OSINT for AppSec: Recon-ng and Beyond

lanmaster53
September 26, 2015

Transcript

  1. OSINT for AppSec: Recon-ng and Beyond
    Tim Tomes
    @lanmaster53
    [email protected]
    OSINT for AppSec: Recon-ng and Beyond - Tim Tomes 2015, slide 1

  2. Managing Consultant @nVisium.
    Hacker looking out for users by training ______.
    Write code.
    Love Jesus.
    Drive fast.

  3. Disclaimer

    CAUTION: Live demos ahead.
    Offensive material is possible.
    While I don’t condone it, preventing it
    wouldn’t be much fun.

  4. Credits

    Brian Fehrman – @fullmetalcache
    Micah Hoffman – @webbreacher
    Quentin Kaiser – @qkaiser
    Offensive Security – @offsectraining
    John Poulin – @forced_request
    Mauro Soria – github.com/maurosoria

  5. What good is OSINT for an AppSec assessment when you have source code?

  6. The “darker” the assessment, the more critical the need for OSINT.

  7. Impact is the key to making risk decisions.

  8. How can OSINT help me show risk from an AppSec perspective?

  9. CONTACTS

  10. Contacts
    What
    •  usernames & email addresses

    Why
    •  user enumeration + no anti-automation + weak password policy = win
    •  user enumeration + account lockout = win

  11. Contacts
    How
    •  [recon-ng] > search -contacts
    – recon/domains-contacts/salesmaple
    – recon/contacts-contacts/mailtester
    •  scrape metadata from files.
    •  tools vary
    •  recon/domains-contacts/metacrawler
    #DEMO

  12. PROFILES

  13. Profiles
    What
    •  social media profiles, public or private

    Why
    •  user enumeration + no anti-automation + in-band password reset = win
    •  LOW to PWNED, AppSec style.

  14. Profiles
    How
    •  [recon-ng] > search -profiles
    – recon/companies-profiles/bing_linkedin
    – recon/profiles-profiles/linkedin_crawl
    – *recon/profiles-contacts/linkedin
    – recon/profiles-profiles/profiler
    – recon/contacts-profiles/facebook_directory
    #DEMO

  15. BREACHES

  16. Breaches
    What
    •  username and password sets
    •  breach details

    Why
    •  password reuse
    •  pattern analysis
    •  areas of weakness

  17. Breaches
    How
    •  [recon-ng] > search -credentials
    – recon/domains-credentials/pwnedlist*
    – recon/contacts-credentials/hibp_breach
    – recon/contacts-credentials/hibp_paste
    •  https://www.privacyrights.org/data-breach
    – /data-breach-asc?title=
    •  https://zeltser.com/was-company-hacked/
    •  search

  18. TECHNOLOGIES

  19. Technologies
    What
    •  client and server-side technologies
    •  outdated software

    Why
    •  facilitates other attack vectors
    •  direct exploitation of the infrastructure

  20. Technologies
    How
    •  http://builtwith.com/
    •  job openings
    – usually on the home page
    – 3rd party job sites

  21. VULNERABILITIES

  22. Vulnerabilities
    What
    •  exploitable vulnerabilities
    •  source code leaks in news groups, forums, etc.
    •  searchable bugs

    Why
    •  no/low effort vulnerability discovery
    •  quick wins

  23. Dynamic Vulnerabilities
    How
    •  online vulnerability scanners
    – PunkSPIDER - https://www.punkspider.org/
    – ASafaWeb - https://asafaweb.com/
    •  vulnerability disclosure sites
    – XSSposed - https://www.xssposed.org/
    – Zone-H - http://zone-h.org/
    •  [recon-ng] > search -vulnerabilities
    – recon/domains-vulnerabilities/punkspider
    – recon/domains-vulnerabilities/xssposed
    •  Target app must be public facing!

  24. Static Vulnerabilities
    How
    •  Gitrob - https://github.com/michenriksen/gitrob
    •  searchcode - https://searchcode.com/
    •  advanced searching with Github and/or Google

  25. Github Dorking
    •  2 approaches
    – use Github advanced search
    – use Google with site:github.com
    •  Github search forces you to include keywords.
    – path:.ssh/id_rsa BEGIN
    •  Google “site” makes it harder to focus on a
    target.
    – inurl:secret_token filetype:rb site:github.com
    – inurl:secret_token filetype:rb site:github.com inurl:lockitron/selfstarter

  26. Github Dorking
    •  “Goo-git” Dorks
    – Allows for searching more than just Github.
    Bitbucket, etc.
    – Results not as reliable as searching directly.
    •  [recon-ng] > search github
    – recon/companies-multi/github_miner
    – recon/profiles-repositories/github_repos
    – recon/repositories-vulnerabilities/github_dorks

  27. SENSITIVE INFORMATION

  28. Sensitive Information
    What
    •  debugging information
    •  development notes
    •  out-of-band configuration storage

    Why
    •  learn about apps in private repos
    •  credentials & secret keys

  29. Sensitive Information
    How
    •  Pastes
    •  Gists
    – Devs treat them like pastes.
    – Github doesn’t currently allow organizational Gists.
    – Grab the Gists of the organization’s developers.
    – Search for keywords, or just browse.
    •  [recon-ng] > search gist
    – recon/repositories-vulnerabilities/gists_search
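    The Github dorks on slides 25-26 and the gist search on slide 29 find the same two things: private keys committed under `.ssh/id_rsa` and hardcoded `secret_token` values in Ruby files. The check below is an added example (not code from the talk or from Recon-ng) that runs those two signals over local files, so a team can catch the leak before a repo or gist is pushed; the rule names, file paths and file contents are constructed for the example.

```python
"""Offline check for the kinds of secrets the deck's Github dorks surface.

Added example, not part of the talk or of Recon-ng. It applies the same two
signals (a path:.ssh/id_rsa style check and a secret_token-in-.rb check) to
local files. The file contents below are constructed samples.
"""
import re

# Each rule mirrors one dork from the slides: (name, path filter, content pattern).
# The path filter is part of the rule, just as the dork pins the path, so a
# key header in a README is not a hit for the private_key rule.
RULES = [
    ("private_key", re.compile(r"(^|/)\.ssh/id_(rsa|dsa|ecdsa|ed25519)$"),
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("rails_secret_token", re.compile(r"\.rb$"),
     # A literal of 16+ chars assigned to secret_token; ENV lookups do not match.
     re.compile(r"secret_token\s*=\s*['\"][^'\"\s]{16,}['\"]")),
]

def scan_file(path: str, content: str) -> list[dict]:
    """Return one finding per rule whose path filter and content pattern both match."""
    findings = []
    for name, path_re, body_re in RULES:
        if not path_re.search(path):
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            if body_re.search(line):
                findings.append({"rule": name, "path": path, "line": lineno})
                break
    return findings

def scan_tree(files: dict[str, str]) -> list[dict]:
    """Scan a {path: content} mapping, e.g. a repo checkout or a developer's gists."""
    out = []
    for path, content in files.items():
        out.extend(scan_file(path, content))
    return out

# Constructed sample "repo": one leaked key, one hardcoded token, one clean file.
SAMPLE_FILES = {
    "dotfiles/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAsample\n",
    "config/initializers/secret_token.rb":
        "App::Application.config.secret_token = 'deadbeefdeadbeefdeadbeef'\n",
    "config/initializers/secret_token_ok.rb":
        "App::Application.config.secret_token = ENV['SECRET_TOKEN']\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f['rule']}: {f['path']}:{f['line']}")
```

Wiring `scan_tree` into a pre-commit hook or a scheduled scan of the organization's developers' gists turns the dork list into a detection rather than something an outsider finds first.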

  30. GOOGLE HACKING DATABASE

  31. Google Dorking
    •  leads to credentials, source code snippets, contact info, vulnerabilities, files, etc.
    •  lots of dork sources
    – GHDB
    – Anonymous SQLi Google dorks
    – Goo-git dorks
    – custom dorks (appsec specific)
    •  also, BHDB
    – http://www.bishopfox.com/download/876/
    •  [recon-ng] > search ghdb
    – recon/domains-vulnerabilities/ghdb
    #DEMO

  32. Final Thoughts
    •  Nothing shown today requires pay-for API access. It’s all free.
    •  Please help me build out the lists of dorks and keywords.
    •  Shout out to the guys at Offensive Security for maintaining and providing access to the GHDB.
    •  Recon-ng as a Service (RAAS)
    •  #PWAPT | 5-6 November, 2015 | Charlotte, NC
    http://appsec.rocks


  33. Tim Tomes
    @lanmaster53
    [email protected]
    http://www.lanmaster53.com
    https://nvisium.com