2013/10/12

Internet Footprinting (aka OSINT – Open Source Intelligence)

What is OSINT? Well, according to Wikipedia it is:
“Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.”
In general, OSINT is simply the identifying, collecting, and analysis of publicly available data about a person, place, or thing.

OSINT is NOT merely used for cyber stalking or DOXing. (DOXing is the act of gathering personal information about people on the Internet, often including real name, known aliases, address, phone number, SSN, credit card number, etc. typically for the sole purpose of causing embarrassment, mischief, and/or harm to the targeted person.)

OSINT has many valid/beneficial uses. These include (but are not limited to):

  • identifying information about yourself (or your own company) that may be available on the internet
  • part of a network penetration (or social engineering) exercise
  • perform additional/extended background check on potential corporate partners or employees
  • identifying possible information leakage from your company

There a few typical types of OSINT, each with their own PROs/CONs:

  • Purely Passive
    • PRO - no traffic directed toward the target (i.e. no evidence in server logs)
    • CON - only relying on second hand data at best
    • Examples
      • search engine cached pages
      • archive.org saved pages
      • searching across pastebin (and similar sites)
      • searching social media sites
      • browsing Shodan for ports, systems, and service banners
  • Typical Internet Traffic
    • PRO – gaining data directly from target’s websites and systems
    • CON - traffic is being sent directly toward the target thus showing up in server/system logs
    • Examples
      • DNS queries
      • Visiting web pages owned by the target
      • downloading documents from websites
  • Checking Locks and Doors
    • PRO - possibly gaining amazing amounts of data about types of system, websites on odd ports, and other services such as ftp, vnc, etc…
    • CON - lots of traffic sent to target and chance of eing detected is considerably higher
    • Examples
      • perform DNS brute forcing
      • perform ip scans across the target’s ip space to identify active systems
      • perform port scanning to identify open ports and gather banners

There are numerous commercial/free tools/websites that can be used to perform or assist in OSINT gathering. In future posts, I will be covering many of these tools and websites and discussing how they can be used to perform OSINT.

What are a few sources of data of OSINT: (more will be discussed in future posts)

  • Pastebin (an similar sites)
  • DNS (zone transfers, txt, hinfo, etc… records)
  • Websites (email addresses, org charts, documents, addresses, phone numbers, etc…)
  • Search engines (google, bing, etc…)
  • Social networks (linkedin, twitter, facebook, etc…)

2013/09/12

Building a New Pentest Lab

A while back I decided that I was going to start a personal infosec “re-education” process during which I hope to learn new tools/techniques, polish up on the abilities I already have, and enhance any areas where I may be lacking.  In order to facilitate this, I needed a work area.  As with any project (woodworking, automotive, or information security), having the proper work area can make a huge difference in one’s ability to succeed in their endeavors.

For my information security “re-education” project, one key part of my “work area” needed to be a wide variety or operating systems to target/test against.  There are a few different approaches I could have taken to achieve this:

1) Use what is available.
Look around your house/office.  You probably have a few older Windows/Unix systems which you do not use on a regular basis.  Odds are you also have a personal printer and/or other network attached devices.  All of those make excellent targets.

2) Use what you can borrow.
Much like the previous option, but in this one, you should ask around with friends/family/etc… to see if anyone has any old/unused hardware/system which they can loan/give you.  If lucky, you can obtain some good (possibly rare) equipment this way.

3) Use a simple virtualization approach.
Since you probably do not have access to lots of unused desktops/laptops/etc..  on which to install your desired target operating systems, you should look into virtualization.  There are several good virtualization solutions available to use (and in most cases, the software itself is free).

  • VMWare PLayer
  • QEMU
  • VirtualBox

Any of these solutions can be easily setup/installed on a personal laptop/desktop.  Depending on the number of “guest” operating systems you wish to install and run at one time, you may encounter resource contention.

4) Build a full virtualization solution.
If the previous option does not provide you with the options/flexibility/resources that you need, you can always build a system solely dedicated to running your “guest” operating systems.  This option may require the expenditure of additional money in order to build your new virtualization host system.

Note: The above options/approaches are NOT mutually exclusive.  You can make use of any/all of them as needed/desired.

The approach I decided to take was a combination of #1 and #4.  I first took inventory of all the systems I had connected to my home network (laptops, desktops, printers, etc…) and then to house/host all of the other “test/target” systems I thought I would/may need, I decided to build a dedicated virtualization host.  For this I decided to go with VMWare’s ESXi server.  The reason I chose ESXi, is that I have had some experience with it in the past, I can easily get the parts to quickly build a decent system, and it is free.

Below is my shopping list of parts I bought to build my system:

  • ($189.99) Seagate Desktop HDD 4 TB SATA 6Gb/s NCQ 64MB Cache 3.5-Inch Internal Bare Drive ST4000DM000
  • ($78.99) Silverstone Tek Micro-ATX Mini-DTX, Mini-ITX Mini Tower Plastic with Aluminum Accent Computer Cases PS07B (Black)
  • ($17.99) Lite-On Super AllWrite 24X SATA DVD+/-RW Dual Layer Drive - Bulk - IHAS124-04 (Black)
  • ($168.99) SUPERMICRO MBD-X9SCM-F-O LGA 1155 Intel C204 Micro ATX Intel Xeon E3 Server Motherboard
  • ($279.99) Kingston Technology ValueRAM 32GB Kit (4 x 8GB) 1600MHz DDR3 ECC CL11 DIMM with TS Intel Desktop Memory KVR16E11K4/32I
  • ($233.99) Intel Xeon Qc E3-1230 Processor
  • ($59.99) Corsair Builder Series CX 600 Watt ATX/EPS 80 PLUS (CX600)
  • TOTAL COST = $1029.93

All of the parts were purchased from Amazon.com (mostly because I have an Amazon Prime account and thus did not have to pay for shipping).

As can be seen, the total cost of the system was just over $1000.  I may have been able to shave some $$$ off of the cost by reusing some of my old/surplus hardware, but I opted to go with all new equipment.

Now that I had my ESXi server built, I need to populate it with various “guest” operating systems.  First, I started by installing a couple old Windows XP and Vista licenses I had, but I needed more operating systems than that.  Luckily for me, there are lots of free VMs and operating systems available: Debian, Ubuntu, Fedora, Mint, etc…  In addition, there are great “target” operating systems available as well:

  • Metasploitable 2
  • Damn Vulnerable Web Application
  • Search on “http://vulnhub.com/” for additional targets.

If I needed additional Windows guests, I could:

  • Download any available “trials” from the Microsoft website.
  • Purchase a MSDN Operating System subscription.

I also need “Hacker” boxes to perform all of my scans from.  For this I could either build my own 
system, follow one of the many guide on the internet to build a pentest windows/linux machine, or simply download one of the prebuilt systems.  Here again, there are LOTS of options to choose from.  Personally, I like Kali (the new version of BackTrack).

Well, that is a quick overview of my pentest lab.  If you have any comments/questions/suggestions, please feel free to contact and/or leave a comment below.

2013/06/12

Beware of strangers with candy.

Just as that has always been as good rule to help guide you safely through life, there are also simple rules to help protect you and you home computer while surfing the internet.
By following a few simple guidelines as well as a few precautions you should be safe from the vast majority of dangerous threats you will encounter on the internet.
Precautions: (Safety measures)

  • Use a host-based firewall.  On Windows, the built-in firewall works fine.
  • Use a anti-virus detection application.  On Windows, the free Microsoft Security Essentials application works fine.
  • Enable automatic download and installation of operating system patches and updates.
  • When possible, try to update all of your other programs (firefox, adobe, etc...) to the latest stable versions.

Internet Guidelines:
  • Do not go to suspicious websites.  (i.e. such as URLs from China ".cn" and Russia ".ru".  Nothing against the countries themselves, but a lot of malicious activities originate from those internet domains.)
  • If the website says that you need to install special software in order to view the site, do not do it.  Unless it is adobe or java, it is a safe bet that it is a malicious program that they want you to install.  Even if it is adobe or java, you should go to the products website to download and install the program instead of following a link on the webpage.
  • Practice safe information handling:
    • Do not post anything to the internet (Facebook, chat, IM, Myspace, Linkedin, blog, etc...) that you do not want to be viewed by everyone.  Once something is on the internet, it is there forever and eventually will be viewable by anyone.
    • Do not provide your password(s) to anyone.  No valid customer support will require you to provide them your password.  They already have it.
    • For each internet/website account you have (email, Facebook, banking, etc...) use a different password.  This makes it much more difficult for someone to get your banking information if they happen to get you Facebook password.
  • Practice safe email handling.  It is best if you...
    • Do not open (or preview) emails from people you do not know.
    • Do not click on any link contained within an email.  You must use the link due to something such as an activation code, retype the link into a new web browser window.
    • Do not open any document (.pdf, .doc, .xls, etc...) attached to an email.  It can be a malicious document that could install dangerous software onto you system.
    • Do not respond to spam or scams.  If you receive an offer in an email, and it sounds too good to be true, it probably is!!!
    • Do not email personal information (SSNs, credit card numbers, etc...).