OSINT for AppSec: Recon-ng and Beyond

0a6d9b1ad59ad436bf9d9d16b2a7133e?s=47 lanmaster53
September 26, 2015
330

OSINT for AppSec: Recon-ng and Beyond

0a6d9b1ad59ad436bf9d9d16b2a7133e?s=128

lanmaster53

September 26, 2015
Tweet

Transcript

  1. OSINT for AppSec:! Recon-ng and Beyond Tim Tomes! @lanmaster53! tim.tomes@nvisium.com

    OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 1!
  2. Managing Consultant @nVisium. Hacker looking out for users by training

    ______. Write code. Love Jesus. Drive fast. OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 2!
  3. Disclaimer CAUTION: Live demos ahead. Offensive material is possible. While

    I don’t condone it, preventing it wouldn’t be much fun. OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 3!
  4. Credits Brian Fehrman – @fullmetalcache Micah Hoffman – @webbreacher Quentin

    Kaiser – @qkaiser Offensive Security – @offsectraining John Poulin – @forced_request Mauro Soria – github.com/maurosoria OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 4!
  5. What good is OSINT for an AppSec assessment when you

    have source code? OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 5!
  6. The “darker” the assessment, the more critical the need for

    OSINT. OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 6!
  7. Impact is the key to making risk decisions. OSINT for

    AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 7!
  8. How can OSINT help me show risk from AppSec perspective?

    OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 8!
  9. CONTACTS OSINT for AppSec: Recon-ng and Beyond - Tim Tomes

    2015 ! 9!
  10. Contacts What •  usernames & email addresses Why •  user

    enumeration + no anti-automation + weak password policy = win •  user enumeration + account lockout = win OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 10!
  11. Contacts How •  [recon-ng] > search -contacts – recon/domains-contacts/salesmaple – recon/contacts-contacts/mailtester • 

    scrape metadata from files. •  tools vary •  recon/domains-contacts/metacrawler OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 11! #DEMO
  12. PROFILES OSINT for AppSec: Recon-ng and Beyond - Tim Tomes

    2015 ! 12!
  13. Profiles What •  social media profiles, public or private Why

    •  user enumeration + no anti-automation + in- band password reset = win •  LOW to PWNED, AppSec style. OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 13!
  14. Profiles How •  [recon-ng] > search -profiles – recon/companies-profiles/bing_linkedin – recon/profiles-profiles/linkedin_crawl – *recon/profiles-contacts/linkedin

    – recon/profiles-profiles/profiler – recon/contacts-profiles/facebook_directory OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 14! #DEMO
  15. BREACHES OSINT for AppSec: Recon-ng and Beyond - Tim Tomes

    2015 ! 15!
  16. Breaches What •  username and password sets •  breach details

    Why •  password reuse •  pattern analysis •  areas of weakness OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 16!
  17. Breaches How •  [recon-ng] > search -credentials – recon/domains-credentials/pwnedlist* – recon/contacts-credentials/hibp_breach – recon/contacts-credentials/hibp_paste

    •  https://www.privacyrights.org/data-breach – /data-breach-asc?title=<company> •  https://zeltser.com/was-company-hacked/ •  search OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 17!
  18. TECHNOLOGIES OSINT for AppSec: Recon-ng and Beyond - Tim Tomes

    2015 ! 18!
  19. Technologies What •  client and server-side technologies •  outdated software

    Why •  facilitates other attack vectors •  direct exploitation of the infrastructure OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 19!
  20. Technologies How •  http://builtwith.com/ •  job openings – usually on the

    home page – 3rd party job sites OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 20!
  21. VULNERABILITIES OSINT for AppSec: Recon-ng and Beyond - Tim Tomes

    2015 ! 21!
  22. Vulnerabilities What •  exploitable vulnerabilities •  source code leaks in

    news groups, forums, etc. •  searchable bugs Why •  no/low effort vulnerability discovery •  quick wins OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 22!
  23. Dynamic Vulnerabilities How •  online vulnerability scanners –  PunkSPIDER -

    https://www.punkspider.org/ –  ASafaWeb - https://asafaweb.com/ •  vulnerability disclosure sites –  XSSposed - https://www.xssposed.org/ –  Zone-H - http://zone-h.org/ •  [recon-ng] > search -vulnerabilities –  recon/domains-vulnerabilities/punkspider –  recon/domains-vulnerabilities/xssposed •  Target App must be public facing! OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 23!
  24. Static Vulnerabilities How •  Gitrob - https://github.com/michenriksen/gitrob •  searchcode -

    https://searchcode.com/ •  advanced searching with Github and/or Google OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 24!
  25. Github Dorking •  2 approaches – use Github advanced search – use

    Google with site:github.com •  Github search forces you to include keywords. – path:.ssh/id_rsa BEGIN •  Google “site” makes it harder to focus on a target. – inurl:secret_token filetype:rb site:github.com – inurl:secret_token filetype:rb site:github.com inurl:lockitron/selfstarter OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 25!
  26. Github Dorking •  “Goo-git” Dorks – Allows for searching more than

    just Github. Bitbucket, etc. – Results not as reliable as searching directly. •  [recon-ng] > search github – recon/companies-multi/github_miner – recon/profiles-repositories/github_repos – recon/repositories-vulnerabilities/github_dorks OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 26!
  27. SENSITIVE INFORMATION OSINT for AppSec: Recon-ng and Beyond - Tim

    Tomes 2015 ! 27!
  28. Sensitive Information What •  debugging information •  development notes • 

    out-of-band configuration storage Why •  learn about apps in private repos •  credentials & secret keys OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 28!
  29. Sensitive Information How •  Pastes •  Gists – Devs treat them

    like pastes. – Github doesn’t currently allow organizational Gists. – Grab the Gists of the organization’s developers. – Search for keywords, or just browse. •  [recon-ng] > search gist – recon/repositories-vulnerabilities/gists_search OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 29!
  30. GOOGLE HACKING DATABASE OSINT for AppSec: Recon-ng and Beyond -

    Tim Tomes 2015 ! 30!
  31. Google Dorking •  leads to credentials, source code snippets, contact

    info, vulnerabilities, files, etc. •  lots of dork sources – GHDB – Anonymous SQLi Google dorks – Goo-git dorks – custom dorks (appsec specific) •  also, BHDB – http://www.bishopfox.com/download/876/ •  [recon-ng] > search ghdb – recon/domains-vulnerabilities/ghdb OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 31! #DEMO
  32. Final Thoughts •  Nothing shown today requires pay-for API access.

    It’s all free. •  Please help me build out the lists of dorks and keywords. •  Shout out to the guys at Offensive Security for maintaining and providing access to the GHDB. •  Recon-ng as a Service (RAAS) •  #PWAPT | 5-6 November, 2015 | Charlotte, NC http://appsec.rocks OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015 ! 32!
  33. Tim Tomes @lanmaster53 tim.tomes@nvisium.com http://www.lanmaster53.com https://nvisium.com OSINT for AppSec: Recon-ng

    and Beyond - Tim Tomes 2015 ! 33!