foca training hackcon6
Foca slides
![Page 1: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/1.jpg)
FOCA Pro Chema Alonso
![Page 2: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/2.jpg)
What’s a FOCA?
![Page 3: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/3.jpg)
FOCA on Linux?
![Page 4: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/4.jpg)
FOCA + Wine
![Page 5: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/5.jpg)
Previously on FOCA….
![Page 6: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/6.jpg)
FOCA 0.X
![Page 7: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/7.jpg)
A document is
What you see… And what you don't
• Template paths
• Users who worked on it
• Departments
• File & printing servers
• Version history
• Embedded files
• …
![Page 8: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/8.jpg)
What kind of data can be found?
• Metadata: information stored on purpose to describe the document.
  – For example: creator, organization, etc.
• Hidden information: information stored internally by the application and not editable by the user.
  – For example: template paths, printers, database structure, etc.
• Lost data: information that ends up in the document through human mistakes or negligence; it was never intended to be there.
  – For example: links to internal servers, data hidden by formatting, etc.
![Page 9: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/9.jpg)
Metadata Risks
• "Secret" relationships
  – Government & companies
  – Companies & providers
• Piracy
• Reputation
• Social engineering attacks
• Targeting malware
![Page 10: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/10.jpg)
2003 – MS Word bytes Tony Blair
![Page 11: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/11.jpg)
Targeting Malware
![Page 12: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/12.jpg)
Targeting Malware
![Page 13: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/13.jpg)
Electing the entry point
![Page 14: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/14.jpg)
Social Engineering Attack
![Page 15: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/15.jpg)
Anonim0us case
![Page 16: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/16.jpg)
Metadata created by Google
![Page 17: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/17.jpg)
Lost Data
![Page 18: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/18.jpg)
Lost data everywhere
![Page 19: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/19.jpg)
Metadata in Search Engines
![Page 20: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/20.jpg)
Pictures with GPS info..
EXIFREADER
http://www.takenet.or.jp/~ryuuji/
![Page 21: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/21.jpg)
Even Videos with users…
http://video.techrepublic.com.com/2422-14075_11-207247.html
![Page 22: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/22.jpg)
OLE Streams
• In MS Office binary format files
• Store information about the OS
• Are not cleaned by these tools
• FOCA finds this info
![Page 23: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/23.jpg)
FOCA: File types supported
• Office documents:
  – OpenOffice documents
  – MS Office documents
  – PDF documents
    • XMP
  – EPS documents
  – Graphic documents
    • EXIF
    • XMP
  – Adobe InDesign, SVG, SVGZ (NEW)
![Page 24: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/24.jpg)
What can be found?
• Users:
  – Creators
  – Modifiers
  – Users in paths
    • C:\Documents and settings\jfoo\myfile
    • /home/johnnyf
• Operating systems
• Printers
  – Local and remote
• Paths
  – Local and remote
• Network info
  – Shared printers
  – Shared folders
  – ACLs
• Internal servers
  – NetBIOS name
  – Domain name
  – IP address
• Database structures
  – Table names
  – Column names
• Device info
  – Mobiles
  – Photo cameras
• Private info
  – Personal data
• History of use
• Software versions
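As an added example (not FOCA's code and not part of the original slides), the script below pulls the categories listed above out of an OOXML (.docx) file: creators and modifiers from docProps/core.xml, application version, company, template path and hyperlink base from docProps/app.xml, and then usernames and server names out of any Windows profile path, Unix home path or UNC path found in those fields. The sample document is constructed in memory so the script runs offline; the usernames jfoo and johnnyf, the server fileserver01 and the company name are made-up values. Binary .doc/.xls/.ppt files keep the same data in OLE streams and need an OLE parser, which this example does not cover.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the two metadata parts every OOXML package carries.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Patterns for the "users in paths" and server leaks the slide lists.
WIN_PROFILE = re.compile(r"[A-Za-z]:\\(?:Documents and Settings|Users)\\([^\\]+)", re.I)
NIX_HOME = re.compile(r"/home/([A-Za-z0-9_.-]+)")
UNC_SERVER = re.compile(r"\\\\([A-Za-z0-9_.-]+)\\")


def build_sample_docx():
    """Constructed sample, not a real document: a minimal package holding only
    the two metadata parts, seeded with the kinds of leaks we want to catch."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:creator>jfoo</dc:creator>"
        "<cp:lastModifiedBy>johnnyf</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{NS["ep"]}">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>12.0000</AppVersion>"
        "<Company>Example Corp</Company>"
        r"<Template>C:\Documents and Settings\jfoo\Application Data\Microsoft\Templates\corp.dot</Template>"
        r"<HyperlinkBase>\\fileserver01\docs\</HyperlinkBase>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def read_properties(docx_bytes):
    """Pull the raw fields out of docProps/core.xml and docProps/app.xml."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy", "dc:title", "dc:description"):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    props[tag.split(":")[1]] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag in ("Application", "AppVersion", "Company", "Manager", "Template", "HyperlinkBase"):
                el = root.find("ep:" + tag, NS)
                if el is not None and el.text:
                    props[tag] = el.text
    return props


def fingerprint(props):
    """Sort the raw fields into the categories on the slide."""
    found = {"users": set(), "servers": set(), "software": set(), "paths": set(), "organization": set()}
    for key in ("creator", "lastModifiedBy"):
        if key in props:
            found["users"].add(props[key])
    if "Company" in props:
        found["organization"].add(props["Company"])
    if "Application" in props:
        found["software"].add(" ".join(v for v in (props["Application"], props.get("AppVersion")) if v))
    for value in props.values():          # paths can hide in any free-text field
        for m in WIN_PROFILE.finditer(value):
            found["users"].add(m.group(1))
            found["paths"].add(value)
        for m in NIX_HOME.finditer(value):
            found["users"].add(m.group(1))
            found["paths"].add(value)
        for m in UNC_SERVER.finditer(value):
            found["servers"].add(m.group(1))
            found["paths"].add(value)
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    for category, values in fingerprint(read_properties(data)).items():
        print(f"{category}: {values}")
```

Run it with a .docx path as the first argument to analyze a real file, or with no argument to analyze the constructed sample. The same core.xml/app.xml layout applies to .xlsx and .pptx, so the reader works on those unchanged; only the regexes need extending for other path conventions.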
![Page 25: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/25.jpg)
Demo: Single files
![Page 26: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/26.jpg)
Sample: FBI.gov
Total: 4841 files
![Page 27: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/27.jpg)
Are they cleaned?
![Page 28: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/28.jpg)
FOCA 1 v. RC3
• Fingerprinting Organizations with Collected Archives
  – Searches for documents in Google and Bing
  – Downloads the files automatically
  – Extracts metadata, hidden info and lost data
  – Clusters the information
  – Analyzes the info to fingerprint the network
![Page 29: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/29.jpg)
Metadata tracing
![Page 30: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/30.jpg)
Alternative Domains
![Page 31: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/31.jpg)
Alternative Domains
![Page 32: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/32.jpg)
Sample: Printer info found in odf files returned by Google
![Page 33: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/33.jpg)
Types of Engineers
![Page 34: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/34.jpg)
DNS Prediction
![Page 35: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/35.jpg)
Google Sets Prediction
![Page 36: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/36.jpg)
IP Scanning
![Page 37: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/37.jpg)
Manually-added Data
![Page 38: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/38.jpg)
![Page 39: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/39.jpg)
Demo: Mda.mil
![Page 40: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/40.jpg)
What’s new in FOCA 2.5+?
• Network discovery
• Recursive algorithm
• Information gathering
• Software recognition
• DNS cache snooping
• Reporting tool
![Page 41: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/41.jpg)
FOCA 2.5: Exalead
![Page 42: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/42.jpg)
Huge domains case
![Page 43: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/43.jpg)
DNS Search Panel
![Page 44: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/44.jpg)
URL search in search engines
![Page 45: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/45.jpg)
DNS Search & Zone Transfer
• IP resolution
• Well-known records
  – NS
  – TXT (SPF)
  – MX
  – SOA (primary master)
• Zone transfer
• Dictionary search
![Page 46: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/46.jpg)
Bing IP
![Page 47: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/47.jpg)
PTR Scanning
![Page 48: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/48.jpg)
Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
1) http -> web server
2) Get HTTP banner
3) domain.com is a domain
4) Search NS, MX, SPF records for domain.com
5) sub.domain.com is a subdomain
6) Search NS, MX, SPF records for sub.domain.com
7) Try all the non-verified servers on all new domains
   1) server01.domain.com
   2) server01.sub.domain.com
8) apple1.sub.domain.com is a hostname
9) Try DNS prediction (apple1) on all domains
10) Try Google Sets (apple1) on all domains
![Page 49: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/49.jpg)
Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
11) Resolve IP address
12) Get certificate at https://IP
13) Search for domain names in it
14) Get HTTP banner of http://IP
15) Use Bing ip:IP to find all domains sharing it
16) Repeat for every new domain
17) Connect to the internal NS (one or all)
18) Perform a PTR scan searching for internal servers
19) For every new IP discovered try Bing IP recursively
20) ~chema -> chema is probably a user
![Page 50: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/50.jpg)
Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
21) /, /~chema/ and /~chema/dir/ are paths
22) Try directory listing in all the paths
23) Search for PUT, DELETE, TRACE methods in every path
24) Fingerprint software from 404 error messages
25) Fingerprint software from application error messages
26) Try common names on all domains (dictionary)
27) Try zone transfer on all NS
28) Search for any URL indexed by web engines related to the hostname
29) Download the file
30) Extract the metadata, hidden info and lost data
31) Sort all this information and present it nicely
32) For every new IP/URL start over again
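The following is an added example, not FOCA's implementation, of the part of this algorithm that can be shown without a network: the decomposition of one URL into domains, hostname, probable user and path prefixes (steps 3, 5, 8, 20 and 21) and the worklist loop that keeps feeding new names back in (steps 11, 15, 18, 19 and 32). The three lookups the loop depends on (A resolution, the "ip:" search for hosts sharing an address, and reverse PTR lookup across the /24) are injected as callables, and the block wires them to a small constructed topology (domain.com, the 192.0.2.0/24 documentation range) so it runs offline; in real use they would wrap DNS queries and a search-engine client. The internal-NS step (17) and the web-side probes (22 onwards) are not modelled.

```python
import ipaddress
from collections import deque
from urllib.parse import urlsplit


def decompose_url(url):
    """Steps 3, 5, 8, 20 and 21: everything one URL says about the target."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    # Every suffix with at least two labels is a (sub)domain; the hostname itself
    # only counts when it is already the apex (e.g. http://domain.com/).
    suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    domains = [s for s in suffixes if s != host or len(labels) == 2]
    segments = [s for s in parts.path.split("/") if s]
    # "/", "/~chema/", "/~chema/dir/": every directory prefix, never the file itself.
    paths = ["/"] + ["/" + "/".join(segments[:i]) + "/" for i in range(1, len(segments))]
    users = [s[1:] for s in segments if s.startswith("~") and len(s) > 1]
    return {"hostname": host, "domains": domains, "paths": paths, "users": users}


def discover(seed_urls, resolve, reverse_lookup, shared_hosts, max_hosts=200):
    """Worklist form of the recursive loop. Every new host is resolved, every
    new IP is checked for virtual hosts sharing it and its /24 is PTR-scanned,
    and every name that comes back is queued again until nothing new appears."""
    hosts, ips, domains, users, paths = set(), set(), set(), set(), set()
    queue = deque(seed_urls)
    while queue and len(hosts) < max_hosts:
        info = decompose_url(queue.popleft())
        domains.update(info["domains"])
        users.update(info["users"])
        paths.update(info["paths"])
        host = info["hostname"]
        if not host or host in hosts:
            continue
        hosts.add(host)
        for ip in resolve(host):                                   # step 11
            if ip in ips:
                continue
            ips.add(ip)
            new_names = list(shared_hosts(ip))                     # step 15
            for neighbour in ipaddress.ip_network(f"{ip}/24", strict=False):
                new_names.extend(reverse_lookup(str(neighbour)))   # step 18
            for name in new_names:                                 # steps 19, 32
                if name not in hosts:
                    queue.append(f"http://{name}/")
    return {"hosts": sorted(hosts), "ips": sorted(ips), "domains": sorted(domains),
            "users": sorted(users), "paths": sorted(paths)}


# Constructed topology for the offline run (made-up names, documentation addresses).
FAKE_A = {
    "apple1.sub.domain.com": ["192.0.2.10"],
    "www.domain.com": ["192.0.2.10"],
    "intranet.domain.com": ["192.0.2.10"],
    "mail.domain.com": ["192.0.2.25"],
}
FAKE_PTR = {"192.0.2.10": ["apple1.sub.domain.com"], "192.0.2.25": ["mail.domain.com"]}
FAKE_SHARED = {"192.0.2.10": ["www.domain.com", "intranet.domain.com"]}


def run_demo():
    """Start from the slide's example URL and walk the fake topology."""
    return discover(
        ["http://apple1.sub.domain.com/~chema/dir/fil.doc"],
        resolve=lambda h: FAKE_A.get(h, []),
        reverse_lookup=lambda ip: FAKE_PTR.get(ip, []),
        shared_hosts=lambda ip: FAKE_SHARED.get(ip, []),
    )


if __name__ == "__main__":
    for key, values in run_demo().items():
        print(f"{key}: {values}")
```

From the single seed URL the loop reaches mail.domain.com only through the PTR scan of 192.0.2.0/24, and intranet.domain.com only through the shared-IP search, which is exactly why the two steps are in the algorithm. The max_hosts cap matters on real targets: the "huge domains" case a few slides on is this loop with no bound.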
![Page 51: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/51.jpg)
![Page 52: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/52.jpg)
PC/Servers view
![Page 53: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/53.jpg)
How FOCA found a piece of data
![Page 54: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/54.jpg)
Role Oriented View
![Page 55: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/55.jpg)
Vulnerabilities View
![Page 56: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/56.jpg)
DNS Version.bind
![Page 57: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/57.jpg)
Primary Master
![Page 58: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/58.jpg)
Demo: fbi.gov, whitehouse.gov
![Page 59: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/59.jpg)
Customizable Search
![Page 60: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/60.jpg)
FOCA + Spidering
![Page 61: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/61.jpg)
FOCA + Spidering
![Page 62: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/62.jpg)
Demo : Foca + Spidering
![Page 63: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/63.jpg)
Internal PTR Scanning using FOCA
![Page 64: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/64.jpg)
Internal PTR Scanning
![Page 65: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/65.jpg)
Fingerprinting Options
• 404 Not Found messages
  – Domain names and software
• ASPX error messages
• HTTP banner
  – Hostname
  – IP address
• SMTP banner
• Digital certificates
• Shodan
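Added example (not FOCA's code) of the first three options: it takes a raw HTTP response and reports the software named in the banner headers, the hostnames leaked by an Apache 404 footer or a redirect to a backend name, and any RFC 1918 address that appears anywhere in the response. The two responses are constructed for the example; intranet-web01.corp.example.com, srv-app02.corp.example.com and 10.0.1.15 are made-up values.

```python
import re
from urllib.parse import urlsplit

# Apache's default ErrorDocument footer (ServerSignature On) names the software and
# the ServerName the request landed on, often an internal name behind a load balancer.
APACHE_FOOTER = re.compile(r"<address>(Apache[^<]*?) Server at ([^\s<]+) Port (\d+)</address>")
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

# Constructed sample responses, not captured traffic.
APACHE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
    "<p>The requested URL /~chema/dir/ was not found on this server.</p><hr>"
    "<address>Apache/2.2.3 (CentOS) Server at intranet-web01.corp.example.com Port 80</address>"
    "</body></html>"
)
IIS_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Location: http://srv-app02.corp.example.com/login.aspx?ReturnUrl=%2f\r\n\r\n"
    "<html><head><title>Object moved</title></head><body><!-- node 10.0.1.15 -->"
    "<h2>Object moved to <a href='http://srv-app02.corp.example.com/login.aspx'>here</a>.</h2>"
    "</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP response into status line, header dict (lower-cased, multi-valued) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers, body


def fingerprint(raw):
    """Software, hostnames and internal addresses leaked by one response."""
    _status, headers, body = parse_response(raw)
    found = {"software": set(), "hostnames": set(), "internal_ips": set()}
    for name in BANNER_HEADERS:                           # HTTP banner
        for value in headers.get(name, []):
            found["software"].add(f"ASP.NET {value}" if name == "x-aspnet-version" else value)
    for value in headers.get("location", []):             # redirect to a backend name
        host = urlsplit(value).hostname
        if host:
            found["hostnames"].add(host)
    m = APACHE_FOOTER.search(body)                        # 404 footer
    if m:
        found["software"].add(m.group(1))
        found["hostnames"].add(m.group(2))
    found["internal_ips"].update(PRIVATE_IP.findall(raw))  # addresses anywhere in the response
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for sample in (APACHE_404, IIS_302):
        print(fingerprint(sample))
```

Request a path that cannot exist to provoke the 404 deliberately; the footer only appears while ServerSignature is On, which was the default on Apache 2.2 and earlier and is Off by default on 2.4, so its absence is not proof of anything. The same parser can be pointed at ASPX error pages by adding a pattern for the stack-trace block, which is where version strings and internal paths usually show up.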
![Page 66: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/66.jpg)
Digital Certificates
![Page 67: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/67.jpg)
FOCA 2.5 & Shodan
![Page 68: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/68.jpg)
FOCA 2.5 URL Analysis
![Page 69: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/69.jpg)
.listing
![Page 70: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/70.jpg)
Insecure HTTP Methods
![Page 71: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/71.jpg)
Search & Upload
![Page 72: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/72.jpg)
Searching for Server-Side Technologies
![Page 73: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/73.jpg)
Proxy
![Page 74: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/74.jpg)
Fuzzing options
![Page 75: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/75.jpg)
Backup discovery
![Page 76: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/76.jpg)
Playing with URLs
![Page 77: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/77.jpg)
DNS Cache Snooping
![Page 78: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/78.jpg)
DNS Cache Snooping
![Page 79: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/79.jpg)
DNS Cache Snooping
• Internal software
  – Windows Update
  – Gtalk
• Evilgrade
  – Detecting software vulnerable to Evilgrade attacks
• AV evasion
  – Detecting internal AV systems
• Malware driven by URL
  – Hacking a web site usually visited by internal users
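Added example (not FOCA's implementation) of the probe behind these four uses: a DNS query with the RD (recursion desired) bit cleared, so a resolver that honours it can only answer from its cache. If an answer comes back, some client behind that resolver looked the name up recently, and a TTL lower than the zone's own TTL tells you roughly how long ago. The packet builder and parser are written against the wire format directly so nothing beyond the standard library is needed; the reply used to exercise the parser is constructed, not captured, and 192.0.2.1 is a documentation address.

```python
import random
import socket
import struct


def encode_name(name):
    """Dotted name to DNS label format."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, recursion_desired=False, txid=None):
    """One-question query; RD is clear by default, which is the whole trick."""
    if txid is None:
        txid = random.randrange(0x10000)
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:                # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(data):
    """Header flags plus the answer section (A records rendered as dotted quads)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4                                # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"id": txid, "rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "answers": answers}


def classify(result):
    """Verdict for a reply to an RD=0 probe."""
    if result["rcode"] == 0 and result["answers"]:
        # An authoritative answer means the server hosts the zone; it says nothing about clients.
        return "authoritative" if result["aa"] else "cached"
    if result["rcode"] == 5:
        return "refused"
    return "not-cached"


def snoop(server, name, timeout=2.0):
    """Send one non-recursive probe over UDP and classify the reply (network; not run offline)."""
    txid = random.randrange(0x10000)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    result = parse_response(data)
    if result["id"] != txid:
        raise ValueError("transaction id mismatch")
    return classify(result), result["answers"]


def sample_cached_reply(txid=0x1234):
    """Constructed reply: QR=1, RD=0, RA=1, rcode 0, one A record with a partly expired TTL."""
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2718, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    print(classify(parse_response(sample_cached_reply())))
```

The same probe from the command line is `dig @resolver +norecurse name`. Two caveats: some resolvers answer recursively regardless of the RD bit, which turns every probe into "cached" (compare the TTL against the zone's TTL, or probe a name nobody would have asked for, to detect that), and an open resolver that honours RD=0 has no reason to be reachable from outside, so finding one is a finding in itself.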
![Page 80: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/80.jpg)
DNS Cache detection
![Page 81: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/81.jpg)
Demo: DNS Cache Snooping
![Page 82: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/82.jpg)
Log filter
![Page 83: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/83.jpg)
FOCA Reporting Module
![Page 84: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/84.jpg)
FOCA Reporting Module
![Page 85: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/85.jpg)
Demo: Log & Reporting
![Page 86: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/86.jpg)
Fear The FOCA
![Page 87: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/87.jpg)
FOCA Online
http://www.informatica64.com/FOCA
![Page 88: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/88.jpg)
Cleaning documents
• OOMetaExtractor
http://www.codeplex.org/oometaextractor
![Page 90: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/90.jpg)
Buy a FOCA T-Shirt
And be «Sexy» }:))
![Page 91: Foca training hackcon6](https://reader033.vdocuments.us/reader033/viewer/2022061305/5498b5a7b479593b038b45b6/html5/thumbnails/91.jpg)
Questions?
- Chema Alonso
- [email protected]
- http://www.informatica64.com
- http://www.elladodelmal.com
- http://twitter.com/chemaalonso
- http://www.forefront-es.com
- http://www.seguridadapple.com
- http://www.windowstecnico.com
- http://www.puntocompartido.com
- Working on FOCA:
  - Chema Alonso
  - Alejandro Martín
  - Francisco Oca
  - Manuel Fernández «The Sur»
  - Daniel Romero
  - Enrique Rando
  - Pedro Laguna
- Special thanks to: John Matherly [Shodan]