The Open Source Intelligence Framework


Open Source Intelligence (OSINT) is defined as intelligence collected from publicly available sources. In the intelligence community, the term "open" refers to overt, publicly available sources; it is not related to open-source software or public intelligence. This form of gathering and analysis of information is crucial to understand for both cyber and physical security professionals. Today I want to look at some concepts and tools used in OSINT. I'd have to write a book to cover it all, so I'll touch on some basics.

First, being able to gain all the knowledge on a target or organization without having the daunting task of penetrating networks and finding vulnerabilities in the machines to then exploit those machines could prove to be priceless. Using OSINT and Social Engineering tactics such as NLP and Pretexting can literally give you any information desired. Mix in lock picking, disguise and stealth; soon you're on the way to a road less traveled in the cyber security field. I mention Cyber Security because with The Internet of Things and billions of devices online there are countless exploits and vulnerabilities. Companies hire technical auditors called Pentesters or Ethical Hackers to find vulnerabilities within their intranet and networks; however, this only covers the technical aspect, not the physical.

Let's say for instance I was contracted to find the network vulnerabilities of a corporation. They are well secured with Web Application Firewalls, Mod_Security on their Apache servers to prevent SQL Injection, Reverse Proxies and Load Balancers, and it's just something that on this given day I don't feel like spending my time on or getting the team together for, so what do I do? Well, using OSINT I join their LinkedIn group and find out they hire a Third Party for overnight Security. I also find out that there is overnight construction tasked with the new building add-on set to complete next year. BINGO!

Now when I get to the gate I already know the names and details of the security team, their bosses, the construction crew and the foreman. "Hey, sorry I'm not in the company truck today, my wife is expecting any minute now, we're having a boy, I'm so excited! So I'll need to be able to leave whenever. Mr. Smith (the construction foreman) is aware and they should be right behind me."

This situation could have gone a million ways. I could have just used stealth and jumped the wall in a construction outfit disguise that matches the logo and design of the crew doing the work (which I found using OSINT). I could have called the Security Officer at the entrance gate on his cell phone with a spoofed number from his wife's cell phone, all obtained online using OSINT, told him I was a Doctor, that she is in critical condition and that we need him to come to the hospital to sign off on surgery. Unethical, yes, but you gotta be able to have the balls to do what needs to be done, and a corporation like this should have protocols in place for any situation. Plus, who knows, once he leaves the entrance gate and finds out his wife is alive it might be the best day of his life!

The point is I needed access not only to set up a router for a Man in The Middle attack (as Plan B) but because I know OSINT is greater than IT, and I just want to stick to my roots and dumpster dive (Plan A). Not only do I find their financial reports from last quarter, I also find the names of their internal staff, routers, ISP and other information that I'll use to eventually exploit their internal network. At the end of the day, information like this can fetch a pretty penny from competitors or on the black market, so don't call yourself a security professional if you only conduct audits behind a screen; you're far from it.

Some basic technical skills are needed, however, to understand the concepts of footprinting and fingerprinting. If a simple ancestry.com search can find your mother's maiden name, and your social media profile lists your favorite things, your birthday and your children's names, one can probably deduce your credit card PIN and passwords without having to spend days using a brute force attack. Instead, an attacker with this information could use a dictionary type attack, giving the program being used clues and phrases that suit a specific target. These are all examples of using OSINT information that is readily available and in Open Sight. In the interest of time I'll now bullet point a list of tools and resources and you can take it from there.


Remember: if your attack targets the right area and is executed properly, a simple punch can be deadly. This is the power of OSINT!



*Search Engines and Social Media: Sometimes a simple Google or Facebook search can give you all the information you need to hijack a company mixer and gain further intel.

*The Social Engineering Framework: Provides an outstanding collection of modern concepts and books and is really a one stop shop for all the tools you need.

*Shodan: The world's first search engine that lets you find anything connected to the internet. Instead of searching for words or people you can basically search IP tables. This is an amazing resource, but be warned you may be tempted by the dark side once you go there.

*Video: The basics of Lock Picking DEFCon 13

*Google Dorking: Inputting Commands into your search to reap its benefits

*Dradis Framework: Provides a centralized repository of info that you can use and share

*Maltego: Focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining.

*Tineye: Reverse Image lookup that crawls the web to find all online locations of an image



We covered a lot in this one article and I know there are a ton of things missing, but I hope this can provide you with a starting point and give you an understanding of the power of Open Source Intelligence and how it impacts security in all aspects. Feel free to comment or contact me with any questions or if you have something to add.



How to open locks with a Nut-wrench old school technique


                       -SODAGHAR 1/18/16

Hotspot Hotwar

The sad fact is that most end users keep their Wi-Fi on at all times. With most devices the standard operation is to auto connect, or connect when the request is asked of it. I noticed a strange occurrence in my area, in which there are 8 xfinity hotspots within a block radius. I know COMCAST provides these to their users for the ability to connect when abroad. However, seeing more than 2 in a given area seemed odd. Having curiosity, I began to investigate. Before I connected I did some footprinting and noticed these 8 seemingly innocent hotspots all shared the same MAC ADDRESSES of only 3 ACCESS POINTS. One of the more odd facts is that two of the three APs had routers which belong to AT&T. With certain tools I was able to pinpoint with precise detail the location and physical address of said Access Points. These 8 "xfinity" hotspots are all coming from the exact location and sharing the same MAC ADDRESSES of the 3 APs therein.

The security risk happens when a device connects. Immediately the device is flooded with packets which hold PAYLOADS linking to APPSFLYER.COM. These payloads are designed to change the device DNS, backdoor the device and use it as a slave/botnet for PAY PER CLICK and other AD REVENUE AFFILIATE PROGRAMS, as shown in this snippet of the payload:

00f0  20 42 75 69 6c 64 2f 4a  5a 4f 35 34 4b 29 0d 0a    Build/J ZO54K)..
0100  48 6f 73 74 3a 20 74 72  61 63 6b 2e 61 70 70 73   Host: tr ack.apps
0110  66 6c 79 65 72 2e 63 6f  6d 0d 0a 41 63 63 65 70   flyer.co m..Accep
0120  74 2d 45 6e 63 6f 64 69  6e 67 3a 20 67 7a 69 70   t-Encodi ng: gzip ...
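
Added example (not part of the original post): a short Python parser that turns the hexdump excerpt above back into bytes, checks that the offsets are contiguous, and lists the HTTP header lines it contains. The function names are illustrative; the decoded lines are `Host` and `Accept-Encoding`, which are HTTP request headers, so the full capture is needed to see what the server sent back.

```python
import re

# Hexdump excerpt copied from the post above (offset, 16 hex bytes, ASCII column).
DUMP = """\
00f0  20 42 75 69 6c 64 2f 4a  5a 4f 35 34 4b 29 0d 0a    Build/J ZO54K)..
0100  48 6f 73 74 3a 20 74 72  61 63 6b 2e 61 70 70 73   Host: tr ack.apps
0110  66 6c 79 65 72 2e 63 6f  6d 0d 0a 41 63 63 65 70   flyer.co m..Accep
0120  74 2d 45 6e 63 6f 64 69  6e 67 3a 20 67 7a 69 70   t-Encodi ng: gzip ...
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

def parse_hexdump(text):
    """Return (start_offset, bytes); raise ValueError if offsets are not contiguous."""
    start, data = None, bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        offset = int(tokens[0], 16)
        if start is None:
            start = offset
        elif offset != start + len(data):
            raise ValueError(f"gap in dump at offset {offset:#06x}")
        row = []
        for tok in tokens[1:]:
            # Stop at the ASCII column or after 16 bytes, whichever comes first.
            if len(row) == 16 or not HEX_BYTE.match(tok):
                break
            row.append(int(tok, 16))
        data.extend(row)
    return start, bytes(data)

def http_header_lines(data):
    """Split on CRLF; return (headers, fragments) where headers is {name: value}."""
    headers, fragments = {}, []
    for line in data.decode("latin-1").split("\r\n"):
        name, sep, value = line.partition(":")
        # A header name is an HTTP token: no spaces, and a colon must follow it.
        if sep and re.fullmatch(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+", name):
            headers[name.lower()] = value.strip()
        elif line:
            fragments.append(line)  # e.g. the tail of a header cut off by the excerpt
    return headers, fragments

if __name__ == "__main__":
    offset, raw = parse_hexdump(DUMP)
    headers, fragments = http_header_lines(raw)
    print(f"{len(raw)} bytes from {offset:#06x}; fragments: {fragments}")
    for name, value in headers.items():
        print(f"{name}: {value}")
```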


Further investigation shows that my DEVICE, and ANY NETWORK I connected to after receiving the PAYLOAD, would have its DNS changed and credentials spoofed to serve the benefit of those generating ad revenue. In the simplest of terms, what this means is: if the infected device or network was to go to https://ICANN.org, the traffic is rerouted and web traffic is then falsely represented, generating ad and pay per click revenue for affiliates.

Additionally, the "xfinity" hotspot login page is SSL STRIPPED and an XSRF, meaning it is an illusion of the actual site and anyone who enters their login info would have it and all data on the device compromised.
//this is known as Drive by Pharming and confirmed through use of the Metasploit Framework//

I don't blame these low level, affiliate, PPC criminals for this operation; heck, I haven't even told proper authorities of these actions with the hard evidence I have. Most people with newer, faster phones wouldn't notice these payloads being unleashed upon their system. The broadcast strength is so powerful these 8 "xfinity" hotspots stretch for about 1 kilometer, so even driving by with Wi-Fi on, within a few seconds you'll have connected and received the payloads, and by the time you've gone up the block the signal drops and you're none the wiser. Even if you take certain basic security measures within system settings there is still risk.

 These routers are sending out ARP and WoL packets that will trick a less secure device into connecting as soon as it enters its sphere of influence. Now, by the time we're home we've ingested megabytes of payloads, trojans and any other types of Malware from operations like this or by any malicious person/s.

These payloads, Cross Site Scripting and SSL exploits reach all the way to the top through allowance and negligence. Corporations, ISPs and even ICANN from a top down approach are all responsible for web crawlers, botnets and fake internet traffic.

Only through education about threats and being aware of the technology around us can we be more secure, not just in our own lives but in the lives of those around us.

Summary:
*Keep Wi-Fi off
*Be cautious of any open networks
*Be security minded
*Be Aware

//

Below you will find a link to my google drive which has the full packet captures for you to analyze of this specific event. Any and all intel will be used and taken with adoration.

PACKET WARS


                                                                                                             -SODAGHAR 11/20/15

Guccifer Arrested




RT: Guccifer, the infamous Romanian hacker who accessed emails of celebrities and top US officials, will be extradited to the United States, after losing a case in his home country’s top court.


Reuters reports that Lehel will come to the US under an 18-month extradition order, following a request made by the US authorities. Details of the extradition have not been made public, however.

Marcel Lehel, a 42-year-old hacker better known by his pseudonym “Guccifer,” achieved notoriety when he released an email with images of paintings by former President George W. Bush, including a self-portrait in a bathtub. He also hacked and published emails from celebrities Leonardo DiCaprio, Steve Martin and Mariel Hemingway. Also released were emails between former Secretary of State Colin Powell and Corina Cretu, a Romanian member of European Parliament, prompting Powell to deny that the two had had an affair.

Perhaps most notably, Lehel was also the first source to uncover Hillary Clinton’s improper use of a private email account while she was Secretary of State, which the FBI is investigating as a potential danger to national security.

In March 2013, the hacker released to RT and several other news outlets the four memos that had been sent to Clinton from her former political adviser Sidney Blumenthal. The memos contain information regarding the September 11, 2012 attacks on the US diplomatic mission in Benghazi, Libya, as well as the January 2013 hostage crisis in In Amenas, Algeria.

Lehel was indicted by the Department of Justice in 2014 on charges of wire fraud, unauthorized access to a protected computer, cyberstalking, aggravated identity theft and obstruction of justice.

In 2014 a Romanian court sentenced him to four years in jail for hacking into the accounts of the country’s public figures “with the aim of getting… confidential data” as well as violating his parole. He is serving three years on top of that for other hacking-related offenses. After his extradition to the US, Lehel will return to Romania to serve out his sentences there.

The Romanian national, who goes by the pseudonym “Small Fume” in addition to Guccifer, is an unemployed taxi driver and paint salesman, and he says that he accessed the emails by using social engineering methods that included guessing the answers to security questions to access various accounts.

"I don't oppose. I go there to United States to fight. I know what I did and this is okay with me," Guccifer said in February to The Smoking Gun, where he published many of the documents he found.

Prosecutors have said that Lehel has a “compulsive need to be famous,” according to The Register.

'Anonymous Conservative' Google Bar SQL Exploit

'Anonymous Conservative' has defaced the main page of the Official Iowa Caucus website using a Google Bar SQL Inject Vulnerability within The Google Toolbar Application. The group provides this message...

"The recent endorsement of Donald Trump by Sarah Palin is the final straw for our organization, The Anonymous Conservative. Every good Conservative knows that Sarah Palin is a national embarrassment and she represents everything that is wrong with America. She has failed at everything she has attempted since quitting her office as governor half way through her term. Her Anti-American, Anti-Family, Anti-Common-Sense stances have made her the laughing stock of American politics.
Yet, even though Donald Trump has himself reached lower than a snake in the grass with his lies about his views on religion, abortion, health care, and Hillary Clinton, he has crawled lower. Trump has already alienated the black vote, the Hispanic vote, and a high enough percentage of the women vote to make it mathematically impossible for the GOP to win with him in 2016, but now he has let the devil back in the door by seeking and accepting the endorsement of Sarah Palin.
We the people will not stand in silence. We, THE ANONYMOUS CONSERVATIVE, have hacked and taken over the front page of the Iowa Caucus site in hopes to reveal the truth."



Now let's get to the fun stuff, the actual coding of the attack...

'http://2016iowacaucus.com/wp-admin/admin-ajax.php'

What the Code Injections allow the attacker/s to do is obtain escalated privilege on the front page, and the defacement will probably be there for some time. The 'firstChild' property used within the script allows whatever the "Admin" wants to appear first. This is a simple attack, and it is why you should always run Mod Sec and Black/White List on your servers if you run an organization.

'function proceedWithGoogleBarInject() {
    clearTranslateInjects();
    var e;
    var theBody = document.body;
    if (theBody != null) {
        e = document.createElement("div");
        e.id = "google_translate_element";
        e = document.createElement("script");
        e.innerHTML = "function googleTranslateElementInit(){ new google.translate.TranslateElement({ pageLanguage: '" + translateFrom + "', includedLanguages: '" + translateTo + "' }); }";
        theBody.insertBefore(e, theBody.firstChild);
        e = document.createElement("script");
        e.src = "https://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit&tl=" + translateTo + "&sl=" + translateFrom + "&hl=" + translateFrom;
        theBody.insertBefore(e, theBody.firstChild);
    }
}'

Again using another Vulnerability, this time an exploit within the Microsoft Translator Hub:

'function proceedWithMicrosoftInject() {
    clearTranslateInjects();
    var e;
    var theBody = document.body;
    if (theBody != null) {
        e = document.createElement("div");
        e.id = "MicrosoftTranslatorWidget";
        e.style.cssText = "display:none!important;visibility:hidden;";
        theBody.insertBefore(e, theBody.firstChild);
        e = document.createElement("script");
        e.type = "text/javascript";
        e.innerHTML = "setTimeout(function(){{var s=document.createElement('script');s.type='text/javascript';s.charset='UTF-8';s.src=((location && location.href && location.href.indexOf('https') == 0)?'https://ssl.microsofttranslator.com':'http://www.microsofttranslator.com')+'/ajax/v3/WidgetV3.ashx?siteData=ueOIGRSKkd965FeEGM5JtQ**&ctf=True&ui=true&settings=auto&from=';var p=document.getElementsByTagName('head')[0]||document.documentElement;p.insertBefore(s,p.firstChild); }},0);setTimeout(function(){ Microsoft.Translator.Widget.Translate(null,'en');},5000);";
        theBody.insertBefore(e, theBody.firstChild);
        if (didMStranslate) {} else {
            didMStranslate = true;
        }
    }
}'




 Never trust that which takes one political choice or ideal over another
                                                                                                            -SODAGHAR 1/25/16