The new FOCA 2.7
2.7.1 version
Chema Alonso
FOCA 0.X
Metadata Risks
• “Secret” relationships
  – Government & companies
  – Companies & providers
• Piracy
• Reputation
• Social engineering attacks
• Targeting Malware
FOCA: File types supported
• Office documents:
  – Open Office documents.
  – MS Office documents.
  – PDF Documents.
    • XMP.
  – EPS Documents.
  – Graphic documents.
    • EXIF.
    • XMP.
  – Adobe Indesign, SVG, SVGZ
What can be found?
• Users:
  – Creators.
  – Modifiers.
  – Users in paths.
    • C:\Documents and settings\jfoo\myfile
    • /home/johnnyf
• Operating systems.
• Printers.
  – Local and remote.
• Paths.
  – Local and remote.
• Network info.
  – Shared Printers.
  – Shared Folders.
  – ACLs.
• Internal Servers.
  – NetBIOS Name.
  – Domain Name.
  – IP Address.
• Database structures.
  – Table names.
  – Column names.
• Devices info.
  – Mobiles.
  – Photo cameras.
• Private Info.
  – Personal data.
• History of use.
• Software versions.
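As an added example (not part of the original slides and not FOCA's own code), a pre-publication check for the user-related items listed above: it reads the creator and last-modifier fields of an OOXML document and looks for user names inside embedded paths. The sample file and the names `audit_ooxml` and `build_sample` are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# User names embedded in Windows profile paths and Unix home directories.
USER_IN_PATH = re.compile(
    r'(?:[A-Za-z]:\\(?:Documents and Settings|Users)\\|/home/)([^\\/\s"<>]+)',
    re.IGNORECASE,
)

def audit_ooxml(data: bytes) -> dict:
    """Return the identity-bearing metadata found in an OOXML file (docx/xlsx/pptx)."""
    found = {"creator": None, "last_modified_by": None, "users_in_paths": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            raw = z.read(name)
            if name == "docProps/core.xml":
                root = ET.fromstring(raw)
                found["creator"] = root.findtext("dc:creator", namespaces=NS)
                found["last_modified_by"] = root.findtext("cp:lastModifiedBy", namespaces=NS)
            # Paths can hide in any part: template links, printer settings, body text.
            text = raw.decode("utf-8", errors="replace")
            found["users_in_paths"].update(USER_IN_PATH.findall(text))
    return found

def build_sample() -> bytes:
    """Constructed sample: a minimal zip holding only the parts audited here."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:creator>jfoo</dc:creator>"
        "<cp:lastModifiedBy>Johnny Foo</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    rels = r'<Relationships><Relationship Target="file:///C:\Documents and settings\jfoo\tpl.dot"/></Relationships>'
    body = "<document><p>Saved from /home/johnnyf/draft.odt</p></document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/_rels/settings.xml.rels", rels)
        z.writestr("word/document.xml", body)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_ooxml(build_sample()))
```

Any non-empty field in the result is a reason to clean the file before it is published.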
Sample: FBI.gov
Total: 4841 files
FOCA 1 v. RC3
• Fingerprinting Organizations with Collected Archives
  – Search for documents in Google and Bing
  – Automatic file downloading
  – Capable of extracting Metadata, hidden info and lost data
  – Cluster information
  – Analyzes the info to fingerprint the network.
How many days to do the pentesting?
Sometimes…a pentester needs to be a SuperHero
FOCA 2.5
• Network Discovery
• Recursive algorithm
• Information Gathering
• Sw Recognition
• DNS Cache Snooping
• Reporting Tool
DNS Search Panel
Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
1) http -> Web server
2) GET Banner HTTP
3) domain.com is a domain
4) Search NS, MX, SPF records for domain.com
5) sub.domain.com is a subdomain
6) Search NS, MX, SPF records for sub.domain.com
7) Try all the non verified servers on all new domains
   1) server01.domain.com
   2) server01.sub.domain.com
8) Apple1.sub.domain.com is a hostname
9) Try DNS Prediction (apple1) on all domains
10) Try Google Sets(apple1) on all domains
Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
11) Resolve IP Address
12) Get Certificate in https://IP
13) Search for domain names in it
14) Get HTTP Banner of http://IP
15) Use Bing Ip:IP to find all domains sharing it
16) Repeat for every new domain
17) Connect to the internal NS (1 or all)
18) Perform a PTR Scan searching for internal servers
19) For every new IP discovered try Bing IP recursively
20) ~chema -> chema is probably a user
Network Discovery Algorithm
http://apple1.sub.domain.com/~chema/dir/fil.doc
21) /, /~chema/ and /~chema/dir/ are paths
22) Try directory listing in all the paths
23) Search for PUT, DELETE, TRACE methods in every path
24) Fingerprint software from 404 error messages
25) Fingerprint software from application error messages
26) Try common names on all domains (dictionary)
27) Try Zone Transfer on all NS
28) Search for any URL indexed by web engines related to the hostname
29) Download the file
30) Extract the metadata, hidden info and lost data
31) Sort all this information and present it nicely
32) For every new IP/URL start over again
FOCA 2.5: Exalead
Huge domains case
Digital Certificates
FOCA 2.5 & Shodan
FOCA 2.5 URL Analysis
.listing
Insecure HTTP Methods
Search & Upload
Searching for Server-Side Technologies
Fuzzing options
DNS Cache Snooping
FOCA Reporting Module
What’s new in 2.7.1
RDP & ICA Files Analysis
Squid Proxies
DNS Records
Netrange Scan
Parametrized URLs
Easy Bugs search
Task List
Plugins
Fear The FOCA
Buy a FOCA T-Shirt
And be «Sexy» }:))
Questions?
- Chema Alonso
- [email protected]
- http://www.informatica64.com
- http://www.elladodelmal.com
- http://twitter.com/chemaalonso
- http://www.forefront-es.com
- http://www.seguridadapple.com
- http://www.windowstecnico.com
- http://www.puntocompartido.com

Working on FOCA:
- Chema Alonso
- Alejandro Martín
- Francisco Oca
- Manuel Fernández «The Sur»
- Daniel Romero
- Enrique Rando
- Pedro Laguna
- Special Thanks to: John Matherly [Shodan]