
It's not stalking, it's investigating

BSides Belfast 2017 · 42:43 · 223 views · Published 2017-10

Transcript [en]

So this is kind of an impromptu talk, so a lot of people may not know really what it's about. This is pretty much based on open source intelligence gathering, and not just kind of randomly stalking individual people; it's more in support of red team operations. So I've noticed a lot of companies nowadays are advertising "oh, we do red team, we'll pop shells and just own your company left and right", which is cool and it's fun, but oftentimes actually narrowing down the scope of what a red team operation involves tends to be the most difficult bit, because a lot of it tends to be black box; oftentimes companies don't even know

what they want in regards to a red team operation. So one of the things that really gave me inspiration for this talk is when I kind of started with NCC Group, I asked my manager how I can contribute the most value: I really like red teaming, I really suck at it, but I want to get better, and what's the best way I can contribute to be around people that are a lot better than me? So he goes, pretty much, this is it. So I kind of went headfirst into it and I'll just kind of elaborate from here. So this is "It's not stalking, it's investigating", right? So what we're gonna do is we're gonna run down, I guess, just the main

core elements of this. So if anybody's familiar with open source intelligence gathering, a lot of it you can see in, like, DEFCON talks or whatever, where they talk about "oh, we're gonna find somebody, we're gonna find his house blueprints, we're gonna find his wife, we're gonna find his kindergarten grades". All that's really fun and cool, but this is gonna be very much to support a successful red team operation, and we're gonna do that based on the presumption that our target is going to be medium to large-sized, and I'll elaborate on that in a bit. I'm gonna go over useful tools, apps, just kind of everything, all the tricks of the trade to make it easy, fast,

efficient, pretty much automating this, and then just utterly destroying whatever our target is. And I'm gonna do that by, we're gonna do a live demo together actually: I'm gonna pick any kind of random company name and I'm gonna show you what we can find out about them in a very short amount of time. So yeah, I have zero artistic talent, so these slides are gonna look really busted. Cool, so I've already covered the top of it: can't we just make it rain shells? The main thing about this is it is passive, right? I'm sure everybody's smooth with authorization forms, Computer Misuse Act, bla bla bla bla bla; everything that we do is going to be entirely legal, right,

because auth form, we don't need your auth form, all right? We can do this whenever we want. Okay, this is really fun to do just on your own time, just to learn kind of a lot of what companies leave exposed. Oftentimes companies will have stuff that you can just walk onto, server access that they didn't even know they had. I mean, it's shocking sometimes what you can find online, even through something simple like Google dorking; like, I found a bank, my personal bank, server exposed. I'm not gonna tell you who they are, but yeah, it's just insane. So the main things that we're looking for you can see right here: phishing, phishing. This will align very much with a

full kind of cyber red team engagement. So you're looking for names, emails, job titles, etc. Login pages is huge, because, you know, we're going to clone some pages to have a really successful phishing campaign, because that's pretty much a guaranteed way into a lot of companies, the red team cyber bit. So a lot of this stuff, like, we need to know what kind of apps they're using, what email filtering, right? If they've got Mimecast, then, you know, we know how to bypass that to get, like, links through or whatever else. So profiling is really important. So one thing that I will do quite often is when I'm doing this and I'm profiling everything that a

company has, I will actively put everything through Burp Suite, especially their online presence. It's kind of amusing what Burp Suite will pick up sometimes, because I'm sure you're well aware of all the lovely false positives it likes to give; however, what it really is cool at doing is identifying, like, local file inclusion, you know, like full path disclosure, email addresses and a lot of times hidden pages. So, like, you know, depending how loud you want to be, if you passively or, like, one-thread spider or something and it picks up, like, some crazy back-end page that they have, that they never knew existed, then, you know, a web app could potentially be your way in, but that's

kind of disgusting. So other things that we can think of: metadata ripping. I mean, I've never, ever, and I've been on a lot of red team engagements, I've never seen a company properly filter their metadata from documents, ever. Every single time I will find usernames, I'll find internal domains, I'll find internal IPs, I'll find passwords, I'll find all this just from ripping documents from a company's website. One of my favorite things to do, if I just don't care about being caught or that's not really part of the scope, is I can pretty much, recon-ng has a cool module, or you can even dork for it manually, identify every single file that they've got

hosted, like Word documents, PDFs, etc., and then what you can do is take that, dump it into a text file, wget -i filename, and just watch, I'll watch your VM blow up, because you've just downloaded 300 PDFs in about five minutes, and I'm pretty sure their SOC is probably having a heart attack, but it's really fun to do. Then also really juicy stuff like RDP, Citrix, VPN and SharePoint, right? Is port 3389 open, things like that. Okay, these are all kind of big key things that we're looking for as we go along. So domain and host hunting, right, this is kind of the meaty bit of what we're doing for the red team engagement, okay,

so just to clarify, we're not doing spear phishing or any kind of thing like that right now, okay? This is pretty much the big juicy bits to support a red team operation. Okay, so recon-ng, I love it, okay, I love it a little bit; it has a very Metasploit feel, but it will make you rage at times, because a lot of it just doesn't make sense. So one of the most awesome things that we're looking for: DNS. DNS gives us just everything; DNS and [unclear] I would say are probably the two biggest ways to profile a company, right? So what we will constantly remember and iterate to ourselves to do is to make everything in

a nice kind of list, CSV, text file, whatever, okay? Because we will be using that, okay, we will be using that and feeding that to recon-ng, okay, we'll be using that and feeding that into whatever, like, phishing platforms that you use, anything, right? But keeping a log of this and keeping it organized is really, really important. I'll go into parsing a bit later, okay, but you will be receiving a ton of data, okay, especially when you go into a bigger organization, right? I kicked off some discovery stuff on Microsoft last night and about 35,000 hosts later I kind of thought, okay, I need to stop, because it's just, it's blowing up my VM with plain text. It's

just insane what some companies actually have exposed, in which you can find login pages, okay? This is really, really big. Phishing isn't always the funnest thing to do, I mean you're not, like, you know, popping cool exploits or anything like that, but good phishing will always be a way in, okay? Every single red team engagement I've had, we've gotten a shell with this. I mean, you can do, like, a Cobalt Strike web drive-by, you can do whatever, kind of like the recent kind of PowerPoint mouse-over exploit that got released; anything like that is a really, really awesome, cool way to get access. However, login pages will always kind of be the most important to

stress, bit okay. We want them to go in and enter their creds, right? We want them to think "okay, I'm just logging into Outlook", right, but really they're giving us their credentials. Now when you've got a massive business, okay, let's use hypothetically Microsoft for example, okay, how do you then go through thirty thousand hosts and then find login pages, okay, or other, like, web applications that may be vulnerable or really good, right? So, like, dev portals or whatever else that they use. EyeWitness is a really cool tool; it will automate all of it for you, okay? So I'll go into how I use this specifically, but right here you can see a nice juicy report, okay,

so I ran this, like, I have a friend that works here, I got the OK to do this, but I just kind of pointed recon-ng at the FCO and just ran, like, a discovery on the domains and subdomains, and then once it's done with that, then it spits you out this really nice report, okay? Because everybody at the end of this, I assume, will be writing a report, right? So you need to keep in mind we need report fodder; even for, like, open source intelligence gathering, a lot of this is really important, and we don't know what the client will eventually ask us, like, either at the beginning of the engagement, in the middle or at the end. But yeah,

this is really, really nice, so I highly recommend, if you're gonna use this on a large scale or a medium scale, EyeWitness is amazing. Alternatively you can hold Ctrl and click, click, click, click, or click every single host, right, which is no fun to do. People hunting: this is also, I'd say, probably one of the most important things, right? We need email addresses of people to phish. If a company goes to you and they say, you know, you're supposed to be some elite hackers, you can find the people yourself, right? And you're like, okay, jerk, fine. So there's a couple things that we can do, a few publicly available things that are really cool: Email Hunter, hunter.io, has

a free API and you can just rip through it. This, I just ran this last night, and I mean I probably had 600 emails for an organization in probably, like, 20 seconds; really, really good. Email Format, this is a web application that is kind of there to tell you the format of a company's emails, okay, but it also kind of doubles as a really good kind of email hunter. Both of these return often very unique results, so it's really good. And another one that I found going through the code for Discover, Discover by Lee Baird, I think it's on GitHub; however, it points you towards this thing called Salesforce. Hey, I'm sure everybody's familiar with Salesforce

to some degree. You can then go create a free account with Salesforce, okay, and you can search a company or you can search for people, okay? When you search for a company, okay, you can get a whole ton of really juicy results, okay: you get full names, you get their job titles, you get when they joined, right? A lot of this is publicly submitted information, but it's extremely accurate, okay, from what I've seen anyways, so you can double-check to make sure these are valid, and I'll say what we can do with this in a second, because if we have full names we have emails, okay, and if we have emails we have full names, and vice

versa, okay? Also job titles: we want to avoid IT security, we want to avoid SOC, right, we want to avoid all that stuff. We want to identify the people in HR, marketing, etc. who may not be technically fluent, okay? So this is a really cool way. Now you might be asking, how do I export this and use this? I've gotten really good at a skill I like to call ghetto parsing, and what that is is when you get data in this atrocious format and you try to purchase this or export this, it's gonna charge you a huge amount of money, it's gonna try to do it in the format that they want. You can alternatively select all of

it and right-click in Microsoft Excel and paste as plain text, and that may just be a perfect format. I'm not saying it is, but it could be. theHarvester: if you've ever used theHarvester, it's built into Kali, really good application; however, you will get captcha'd, yourself and likely your company. What I like to do typically is VPN through one of our other offices, and so some locations of events, you see, might find themselves surprisingly Google-captcha'd for an hour, but it's better than our own office. Applications, some of the really cool ones, this I wasn't aware of until recently: the OSINT Framework is really good, okay, it has a huge repository of really cool stuff to go stalk people and

companies; however, it's got so much it gets a bit murky. I will try to make all this publicly available as well, including, like, a tool list, so if you guys are curious, you want to go grab some stuff, be my guest, okay? So I will try to make everything publicly posted, but by all means take pictures, do whatever. A really cool, juicy trick that I find that surprises a lot of people is IP history; it can often bypass Cloudflare or whatever, right? If a company's trying to hide behind Cloudflare, okay, but you have their actual domain name, if you just take that and you plug that into a site like viewdns.info and the IP history, oftentimes they

will have deployed their site before deploying Cloudflare and you'll get their real IP straight away, so a couple-second kind of bypass of Cloudflare. So Connect Data, Companies House: this is fantastic just for more people stalking. This looks up every kind of company within, like, the UK, their presidents, who the directors are, et cetera; oh, this tells you their yearly income, so you can tell if they're kind of ghetto busted or if they're actually, like, a little bit profitable company. MX Toolbox, etc. Spokeo, for more people hunting, but I'm not gonna go into doing that right now. Tools: these are probably the main tools that I'll use. recon-ng, additional recon-ng modules, these are really juicy and I highly recommend you guys go find this;

this actually has modules to automate Email Hunter and Email Format and a lot of this other web-application-based stuff, but this will do it and keep it nice and organized in your database, that I'll show you in just a second. EyeWitness again, theHarvester. API keys are going to be the bread and butter of recon-ng; this is pretty much the main framework that I use for everything. Get your API keys, okay? If you don't want to give them your real info, just use Guerrilla Mail, something like that. Oftentimes the domain, I think pokemail, isn't flagged, so they think it's, like, a Pokémon fan site or something. It works really well. But yeah, I highly

recommend you spend maybe 15 minutes, sign up for these, okay? They will make your reconnaissance exponentially more powerful, okay? Parsing: yes, we do have to parse all the information at the end. grep-fu, sed wizardry, Python scripting, Excel. When we had that Salesforce bit and we right-click and we paste that as plain text, okay, if you have a first name, last name, this is a really easy way to just make full emails with it, okay, just Excel CONCATENATE, dead easy, okay? Don't worry about Linux-fu and all that stuff; Excel, do it. And yes, parsing is like crawling naked through a field of broken glass, but we have to do it, okay? Cool, pass to the red team and make it rain shells. Now,

live demo. I'm gonna need a company name from somebody, any company name, medium to large-sized, don't be shy. Who? Rapid7? Yeah, let's do it, all right,

I'll show you how easy it is. So how much time do we have left?

25 minutes, all right, own them in, like, 25 minutes. Okay so, workspaces add rapid7, okay, beautiful. Okay, so now we're making our own workspace; being organized is really important, right? I hate it, and we hates it, but just making a new workspace is really important. So if I go workspaces list, right, you can see all the other ones that I've done and just kind of poked around in, right: Kaspersky, FCO, Amazon, Microsoft, right, there's a lot of data in here. Take snapshots as well, because some of the modules that I've imported have utterly busted my VM sometimes, and just restoring a snapshot is a lot easier. So add domains, rapid7.com, yeah, cool. So HackerTarget,

okay, this is a really cool service, all right? These guys have a, it's awesome right there, this, they also own the website DNSDumpster, but they have seriously spot-on, like, a free API, and you'll see in a second. Hello, Rapid7. So from here already, that's just a single module, and all that does is just kind of, like, subdomain lookups, right, but you can see, look at all this, right? If you ever look at a company's, like, subdomains or whatnot, I mean, you can typically see what services they have on the back end, for example file transfer, right? So immediately we've got already kind of potential things to go look at, okay? Remember, we're not

touching Rapid7, we're looking around them; it's a big difference, okay? So we're gonna use other really cool things. I didn't even know that this was written by another NCC guy, but apparently this module is, it's a certificate transparency lookup, okay, so looking up, oh okay, right, so already, that one module, we've already got 1009 total; some of these look duplicated, but there will be different IPs once we look into it. So yeah, as you can see, the Metasploit help, okay, so that's just two modules that we have, okay? Now here's an example of everything that we have at our disposal. So one of the things I'm doing right now is, I mentioned beforehand, is domains and host lookups, right?

That's kind of the main bread and butter that I'm looking for right now, so I want to have a very rough understanding of their external presence, right? So remember I'm coming at this from a red team perspective: I want to see what is potentially exploitable, I want to find their login pages, okay, I'm gonna find their employees because I want to know who to phish, okay, anything that's potentially juicy, you know, like, do they have, like, what, anonymous FTP, or just silly stuff like that, that you'd be shocked at what companies have exposed. So I'll see what's another favorite of mine.

I get caught up in my own tabbing, okay, and so we're just doing reverse DNS lookup, so we can already see it right there: CloudFront, okay, CloudFront, Cloudflare, so we can see they have a lot of EC2 presences, okay, it's going through Amazon's, so all these are just different Amazon data centers, God knows where, right, everyone uses EC2 nowadays. So already we have 256 unique hosts, okay, and you may be wondering, oh, I don't know these IPs; well, it has a really nice option to resolve the IP addresses, okay, so, and it's just gonna crawl through. So, uh, right now I can pretty much see quite, oh, autodiscover, that's nice. Autodiscover is a nice little juicy

trick, okay? If you want to find somebody's Outlook login, right, autodiscover.companyname.com is a really lovely way to get kindly redirected straight to their Outlook login page. So I'm just gonna keep on through their presence; is anybody from Rapid7 here? Sorry. Okay, so that's an additional forty-nine hosts, okay. So inside VM, I think they're demoing that outside, so yeah. It's already all Exchange, so we've got Exchange server; anybody familiar with Ruler, at least recently, right? So already we've got loads of hosts, and it has a lovely way of taking the hosts that it finds and then dumping it into domains tables. So one thing you learn to hate about recon-ng is it has a very lovely

kind of, like, you know, standard SQL database profile, but as you can see a lot of it is kind of a bit redundant. So if you find hosts, for example, it will not automatically populate domains, which can be a little bit irritating, but however it's a nice difference, because you'll have IPs and different host names, right. So should we look up some people? Let's see if we can find someone that's out there right now, right: companies, contacts, Email Hunter, okay, show info. So, very much like Metasploit, okay, and this gives you a nice description of it. So this is leveraging the free API; it's actually a lovely guy that runs the service, it's got really good customer

service and support, so if you guys ever want to use this a lot, I highly recommend the paid version. So we'll just run that real quick, okay? So we've already got a hundred thirty-four employees, so that's also 137 phishing targets, okay, 137 phishing targets on potentially others, login pages that we just found, okay? So while I do this I'm gonna go ahead and crack off EyeWitness, and we're going to see what login pages we can find. There's, okay, bear

with me, and we'll just look for the web presence. This right here is, this is just gonna look for 80 and 443; we can specify this to look for RDP, VNC, etc., okay, and I'm sure if you're on a specific engagement you can just go fiddle around with the code and add whatever kind of port you're looking for, okay? We're gonna crack that off, and that is going to automate the entire process. It might take a bit, because 231 hosts is a lot to kind of go in and screenshot, but we're gonna just let that run in the background while we hunt for more employees.

You see what I mean by unique results, okay? So now we've got, I think, over two hundred, two hundred seventy-four, okay, fair enough. I'm gonna show you another really cool, creepy module that I really like in this, okay; this is where it gets a bit kind of stalkery, well, investigative.

There we go, FullContact. FullContact is a lovely service and it gives you about a thousand free queries with its API, so another good usage for Guerrilla Mail and temporary emails; so just sign up as, like, a Pokémon fan and get your API key, so you've got a thousand queries, and this is just gonna run based off the emails in the contacts that we currently have, okay, and you'll see why it's creepy in just a second. Wait for a person to come by, any day, come on now. Courtney? You didn't hit; I really hope it's not an underscore. There it is, sneaky. That's okay, so anyways, you see it's still returning quite a bit, okay. I should bear in mind

what this has picked up beforehand, okay; well, I had to explain how I found an IT manager's Pornhub account, and this was just the sheer automation, okay? This is also why you shouldn't reuse usernames, okay; it's almost as bad as passwords, I'd say, because it's really, really easy to do reverse lookups across it, okay? So if I have somebody's username, like, I will find everything else where they are on the internet. So you can see it's still going as well; that's gonna keep ripping through, that's going for a bit. Right, any questions so far while these kind of crack off?

Yeah, yes, yeah, yeah, yeah. So I think also, so I've had it run, I think that service is used a lot, okay? I see it referenced a ton when it comes to just, like, large-scale marketing data, everything else, so I'm sure that loads of stuff is just pounding this; it's really never been that big of an issue. So you'll see a lot of stuff that uses, like, Klout, like, what, maybe I'm just not very social-media adept or anything, but I have no idea what the hell Klout is, okay? I mean, and you'll see some other kind of, like, slightly archaic things that it has searches for on here; however, one of the big things it is hitting is Google+,

LinkedIn, Twitter, okay, those are the big ones. Like, I've been on phishing campaigns where I've pretty much been speaking to the person while I'm looking at their LinkedIn that I just found, and it's just so obscenely easy to leverage just basic information about somebody to establish that chain of trust. And so this is really, really useful as well; like, if you're confused about, I don't know, maybe they've shifted jobs, or you are spear phishing, or etc., right, this is where this really comes in handy, okay? Remember, I found their, so, their full names, their social media profiles, their emails, right, and this is, how long has it been, like maybe 10 minutes, 15 minutes, okay? And the

lovely people outside here, I kind of don't ask them, but so this is where explaining yourself when you're doing this can be difficult at times. However, when it comes to just actual reporting, so I'll show you a report that I had, just in case this blew up on me, and this is the FCO. This is a full report, and you can see as I browse through here, it's gone through and it's automatically screenshotted, so if I want to clone a website or something I can look for something that isn't, like, insane with, like, a lot of different dynamic stuff on it, right? So if it looks incredibly problematic to try to clone a website, then you

browse, or maybe look for something more simple, for example right here. Also you get a lovely kind of, you get a nice IP address; it kind of totally, I mean, it tells you kind of what it's based on.

Boom, okay, we've got an Outlook page for the FCO, okay? So if I was an attacker, guaranteed I would try to phish them with this page, all right, and it would work too, because, I mean, who expects to see a pink, like, Outlook login page, right? That's fairly unique, I would say, and so immediately if you have something that's quite distinct and unique that they may not think people find, like for example that was found by using autodiscover, right, and if we just click that, and that's just trying to resolve, boom, see, it just redirects us straight to it, okay? So you can see how, just like, and I'd say most companies leave this here,

like autodiscover, okay, and so this is a really, really awesome, juicy, lovely way to just get an instant phishing page. It works most of the time, right, because everybody, every company will have this, I'd say, unless, like, it's hidden behind, like, a VPN or something. Oh, and Office 365, okay, I'm sorry, that's outlook.com, yeah, yep, yeah. Typically we redirect, we do, we redirect them straight to the actual logon page, yeah, yeah. So, I mean, like, if you're doing, like, a standard phishing campaign, although oftentimes clients will ask for, like, a phishing awareness campaign where it redirects them to, like, "okay, I've gotten phished, now sit through this really boring video", right, or if it's a proper red team engagement then it will just be

a redirect back to, like, the proper site, so it'll look like maybe there was just some standard issue, you know, the page again; that's how that works a lot of the times as well. This is almost, and I do not expect this to hit that much.

Okay. Okay, so typically what I would also do, [unclear], okay, so typically what you do is a bit of manual kind of investigation always kind of goes into this as well, right, because most companies will name their subdomains pretty much similar to the service it offers, okay? So typically speaking, with Amazon, I typically try not to piss off Amazon, so I won't brute-force any subdomains or anything like that; however, what I will do is then start looking through here and looking for any kind of juicy, like, subdomains that kind of give me, this will tell me a lot about their services and their technology already, and that's just from looking at

the names of it, okay. Oh, perfect, okay; would you all like, yes, I would like to open the report now, okay. So welcome to Rapid7's web presence and here's where we go down. So okay, we've got a bog-standard IIS installation; I wonder what kind of default pages are on there. Project Sonar, interesting, don't know what that is. AppSpider, that looks like a really good phishing page, right: bog-standard login, username and password, email, email and password, "these are the droids you're looking for", I like that. And we're gonna, like, Kiteworks, oh, secure file transfer, that's potentially juicy. So you can see where you can, like, immediately, it's been less than 20 minutes, okay, and okay, I've

already got versions of them, okay, that's Amazon, you're mine. So you can see as it's, like, going down, it can get pretty intrusive in a company, and this is all just public stuff, right? This is pretty much it, dorking around the internet. Oh, okay, that's nice, we got a stack trace, okay, let's not look at that too much now; I don't want to put Rapid7 out there, okay, so I'm just gonna get rid of that. But you can see, just doing passive reconnaissance in 20 minutes, right, how horribly intrusive things can get, and that's against a security company, right? So imagine what you could find on a company that's like, "we do HR, marketing, that's all we do, we only have

one security guy named Bob and he works, like, Monday to Friday, like, 8 to 10, 10 a.m.", right? And so that actually happens quite a bit, and so just passive reconnaissance, without even touching their infrastructure, okay, we've pretty much got enough information to utterly, like, potentially destroy a company. I'm not, so, I mean, this is what I find cool anyways, which is why I'm giving the talk, but yeah. How much time? 7 minutes, okay. That's pretty much it: questions, banter, tell me how bad this sucked. Thank you, thank you. Any questions at all? Stalking, I really like stalking. Yeah, yes, that's a good question. Recon-ng, okay, smaller companies, you might be better off manually, like, poking around,

especially, like, Burp, open, I have done that quite, quite a bit. recon-ng can be a bit overkill with companies with, like, four subdomains or something like that, but it's good to have those active API keys, because you never know; I mean, sometimes I've seen, like, a tiny company that just ended up just blowing up with tons of subdomains. Wait, no, it's a really good question; like, a smaller company, it can be a big giant waste of time and you're better off doing a lot of this manually. Sorry, yeah, sorry, who's next?

It's a good question. I had originally a slide called "bleep your API", and that was specifically targeted because I'm really bitter about LinkedIn's API; they're jerks, and you can only really get a juicy version of their API if you're, like, a really big business partner. Web crawling is frowned upon; however, there are some modules out there that have it. Well, we kind of use an internal one right now to do it efficiently, but I'd highly recommend getting into web crawling, especially for, like, custom stuff. There's a lot of really good resources out there, and this is pretty much what, well, a lot of this is, so it's doing DNS lookups and, like, web crawling, right, and you're just, like,

grabbing certain information you need from a web page and just dumping it into an easily readable, parsable format. So yeah, that's a good question. LinkedIn is really, like, the Holy Grail, and I have manually gone through LinkedIn raging, right, getting, like, employees and their job titles, because a module wouldn't work. But yeah, I did look into that; I haven't managed to use that efficiently yet, I would love to, because, I mean, I've owned a few companies because, like, you know, employees, they have pictures of, like, their computers, and like, I mean, it's just insane what people still post on Facebook, so they live there. They're very stringent on their API usage as well, but that's

something that I need to keep looking at, so it follows, means, if anybody knows something, please share it, because that would be another kind of Holy Grail type thing, is being able to really just rip through and exploit Facebook. recon-ng used to have one a couple years ago, but then Facebook got wise and gave us the banhammer. Yeah, uh, yeah, it's an option; it can be very loud and it's a grey area when it comes to auth form, no auth form. So it's a really good way if a company just wants, like, an ocean job, then yeah, by all means go buck wild, right, throw the biggest giant word list you have at it, like, and

just go crazy on their subdomains; however, some companies may try to get fresh with you, like, yeah, if you really do, like, a million lookups, what the hell are you doing, we want you to be quiet and not get caught, you know. So, oh, another quick thing I want to show you guys before I go, sorry, question, no. One other really good thing, while, of HackerTarget is, is everybody familiar with DirBuster, dirb, right? It pretty much brute-forces, pretty much, like, page links. This is pretty much, DirBuster without DirBuster, as I like to call it. So as you can see here, this is a really nice, lovely way to pretty much

have it; you can see already some PDFs of it already. So one of the things I really love to do here, which gets me into trouble sometimes, is, if you look, oh, this is resolution, sorry, people, so for example here it says Rapid, can you guys read that? No, it says slash global assets slash PDFs slash PDF, right? So one of the things I'll immediately do is, I see something juicy like that, that says, like, it's on the disallow list, right, from its robots or whatever, is I'll go look, like, these things that look like they'll have lots of files, and lots of websites and domains will have this where it'll just list everything, and

this is kind of a really cheeky, fun way to find, like, stuff that they really don't want you to find online. So hidden links, here's a really good one, so hidden links: it does information that Rapid7, SC Magazine, right? So typically from here I will then go, love, one more cheeky poke, I'll just see if it hits. So lots of times you'll see something like this; it'll be like company slash file slash download slash file name, right, and then if you go to it, it's like, okay, they're smart, all right, okay, but a lot of times this would result in pretty much listing, like, all the files that they have available, right, which we can

find anyways with Google dorking. But yeah, so yeah, any other last-bit questions? No? Cool, thanks for coming.
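The talk's metadata-ripping point (usernames, internal domains and IPs sitting in the properties of documents a company publishes) is easy to check on your own files before they reach the website. The script below is an added example, not code from the talk or from any tool it mentions: it reads the core and extended properties of a .docx (a zip container) with the standard library only and flags values a defender would strip, using sample documents constructed in memory whose names, hosts and addresses are all made up.

```python
"""Audit .docx metadata for details that should not leave the company.

Added example, not from the talk. A .docx is a zip whose docProps/core.xml and
docProps/app.xml hold the author, last editor, company and template path that
published documents so often leak. The sample documents are constructed here;
every name, host and address in them is made up.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML namespaces used by the two property parts inside a .docx.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dc:title", "dc:description"]
APP_FIELDS = ["ep:Company", "ep:Manager", "ep:Template", "ep:Application"]
# Fields that name a person or organisation even when they match no pattern.
IDENTITY_FIELDS = {"dc:creator", "cp:lastModifiedBy", "ep:Company", "ep:Manager"}

# Value patterns that betray internal infrastructure: DOMAIN\user logons,
# RFC 1918 addresses, internal-only DNS suffixes and UNC paths to file servers.
PATTERNS = {
    "domain_user": re.compile(r"\b[A-Za-z0-9_-]+\\[A-Za-z0-9._-]+"),
    "private_ip": re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
    "internal_host": re.compile(r"\b[\w.-]+\.(?:local|internal|corp|lan)\b", re.I),
    "unc_path": re.compile(r"\\\\[\w.-]+\\[\w$.-]+"),
}


def read_properties(docx_bytes: bytes) -> dict:
    """Return {field: value} for the core and extended properties of a .docx."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part, fields in (("docProps/core.xml", CORE_FIELDS),
                             ("docProps/app.xml", APP_FIELDS)):
            if part not in zf.namelist():
                continue  # a document may lack one of the parts
            root = ET.fromstring(zf.read(part))
            for field in fields:
                node = root.find(field, NS)
                if node is not None and node.text and node.text.strip():
                    found[field] = node.text.strip()
    return found


def audit(docx_bytes: bytes) -> list:
    """Return (field, value, reason) findings; an empty list means the document is clean."""
    findings = []
    for field, value in read_properties(docx_bytes).items():
        hits = [name for name, pat in PATTERNS.items() if pat.search(value)]
        if hits:
            findings.append((field, value, "matches " + ", ".join(hits)))
        elif field in IDENTITY_FIELDS:
            findings.append((field, value, "identifies a person or organisation"))
    return findings


def audit_file(path: str) -> list:
    """Convenience wrapper for a .docx on disk."""
    with open(path, "rb") as fh:
        return audit(fh.read())


def make_docx(core: dict, app: dict) -> bytes:
    """Build a minimal .docx (constructed for this example) carrying the given metadata."""
    core_xml = '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">' % (NS["cp"], NS["dc"])
    core_xml += "".join("<%s>%s</%s>" % (k, escape(v), k) for k, v in core.items())
    core_xml += "</cp:coreProperties>"
    app_xml = '<Properties xmlns="%s">' % NS["ep"]
    app_xml += "".join("<%s>%s</%s>" % (k, escape(v), k) for k, v in app.items())
    app_xml += "</Properties>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core_xml)
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


# Constructed samples: one saved straight from a corporate template, one with
# the metadata stripped the way it should be before publication.
LEAKY_DOC = make_docx(
    {"dc:title": "Q3 Pricing", "dc:creator": "CORP\\jsmith",
     "cp:lastModifiedBy": "Jane Smith",
     "dc:description": "Source on \\\\fs01.corp.local\\finance"},
    {"Application": "Microsoft Office Word", "Company": "Example Holdings Ltd",
     "Template": "\\\\10.20.30.40\\templates\\corp.dotm"},
)
CLEAN_DOC = make_docx({"dc:title": "Q3 Pricing"}, {"Application": "Microsoft Office Word"})

if __name__ == "__main__":
    for label, doc in (("leaky", LEAKY_DOC), ("clean", CLEAN_DOC)):
        print("%s document: %d finding(s)" % (label, len(audit(doc))))
        for field, value, reason in audit(doc):
            print("  %-20s %-40s %s" % (field, value, reason))
```

Point `audit_file()` at a directory of documents as a pre-publication gate; anything it reports is what the talk's wget-and-rip step would harvest from your site.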