The Open Source Intelligence Framework


Open Source Intelligence (OSINT) is defined as intelligence collected from publicly available sources. In the intelligence community, the term "open" refers to overt, publicly available sources; it is not related to open-source software or public intelligence. This form of gathering and analysis of information is crucial for both cyber and physical security professionals to understand. Today I want to look at some concepts and tools used in OSINT. I'd have to write a book to cover it all, so I'll touch on some basics. First, being able to gain all the knowledge on a target or organization without the daunting task of penetrating networks, finding vulnerabilities in the machines and then exploiting those machines could prove to be priceless. Using OSINT and social engineering tactics such as NLP and pretexting can literally give you any information desired. Mix in lock picking, disguise and stealth, and soon you're on your way down a road less traveled in the cyber security field. I mention cyber security because with the Internet of Things and billions of devices online there are countless exploits and vulnerabilities. Companies hire technical auditors called pentesters or ethical hackers to find vulnerabilities within their intranet and networks; however, this only covers the technical aspect, not the physical. Let's say, for instance, I was contracted to find the network vulnerabilities of a corporation. They are well secured with web application firewalls, ModSecurity on their Apache servers to prevent SQL injection, reverse proxies and load balancers, and on this given day it's just something I don't feel like spending my time on or getting the team together for, so what do I do? Well, using OSINT I join their LinkedIn group and find out they hire third-party overnight security. I also find out that there is overnight construction tasked with the new building add-on set to complete next year. BINGO!
Now when I get to the gate I already know the names and details of the security team, their bosses, the construction crew and the foreman. "Hey, sorry I'm not in the company truck today, my wife is expecting any minute now, we're having a boy, I'm so excited! So I'll need to be able to leave whenever. Mr. Smith (the construction foreman) is aware and they should be right behind me." This situation could have gone a million ways. I could have just used stealth and jumped the wall in a construction outfit disguise that matches the logo and design of the crew doing the work (which I found using OSINT). I could have called the security officer at the entrance gate on his cell phone with a spoofed number from his wife's cell phone, all obtained online using OSINT, told him I was a doctor and she is in critical condition and we need you to come to the hospital to sign off on surgery. Unethical, yes, but you gotta be able to have the balls to do what needs to be done, and a corporation like this should have protocols in place for any situation. Plus, who knows, once he leaves the entrance gate and finds out his wife is alive it might be the best day of his life! The point is I needed access, not only to set up a router for a Man in the Middle attack (as Plan B) but because I know OSINT is greater than IT and I just want to stick to my roots and dumpster dive (Plan A). Not only do I find their financial reports from last quarter, I also find the names of their internal staff, routers, ISP and other information that I'll use to eventually exploit their internal network. At the end of the day information like this can fetch a pretty penny from competitors or on the black market, so don't call yourself a security professional if you only conduct audits behind a screen; you're far from it.

Some basic technical skills are needed, however, to understand the concepts of footprinting and fingerprinting. If a simple ancestry.com search can find your mother's maiden name, and your social media profile lists your favorite things, your birthday and your children's names, one can probably deduce your credit card PIN and passwords without having to spend days on a brute force attack. Instead, an attacker with this information could use a dictionary-style attack, giving the program being used clues and phrases that suit a specific target. These are all examples of using OSINT: information that is readily available and in open sight. In the interest of time I'll now bullet point a list of tools and resources and you can take it from there.


Remember: if your attack targets the right area and is executed properly, a simple punch can be deadly. This is the power of OSINT!



*Search Engines and Social Media: Sometimes a simple Google or Facebook search can give you all the information you need to hijack a company mixer and gain further intel.

*The Social Engineering Framework: Provides an outstanding collection of modern concepts and books and is really a one-stop shop for all the tools you need.

*Shodan: The world's first search engine that lets you find anything connected to the internet. Instead of searching for words or people you can basically search IP tables. This is an amazing resource, but be warned: you may be tempted by the dark side once you go there.

*Video: The Basics of Lock Picking, DEF CON 13

*Google Dorking: Inputting commands into your search to reap its benefits.

*Dradis Framework: Provides a centralized repository of info that you can use and share.

*Maltego: Focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format suitable for link analysis and data mining.

*TinEye: Reverse image lookup that crawls the web to find all online locations of an image.



We covered a lot in this one article and I know there are a ton of things missing, but I hope this can provide you with a starting point and give you an understanding of the power of Open Source Intelligence and how it impacts security in all aspects. Feel free to comment or contact me with any questions or if you have something to add.



How to open locks with a nut wrench: old-school technique


                       -SODAGHAR 1/18/16

Hotspot Hotwar

The sad fact is that most end users keep their Wi-Fi on at all times. With most devices the standard operation is to auto-connect, or to connect when the request is asked of it. I noticed a strange occurrence in my area, in which there are 8 xfinity hotspots within a block radius. I know COMCAST provides these to their users for the ability to connect when abroad; however, seeing more than 2 in a given area seemed odd. Out of curiosity I began to investigate. Before I connected I did some footprinting and noticed these 8 seemingly innocent hotspots all shared the same MAC ADDRESSES of only 3 ACCESS POINTS. One of the odder facts is that two of the three APs had routers which belong to AT&T. With certain tools I was able to pinpoint in precise detail the location and physical address of said access points. These 8 "xfinity" hotspots are all coming from the exact same location and sharing the same MAC ADDRESSES of the 3 APs therein.
  The security risk happens when a device connects. Immediately the device is flooded with packets which hold PAYLOADS linking to APPSFLYER.COM. These payloads are designed to change the device's DNS, backdoor the device and use it as a slave/botnet for PAY PER CLICK and other AD REVENUE AFFILIATE PROGRAMS, as shown in this snippet of the payload:

00f0  20 42 75 69 6c 64 2f 4a  5a 4f 35 34 4b 29 0d 0a    Build/J ZO54K)..
0100  48 6f 73 74 3a 20 74 72  61 63 6b 2e 61 70 70 73   Host: tr ack.apps
0110  66 6c 79 65 72 2e 63 6f  6d 0d 0a 41 63 63 65 70   flyer.co m..Accep
0120  74 2d 45 6e 63 6f 64 69  6e 67 3a 20 67 7a 69 70   t-Encodi ng: gzip ...
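As an added illustration (not part of the original post or its captures), the Python below reassembles a Wireshark-style hex dump such as the snippet above back into bytes, pulls out the HTTP Host header, and checks the contacted domain against a watchlist. The sample input is the post's own four dump lines; the watchlist containing appsflyer.com is a constructed one, and the function and variable names are my own.

```python
import re

# Constructed sample input: the four hex-dump lines quoted in the post above,
# in Wireshark's "offset  hex bytes  ASCII" layout.
SAMPLE_DUMP = """\
00f0  20 42 75 69 6c 64 2f 4a  5a 4f 35 34 4b 29 0d 0a    Build/J ZO54K)..
0100  48 6f 73 74 3a 20 74 72  61 63 6b 2e 61 70 70 73   Host: tr ack.apps
0110  66 6c 79 65 72 2e 63 6f  6d 0d 0a 41 63 63 65 70   flyer.co m..Accep
0120  74 2d 45 6e 63 6f 64 69  6e 67 3a 20 67 7a 69 70   t-Encodi ng: gzip ...
"""

# Constructed watchlist: the post names appsflyer.com as the domain the
# payloads point at; a real triage list would come from your own threat intel.
WATCHLIST = {"appsflyer.com"}

OFFSET = re.compile(r"^[0-9a-fA-F]{4,8}$")
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hex_dump(text):
    """Reassemble a Wireshark-style hex dump into (start_offset, bytes).

    Each line is an offset, up to 16 two-digit hex bytes and an ASCII
    rendering. Wireshark separates the ASCII column from the hex field with
    three or more spaces, so that column is cut off first and never decoded.
    Offsets must be contiguous; a gap means lines were dropped from the dump.
    """
    start = None
    data = bytearray()
    for raw in text.splitlines():
        hex_field = re.split(r"\s{3,}", raw.strip(), maxsplit=1)[0]
        tokens = hex_field.split()
        if not tokens or not OFFSET.match(tokens[0]):
            continue  # blank line or non-dump text
        offset = int(tokens[0], 16)
        if start is None:
            start = offset
        elif offset != start + len(data):
            raise ValueError("non-contiguous dump at offset %#x" % offset)
        for tok in tokens[1:17]:
            if not HEX_BYTE.match(tok):
                raise ValueError("malformed hex field: %r" % raw)
            data.append(int(tok, 16))
    return start, bytes(data)


def http_headers(data, partial=False):
    """Extract lowercase 'name' -> value pairs from HTTP request header bytes.

    With partial=True the capture is assumed to start mid-request (as the
    sample does, inside the value of a preceding header), so the fragment
    before the first CRLF is discarded rather than misread as a header.
    Scanning stops at the blank line that terminates the header block.
    """
    lines = data.decode("latin-1").split("\r\n")
    if partial:
        lines = lines[1:]
    headers = {}
    for line in lines:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep and name and " " not in name:
            headers[name.lower()] = value.strip()
    return headers


def triage_host(dump_text, watchlist=WATCHLIST):
    """Return (host, flagged): the Host header the device contacted and
    whether it is, or is a subdomain of, a watchlisted domain."""
    start, data = parse_hex_dump(dump_text)
    host = http_headers(data, partial=(start != 0)).get("host", "").lower()
    flagged = any(host == d or host.endswith("." + d) for d in watchlist)
    return host, flagged


if __name__ == "__main__":
    print(triage_host(SAMPLE_DUMP))  # ('track.appsflyer.com', True)
```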


 Further investigation shows that my DEVICE, and ANY NETWORK I connected to after receiving the PAYLOAD, would have its DNS changed and credentials spoofed to serve the benefit of those generating ad revenue. In the simplest of terms, what this means is: if the infected device or network were to go to https://ICANN.org, the traffic is rerouted and web traffic is then falsely represented, generating ad and pay-per-click revenue for affiliates.

 Additionally, the "xfinity" hotspot login page is SSL STRIPPED and an XSRF, meaning it is an illusion of the actual site, and anyone who enters their login info would have it and all data on the device compromised.
//this is known as Drive-by Pharming and confirmed through use of the Metasploit Framework//

 I don't blame these low-level, affiliate, PPC criminals for this operation; heck, I haven't even told the proper authorities of these actions with the hard evidence I have. Most people with newer, faster phones wouldn't notice these payloads being unleashed upon their system. The broadcast strength is so powerful that these 8 "xfinity" hotspots stretch for about 1 kilometer, so even driving by with Wi-Fi on, within a few seconds you'll have connected and received the payloads, and by the time you've gone up the block the signal drops and you're none the wiser. Even if you take certain basic security measures within system settings there is still risk.

 These routers are sending out ARP and WoL packets that will trick a less secure device into connecting as soon as it enters their sphere of influence. Now, by the time we're home we've ingested megabytes of payloads, trojans and any other types of malware from operations like this or from any malicious person/s.

These payloads, Cross Site Scripting and SSL exploits reach all the way to the top through allowance and negligence. Corporations, ISPs and even ICANN from a top down approach are all responsible for web crawlers, botnets and fake internet traffic.

 Only through education about threats and awareness of the technology around us can we be more secure, not just in our own lives but in those around us.

Summary:
*Keep Wi-Fi off
*Be cautious of any open networks
*Be security minded
*Be Aware

//

Below you will find a link to my google drive which has the full packet captures for you to analyze of this specific event. Any and all intel will be used and taken with adoration.

PACKET WARS


                                                                                                             -SODAGHAR 11/20/15

Guccifer Arrested




RT: Guccifer, the infamous Romanian hacker who accessed emails of celebrities and top US officials, will be extradited to the United States, after losing a case in his home country’s top court.


Reuters reports that Lehel will come to the US under an 18-month extradition order, following a request made by the US authorities. Details of the extradition have not been made public, however.

Marcel Lehel, a 42-year-old hacker better known by his pseudonym “Guccifer,” achieved notoriety when he released an email with images of paintings by former President George W. Bush, including a self-portrait in a bathtub. He also hacked and published emails from celebrities Leonardo DiCaprio, Steve Martin and Mariel Hemingway. Also released were emails between former Secretary of State Colin Powell and Corina Cretu, a Romanian member of European Parliament, prompting Powell to deny that the two had had an affair.

Perhaps most notably, Lehel was also the first source to uncover Hillary Clinton’s improper use of a private email account while she was Secretary of State, which the FBI is investigating as a potential danger to national security.

In March 2013, the hacker released to RT and several other news outlets the four memos that had been sent to Clinton from her former political adviser Sidney Blumenthal. The memos contain information regarding the September 11, 2012 attacks on the US diplomatic mission in Benghazi, Libya, as well as the January 2013 hostage crisis in In Amenas, Algeria.

Lehel was indicted by the Department of Justice in 2014 on charges of wire fraud, unauthorized access to a protected computer, cyberstalking, aggravated identity theft and obstruction of justice.

In 2014 a Romanian court sentenced him to four years in jail for hacking into the accounts of the country’s public figures “with the aim of getting… confidential data” as well as violating his parole. He is serving three years on top of that for other hacking-related offenses. After his extradition to the US, Lehel will return to Romania to serve out his sentences there.

The Romanian national, who goes by the pseudonym “Small Fume” in addition to Guccifer, is an unemployed taxi driver and paint salesman, and he says that he accessed the emails by using social engineering methods that included guessing the answers to security questions to access various accounts.

"I don't oppose. I go there to United States to fight. I know what I did and this is okay with me," Guccifer said in February to The Smoking Gun, where he published many of the documents he found.

Prosecutors have said that Lehel has a “compulsive need to be famous,” according to The Register.

'Anonymous Conservative' Google Bar SQL Exploit

'Anonymous Conservative' has defaced the main page of the official Iowa Caucus website using a Google Bar SQL Injection vulnerability within the Google Toolbar application. The group provides this message...

"The recent endorsement of Donald Trump by Sarah Palin is the final straw for our organization, The Anonymous Conservative. Every good Conservative knows that Sarah Palin is a national embarrassment and she represents everything that is wrong with America. She has failed at everything she has attempted since quitting her office as governor half way through her term. Her Anti-American, Anti-Family, Anti-Common-Sense stances have made her the laughing stock of American politics.
 Yet, even though Donald Trump has himself reached lower than a snake in the grass with his lies about his views on religion, abortion, health care, and Hillary Clinton, he has crawled lower. Trump has already alienated the black vote, the Hispanic vote, and a high enough percentage of the women vote to make it mathematically impossible for the GOP to win with him in 2016, but now he has let the devil back in the door by seeking and accepting the endorsement of Sara Palin.
We the people will not stand in silence. We, THE ANONYMOUS CONSERVATIVE, have hacked and taken over the front page of the Iowa Caucus site in hopes to reveal the truth."



Now let's get to the fun stuff, the actual coding of the attack...

'http://2016iowacaucus.com/wp-admin/admin-ajax.php'

What the code injections allow the attacker(s) to do is obtain escalated privilege on the front page, which will probably be there for some time. The 'firstChild' syntax within the script allows whatever the "Admin" wants to appear first. This is a simple attack, and why you should always run ModSecurity and black/whitelist your servers if you run an organization.

// translateFrom, translateTo and clearTranslateInjects() are defined elsewhere
// in the injected script; only these two functions were captured on the page.
function proceedWithGoogleBarInject() {
    clearTranslateInjects();
    var e;
    var theBody = document.body;
    if (theBody != null) {
        // Container div for the translate widget. In the captured snippet it is
        // created but never inserted, so as written it has no effect on the page.
        e = document.createElement("div");
        e.id = "google_translate_element";
        // Inline callback that the Google loader calls once element.js has loaded
        e = document.createElement("script");
        e.innerHTML = "function googleTranslateElementInit(){ new google.translate.TranslateElement({ pageLanguage: '" + translateFrom + "', includedLanguages: '" + translateTo + "' }); }";
        theBody.insertBefore(e, theBody.firstChild);
        // Loader script; insertBefore(..., firstChild) places it ahead of all existing content
        e = document.createElement("script");
        e.src = "https://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit&tl=" + translateTo + "&sl=" + translateFrom + "&hl=" + translateFrom;
        theBody.insertBefore(e, theBody.firstChild);
    }
}

Again using another vulnerability, this time an exploit within the Microsoft Translator Hub:

// didMStranslate is a flag defined elsewhere in the injected script (not captured on the page).
function proceedWithMicrosoftInject() {
    clearTranslateInjects();
    var e;
    var theBody = document.body;
    if (theBody != null) {
        // Hidden container the Microsoft widget expects to find in the DOM
        e = document.createElement("div");
        e.id = "MicrosoftTranslatorWidget";
        e.style.cssText = "display:none!important;visibility:hidden;";
        theBody.insertBefore(e, theBody.firstChild);
        // Inline script: loads WidgetV3.ashx over https or http to match the page,
        // then calls Translate(null,'en') five seconds later
        e = document.createElement("script");
        e.type = "text/javascript";
        e.innerHTML = "setTimeout(function(){{var s=document.createElement('script');s.type='text/javascript';s.charset='UTF-8';s.src=((location && location.href && location.href.indexOf('https') == 0)?'https://ssl.microsofttranslator.com':'http://www.microsofttranslator.com')+'/ajax/v3/WidgetV3.ashx?siteData=ueOIGRSKkd965FeEGM5JtQ**&ctf=True&ui=true&settings=auto&from=';var p=document.getElementsByTagName('head')[0]||document.documentElement;p.insertBefore(s,p.firstChild); }},0);setTimeout(function(){ Microsoft.Translator.Widget.Translate(null,'en');},5000);";
        theBody.insertBefore(e, theBody.firstChild);
        // Guard so the widget is only marked as initialised once
        if (!didMStranslate) {
            didMStranslate = true;
        }
    }
}




 Never trust that which takes one political choice or ideal over another
                                                                                                            -SODAGHAR 1/25/16

UK's War on Privacy



By Kurt Nimmo

The British government is pushing the Investigatory Powers Bill, or Snoopers’ Charter, that will effectively end internet privacy.

The proposed legislation targets popular chat and message services such as WhatsApp, iMessage and FaceTime, outlaws end-to-end encryption and will force Apple to rewrite its iOS from the ground up to accommodate surveillance by the state. It would also force tech companies to provide backdoors accessible to government.

Additionally, the law requires ISPs to keep records of all internet activity of its customers. The data would be available to the government for a year.

In 2015 the British home secretary Theresa May admitted that a 1983 telecom act permitted bulk retention of data by MI5 and the agency had done so since September 2001.

“The Crown did whatever the Crown felt necessary in the circumstances of the day to secure the state,” said Sir David Omand, the former director of the British surveillance agency GCHQ.

Omand and the British government argue the Investigatory Powers Bill will democratize the process of mass surveillance.

“2016 has to be the year of reconciliation, has to be the year through the medium of this new bill we end up with a social compact in which after extensive public debate we end up with a new democratic license to operate,” Sir David said. “It will be the first time, really, in 500 years that secret intelligence has been brought fully under the rule of law.”

The British push to further open the internet to mass surveillance is one step ahead of a similar effort in America. The Justice Department and the FBI are demanding Apple allow the government to bypass encryption on its devices in response to the San Bernardino terror case.

On Monday a federal judge in New York ruled Apple does not have to unlock an iPhone in a drug probe. The ruling may ultimately influence the outcome of a battle waged by the Justice Department against the tech company in the San Bernardino case.

Apple Ordered to Hack Users

 A federal judge has ordered Apple to comply with the FBI in decrypting its own intellectual property in regard to the San Bernardino terrorism case.

“Apple has the exclusive technical means which would assist the government in completing its search, but has declined to provide that assistance voluntarily,” said U.S. Attorney Eileen Decker.

 Yes, let's tell the world our own FBI is too incompetent to find other workarounds within mobile forensics such as cloning and over-the-air techniques; instead let's force a company which prides itself on its users' privacy to go against its own ethics. Apple CEO Tim Cook told the FBI to get lost in a customer letter released Tuesday. I want to personally thank Tim Cook for the appeal, because anyone with a clear understanding of information security knows that once you create a backdoor, eventually we ALL obtain that backdoor. This is the nature of cyberspace, and this Gov't needs to step its game up if it wants to be relevant in defense, because the next major wars will be cyber wars. This will also set a precedent for other governments around the world to court-order not just Apple but any company on their intellectual property.
Apple, I really hope you stay the course, provide no quarter and continue to Fight The Good Fight. You will have the support of all privacy advocates such as myself and the Electronic Frontier Foundation:

"EFF applauds Apple for standing up for real security and the rights of its customers. We have been fighting to protect encryption, and stop backdoors, for over 20 years. That's why EFF plans to file an amicus brief in support of Apple's position."

 Here is the statement released by Tim Cook; it couldn't have been said better....

"February 16, 2016

A Message to Our Customers

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.

All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.

Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.

For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.

The San Bernardino Case

We were shocked and outraged by the deadly act of terrorism in San Bernardino last December. We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government’s efforts to solve this horrible crime. We have no sympathy for terrorists.

When the FBI has requested data that’s in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we’ve offered our best ideas on a number of investigative options at their disposal.

We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The Threat to Data Security

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.

In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.

The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.

We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.

A Dangerous Precedent

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.

While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect."


UPDATE* FBI already screwed up by resetting iCloud Password


 -SODAGHAR 2/17/16

Intelligence Chief: Spy using IoT


James Clapper the Director of National Intelligence told a Senate Panel Tuesday:

“In the future, intelligence services might use the [Internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,”

The Internet of Things (IoT) is the network of devices that communicate with each other and have networking capabilities, like your smartphone controlling your smart appliances or new cars that are capable of WiFi access.


Samsung quickly made changes to its privacy policy when it told users their smart televisions will pick up audio and video and share that information. 

As you read this I’m sure for most of you there is no shock that a retired lieutenant general and director of the Defense Intelligence Agency such as James Clapper would say such things.
Back in 2013, during the Edward Snowden revelations of government spying, I wrote how the NSA collects billions of emails, calls and other data on a daily basis. So yea, just like you, there is no shock anymore at what Big Brother is capable of.
All this data collection didn’t stop the horrible events in Paris, nor did it stop the radicals in San Bernardino, while we have FBI Director James Comey begging for the end of encryption because they are too incompetent to crack the code. Is this a joke? We’ll keep our encryption, thanks.

This next decade will see the biggest advancement of technology ever witnessed by our species and we will literally be in the Age of Information where everything will be known. From self driving cars becoming a reality to cruise ships right now with robotic bartenders. Next year the first Robotic Kitchens will hit the market to cook for you. 


The United States has 260,000 robot factory workers. So while yuppies debate a minimum wage increase, I wonder about the millions of jobs about to be lost.

                                                                                                      -SODAGHAR 2/11/16