FACEBOOK OSINT ITS FASTER THAN SPEED DATING Keith Lee
Transcript
FACEBOOK OSINT: IT'S FASTER THAN SPEED DATING
17 October 2013 | HITB2013KUL
Keith Lee, Jonathan Werrett
Thursday, 17 October 13

INTRODUCTION
Keith Lee, Security Analyst, SpiderLabs, Singapore
[email protected] | http://github.com/milo2012/osintstalker | @keith55
Jonathan Werrett, Managing Consultant, SpiderLabs, Hong Kong
[email protected] | @werrett

AGENDA
‣ Background / Motivation
‣ Introduction to GeoStalker and FBStalker tools
‣ Problems they solve
‣ GeoStalker in-depth
‣ FBStalker in-depth
‣ What you can do to protect yourself

MOTIVATION
Spend our days on "penetration tests": web apps and networks, day-in day-out.

BUT WAIT
Sometimes we get a real pentest: set specific targets, gain access any way you can ...
Red team, physical security, phishing, open source intelligence.

OSINT
(Mind-map slide; node labels recovered from the image.)
‣ Premise Details: Physical Address; Geocoded Lat / Lon; Google Maps; Wigle.net Wireless DB; MAC Addresses; Network Names; Photos; Places Visited; Whois / IP Allocations; Company Domains; Company Name
‣ Target Profiles: Facebook; LinkedIn; Twitter; Instagram; Photos; Friends; Likes; Checkins; No. checkins together; No. comments; No. tags; Tagged w/ ppl; Age of friendship; Education; Background; Previous Jobs

GEOSTALKER / FBSTALKER
GeoStalker
‣ Takes: location (address or coordinates)
‣ Retrieves location data from: Wigle.net (Wireless DB), Instagram, Twitter, Foursquare, Flickr
‣ Provides: wireless access points near-by; photos taken at that location; social media accounts of people who've visited
FBStalker
‣ Takes: Facebook profile user
‣ Uses Graph Search to reverse: friends, likes, check-ins, comments
‣ Provides: social engineering targets; associates of those targets; times online; interests, commonly visited places

EXAMPLE OBJECTIVES
(Flow-diagram slide; node labels recovered from the image.)
‣ Premise Recon? branch: Geocode Lat / Lon; Google Maps (Entry Points); Twitter, Instagram, 4sq, Flickr (Photos, Facilities); Google Search (Staff)
‣ Phishing Targets? branch: Staff; Physical Address; Geocode Lat / Lon; Twitter, Instagram, 4sq, Flickr; LinkedIn, Facebook (Interests, Associates)

EXAMPLES FROM ENGAGEMENTS
FB Apps
‣ Indicate phishing target uses Mac
‣ Ditch our Windows-based payloads for OSX
FB Friends
‣ Identify target's wife
‣ Wife runs Pilates studio
‣ Spear phish wife based on Pilates
Instagram Photos
‣ Client was a power utility
‣ Staff target found via photos from facilities

GEOSTALKER - INTRO
Requires
‣ Address
‣ Latitude / longitude coordinates
Queries sources
‣ Wigle.net (Wireless DB)
‣ Instagram
‣ Twitter
‣ Foursquare
‣ Flickr
Provides
‣ Wireless devices
‣ Photos
‣ Social network accounts
‣ Searches social network accounts for 'like' names

GEOSTALKER - APPLICATION FLOW
(Diagram slide; node labels recovered from the image.)
‣ geoStalker takes a Geolocation Data Source and queries: Wigle.net, Flickr, Twitter, Instagram, Foursquare
‣ UserID feeds Google Search across: Instagram, Youtube, Linkedin, Facebook, Google+

DEMO GEOSTALKER
Screenshot slides: GeoStalker - Input; GeoStalker - Running; GeoStalker - Foursquare; GeoStalker - Instagram; GeoStalker - Flickr; GeoStalker - HTML Output; GeoStalker - Maltego Export.

GEOSTALKER - LIMITATIONS
‣ Single threaded
‣ Query by GPS location or address only

GEOSTALKER - FUTURE VERSIONS
‣ Multithreaded - run faster!
‣ Extend Maltego mtgx export
‣ Allow disabling specific data sources

FBSTALKER - INTRO
Requires
‣ Profile name
Graph Search to find
‣ Friends
‣ Likes
‣ Check-ins
‣ Comments
Provides
‣ Reverse-engineered friend list
‣ Strength of associations
‣ Regular posting time (wake time?)

FBSTALKER - LOCKDOWN VS NON-LOCKDOWN
Lockdown profile
‣ Unable to see the list of friends
‣ Reverse engineer the list of friends from likes and tags
Open profile
‣ Analyze all friends of the target and determine how two individuals are connected or know each other:
‣ Workplace
‣ School
‣ Common interests
‣ Common friends
‣ Places that two individuals like

FACEBOOK GRAPH KEYWORDS
Understand how two individuals are connected / related (Facebook Graph queries):
‣ Pages that Friend X and Y like
‣ Photos that Friend X and Y like
‣ Sports liked by Friend X and Y
‣ Books liked by Friend X and Y
‣ Places Friend X and Y worked at
‣ Places Friend X and Y like
‣ Music that Friend X and Y like
‣ Favorite interests of Friend X and Y
‣ Movies Friend X and Y like
‣ Photos that Friend X and Y are tagged in
‣ Places Friend X and Y have been to
‣ Groups that Friend X and Y are in
‣ TV shows liked by Friend X and Y
‣ Restaurants that Friend X and Y like
‣ Cafes that Friend X and Y like
‣ Games that Friend X and Y play

FBSTALKER - GRAPH SEARCH EXAMPLE
(Two screenshot slides.)

DEMO FBSTALKER
Screenshot slides: FBStalker - Input; FBStalker - Running; FBStalker - Maltego Export.

FBSTALKER - PROBLEMS
‣ Facebook Graph API is limited
‣ PhantomJS had some issues with the Facebook site; had to use Chromedriver
‣ Single threaded

FBSTALKER - FUTURE WORK
‣ Run 100% headless
‣ Monitor changes / activities of a user's FB profile
‣ Allow name as input instead of userid
‣ Point system for association strength: photo tags, check-ins, comments, post / photo likes

HOW TO PROTECT YOURSELF
‣ Turn off the 'location' setting in social networking apps
‣ Tighten Facebook privacy settings

http://github.com/milo2012/osintstalker
[email protected] @keith55
[email protected] @werrett