FACEBOOK OSINT
IT'S FASTER THAN SPEED DATING
17 October 2013 | HITB2013KUL
Keith Lee
Jonathan Werrett
Thursday, 17 October 13
INTRODUCTION
Keith Lee
Security Analyst, SpiderLabs, Singapore
[email protected]
http://github.com/milo2012/osintstalker
@keith55
Jonathan Werrett
Managing Consultant, SpiderLabs, Hong Kong
[email protected]
@werrett
AGENDA
‣ Background / Motivation
‣ Introduction to GeoStalker and FBStalker tools
‣ Problems they solve
‣ GeoStalker in-depth
‣ FBStalker in-depth
‣ What you can do to protect yourself
MOTIVATION
Spend our days on “Penetration tests”
Web apps and networks
Day-in day-out
BUT WAIT
Sometimes we get a real pentest
Set specific targets
Gain access any way you can
...
Red team, Physical Security, Phishing
Open Source Intelligence
OSINT
[Diagram: OSINT data-source map around the target. Google Maps → geocoded Lat / Lon, premise details, physical address. Wigle.net wireless DB → network names, MAC addresses. Twitter, Instagram → places visited, photos. Whois / IP allocations → company domains, company name. Foursquare → check-ins, no. of check-ins together. LinkedIn → education, background, previous jobs. Facebook → friends, profiles, age of friendship, likes, tagged w/ people, no. of tags, no. of comments, places visited.]
GEOSTALKER
Takes
‣ Location (address or coordinates)
Retrieves location data from
‣ Wigle.net (Wireless DB)
‣ Instagram
‣ Twitter
‣ Foursquare
‣ Flickr
Provides
‣ Wireless access points near-by
‣ Photos taken at that location
‣ Social media accounts of people who’ve visited

FBSTALKER
Takes
‣ Facebook profile user
Uses Graph Search to reverse engineer
‣ Friends
‣ Likes
‣ Check-ins
‣ Comments
Provides
‣ Social engineering targets
‣ Associates of those targets
‣ Times online
‣ Interests, commonly visited places
EXAMPLE OBJECTIVES
[Diagram: two objective chains. Premise Recon? → Google Maps → Geocode (Lat / Lon) → Twitter, Instagram, 4sq, Flickr → Entry Points, Photos of Facilities. Phishing Targets? → Google Search, LinkedIn, Facebook → Staff → Twitter, Instagram, 4sq, Flickr → Staff Interests, Associates; Physical Address → Geocode (Lat / Lon).]
EXAMPLES FROM ENGAGEMENTS
FB Apps
‣ Indicate phishing target uses a Mac
‣ Ditch our Windows-based payloads for OSX
FB Friends
‣ Identify target’s wife
‣ Wife runs Pilates studio
‣ Spear phish wife based on Pilates
Instagram Photos
‣ Client was a power utility
‣ Staff target found via photos from facilities
GEOSTALKER - INTRO
Requires
‣ Address
‣ Latitude / Longitude Coordinates
Queries sources
‣ Wigle.net (Wireless DB)
‣ Instagram
‣ Twitter
‣ Foursquare
‣ Flickr
Provides
‣ Wireless devices
‣ Photos
‣ Social network accounts
‣ Searches social network accounts for ‘like’ names
GEOSTALKER - APPLICATION FLOW
[Diagram: geoStalker takes a Geolocation, queries the Data Sources Wigle.net, Flickr, Twitter, Instagram and Foursquare, then looks up each UserID found against Google Search, Instagram, Youtube, Linkedin, Facebook and Google+.]
DEMO: GEOSTALKER
GEOSTALKER - INPUT
GEOSTALKER - RUNNING
GEOSTALKER - FOURSQUARE
GEOSTALKER - INSTAGRAM
GEOSTALKER - FLICKR
GEOSTALKER - HTML OUTPUT
GEOSTALKER - MALTEGO EXPORT
GEOSTALKER - LIMITATIONS
Single threaded
Query by GPS location or address only
GEOSTALKER - FUTURE VERSIONS
Multithreaded - Run faster!
Extend Maltego mtgx export
Allow disabling specific data sources
FBSTALKER - INTRO
Requires
‣ Profile Name
Graph Search to find
‣ Friends
‣ Likes
‣ Check-ins
‣ Comments
Provides
‣ Reverse engineered friend list
‣ Strength of associations
‣ Regular posting time (wake time?)
FBSTALKER - LOCKDOWN VS NON-LOCKDOWN
Lockdown Profile
‣ Unable to see the list of friends
‣ Reverse engineer the list of friends from likes and tags
Open Profile
‣ Analyze all friends of target and determine how two individuals are connected or know each other.
‣ Work place
‣ School
‣ Common interests
‣ Common friends
‣ Places that two individuals like
FACEBOOK GRAPH KEYWORDS
UNDERSTAND HOW 2 INDIVIDUALS ARE CONNECTED / RELATED
[Diagram: Facebook Graph Search phrasings radiating from “Facebook Graph”]
‣ Pages that Friend X and Y likes
‣ Photos that Friend X and Y likes
‣ Books liked by Friend X and Y
‣ Sports liked by Friend X and Y
‣ Places Friend X and Y likes
‣ Places Friend X and Y worked at
‣ Music that Friend X and Y likes
‣ Movies liked by Friend X and Y
‣ Favorite interests of Friend X and Y
‣ Movies Friend X and Y likes
‣ Places Friend X and Y been to
‣ Photos that Friend X and Y are tagged in
‣ Groups that Friend X and Y are in
‣ Restaurants that Friend X and Y likes
‣ TV shows liked by Friend X and Y
‣ Cafes that Friend X and Y likes
‣ Games that Friend X and Y plays
FBSTALKER - GRAPH SEARCH EXAMPLE
DEMO: FBSTALKER
FBSTALKER - INPUT
FBSTALKER - RUNNING
FBSTALKER - MALTEGO EXPORT
FBSTALKER - PROBLEMS
Facebook Graph API is limited
PhantomJS had some issues with Facebook site
Had to use Chromedriver
Single threaded
FBSTALKER - FUTURE WORK
‣ Runs 100% headless
‣ Monitor changes / activities of user’s FB profile.
‣ Allow name as input instead of userid
‣ Point system for Association strength
‣ Photo Tags
‣ Check-ins
‣ Comments
‣ Post / Photo Likes
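The “point system for association strength” listed above, scored from the four signals the slide names, as an added example that is not the authors’ osintstalker code. The weights, profile names and interaction records are constructed assumptions; the point is how few public interactions it takes to rank a profile’s closest contacts, which is why the privacy settings at the end of the deck matter.

```python
"""Added example: a simple association-strength point system between a
target profile and everyone who interacts with it. Signals are the four on
the future-work slide (photo tags, check-ins, comments, post/photo likes).
Weights and the sample interaction records are constructed, not measured."""
from collections import Counter
from dataclasses import dataclass

# Assumed weights: a shared photo tag or a joint check-in implies physical
# proximity, so it scores higher than a comment, which scores above a like.
WEIGHTS = {"photo_tag": 3, "checkin": 3, "comment": 2, "like": 1}


@dataclass(frozen=True)
class Interaction:
    actor: str    # profile that tagged / checked in / commented / liked
    subject: str  # profile whose photo, post or check-in received it
    kind: str     # one of the keys in WEIGHTS


def association_scores(target, interactions):
    """Return {profile: points} for every profile interacting with target.
    Both directions count, so the score is symmetric between two profiles."""
    scores = Counter()
    for it in interactions:
        if it.kind not in WEIGHTS:
            raise ValueError(f"unknown interaction kind: {it.kind}")
        if it.actor == target and it.subject != target:
            scores[it.subject] += WEIGHTS[it.kind]
        elif it.subject == target and it.actor != target:
            scores[it.actor] += WEIGHTS[it.kind]
    return dict(scores)


def rank_associates(target, interactions, top=5):
    """Strongest associates first; ties broken alphabetically."""
    scores = association_scores(target, interactions)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


# Constructed sample data standing in for what a public timeline exposes.
SAMPLE = [
    Interaction("alice", "target", "photo_tag"),
    Interaction("target", "alice", "checkin"),
    Interaction("alice", "target", "comment"),
    Interaction("bob", "target", "like"),
    Interaction("bob", "target", "like"),
    Interaction("carol", "target", "comment"),
    Interaction("target", "carol", "like"),
    Interaction("dave", "alice", "photo_tag"),  # does not involve target
]

if __name__ == "__main__":
    for name, pts in rank_associates("target", SAMPLE):
        print(f"{name:8s} {pts}")
```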
HOW TO PROTECT YOURSELF
Turn off ‘location’ setting in social networking apps
Tighten Facebook privacy settings
http://github.com/milo2012/osintstalker
[email protected] [email protected]
@keith55 @werrett