Reconnaissance: I Know Who You Are

Disclaimer! Use this information for legal purposes only. Misuse of the information on this website can result in criminal charges being brought against the persons in question. Anyone engaging in illegal activity will be charged as a cyber criminal.

Nothing vanishes, nothing is lost; we know this simple rule of the universe. Nothing that is created disappears, everything is transformed. This basic pillar of nature applies perfectly to any information we have ever left on the internet, and even our private data stored on a local machine might be synced to the cloud without our consent. You will be surprised how much personally identifiable information (PII) can be extracted from the internet. Right, I am talking about you. Let's count how many social media accounts you own, how many Wi-Fi networks are stored on your phone, how many applications are running right now with access to your geolocation or syncing to some cloud location. Do you take care to keep your home router, mobile OS or any smart home device up to date, like that bulb or the cool flashing light on your modern desk? It is scary how many ways there are to get access to private data and take control of any device you have. Even more scary is how simple it is.

I do not want to talk much about possible ways or techniques. There are tons of good books and services around. Here are just a few references for those who are interested:

Just follow my next posts and I will try to share more about my learning path in cybersecurity, which resources are especially useful as starting points and, of course, how to get hands-on. Labs are the most essential way to 'compile' all the information available. Constructing your own knowledge base is practically impossible without practice, and only practice will make you truly competent.

OSINT

Open Source Intelligence (OSINT) is a method of gathering information from public or other open sources. The method can be used by any security specialist, by government or intelligence agencies, or by cybercriminals. Open sources can be used for good by cyber defenders or white-hat hackers, whose purpose is to discover publicly available information related to their organization or employer that could be used by attackers, and to take steps to prevent those future attacks. On the other hand, the bad 'black hats' are eager to use your information against you. They make money by stealing confidential information or causing financial loss to the victim. This is completely against government policies and rules. Let's give an example. You sit in a coffee shop and see that someone's phone holds a very critical and confidential document. The owner has left the phone on the table and gone somewhere. You noticed the owner's (the victim's) phone pattern/PIN and could get the confidential document. But you, being his friend (an ethical hacker) and knowing the password/PIN, change it and make the phone inaccessible to the bad guys who sit behind you and may already have noticed the weakness as well. Later you tell 'the victim' the new pattern/PIN, report exactly what was exposed to anyone and provide instructions on how to avoid the situation in future.

OSINT leverages advanced technology to discover and analyze massive amounts of data, obtained by scanning public networks, from publicly available sources like social media networks, and from the deep web – content that is not crawled by search engines, but is still publicly accessible.

Let's have a look at some interesting tools and methods, and see how simple it is to get personal information that people share directly on the internet.

Google Dorks

The Google search bar is the most common way to find information nowadays. It is the largest database of information available across the internet that people have access to. But the tons of information available make it difficult to find exactly what you want. Basically, Google makes assumptions about your search query based on the popularity of the topic, your location and even your search history or the device you are searching from. It is the easiest way to find popular information, but the result of the same query may vary from time to time. For example, searching for New York population, Google will pick the most popular search query and return the population of New York City, which is about 9 million, but completely skip New York in Lincolnshire, England, where about 150 people live. Of course, who cares about a small village in England? But what if you really need it? The answer is advanced Google search, sometimes called Dorks.

What are Google Dorks? Google Dorks are an advanced search engine language that leverages additional tags and exact-match quotation to find exactly the match you need. Doing so, it is able to search publicly available databases which are not properly secured, contact information for individuals and even credentials or passwords left in logs or dumps.

Returning to the New York example. Just typing it into the Google bar probably returns the famous city on the east coast:

google> New York

Let's specify more precisely, including the tag "+" with "post" to filter for information connected only to the magazine:

google> "New York" +post

What if we use quotes for a direct match, filter out "city" and "post" with the "-" tag to avoid "New York Post", and specify the location:

google> "New York" -city -post "England"

This is exactly how a dork works. Let's find something more interesting, like a site which does not use SSL, meaning all traffic to and from the site is not encrypted and might be sniffed easily, or logs that contain plain-text passwords.

Here is a list of popular dorks:

  • inurl:<term> searches for the specified term in the URL. For example: inurl:http
  • site:<site> restricts the search to a specific site only. Example: site:.com or site:public*
  • intext:<term> searches for a specific string in the page text. Example: intext:ip* or intext:password
  • filetype:<type> looks for a file type. Example: filetype:tmp or filetype:log
  • intitle:<term> searches for a string in the title
  • after:<date> filters results to after a certain date
  • before:<date> filters results to before a certain date
  • or check the Google Hacking Database for many more
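To make the operator semantics above concrete from the defender's side, here is an added example (my own code, not from the original post or from Google) that evaluates dork-style queries against a constructed crawl of your own site, so you can find what a dork would surface before someone else does. The Page records, the example.com URLs and the SAMPLE_CRAWL contents are all made up for this example; after: and before: are left out because these records carry no crawl date.

```python
import re
import shlex
from collections import namedtuple
Page = namedtuple("Page", "url title text")

# Constructed crawl records for a hypothetical site (not real data): what a
# defender gets from crawling their own web root before an attacker does.
SAMPLE_CRAWL = [
    Page("http://intranet.example.com/logs/app.log", "app log", "user=bob password=hunter2 login ok"),
    Page("https://www.example.com/about", "About us", "We are a company in New York"),
    Page("https://www.example.com/backup/db.tmp", "", "dump of users table"),
    Page("http://www.example.com/cgi-bin/admin.cgi", "Admin panel", "enter credentials"),
]

def parse_dork(query):
    """Split a dork into (required, excluded) lists of (operator, value); '-term'
    excludes, shlex keeps "quoted phrases" whole, operator is None for a bare term."""
    required, excluded = [], []
    for token in shlex.split(query):
        negate = token.startswith("-")
        op, sep, value = token.lstrip("+-").partition(":")
        if not sep:
            op, value = None, op
        (excluded if negate else required).append((op.lower() if op else None, value))
    return required, excluded

def _term(haystack, value):
    """Case-insensitive substring match; a trailing '*' (intext:ip*) means word prefix."""
    h, v = haystack.lower(), value.lower()
    return re.search(r"\b" + re.escape(v[:-1]), h) is not None if v.endswith("*") else v in h

def _match(page, op, value):
    host = re.sub(r"^https?://", "", page.url, count=1).split("/")[0].lower()
    path = page.url.split("?", 1)[0].lower()
    v = value.lower()
    if op is None:
        return _term(" ".join(page), value)
    if op in ("inurl", "intitle", "intext"):
        return _term({"inurl": page.url, "intitle": page.title, "intext": page.text}[op], value)
    if op == "site":  # site:.com is a host suffix, site:public* a host prefix
        return host.startswith(v[:-1]) if v.endswith("*") else host.endswith(v)
    if op == "filetype":
        return path.endswith("." + v)
    raise ValueError(f"unsupported operator: {op}")  # after:/before: would need crawl dates

def run_dork(query, pages):
    """Return URLs satisfying every required term and no excluded term."""
    required, excluded = parse_dork(query)
    return [p.url for p in pages
            if all(_match(p, op, v) for op, v in required)
            and not any(_match(p, op, v) for op, v in excluded)]
```

Running `run_dork('filetype:log intext:password', SAMPLE_CRAWL)` against a real crawl of your own site is the self-audit version of the dork the post describes.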

What if we want to scan an entire domain, or even the internet, for a specific vulnerability? You definitely need an automation tool to do so. There are a bunch of tools available, but Passive Google Dork (PaGoDo) is my favorite one. PaGoDo is easy to configure and supports a Python shell to explore the data. Please follow my next posts; I will describe Passive Google Dork automation in more detail.

Hints. It is possible to specify the minimum (-i) and maximum (-x) delay between dork searches. Remember to use a VPN when scanning to avoid your account being locked by the search engine provider.

Hunt Social Accounts with Sherlock

Social media accounts means any websites or applications by which users are able to create and share information, ideas, personal messages and other content (including, without limitation, text, photos and videos) or to participate in social networking. Waking up, on the way to work or school, we are constantly posting our progress on social media. And a significant part of such information is open source and publicly available. Just the name of your social account may say a lot in skillful hands: what your daily routine is, which favorite coffee bar you spend an hour in each day, who your friends are and the name of your puppy. Gathering this kind of information about a target account is called social engineering, and it is the first step in finding the best way to phish you, turning into a friend on FB, or simply guessing the password or secret phrase for your laptop or bank account from your pet's name or best vacation spot.

Sherlock is an amazing tool for finding social accounts or investigating connected account references that an attacker would otherwise have no hope of finding. From a single clue like an email address or screen name, Sherlock can grow what we know about a target piece by piece as we learn about their activity on the internet.

To get started, we need a computer with Python installed; then just follow the instructions included in the GitHub repository. Run:

Voila, we have got all the information we need in one single *.txt file. Perfect!

Footprinting with IntelTechniques Tools

For many, recon is more of an overall, overarching term for gathering information on targets, whereas footprinting is more of an effort to map out, at a high level, what the landscape looks like. The terms are used interchangeably.

Search engines can provide a treasure trove of information for footprinting and, if used properly, won’t alert anyone you’re looking at them. Mapping and location-specific information, including drive-by pictures of the company exterior and overhead shots, are so commonplace now people don’t think of them as footprinting opportunities. However, Google Earth, Google Maps, and Bing Maps can provide location information and, depending on when the pictures were taken, can show potentially interesting intelligence. Even personal information, like residential addresses and phone numbers of employees, are oftentimes easy enough to find using sites such as Linkedin.com and Indeed.com.

Another perfect resource, and the one I like most, is IntelTechniques by Michael Bazzell. This one portal contains hundreds of search engines, able to find any piece of information that can be extracted from an email address, phone number, IP address and even a vehicle identifier.

IntelTechniques is good at finding genuine information all over the world, and a perfect way to check whether someone is scamming you or you are the target of a phishing attack. I strongly insist that you play with all the tools available yourself; just remember to use the information responsibly, preserving the privacy of the personal data to which you gain access.

Search for Exposed Devices with Shodan

Search engines index websites on the web so you can find them more efficiently, and the same is true for internet-connected devices. Shodan indexes devices like webcams, printers, and even industrial controls into one easy-to-search database, giving hackers access to vulnerable devices online across the globe. You can search its database via its website or command-line library. Thanks to null-byte for the wonderful overview.

You can imagine hunting for vulnerable devices as similar to trying to find all the pages on the internet about a specific topic. Rather than searching every page available on the web yourself, you can enter a particular term into a search engine to get the most up-to-date, relevant results. The same is true for discovering connected devices, and what you can find online may surprise you!

First of all, we need an account to get started with Shodan. Go to www.shodan.io and create a free account.

Before we start, let's take care of basic anonymization and use a VPN to prevent our personal tracking information from appearing in any logs.

Now we are ready to rumble, and we start with something very simple, like webcam:

Shodan returns a list of publicly exposed services tagged with 'webcam'. Very interesting, isn't it? Scrolling down through the list, it is very straightforward to find an insecure server or even a live stream available directly from the browser:

We found a service somewhere in Hino, Japan. The internet service provider is Sony Network Communication, and the exposed ports are 80, 443 and 9000. Diving deeper, we would get access to the live stream and even information about the SSL certificate without any significant effort.

Going further, let's specify port 80 for services available over HTTP and search for "/cgi-bin/" to find administrator panel access. Please try it yourself. Easy? It is scary what people expose straight onto the internet without even knowing about it.

If you really want to automate scanning for vulnerable devices exposed on the network, try the Shodan CLI. This is a perfect tool for scanning private and corporate networks:

$ shodan scan submit 198.20.69.0/24

And, of course, there is the Shodan API for automated development and scanning from Python or any other scripting language. Follow me and I will write a more detailed review later on.
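As an added example (my own code, not from the post, from Shodan or from null-byte) of what the API is good for on the defending side: take a Shodan host record for one of your own addresses and compare it with the ports you actually intend to expose, flagging the things the webcam walk-through above found (unexpected open ports, Basic auth over plain HTTP, certificate state). SAMPLE_HOST is a constructed record using a TEST-NET address, and its field names (ip_str, ports, data[].port/transport/product/data/ssl) are my assumption about the shape of Shodan's host JSON; fetch_host uses the official shodan library and is the only part that needs network access.

```python
# Constructed Shodan-style host record (not a real lookup). Field names follow the
# shape of Shodan's host JSON as I understand it: ip_str, ports and a data[] list of banners.
SAMPLE_HOST = {
    "ip_str": "203.0.113.10", "org": "Example ISP", "city": "Hino", "country_name": "Japan",
    "ports": [80, 443, 9000],
    "data": [
        {"port": 80, "transport": "tcp", "product": "nginx", "data": "HTTP/1.1 200 OK"},
        {"port": 443, "transport": "tcp", "product": "nginx", "data": "HTTP/1.1 200 OK",
         "ssl": {"cert": {"expired": False}}},
        {"port": 9000, "transport": "tcp", "product": "IP camera httpd",
         "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"IP Camera\""},
    ],
}

def exposure_report(host, expected_ports):
    """Compare a Shodan host record with the ports its owner expects to be reachable
    and flag what someone browsing Shodan would see first."""
    unexpected = sorted(set(host.get("ports", [])) - set(expected_ports))
    findings = []
    for banner in host.get("data", []):
        port, raw = banner["port"], banner.get("data", "")
        if port in unexpected:
            findings.append(f"port {port}/{banner.get('transport', 'tcp')} is open but not "
                            f"in the allowlist ({banner.get('product', 'unknown service')})")
        if "WWW-Authenticate: Basic" in raw and "ssl" not in banner:
            findings.append(f"port {port}: HTTP Basic auth without TLS, credentials travel in clear")
        if banner.get("ssl", {}).get("cert", {}).get("expired"):
            findings.append(f"port {port}: expired TLS certificate")
    return {"ip": host["ip_str"], "unexpected_ports": unexpected, "findings": findings}

def fetch_host(ip, api_key):
    """Live lookup through the official shodan library (pip install shodan); needs network
    and an API key, so it is kept separate from the offline report above."""
    import shodan
    return shodan.Shodan(api_key).host(ip)

if __name__ == "__main__":
    # Offline demo on the constructed record: only 443 is meant to be public.
    for line in exposure_report(SAMPLE_HOST, expected_ports=[443])["findings"]:
        print(line)
```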

So, guys, I have shown you how straightforward it is to find any specific information you want just by using a browser and having basic knowledge of the internet and how social networks work. It is really scary what a professional penetration tester or hacker may extract straight from the internet, and how huge an amount of personal or security information is already exposed to everyone's eyes on the web. Even a small piece of personal information left in a blog comment, an unconsciously exposed server log, or a service running on the internet with default credentials may cause significant damage to your business or private life. Mixing OSINT techniques with a social engineering approach like scamming, phishing or pretexting based on the information available about you on social media, an attacker may impersonate your friend, colleague or even bank manager, get access to your account and steal everything in it. Never leave personal information where it is not really needed, expose only the necessary data and service access over the internet, give your employees only the least access they need to do their work and,

be ethical,

save your privacy!
