Post on 20-Apr-2018
-me
▪ Not a L33t H4x0r
▪ Old
▪ Loudmouth Security Punk who talks $hit
▪ Tells lies (professionally)
▪ Is called all sorts of bad words.. That I will likely say throughout this talk
▪ Cant code well
▪ I’ve done PenTesting and security work for the last 14+yrs
▪ Has a bunch of certs
▪ Helped create PTES
▪ Worked for Sprint, KPMG and others in InfoSec
▪ My opinions are my own (but also my companies)
▪ And…
What the F*ck is this talk about?
Corporate Surveillance
Business Profiling
Personnel Profiling
Work 2.0
Individual Surveillance
Social Profile
Doxin Like a boss
Gettin’ all up in it
24x7
Show Me
Onsite
Watching an entire company isn’t feasible so lets boil it down
▪ Employees
▪ Partners
▪ Competitors
▪ Adversaries
▪ Trustees
▪ Financials
▪ Sensitive Info Leakage
▪ Electronic Threat surface
▪ Social Threat surface
▪ Corporate communications
▪ Key relationships and individuals of influence
▪ Corporate events
▪ Manipulation points or general shadiness =)
• Collusion
• Relationship strengths
• Relationship Age
• Com. Patterns
• Raw Intel leakage
• Tone
• Timing
• Key Terms
• Interaction Clients
• Web Apps used
• Type of hardware
• Physical Locations
• Carriers
• Names
• Aliases
• Emails
• IM
• Screen names
• Social Landscape
Who What
Why How
Simon Says…
If you are going to drink the ocean, you may as well have a straw
▪ Manipulations points
▪ Interests/ Habits
▪ Leverage areas
▪ Points of similarity
▪ Date Specific events (wedding,bday, etc)
▪ Religion
▪ Race
▪ Creed
▪ Affiliations
▪ Clubs / Hobbies
▪ Haunts
▪ Personal Relationships
▪ Business Relationships
▪ Photos
▪ Family Heritage
▪ Socioeconomic class
▪ Affinities
▪ Travel schedules & Physical movement patterns
Mapping relationships (this is an entire talk by itself, so I’ll go fast)
▪ The ideas are simple – Find yow who you are
– Who you know
– Why you know them
– Then do magic and build your relationship profile.
▪ We want to use them like a Vuln scanner – Get all of the info that is relevant to target ocmpany
– Find all People
– Target a few
– Find the gaps
– Exploit them ▪ *ex. Social Net vs IRL
And TONS of people are trying to use them to figure out how a person is connected to a company or another human
Finding the MASSES SalesForce Apps
http://appexchange.salesforce.com/category/intelligence
There are TONs more, but remember you can “Roll your own”
Underlying Maps (Geo and some data)
▪ Map Data with API access – ESRI
– UMAPPER
– ArcGIS
– Bing Maps
– Openscales
– Yandex (with facial recognition)
– MapQuest
– OpenStreetMap
Overlay and analysis
▪ Flickr
▪ Banjo
▪ Tripit
▪ 4square
▪ (everything u can get for free or “find free” api keys on github)
▪ Mo da bettah
NodeXL (omfgwtfBBQ awesome) http://nodexl.codeplex.com/
Now to pick a target using the Relationship paths identified
Yep… the big maps will now get to smaller maps =)
Snoopy
Snoopy (because “Eye of Saron and Big Brother” were taken) since its distributed sniffing and tracking network for wireless attack.
Figure out who u wanna go after yet?
If information is power, you now have a BIG ASS ARMY! Let’s get em some weapons!
We Know who we want, so let’s take down the easy ones first
▪ Phishing
▪ External compromise
▪ Onsite Attack
▪ Creating spys & Intel leaks
▪ Corporate manipulation
▪ Creating Shell companies and potential partners
▪ Just get in… U have a whole con to learn how to do that.
How do you get all this $h1T near the person you REALLY want?
▪ Compromise the badge system
▪ Compromise the camera systems
▪ Find out where their boxxen is and OWN IT
▪ Bug all the things
▪ Make sure to own all of their closest relationships in the office and business
▪ Once ya get all that you think you want…. Stay in… you can never have too much root =)
Automate finding stuff
▪ Whip up some python (or whatever u write in) to import your nessus scan of the ports u are going after and open them all in a tab in the browser…remember.. LOOK at the results. Don’t just assume u know whats on the port
▪ Try logging ALL the banners in the scan and then pasre for the google dorks u would use if it was external
▪ Update frequently for new manuals u download =)
I WANNA SEE
▪ LOOK at anything that is running a website *allports* people rarely change defaults.
http://www.exoticliability.com/profiles/blog/show?id=3125850%3ABlogPost%3A15590&commentId=3125850%3AComment%3A18834
meterpreter > run smartlocker [*] Found WINLOGON at PID:644 [*] Migrating from PID:2532 [*] Migrated to WINLOGON PID: 644 successfully [*] System has currently been idle for 12 seconds [*] Current Idletime: 12 seconds [*] Current Idletime: 42 seconds [*] Current Idletime: 73 seconds [*] Starting the keystroke sniffer... [*] Keystrokes being saved in to /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt [*] Recording [*] They logged back in! Money time! [*] Stopping keystroke sniffer... meterpreter > background msf > cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt [*] exec: cat /home/user/.msf3/logs/scripts/smartlocker/10.0.0.155_20101101.2157.txt design4life$uper12#07#76!
If u get impatient be smart =)
Also… don’t forget the obvious stuff
▪ Search for “password”
▪ Make password lists based on profiles
▪ Search for “keepass” and LOOk at all XML * edit config to unhide and decrypt too =)
▪ Batch updates to send keylogger traffic to you
▪ .purple = Pidgin shit
▪ Watch their MAIL! xfce4-mailwatch,Gwatch..etc
▪ If the AV fu is strong… don’t be embarrassed to use hardware. U HAVE to see it all.
Wireless Data drive / podslurping
GSM Cracked, Cloned, spoofed
RFID Cloning / Attacking Wireless SD Cards
BarCode Attacks
Transponder Cloning, trunk code rolling, bluetooth car jacking
RealID, Verichip, Wireless ID Theft
Mobile Computers, iPad, eReaders, UltraPortables. Let’s not go there…
Bluetooth Hijacking, Rogue pairing, Interception, sniffing, Cloning
Autonet In car internet. WiFi, 3g/4g, LTE, VoIP
Wireless headset Eavesdropping
Cordless Keyboard / Mouse sniffing
GPS Hacking and Forgery +OnStar
2.4ghz, 5.8ghz, x10 Wireless security systems
DECT Hacks
HID, RFID, Proxcard Badge system Hacking
http://www.youtube.com/watch?v=f3zUOZcewtA
----- THIS is an AWESOME listening device. Go watch the ccc talk on the Thingpwner Speaker: Ang Cui, Michael Costello EventID: 5400 Event: 29th Chaos Communication Congress (29c3) by the Chaos Computer Club [CCC]
Get the KIES to the kingdom @cron_ talk at HackMiami http://mcaf.ee/pt5sy Yum
Use a GOOD Cellphone bugging kit www.mobistealth.com www.flexispy.com
More cellphone bugging
▪ USRP (Software defined Radio Platform) – Set up a cell tower (OpenBTS), identify as the relevant cell provider, either
transmit stronger, or cause other towers to drop the targets…
– Associated targets still get connectivity (cell + data), just through YOU
– Push updates?
– OsmocomBB, aeroprobe, etc..