onto that, let's have an interesting story of how we stumbled across the WebSDR. So while working on one of the cases we were looking at a forum on Reddit and we got to know about

a particular WebSDR at the University of Twente. That university has a good enough antenna and was listening to the radio signals of a conflict zone, of a war zone, and we were able to listen to the live radio communication that was happening between the two different parties. Covering this, a New York Times documentary is also available on YouTube. There were only a few hundred people around the world who were able to track these signals down. So in that segment it shows you how important WebSDRs can be when you're looking and snooping into the signals. So as you can see, in the top one we are accessing one of the WebSDRs, that is on the Goonhilly radio

station in the UK, that has a 25 m radio telescope dish that has been targeting and locked to the Qatar-OSCAR 100 narrowband SDR satellite, which is basically used for amateur radio communications as well as different parts. So by knowing the right set of frequencies and the modes you can snoop in, tune in to the right frequency sets and listen to the radio communication that is happening, which is quite crucial when you're working on an investigation case and you want to know what kind of actual events are happening. Moving forward, the radio signals are not only for the snooping part or just the listening part, but they can also be used to decode the

information. So as I've been saying about ADS-B for aircraft tracking, WebSDRs can also be used in this segment. So there are open source software like OpenWebRX that provide you the modes to decode the right set of frequencies and the data. So imagine a case like this: because there are only limited numbers of ADS-B receivers around the world, in a particular location X there might be and there might not be a receiver. But if an aircraft is going through that particular location and there is no receiver, there will not be data on any of the sites. But if you know a correct WebSDR in that area you can tune in to

that particular frequency and have that decoded information, which is not readily available anywhere on the Internet. Only you would be listening to it in the live time and decoding in the live time. So in that sense these kinds of WebSDR decoders are very much useful. Apart from this there are different modes like ACARS, for marine vessels AIS once again, as Shubham has covered, you can do in the similar manner. We have the FT8 as well as the pager device, which is quite used in the emergency industries like the healthcare industry and the FEDS industry, as well as the SSTV for the media signals to be decoded over the radio signals. So that's what about the

OSINT for radio signals, and let's move toward the conclusion. So you have to know that OSINT tracking represents a powerful tool for gathering intelligence, and specifically in today's world, that is today's connected world, you need to know that by leveraging the public information OSINT can be used to harvest lots of information, and currently in the geopolitical drama that is going on it has become widely important to understand, and as an investigation journalist it becomes more vital to know what kind of resources are available there. There are various resources, methodologies, techniques and tactics involved to do it, but it is always crucial to emphasize that you have to consider the privacy concerns that are required

with the OSINT activity. So you have to make your ethical standards high, because always remember: control can sometimes be an illusion, but sometimes you need illusion to gain control. And with that we would like to thank everyone, and thank you BSides Mumbai for giving us this opportunity. This is me, Elli m87, he's playmax, this is my team curs Neo Mac fan D. Thank you sh