Chema Alonso

The Power of FOCA 3

20/03/2013 2Chema Alonso

At the begining was the metadata

20/03/2013 3Chema Alonso

Anonym0us case

20/03/2013 4Chema Alonso

Drug Dealer

20/03/2013 5Chema Alonso

The breasts of Hacker’s girlfriend

20/03/2013 6Chema Alonso

Social Engineering Attack

20/03/2013 7Chema Alonso

• Hidden Relations–Companies–People

• Software Piracy

• History of documents

• Tactical information–Targeted Attacks

–Internal knowledge

• Ploting events–Places–Time

Metadata Risks

20/03/2013 8Chema Alonso

Forensic FOCA

http://www.elladodelmal.com/2012/02/forensic-foca-beta-trial.html

20/03/2013 9Chema Alonso

Metadata, hidden info & lost data

Metadata

Lost DataHidden

Info

Bad Format conversionBad management

New appsNew versions

EmbeddedFilesSearchers

SpydersDoc DB

Embedded Files

Bad managementEmbedded objects

20/03/2013 10Chema Alonso

Show Me Your Metadata

20/03/2013 11Chema Alonso

Targeting Malware

20/03/2013 12Chema Alonso

Targeting Malware

20/03/2013 13Chema Alonso

Hidden Info: Printers

20/03/2013 14Chema Alonso

Electing the entry point

20/03/2013 15Chema Alonso

Internal Fingerprinting

with FOCA

Chema Alonso

Phase 1: Metadata

20/03/2013 17Chema Alonso

FOCA 2

20/03/2013 18Chema Alonso

Recursive Network

Discovery• Servers• Domains• HostNames

• IP Address

• Roles

20/03/2013 19Chema Alonso

Network Discovery:

WebSearcher

20/03/2013 20Chema Alonso

Network Discovery: DNSWell Known

RecordsZone

Transfer

Diccionary Search

SOA, MX, SPF, DKIM, LDAP, VoIP, Active Directory….

AXFR

Server1, Intranet, Private, DNS, etc….

20/03/2013 21Chema Alonso

DNS Search

20/03/2013 22Chema Alonso

Primary Master

20/03/2013 23Chema Alonso

Network Discovery: Bing IP

20/03/2013 24Chema Alonso

Network Discovery: PTR Scannig

20/03/2013 25Chema Alonso

Network Discovery: Robtex

20/03/2013 26Chema Alonso

Network Discovery: Shodan

20/03/2013 27Chema Alonso

Digital Certificates

20/03/2013 28Chema Alonso

Roles View

20/03/2013 29Chema Alonso

Google Slash Trick

20/03/2013 30Chema Alonso

http://apple1.sub.domain.com/~chema/dir/fil.doc

1) http -> Web server 2) GET Banner HTTP3) domain.com is a domain4) Search NS, MX, SPF records for domain.com5) sub.domain.com is a subdomain6) Search NS, MX, SPF records for sub.domain.com7) Try all the non verified servers on all new domains

1) server01.domain.com2) server01.sub.domain.com

8) Apple1.sub.domain.com is a hostname9) Try DNS Prediction (apple1) on all domains10) Try Google Sets(apple1) on all domains

Network Discovery Algorithm

20/03/2013 31Chema Alonso

http://apple1.sub.domain.com/~chema/dir/fil.doc

11) Resolve IP Address12) Get Certificate in https://IP13) Search for domain names in it14) Get HTTP Banner of http://IP15) Use Bing Ip:IP to find all domains sharing it16) Repeat for every new domain 17) Connect to the internal NS (1 or all)18) Perform a PTR Scan searching for internal servers19) For every new IP discovered try Bing IP recursively20) ~chema -> chema is probably a user

Network Discovery Algorithm

20/03/2013 32Chema Alonso

http://apple1.sub.domain.com/~chema/dir/fil.doc

21) / , /~chema/ and /~chema/dir/ are paths22) Try directory listing in all the paths23) Search for PUT, DELETE, TRACE etc.. methods in every path24) Fingerprint software from 404 error messages25) Fingerprint software from application error messages26) Try common names on all domains (dictionary)27) Try Zone Transfer on all NS28) Search for any URL indexed by web engines related to the hostname29) Download the file30) Extract the metadata, hidden info and lost data31) Sort all this information and present it nicely32) For every new IP/URL start over again

Network Discovery Algorithm

20/03/2013 33Chema Alonso

Click & Go

20/03/2013 34Chema Alonso

How Foca found a data

20/03/2013 35Chema Alonso

Multiple Search Engines

20/03/2013 36Chema Alonso

Huge domain case

20/03/2013 37Chema Alonso

• 404 messages• Apps Error Messages• HTTP Banner

– Hostname– IP Addres

• SMTP Banner• Digital Certificates• Shodan• Version.bind

Fingerprinting Options

Chema Alonso

Phase 2: Network

Discovery

20/03/2013 39Chema Alonso

An0nymous #OpGreece

Chema Alonso

Phase 3: Vulnerabilities

20/03/2013 41Chema Alonso

Vulnerabilities

20/03/2013 42Chema Alonso

Backups

20/03/2013 43Chema Alonso

Directory Listing

20/03/2013 44Chema Alonso

DNS Cache Snooping

20/03/2013 45Chema Alonso

DNS Cache Snooping

20/03/2013 46Chema Alonso

• Internal Software– Windows Update– Gtalk

• Evilgrade– Detecting vulnerable software to

Evilgrade attacks

• AV evassion– Detecting internal AV systems

• Malware driven by URL– Hacking a web site ussually visited by

internal users

DNS Cache Snooping

20/03/2013 47Chema Alonso

.DS_Store

20/03/2013 48Chema Alonso

PHP CGI CODE EXECUTION BUG

20/03/2013 49Chema Alonso

Insecure Http Methods

20/03/2013 50Chema Alonso

Search & Upload

20/03/2013 51Chema Alonso

Juicy filesWhite/black list of matches for

keywords and extensions

20/03/2013 52Chema Alonso

Juicy files

20/03/2013 53Chema Alonso

.listing

20/03/2013 54Chema Alonso

Multiple Choices

20/03/2013 55Chema Alonso

.svn/entriesA .svn/entries file looks like:

20/03/2013 56Chema Alonso

.svn/entriesThere is a plugin that parse the file

20/03/2013 57Chema Alonso

IIS Short Name bug

20/03/2013 58Chema Alonso

• Mod_proxy

• Ad-hoc–Normal

–Transparent

Proxy Server detection

20/03/2013 59Chema Alonso

Proxy Server Detection

20/03/2013 60Chema Alonso

Leaks:modsecurity_crs_50_outb

ound.conf

20/03/2013 61Chema Alonso

Error Enforcement

20/03/2013 62Chema Alonso

Leaks

20/03/2013 63Chema Alonso

User directories

Search for ~USER in Apache webservers

20/03/2013 64Chema Alonso

• Network Discovery

• Document Search

• File parsing– Directory

Listing– Robots.txt– .Listing– .DS_Store (not

yet)

All your Foca needs is URLs• Domain

Crawling– Bing– Google

• Technology Recognition

• Custom Search

• Manual load

20/03/2013 65Chema Alonso

Domain Crawling

20/03/2013 66Chema Alonso

Custom Search

20/03/2013 67Chema Alonso

FOCA + Spidering

20/03/2013 68Chema Alonso

FOCA + Spidering

Chema Alonso

Phase 4: Plugins

20/03/2013 70Chema Alonso

Plugins: FOCA API 0.1From FOCA to plugins

(Events)- OnNewDomain - OnNewNetrange- OnNewURL - OnNewRelation- OnNewIP - OnNewProject

From Plugins to FOCA (Calls)- AddDomain - AddSQLi- AddProxy - AddIp …. And much more….

20/03/2013 71Chema Alonso

Plugins: .svn/Entries

parser

20/03/2013 72Chema Alonso

Plugins: .svn/Entries

parser

20/03/2013 73Chema Alonso

Plugins: WebFuzzer

20/03/2013 74Chema Alonso

Plugins: Auto SQLi searcher

20/03/2013 75Chema Alonso

IIS Short Name Fuzzer

Chema Alonso

Making an esay Plugin

20/03/2013 77Chema Alonso

FOCA Reporting Module

20/03/2013 78Chema Alonso

20/03/2013 79Chema Alonso

Threat Analisys & Modeling

20/03/2013 80Chema Alonso

Reporting OSSTMM 3.0:

STAR

20/03/2013 81Chema Alonso

OWASP Report Generator

20/03/2013 82Chema Alonso

“i64” Web Audit Report

20/03/2013 83Chema Alonso

Fear The FOCA

20/03/2013 84Chema Alonso

FOCA Online

20/03/2013 85Chema Alonso

Cleaning ODF: OOMetaExtractor

http://www.codeplex.org/oometaextractor

20/03/2013 86Chema Alonso

IIS MetaShield Protector

http://www.metashieldprotector.com

20/03/2013 87Chema Alonso

Evil FOCA

20/03/2013 88Chema Alonso

Thanks to Apple

20/03/2013 89Chema Alonso

Thanks to Apple (2)

20/03/2013 90Chema Alonso

Chema Alonso

• chema@informatica64.com

• @chemaalonso• http://elladodel

mal.com• http://www.info

rmatica64.com

20/03/2013 91Chema Alonso

FOCA

http://www.informatica64.com/foca.aspxamigosdelafoca@informatica64.com