open source intelligence - cccsecuritycenter.org
![Page 1: Open Source Intelligence - cccsecuritycenter.org](https://reader030.vdocuments.us/reader030/viewer/2022012811/61c2866b14be8c4efe3200ea/html5/thumbnails/1.jpg)
Open Source Intelligence
Omer Usmani
Security Analyst
CCC Technology Center
OSINT
● Framework for gathering intelligence from publicly available sources
OSINT Sources
● Information is often found on social media, an organization's online directory, Linux servers open to the internet, log files, etc.
Brief History
Why is OSINT important?
● Information from data breaches
● Find insecure devices connected to the internet
● Obsolete software
● Potential PII
End Goals
1) Social Engineering
2) Discovering potential attack vectors
3) Finding PII
Identifiers
● Name
● Birthday
● IP Address
● MAC Address
● Phone Number
● Home Address
● License Plate
● Etc.
Pivoting
● Searching for the same identifier across multiple datasets, so that a hit in one source (e.g. an email address in a breach dump) becomes the search key for the next.
Workflow
Can be used offensively and defensively.
1) Identifying the source
2) Harvesting
3) Data Processing
4) Analysis
5) Reporting
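The pivoting and workflow slides above, carried through in code as an added example (not from the original slides): three constructed datasets with fictitious people, hosts and RFC 5737 addresses stand in for harvested sources, identifiers are normalised during data processing, and a breadth-first pivot links every record that shares an identifier before a short report is produced.

```python
"""Pivoting one identifier across several OSINT datasets.

Added example, not from the original slides. The three datasets are
constructed, with fictitious people, hosts and RFC 5737 addresses, to
show the harvesting, data-processing, analysis and reporting steps of
the workflow, and how a hit in one source becomes the search key for
the next.
"""
import re
from collections import defaultdict

# Constructed "harvested" records from three hypothetical sources.
SOCIAL = [
    {"handle": "jdoe_pdx", "email": "J.Doe@Example.EDU", "phone": "(503) 555-0142"},
    {"handle": "ops_bob", "email": "bob@example.edu", "phone": "503-555-0199"},
]
BREACH = [
    {"email": "j.doe@example.edu", "password_hash": "5f4dcc3b...", "ip": "198.51.100.23"},
    {"email": "alice@example.org", "password_hash": "e99a18c4...", "ip": "203.0.113.9"},
]
WEBLOG = [
    '203.0.113.9 - - [10/Oct/2023:13:55:36 -0700] "GET /admin/ HTTP/1.1" 403',
    '198.51.100.23 - - [10/Oct/2023:14:02:11 -0700] "GET /.env HTTP/1.1" 200',
]

IDENTIFIER_KINDS = ("email", "phone", "ip")
NON_DIGIT = re.compile(r"\D")


def normalize(kind, value):
    """Data processing: canonicalise an identifier so the same person or
    host matches across datasets regardless of how each source wrote it."""
    if kind == "email":
        return value.strip().lower()
    if kind == "phone":
        digits = NON_DIGIT.sub("", value)
        return digits[-10:]          # national number; drops a leading country code
    return value.strip()


def harvest():
    """Harvesting: yield (kind, normalised value, source, record) for every
    identifier in every dataset."""
    for rec in SOCIAL:
        yield "email", normalize("email", rec["email"]), "social", rec
        yield "phone", normalize("phone", rec["phone"]), "social", rec
    for rec in BREACH:
        yield "email", normalize("email", rec["email"]), "breach", rec
        yield "ip", normalize("ip", rec["ip"]), "breach", rec
    for line in WEBLOG:
        client_ip = line.split(" ", 1)[0]   # first field of a combined-format log line
        yield "ip", client_ip, "weblog", {"line": line}


def build_index(records):
    """Group records by (kind, value) so any identifier can be looked up."""
    index = defaultdict(list)
    for kind, value, source, rec in records:
        index[(kind, value)].append((source, rec))
    return index


def pivot(index, kind, value):
    """Analysis: breadth-first pivot. Start from one identifier, collect every
    record sharing it, then treat the other identifiers in those records as
    new search keys until nothing new turns up."""
    start = (kind, normalize(kind, value))
    seen, queue, hits = set(), [start], []
    while queue:
        key = queue.pop(0)
        if key in seen:
            continue
        seen.add(key)
        for source, rec in index.get(key, []):
            hits.append((key, source, rec))
            for other in IDENTIFIER_KINDS:
                if other in rec:
                    next_key = (other, normalize(other, rec[other]))
                    if next_key not in seen:
                        queue.append(next_key)
    return hits


def report(hits):
    """Reporting: which sources each linked identifier appeared in."""
    summary = defaultdict(set)
    for (kind, value), source, _ in hits:
        summary[f"{kind}:{value}"].add(source)
    return {ident: sorted(sources) for ident, sources in summary.items()}


if __name__ == "__main__":
    index = build_index(harvest())
    for ident, sources in report(pivot(index, "email", "J.Doe@Example.EDU")).items():
        print(f"{ident:30} -> {', '.join(sources)}")
```

Starting from the social-media email address, the pivot reaches the breach record through the normalised email, the phone number through the social profile, and the web-server log line through the breach record's IP; alice@example.org shares no identifier with that chain and stays out of the report.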
OSINT Tools & Techniques
● Google Dorking
● Shodan
● SpiderFoot
What is Google Dorking?
● Using the Google search engine to query for information that may or may not be intended to be available to the public.
What type of Information can be found?
● Exposed critical directories
● Vulnerable files and servers
● Files containing usernames and passwords
● Sensitive online shopping info
How do search engines work?
Common Operators
● cache:
● allintext:
● allinurl:
● allintitle:
● link:
● site:
● filetype:
● *
● |
● +
● -
(Google has since retired the + operator, link: and cache:; use double quotes to force an exact term instead of +.)
Google Dork Examples
● intitle:"webcamXP 5"
● allintext:username filetype:log
● intitle:"index of" inurl:ftp
● allintext:db_password filetype:env
● intitle:"report" ("nessus" | "nmap" | "burp") filetype:pdf
(No space after the operator colon; intitle: "webcamXP 5" with a space is treated as two separate terms.)
Preventing Google Dorks
● Encode/encrypt sensitive data
● Google Dork your own sites
● Create a robots.txt document on your webserver.
robots.txt only asks well-behaved crawlers not to index a path; it does not block access, and the file itself is public, so listing /admin/ in it tells an attacker where to look. Put sensitive paths behind authentication (or remove them from the web root) and, where a page must stay reachable but unindexed, send an X-Robots-Tag: noindex header.
robots.txt
User-agent: *
Disallow: /
Disallow: /admin/
Disallow: /privatearea/file.html
Disallow: /*?
(Disallow lines only apply inside a User-agent group. Each line above is a separate example; Disallow: / on its own excludes the whole site, and /*? excludes any URL with a query string.)
Shodan
● Search engine for the IoT: it indexes the banners of internet-facing services rather than web pages
Shodan Filters
● city
● country
● hostname
● net
● os
● port
● postal
● product
● version
● vuln
Shodan Demo
Open SSH (CLI)
shodan search port:22 city:"Portland"
Open VNC (Web)
"authentication disabled" "RFB 003.008"
Open RDP (Web)
port:3389
port:3389 city:"Portland"
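The "authentication disabled" "RFB 003.008" query above matches VNC servers whose RFB handshake offers security type 1 ("None"). As an added example (not from the original slides), the script below parses that handshake from constructed server messages, shows the single byte a client sends back to pick a type, and produces the same verdict Shodan tags the banner with. The banners are constructed byte strings modelled on RFB 3.3 and 3.8; nothing here touches the network.

```python
"""Deciding from the RFB handshake whether a VNC server needs authentication.

Added example, not from the original slides. Shodan's "authentication
disabled" tag on an "RFB 003.008" banner comes from the security-type
list a VNC server sends right after its ProtocolVersion: type 1 ("None")
means anyone can connect. The byte strings below are constructed to
model that exchange; nothing here touches the network.
"""
import struct

# Security types registered for RFB 3.7+ (subset)
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop",
}


def parse_server_hello(data):
    """Parse the server's ProtocolVersion plus the message that follows it.
    Returns (version, offered security types, refusal reason or None)."""
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion message")
    version = data[:12].decode("ascii").rstrip("\n")       # e.g. "RFB 003.008"
    major, minor = (int(x) for x in version[4:].split("."))
    body = data[12:]
    if (major, minor) < (3, 7):
        # RFB 3.3: the server chooses; a single big-endian U32 type follows
        (stype,) = struct.unpack("!I", body[:4])
        return version, [stype], None
    count = body[0]                                         # U8 number-of-security-types
    if count == 0:
        # Server refuses the connection: U32 reason length + reason string
        (reason_len,) = struct.unpack("!I", body[1:5])
        return version, [], body[5:5 + reason_len].decode("utf-8", "replace")
    return version, list(body[1:1 + count]), None


def authentication_disabled(types):
    """True when the server offers type 1 ("None"), i.e. no credential needed."""
    return 1 in types


def client_choice(types):
    """The single U8 the client sends back to select a type. An auditor picks
    "None" whenever it is offered, since that proves the server is open."""
    return bytes([1 if 1 in types else types[0]])


def classify(data):
    """One-line verdict in the spirit of the Shodan banner tag."""
    version, types, reason = parse_server_hello(data)
    if reason is not None:
        return f"{version}: connection refused ({reason})"
    names = ", ".join(SECURITY_TYPES.get(t, f"unknown({t})") for t in types)
    state = "authentication disabled" if authentication_disabled(types) else "authentication required"
    return f"{version}: {state}; offered {names}"


# Constructed server messages (ProtocolVersion + security-type list)
OPEN_VNC = b"RFB 003.008\n" + bytes([1, 1])                 # offers only None
PASSWORD_VNC = b"RFB 003.008\n" + bytes([1, 2])             # offers only VNC Authentication
MIXED_VNC = b"RFB 003.008\n" + bytes([2, 2, 1])             # offers both; None still accepted
LEGACY_OPEN = b"RFB 003.003\n" + struct.pack("!I", 1)       # RFB 3.3 server picking None
REFUSED = b"RFB 003.008\n" + bytes([0]) + struct.pack("!I", 13) + b"Too many auth"

if __name__ == "__main__":
    for banner in (OPEN_VNC, PASSWORD_VNC, MIXED_VNC, LEGACY_OPEN, REFUSED):
        print(classify(banner))
```

The MIXED_VNC case is the one that matters when auditing your own hosts: a server that lists VNC Authentication alongside None is still open, because the client, not the server, decides which offered type is used.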
Preventing Shodan Searches
● Shodan indexes whatever banner an internet-facing service returns, so the reliable fix is not to expose the service: firewall management ports such as 22, 3389 and 5900 from the internet, put them behind a VPN, and replace default credentials on anything that must stay reachable.
Common Default Passwords
● ACTi: admin/123456 or Admin/123456
● Axis (traditional): root/pass
● Axis (new): requires password creation during first login
● Cisco: No default password, requires creation during first login
● Grandstream: admin/admin
● IQinVision: root/system
● Mobotix: admin/meinsm
● Panasonic: admin/12345
● Samsung Electronics: root/root or admin/4321
● Samsung Techwin (old): admin/1111111
● Samsung Techwin (new): admin/4321
● Sony: admin/admin
● TRENDnet: admin/admin
● Toshiba: root/ikwd
● Vivotek: root/<blank>
● WebcamXP: admin/<blank>
SpiderFoot Demo
Resources
● HaveIBeenPwned
● Intelligence X
● DeHashed