FACEBOOK OSINT: IT'S FASTER THAN SPEED DATING
Keith Lee, Jonathan Werrett
17 October 2013 | HITB2013KUL
Thursday, 17 October 13
Jonathan Werrett
Managing Consultant, SpiderLabs, Hong Kong
[email protected] / @werrett
Keith Lee
Security Analyst, SpiderLabs
[email protected] / http://github.com/milo2012/osintstalker / @keith55
INTRODUCTION
AGENDA
‣ Background / Motivation
‣ Introduction to the GeoStalker and FBStalker tools
‣ Problems they solve
‣ GeoStalker in-depth
‣ FBStalker in-depth
‣ What you can do to protect yourself
MOTIVATION
Spend our days on “Penetration tests”
Web apps and networks
Day-in, day-out
BUT WAIT
Sometimes we get a real pentest
Set specific targets
Gain access any way you can
...
Red team, Physical Security, Phishing, Open Source Intelligence
OSINT (mind map)
Company Name
  ‣ Physical Address
    ‣ Google Maps → Geocoded Lat / Lon
      ‣ Wigle.net Wireless DB → Network Names, MAC Addresses
    ‣ Premise Details
  ‣ Company Domains → Whois / IP Allocations
  ‣ Facebook Target Profiles
    ‣ Friends: age of friendship, no. of check-ins together, no. of comments, no. of tags
    ‣ Check-ins: places visited
    ‣ Photos: tagged with people
    ‣ Background: Education; Visited / Previous Jobs
    ‣ Likes
    ‣ Photos
GEOSTALKER
Takes
‣ Location (address or coordinates)
Retrieves location data from
‣ Wigle.net (Wireless DB)
‣ Foursquare
‣ Flickr
Provides
‣ Wireless access points nearby
‣ Photos taken at that location
‣ Social media accounts of people who’ve visited

FBSTALKER
Takes
‣ Facebook profile user
Uses Graph Search to reverse
‣ Friends
‣ Likes
‣ Check-ins
‣ Comments
Provides
‣ Social engineering targets
‣ Associates of those targets
‣ Times online
‣ Interests, commonly visited places
EXAMPLE OBJECTIVES
Phishing Targets?
LinkedIn, Facebook → Physical Address → Geocode Lat / Lon → Twitter, Instagram, 4sq, Flickr → Staff, Interests, Associates
Premise Recon?
Google Search → Google Maps → Geocode Lat / Lon → Twitter, Instagram, 4sq, Flickr → Staff, Photos, Entry Points, Facilities
EXAMPLES FROM ENGAGEMENTS
FB Apps
‣ Indicate phishing target uses a Mac
‣ Ditch our Windows-based payloads for OSX
FB Friends
‣ Identify target’s wife
‣ Wife runs a Pilates studio
‣ Spear phish wife based on Pilates
Instagram Photos
‣ Client was a power utility
‣ Staff target found via photos from facilities
GEOSTALKER - INTRO
Queries sources
‣ Wigle.net (Wireless DB)
‣ Foursquare
‣ Flickr
Provides
‣ Wireless devices
‣ Photos
‣ Social network accounts
‣ Searches social network accounts for ‘like’ names
Requires
‣ Address
‣ Latitude / Longitude coordinates
GEOSTALKER - APPLICATION FLOW
geoStalker → Geolocation → Data Source (Flickr, Wigle.net) → User ID → Google Search → YouTube, Google+, Instagram, Facebook, LinkedIn, Twitter, Foursquare
DEMO: GEOSTALKER
(Screenshot slides: GeoStalker input; GeoStalker running; Foursquare, Instagram and Flickr results; HTML output; Maltego export)
GEOSTALKER - LIMITATIONS
Single threaded
Query by GPS location or address only
GEOSTALKER - FUTURE VERSIONS
Multithreaded - run faster!
Extend Maltego mtgx export
Allow disabling specific data sources
FBSTALKER - INTRO
Requires
‣ Profile Name
Graph Search to find
‣ Friends
‣ Likes
‣ Check-ins
‣ Comments
Provides
‣ Reverse engineered friend list
‣ Strength of associations
‣ Regular posting time (wake time?)
FBSTALKER - LOCKDOWN VS NON-LOCKDOWN
Lockdown Profile
‣ Unable to see the list of friends
‣ Reverse engineer the list of friends from likes and tags
Open Profile
‣ Analyze all friends of the target and determine how two individuals are connected or know each other:
  ‣ Work place
  ‣ School
  ‣ Common interests
  ‣ Common friends
  ‣ Places that two individuals like
FACEBOOK GRAPH KEYWORDS: UNDERSTAND HOW 2 INDIVIDUALS ARE CONNECTED / RELATED
Facebook Graph Search phrases for a pair of friends X and Y:
‣ Places Friend X and Y have been to
‣ Places Friend X and Y like
‣ Movies Friend X and Y like
‣ Places Friend X and Y worked at
‣ Pages that Friend X and Y like
‣ Music that Friend X and Y like
‣ Movies liked by Friend X and Y
‣ Groups that Friend X and Y are in
‣ Restaurants that Friend X and Y like
‣ Cafes that Friend X and Y like
‣ Photos that Friend X and Y are tagged in
‣ TV shows liked by Friend X and Y
‣ Books liked by Friend X and Y
‣ Sports liked by Friend X and Y
‣ Photos that Friend X and Y like
‣ Games that Friend X and Y play
‣ Favorite interests of Friend X and Y
FBSTALKER - GRAPH SEARCH EXAMPLE
(Two screenshot slides)
DEMO: FBSTALKER
(Screenshot slides: FBStalker input; FBStalker running; Maltego export)
FBSTALKER - PROBLEMS
Facebook Graph API is limited
PhantomJS had some issues with the Facebook site
Had to use Chromedriver
Single threaded
FBSTALKER - FUTURE WORK
‣ Run 100% headless
‣ Monitor changes / activities of the user’s FB profile
‣ Allow a name as input instead of a user ID
‣ Point system for association strength:
  ‣ Photo tags
  ‣ Check-ins
  ‣ Comments
  ‣ Post / photo likes
HOW TO PROTECT YOURSELF
Turn off ‘location’ setting in social networking apps
Tighten Facebook privacy settings
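The photo sources the talk queries (Flickr, Instagram) can only place a picture at an address if location data travels with it, either as the app's own geotag or as GPS tags the camera wrote into the file. The slides stop at "turn off location"; as an added, defender-side example that is not part of the talk or the osintstalker project, the Python below does the self-check a practitioner would want before sharing a photo: it walks a JPEG's marker segments, parses the Exif APP1 block down to the GPS IFD, reports the tags it finds, converts them to signed decimal degrees, and produces a copy with the Exif block removed. The sample image is a constructed stub (SOI, Exif APP1, EOI, no scan data) whose coordinates 22°30'N 114°15'E were picked for the example; it assumes the exposure comes from in-file GPS tags, which the slides do not spell out.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"  # APP1 payload prefix that marks an Exif block
GPS_IFD_TAG = 0x8825          # IFD0 entry that points at the GPS sub-IFD
GPS_TAG_NAMES = {1: "GPSLatitudeRef", 2: "GPSLatitude", 3: "GPSLongitudeRef", 4: "GPSLongitude"}

def parse_segments(jpeg):
    """Marker segments up to SOS/EOI as [(marker, start, end)], plus the offset of whatever follows."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS (entropy-coded scan data follows): stop walking
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # the length field counts itself
        segments.append((marker, pos, pos + 2 + length))
        pos += 2 + length
    return segments, pos

def _ifd_entries(tiff, offset, bo):
    """Yield (tag, type, count, 4 raw value/offset bytes) for every entry of one TIFF IFD."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    for base in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack_from(bo + "HHI", tiff, base)
        yield tag, typ, count, tiff[base + 8:base + 12]

def _decode(tiff, bo, typ, count, raw):
    """Decode ASCII (type 2) and RATIONAL (type 5) values; any other type is returned raw."""
    size = {2: 1, 5: 8}.get(typ, 0) * count
    if size == 0:
        return raw
    # Values of up to 4 bytes sit inline; longer ones live at an offset from the TIFF block start
    data = raw[:size] if size <= 4 else tiff[struct.unpack(bo + "I", raw)[0]:][:size]
    if len(data) != size:
        raise ValueError("Exif value runs past the end of the TIFF block")
    if typ == 2:
        return data.rstrip(b"\x00").decode("ascii", "replace")
    return list(struct.iter_unpack(bo + "II", data))  # RATIONAL -> [(numerator, denominator), ...]

def gps_tags(jpeg):
    """{tag name: value} for the GPS IFD of the first Exif block, or {} if the file carries none."""
    segments, _ = parse_segments(jpeg)
    for marker, start, end in segments:
        payload = jpeg[start + 4:end]  # skip the 2-byte marker and the 2-byte length field
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if bo is None or struct.unpack(bo + "H", tiff[2:4])[0] != 42:
            raise ValueError("bad TIFF header in Exif block")
        ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
        gps_off = next((struct.unpack(bo + "I", raw)[0] for tag, _, _, raw in
                        _ifd_entries(tiff, ifd0, bo) if tag == GPS_IFD_TAG), None)
        if gps_off is None:
            return {}
        return {GPS_TAG_NAMES.get(tag, tag): _decode(tiff, bo, typ, count, raw)
                for tag, typ, count, raw in _ifd_entries(tiff, gps_off, bo)}
    return {}

def gps_decimal(tags):
    """Signed (lat, lon) in decimal degrees from the DMS rationals and N/S, E/W refs; None if absent."""
    if any(k not in tags for k in ("GPSLatitude", "GPSLatitudeRef", "GPSLongitude", "GPSLongitudeRef")):
        return None
    def dms(parts, ref, negative_ref):
        d, m, s = (num / den for num, den in parts)  # ZeroDivisionError flags a malformed rational
        return (-1 if ref == negative_ref else 1) * (d + m / 60 + s / 3600)
    return (dms(tags["GPSLatitude"], tags["GPSLatitudeRef"], "S"),
            dms(tags["GPSLongitude"], tags["GPSLongitudeRef"], "W"))

def strip_exif(jpeg):
    """Copy of the JPEG without its Exif APP1 segments; GPS goes, and so do orientation/camera tags."""
    segments, tail = parse_segments(jpeg)
    out = bytearray(jpeg[:2])
    for marker, start, end in segments:
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER):
            out += jpeg[start:end]
    return bytes(out + jpeg[tail:])

def build_geotagged_sample():
    """Constructed stub, not a real photo: SOI + Exif APP1 + EOI, GPS IFD = 22 deg 30' N, 114 deg 15' E."""
    bo = "<"  # little-endian TIFF ("II")
    entry = lambda tag, typ, count, value4: struct.pack(bo + "HHI", tag, typ, count) + value4
    rationals = lambda *pairs: b"".join(struct.pack(bo + "II", n, d) for n, d in pairs)
    gps_off, lat_off, lon_off = 26, 80, 104  # fixed layout; the assert below checks it
    header = b"II" + struct.pack(bo + "HI", 42, 8)  # byte order, magic 42, IFD0 at offset 8
    ifd0 = struct.pack(bo + "H", 1) + entry(GPS_IFD_TAG, 4, 1, struct.pack(bo + "I", gps_off)) + bytes(4)
    gps = (struct.pack(bo + "H", 4)
           + entry(1, 2, 2, b"N\x00\x00\x00") + entry(2, 5, 3, struct.pack(bo + "I", lat_off))
           + entry(3, 2, 2, b"E\x00\x00\x00") + entry(4, 5, 3, struct.pack(bo + "I", lon_off))
           + bytes(4))  # trailing "next IFD" pointer = none
    assert len(header + ifd0) == gps_off and len(header + ifd0 + gps) == lat_off
    tiff = header + ifd0 + gps + rationals((22, 1), (30, 1), (0, 1)) + rationals((114, 1), (15, 1), (0, 1))
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run `gps_tags(open("photo.jpg", "rb").read())` on a file before posting it; a non-empty result means the coordinates would ride along with the upload, and `strip_exif` produces a copy to share instead. Dropping the whole Exif block rather than only the GPS IFD is deliberate: it avoids rewriting IFD offsets, at the cost of orientation and camera tags. It does nothing about the geotag a social app attaches server-side from the phone's location service, which is what the "turn off location" advice on this slide addresses.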
http://github.com/milo2012/osintstalker
[email protected] / @keith55
[email protected] / @werrett