
Botconf 2019 OSINT 101

ninoseki
May 06, 2020
OSINT 101 section from Botconf 2019 workshop


Transcript

  1. Good Friends With Bad Habits
     • Attackers are good friends with bad habits.
       ◦ Reusing infrastructure
         ▪ Same IP, same domain
       ◦ Reusing components
         ▪ Same software, same HTML, same tracker
       ◦ Reusing SSL certificates
       ◦ Reusing SSH keys
     • Reusing something increases the possibility of tracking.
       ◦ Think of it as the attacker's fingerprint.
       ◦ You can track the attacker down by that fingerprint.
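The pivot described on this slide, as an added example that is not part of the original deck: records that share a certificate hash, SSH host key or tracker ID are linked transitively into one cluster, so a handful of reused artefacts ties a whole campaign's hosts together. The records are constructed sample data, the field names are assumptions, and the `max_fanout` cut-off is the check a practitioner needs on real data, where a CDN certificate or a cloud image's default SSH key would otherwise glue thousands of unrelated hosts into one "cluster".

```python
from collections import defaultdict

# Constructed sample records (not real observations): the kind of attributes a
# scan engine or passive-DNS service returns per host. None = not observed.
RECORDS = [
    {"ip": "203.0.113.10", "domain": "login-example.top",
     "cert_sha256": "c0ffee01", "ssh_hostkey": "hostkey-fp-1", "tracker": "UA-1111-1"},
    {"ip": "203.0.113.11", "domain": "secure-example.top",
     "cert_sha256": "c0ffee01", "ssh_hostkey": None, "tracker": None},
    {"ip": "198.51.100.5", "domain": "account-example.xyz",
     "cert_sha256": "deadbeef", "ssh_hostkey": "hostkey-fp-1", "tracker": "UA-2222-2"},
    {"ip": "198.51.100.6", "domain": "update-example.xyz",
     "cert_sha256": "abad1dea", "ssh_hostkey": "hostkey-fp-3", "tracker": "UA-2222-2"},
    {"ip": "192.0.2.77", "domain": "unrelated.example",
     "cert_sha256": "0badf00d", "ssh_hostkey": "hostkey-fp-4", "tracker": None},
]

# Attributes treated as attacker fingerprints (assumed field names).
PIVOT_FIELDS = ("cert_sha256", "ssh_hostkey", "tracker")


def cluster_by_reuse(records, fields=PIVOT_FIELDS, max_fanout=50):
    """Group records that transitively share a pivot value.

    A value seen on more than max_fanout records is treated as shared
    infrastructure (CDN certificate, cloud-image SSH key, popular tracker)
    rather than an attacker fingerprint, and is not used for linking.
    """
    parent = list(range(len(records)))   # union-find over record indexes

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[max(ra, rb)] = min(ra, rb)

    # Index every (field, value) pair to the records carrying it.
    index = defaultdict(list)
    for i, rec in enumerate(records):
        for f in fields:
            value = rec.get(f)
            if value:
                index[(f, value)].append(i)

    # Link records on each reused value; remember which value did the linking.
    evidence = defaultdict(set)
    for (f, value), members in index.items():
        if len(members) < 2 or len(members) > max_fanout:
            continue
        for a, b in zip(members, members[1:]):
            union(a, b)
        for i in members:
            evidence[i].add(f"{f}={value}")

    groups = defaultdict(list)
    for i in range(len(records)):
        groups[find(i)].append(i)

    clusters = []
    for members in sorted(groups.values(), key=lambda m: m[0]):
        shared = set()
        for i in members:
            shared |= evidence[i]
        clusters.append({
            "hosts": [records[i]["ip"] for i in members],
            "domains": [records[i]["domain"] for i in members],
            "shared": sorted(shared),
        })
    return clusters


if __name__ == "__main__":
    for c in cluster_by_reuse(RECORDS):
        print(c["hosts"], "linked by", c["shared"] or "nothing")
```

On the sample data the first four hosts end up in one cluster although no single artefact is common to all of them: the certificate links the first pair, the SSH key links the first host to the third, and the tracker links the third to the fourth. Lowering `max_fanout` to 1 disables every pivot and leaves each host on its own.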
  2. Search Engines
     • IPv4 (and IPv6) search engines:
       ◦ Censys
       ◦ Shodan
       ◦ Onyphe
       ◦ BinaryEdge
     • Search engines for IPs, domains, URLs, hashes, etc.:
       ◦ RiskIQ Community / PassiveTotal
       ◦ DomainTools
       ◦ VirusTotal
       ◦ SecurityTrails
       ◦ urlscan.io
       ◦ crt.sh
  3. Shodan 101
     • Shodan crawls the entire Internet at least once a month.
     • Search query syntax:
       ◦ filtername:value
       ◦ Logical operators:
         ▪ +, -
       ◦ Query examples:
         ▪ country:FR
         ▪ country:FR +port:80
     • You can scan a host manually (if you are a paid user).
  4. Censys 101
     • Censys scans IPv4, popular websites and certificates.
       ◦ Censys scans the whole IPv4 space at least once a week and scans popular websites daily.
       ◦ Censys monitors certificates in near real time by leveraging Certificate Transparency.
     • Search query syntax:
       ◦ filtername:value
       ◦ Logical operators:
         ▪ AND, OR, NOT
       ◦ Query examples:
         ▪ location.country_code:FR
         ▪ location.country_code:FR AND ports:80
  5. Onyphe 101
     • Onyphe crawls the Internet at least once a month.
     • Other unique features:
       ◦ Paste site lookup, dark web crawling, historical records to search, etc.
     • Search query syntax:
       ◦ filtername:value
       ◦ Query examples:
         ▪ country:FR
         ▪ country:FR port:80
       ◦ Functions:
         ▪ -wildcard, -hourago, -dayago, -weekago, -monthago
         ▪ country:FR port:80 -wildcard:hostname,*ovh* -monthago:6
  6. BinaryEdge 101
     • BinaryEdge crawls the entire Internet at least once a month.
     • Other unique features:
       ◦ DHT (Distributed Hash Table) activity, data leaks, risk score, honeypot data, etc.
     • Search query syntax:
       ◦ filtername:value
       ◦ Logical operators:
         ▪ AND, OR, NOT
       ◦ Query examples:
         ▪ country:FR
         ▪ country:FR AND port:80
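The four syntaxes on slides 3 to 6 differ in small ways that are easy to get wrong when the same pivot is re-run across engines (Shodan's `+`/`-` prefixes, Censys' `location.country_code` and `ports` field names, Onyphe's implicit AND plus `-function:arg` modifiers, BinaryEdge's `AND`/`OR`/`NOT`). The renderer below is an added example, not code from the deck or from any of these vendors: it takes one engine-neutral pivot and emits each engine's query string. Only the `country` and `port` field names come from the slides; any other field name is passed through unchanged and is an assumption to check against the engine's own filter list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Term:
    field: str            # engine-neutral name: "country", "port", "org", ...
    value: str
    negate: bool = False  # exclude matches instead of requiring them


# Engine-neutral field -> engine filter name. The country/port names are the
# ones used in the slides; anything else passes through unchanged and must be
# verified against the engine's documentation.
FIELD_NAMES = {
    "shodan":     {"country": "country", "port": "port"},
    "censys":     {"country": "location.country_code", "port": "ports"},
    "onyphe":     {"country": "country", "port": "port"},
    "binaryedge": {"country": "country", "port": "port"},
}


def _atom(engine, term):
    """filtername:value, quoting values that contain whitespace."""
    name = FIELD_NAMES[engine].get(term.field, term.field)
    value = term.value
    if any(ch.isspace() for ch in value):   # e.g. org:"OVH SAS"
        value = '"' + value.replace('"', '\\"') + '"'
    return f"{name}:{value}"


def render(engine, terms, functions=()):
    """Render terms in one engine's syntax.

    functions: Onyphe-only list of (name, arg) pairs such as
    ("monthago", "6") or ("wildcard", "hostname,*ovh*").
    """
    if engine not in FIELD_NAMES:
        raise ValueError(f"unknown engine: {engine}")
    if functions and engine != "onyphe":
        raise ValueError("functions are an Onyphe feature")
    parts = []
    for i, term in enumerate(terms):
        atom = _atom(engine, term)
        if engine == "shodan":
            # Shodan: space-separated terms, '+' requires and '-' excludes.
            if term.negate:
                parts.append("-" + atom)
            else:
                parts.append(atom if i == 0 else "+" + atom)
        elif engine in ("censys", "binaryedge"):
            # Boolean syntax: AND / OR / NOT.
            if term.negate:
                atom = "NOT " + atom
            parts.append(atom if i == 0 else "AND " + atom)
        else:  # onyphe
            # Implicit AND between filters. The slides show no Onyphe
            # negation syntax, so exclusions are refused rather than guessed.
            if term.negate:
                raise ValueError("negation is not rendered for Onyphe here")
            parts.append(atom)
    parts.extend(f"-{name}:{arg}" for name, arg in functions)
    return " ".join(parts)


def render_all(terms):
    """The same pivot in every engine's syntax (Onyphe without functions)."""
    return {engine: render(engine, terms) for engine in FIELD_NAMES}


if __name__ == "__main__":
    pivot = [Term("country", "FR"), Term("port", "80")]
    for engine, query in render_all(pivot).items():
        print(f"{engine:<11} {query}")
    print("onyphe      " + render("onyphe", pivot,
          functions=[("wildcard", "hostname,*ovh*"), ("monthago", "6")]))
```

Running it reproduces the slides' own examples for all four engines; the quoting branch and the `negate` flag cover the two cases a practitioner hits next (organisation names with spaces, and excluding a port or country).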
  7. RiskIQ 101
     • RiskIQ provides search functions for Passive DNS, components, trackers, WHOIS, certificates and cookies.
       ◦ Components are server-side / client-side technologies (e.g. Nginx, jQuery).
       ◦ Trackers are analytics trackers (e.g. Google Analytics).
  8. VirusTotal 101
     • VirusTotal data (which can be used outside of the paywall):
       ◦ Passive DNS
       ◦ Detection data
         ▪ IP, domain, URL and hash
       ◦ Sandbox data
  9. urlscan.io 101
     • urlscan.io provides scan and search functions for websites.
       ◦ urlscan.io data include manual submissions and automatic submissions.
         ▪ Automatic submissions: urlscan.io automatically scans URLs from OpenPhish, PhishTank, URLhaus, etc.
       ◦ You can use Elasticsearch query syntax to search.
         ▪ domain:kuronekoyamao.com
         ▪ domain:jppost-*.top AND page.country:FR
       ◦ Be careful with the limitations.
         ▪ urlscan.io scans a website via rotating European VPN exit IPs.
         ▪ The default User-Agent is that of the latest stable Google Chrome on Mac OS X.
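Why the two limitations on this slide matter, as an added example that is not part of the original deck: a site can answer differently depending on the source country and User-Agent, so a scan from a European exit IP with a desktop Chrome UA is not necessarily what a targeted victim sees. The gating kit below is a constructed stand-in (the geo and mobile-only checks are assumed, typical behaviour, not anything the slides describe), and the scanner vantage point only approximates the slide's description; the UA string is an illustrative desktop-Chrome value, not urlscan.io's exact string.

```python
import hashlib

# Constructed pages (assumption): the lure, and a harmless page for everyone else.
LURE_HTML = "<html><body><form action='/steal'>Sign in to your account</form></body></html>"
DECOY_HTML = "<html><body>Not Found</body></html>"

MOBILE_MARKERS = ("Android", "iPhone", "iPad", "Mobile")


def is_mobile(user_agent):
    return any(marker in user_agent for marker in MOBILE_MARKERS)


class CloakingKit:
    """Assumed gate: serve the lure only to target countries on mobile UAs."""

    def __init__(self, target_countries, mobile_only=True):
        self.target_countries = set(target_countries)
        self.mobile_only = mobile_only

    def respond(self, src_country, user_agent):
        if src_country not in self.target_countries:
            return 404, DECOY_HTML
        if self.mobile_only and not is_mobile(user_agent):
            return 404, DECOY_HTML
        return 200, LURE_HTML


# Vantage points as (source country, User-Agent). "scanner" approximates the
# default described on the slide (European exit IP, desktop Chrome on macOS);
# "victim" is a constructed mobile user in the campaign's target country.
VANTAGE_POINTS = {
    "scanner": ("DE", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"),
    "victim":  ("JP", "Mozilla/5.0 (Linux; Android 13; Pixel 7) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36"),
}


def fetch_from(kit, vantage_points):
    """Fetch the same site from each vantage point; keep status and body hash."""
    results = {}
    for name, (country, ua) in vantage_points.items():
        status, body = kit.respond(country, ua)
        digest = hashlib.sha256(body.encode()).hexdigest()[:12]
        results[name] = (status, digest)
    return results


def is_cloaked(results):
    """True when vantage points disagree: one scan is not the whole story."""
    return len(set(results.values())) > 1


if __name__ == "__main__":
    kit = CloakingKit(target_countries={"JP"})
    seen = fetch_from(kit, VANTAGE_POINTS)
    for name, (status, digest) in seen.items():
        print(f"{name:<8} HTTP {status}  body sha256 {digest}")
    print("cloaked:", is_cloaked(seen))
```

The scanner vantage point gets the 404 decoy while the victim vantage point gets the lure. The practical check is the same as the code's: when a submitted URL looks clean in a scan, compare it against a fetch with a victim-like country and User-Agent before closing the case, and treat disagreeing results as the signal, not the clean one.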