Open Source INTelligence Gabriele Zanoni @infoshaker OSINT Festival ICT Sikurezza.org
Jul 02, 2015
Open Source INTelligence
Gabriele Zanoni @infoshaker
OSINT - Festival ICT - Sikurezza.org
SIKUREZZA.ORG
Index
Information that we share
Introduction to OSINT
Tools and examples
The power of analysis
Summary
Information that we share
Social networks expose our private and professional life…
Companies expose their own information…
Introduction to OSINT
OSINT
Open Source INTelligence is intelligence collected from publicly available sources.
[1] http://en.wikipedia.org/wiki/Open-source_intelligence
It’s not a tool, it’s not a website, it’s not fee-based, it’s not free…
Why OSINT
In a rapidly changing world we need high-quality information at the exact moment we need it.
What’s the value we get from OSINT
«You see? You hesitate. But as a captain, you can't. You have to act. If you don't, you put the entire crew at risk. Now that's the job. It's not a science. You have to be able to make hard decisions based on imperfect information. Asking men to carry out orders that may result in their deaths. And if you're wrong, you suffer the consequences. If you're not prepared to make those decisions, without pause, without reflection, then you've got no business being a submarine captain.»
Lt. Commander Mike Dahlgren, U-571
How can we use OSINT?
• What’s the need?
  – Alerts in real time
  – Handling and Monitoring of the situation
  – State of the Art
Raw Data
• Mailing List • Newsgroup • Chat • Pastebin • Blog
Preprocessed Data
• Journals • Publications
Elaborated Data
• Researches • Reports • Analysis
How can we use OSINT?
• What’s the need?
  – Alerts in real time
  – Handling and Monitoring of the situation
  – State of the Art
• How to reach the goal?
Raw Data | Preprocessed Data | Elaborated Data
Ways to perform the searches
• Dedicated search engines
• Keywords
• Ad-hoc early warning systems
• Feeds from generic sources of information
• “standard” monitoring systems
• Are available “when ready”
• Feeds from specialist sources
Time VS Quality VS Efforts
[Figure: chart with TIME and QUALITY axes; labels: Level of the effort, Volume of the data you have to parse; Quality = Reliability and Relevancy]
The Information Search Process
Discovery
Selection
Formulation
Delivery
#HowToFail
• Incomplete identification of the sources
• Not always structured data -> Are you searching in a library or in a bazaar?
• “Not easy to access” data -> methods and/or formats
• Too much information
«It refers to a hypothetical situation wherein an ass that is equally hungry and thirsty is placed precisely midway between a stack of hay and a pail of water. Since the paradox assumes the ass will always go to whichever is closer, it will die of both hunger and thirst since it cannot make any rational decision to choose one over the other.» http://en.wikipedia.org/wiki/Buridan%27s_ass
TOOLS AND EXAMPLES
Analysis of a Web Site
• From the website to the people
  – Owners
  – Shareholders
  – Maintainers
  – Etc…
Who has registered a website
An example
Back in time
Registro Imprese
Finding people on Social Networks
Finding a nick:
• http://namechk.com
• http://www.namechecklist.com
• http://www.namecheckr.com
Creepy - http://ilektrojohn.github.io/creepy/
• A Geolocation OSINT Tool. Offers geolocation information gathering through social networking platforms.
• Support:
  – Flickr
  – Instagram
  – Twitter
Image Analysis
• Where was a photo taken?
http://imageforensic.org
Law and the metadata
“Gabriella Carlucci’s bill to “regulate the Internet” is in reality yet another clumsy “anti-piracy” measure disguised as something else. After all, the Honourable Carlucci has over these years built up real competence in the matter (where competence is a term to be handled with extreme caution). In any case, the Carlucci proposal, freely downloadable from her blog in .doc format, has something odd about it. As Guido Scorza noted, the computer on which the document was written is registered to a certain Daniele Rossi of Univideo. Evidently a friend of Gabriella’s, a namesake of the president of the Unione Italiana Editoria audiovisivi.”
http://www.rigeneriamoci.com/i-metadati-e-lon-carlucci/
Why metadata are important
• You will discover the true authors of the documents
• Or clues about whether the documents have been shared with someone (e.g. the user that has saved the document)
• Verify whether the document is from a certain company, person, etc.
• Who is working in a company or for a specific company
Finding Metadata with FOCA
https://www.elevenpaths.com/labs-tools-foca.html
Foca and Foca Forensics
• Foca: it’s a tool to scan websites and download documents in order to extract metadata in those documents
• Foca Forensics: same as Foca, but it works on already downloaded data
• Download:
  – http://www.informatica64.com/foca.aspx
  – http://www.informatica64.com/forensicfoca/
Foca Forensics
Anonymous has leaked some data and you want to verify whether the information it contains is true…
You have to download the data and scan it with Foca Forensics
Shodan - http://www.shodanhq.com/
• Shodan is a system able to index services and devices on the Internet
• You can easily identify Webcams, Web administration systems, vulnerable software (e.g. based on the software banner)
Fbstalker - https://github.com/milo2012/osintstalker
Maltego - https://www.paterva.com
Maltego is an open source intelligence and forensics application. It will offer you timous mining and gathering of information as well as the representation of this information in an easy to understand format.
A Maltego analysis can start from:
– A person name
– A document
– An email
– A phone
– Etc.
The power of analysis
Nobody knows…together we know!
http://wisdomofcrowds.blogspot.it/2009/12/vox-populi-sir-francis-galton.html
Who is using OSINT?
“For the past three years, Elaine Rich and 3,000 other average people have been quietly making probability estimates about
everything from Venezuelan gas subsidies to North Korean politics as part of , an experiment put together by three well-known
psychologists and some people inside the intelligence community.”
“According to one report, the predictions made by the Good Judgment Project are often better even than intelligence analysts
with access to classified information, and many of the people involved in the project have been astonished by its success at
making accurate predictions.”
http://www.npr.org/blogs/parallels/2014/04/02/297839429/-so-you-think-youre-smarter-than-a-cia-agent
http://www.goodjudgmentproject.com/
http://gizmodo.com/5947393/remember-youre-not-only-naming-your-pet-youre-also-securing-your-digital-future
There is a funny comic strip in which the father gives this advice to his son: “You should pay attention while choosing your dog's name because it will be your security question answer for the rest of your life!”
Reality Check!
http://www.theguardian.com/technology/askjack/2008/sep/19/security.email
How do you answer your security questions?
The goal is to optimize the attacks while making little noise.
Info for password cracking:
• Girlfriend/wife name
• Pet name
• Date of Birth
• Sport teams
• Place of birth
• Addresses
• List of schools
I know where you are…I know your password!
http://www.oversecurity.net/2014/02/27/casaleggio-bucato-la-password-usata-e-lindirizzo-della-sede-legale/
Google Hacking #1 – The unexpected
Knowledge of Google operators and of how the Internet or software works helps reach any information
Google Hacking #2 – Passwords from backups
So you forgot to remove the geo-tag?
Shodan - how to identify the distribution of a vuln
• A recent vulnerability about a backdoor listening on port TCP/32764 in Linksys WAG200G (and also on some other devices) has been published
• Using Shodan it is possible to map the vulnerability
• http://shodanio.wordpress.com/2014/01/23/quick-statistics-on-the-router-backdoor-on-port-32764/
• https://github.com/elvanderb/TCP-32764
Recorded Future Inc. - https://recordedfuture.com/
“is a software company based in Cambridge, Massachusetts, United States, and Gothenburg, Sweden, specializing in web intelligence and predictive analytics. Using what they call a "temporal analytics engine", Recorded Future provides forecasting and analysis tools to help analysts predict future events by scanning sources on the Internet, and extracting, measuring, and visualizing the information to show networks and patterns in the past, present, and future.”
“Both Google (on May 3, 2010) and the CIA have invested in the company, through their investment arms, Google Ventures and In-Q-Tel, respectively.”
http://en.wikipedia.org/wiki/Recorded_Future
Event Analysis
Analysis
“Pressure cooker bombs have been more commonly seen in Indian and Southeast Asian attacks than anywhere else. Recent reports out of India also suggest that the weapon has become a “fad” in militant camps along the Afghanistan/Pakistan border. In contrast, discounting thwarted attacks such as the attempted attack on Times Square in 2010, the United States has experienced just one bombing with a pressure cooker, and that was back in 1976. There’s also little to see in Europe during the last several years.”
http://analysisintelligence.com/terrorism/pressure-cooker-bombings-map/
Summary
• Pay attention to the information we leave on the Internet every day
• The Internet usually contains the information that we need
• Keeping our goal in mind, we need to identify the proper methods to extract the information we are looking for
Thank you!
Gabriele Zanoni @infoshaker