OSINT for AppSec: Recon-ng and Beyond

Transcript

1. 1.

   OSINT for AppSec:! Recon-ng and Beyond Tim Tomes! @lanmaster53! tim.tomes@nvisium.com

   OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 1!
2. 2.

   Managing Consultant @nVisium. Hacker looking out for users by training

   ______. Write code. Love Jesus. Drive fast. OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 2!
3. 3.

   Disclaimer CAUTION: Live demos ahead. Offensive material is possible. While

   I don’t condone it, preventing it wouldn’t be much fun. OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 3!
4. 4.

   Credits Brian Fehrman – @fullmetalcache Micah Hoffman – @webbreacher Quentin

   Kaiser – @qkaiser Offensive Security – @offsectraining John Poulin – @forced_request Mauro Soria – github.com/maurosoria OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 4!
5. 5.

   What good is OSINT for an AppSec assessment when you

   have source code? OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 5!
6. 6.

   The “darker” the assessment, the more critical the need for

   OSINT. OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 6!
7. 7.

   Impact is the key to making risk decisions. OSINT for

   AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 7!
8. 8.

   How can OSINT help me show risk from AppSec perspective?

   OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 8!
9. 9.

   CONTACTS OSINT for AppSec: Recon-ng and Beyond - Tim Tomes

   2015 ! 9!
10. 10.

    Contacts What •  usernames & email addresses Why •  user

    enumeration + no anti-automation + weak password policy = win •  user enumeration + account lockout = win OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 10!
11. 11.

    Contacts How •  [recon-ng] > search -contacts – recon/domains-contacts/salesmaple – recon/contacts-contacts/mailtester • 

    scrape metadata from files. •  tools vary •  recon/domains-contacts/metacrawler OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 11! #DEMO
12. 12.

    PROFILES OSINT for AppSec: Recon-ng and Beyond - Tim Tomes

    2015 ! 12!
13. 13.

    Profiles What •  social media profiles, public or private Why

    •  user enumeration + no anti-automation + in- band password reset = win •  LOW to PWNED, AppSec style. OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 13!
14. 14.

    Profiles How •  [recon-ng] > search -profiles – recon/companies-profiles/bing_linkedin – recon/profiles-profiles/linkedin_crawl – *recon/profiles-contacts/linkedin

    – recon/profiles-profiles/profiler – recon/contacts-profiles/facebook_directory OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 14! #DEMO
15. 15.

    BREACHES OSINT for AppSec: Recon-ng and Beyond - Tim Tomes

    2015 ! 15!
16. 16.

    Breaches What •  username and password sets •  breach details

    Why •  password reuse •  pattern analysis •  areas of weakness OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 16!
17. 17.

    Breaches How •  [recon-ng] > search -credentials – recon/domains-credentials/pwnedlist* – recon/contacts-credentials/hibp_breach – recon/contacts-credentials/hibp_paste

    •  https://www.privacyrights.org/data-breach – /data-breach-asc?title=<company> •  https://zeltser.com/was-company-hacked/ •  search OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 17!
18. 18.

    TECHNOLOGIES OSINT for AppSec: Recon-ng and Beyond - Tim Tomes

    2015 ! 18!
19. 19.

    Technologies What •  client and server-side technologies •  outdated software

    Why •  facilitates other attack vectors •  direct exploitation of the infrastructure OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 19!
20. 20.

    Technologies How •  http://builtwith.com/ •  job openings – usually on the

    home page – 3rd party job sites OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 20!
21. 21.

    VULNERABILITIES OSINT for AppSec: Recon-ng and Beyond - Tim Tomes

    2015 ! 21!
22. 22.

    Vulnerabilities What •  exploitable vulnerabilities •  source code leaks in

    news groups, forums, etc. •  searchable bugs Why •  no/low effort vulnerability discovery •  quick wins OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 22!
23. 23.

    Dynamic Vulnerabilities How •  online vulnerability scanners –  PunkSPIDER -

    https://www.punkspider.org/ –  ASafaWeb - https://asafaweb.com/ •  vulnerability disclosure sites –  XSSposed - https://www.xssposed.org/ –  Zone-H - http://zone-h.org/ •  [recon-ng] > search -vulnerabilities –  recon/domains-vulnerabilities/punkspider –  recon/domains-vulnerabilities/xssposed •  Target App must be public facing! OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 23!
24. 24.

    Static Vulnerabilities How •  Gitrob - https://github.com/michenriksen/gitrob •  searchcode -

    https://searchcode.com/ •  advanced searching with Github and/or Google OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 24!
25. 25.

    Github Dorking •  2 approaches – use Github advanced search – use

    Google with site:github.com •  Github search forces you to include keywords. – path:.ssh/id_rsa BEGIN •  Google “site” makes it harder to focus on a target. – inurl:secret_token filetype:rb site:github.com – inurl:secret_token filetype:rb site:github.com inurl:lockitron/selfstarter OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 25!
26. 26.

    Github Dorking •  “Goo-git” Dorks – Allows for searching more than

    just Github. Bitbucket, etc. – Results not as reliable as searching directly. •  [recon-ng] > search github – recon/companies-multi/github_miner – recon/profiles-repositories/github_repos – recon/repositories-vulnerabilities/github_dorks OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 26!
27. 27.

    SENSITIVE INFORMATION OSINT for AppSec: Recon-ng and Beyond - Tim

    Tomes 2015 ! 27!
28. 28.

    Sensitive Information What •  debugging information •  development notes • 

    out-of-band configuration storage Why •  learn about apps in private repos •  credentials & secret keys OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 28!
29. 29.

    Sensitive Information How •  Pastes •  Gists – Devs treat them

    like pastes. – Github doesn’t currently allow organizational Gists. – Grab the Gists of the organization’s developers. – Search for keywords, or just browse. •  [recon-ng] > search gist – recon/repositories-vulnerabilities/gists_search OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 29!
30. 30.

    GOOGLE HACKING DATABASE OSINT for AppSec: Recon-ng and Beyond -

    Tim Tomes 2015 ! 30!
31. 31.

    Google Dorking •  leads to credentials, source code snippets, contact

    info, vulnerabilities, files, etc. •  lots of dork sources – GHDB – Anonymous SQLi Google dorks – Goo-git dorks – custom dorks (appsec specific) •  also, BHDB – http://www.bishopfox.com/download/876/ •  [recon-ng] > search ghdb – recon/domains-vulnerabilities/ghdb OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 31! #DEMO
32. 32.

    Final Thoughts •  Nothing shown today requires pay-for API access.

    It’s all free. •  Please help me build out the lists of dorks and keywords. •  Shout out to the guys at Offensive Security for maintaining and providing access to the GHDB. •  Recon-ng as a Service (RAAS) •  #PWAPT | 5-6 November, 2015 | Charlotte, NC http://appsec.rocks OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 32!
33. 33.

    Tim Tomes @lanmaster53 tim.tomes@nvisium.com http://www.lanmaster53.com https://nvisium.com OSINT for AppSec: Recon-ng

    and Beyond - Tim Tomes 2015 ! 33!