With my focus at the moment on network forensics and malware I decided to get a RaspberryPI and see how it works as a HoneyPot. The first one I’ve installed is Kippo and this post is about how to get Kippo running on the RaspberryPI.

Kippo is a low interactive SSH honeypot that allows you to capture SSH based attacks and see what those evil hackers are up to. I’m not going to bore you with a long explaination of Kippo because well it’s early and I’ve not had much coffee, instead you can click HERE and go have a read yourself.

The following instructions aren’t the product of my own mind, rather they have been taken from Leon van der Eijk (or @lvdeijk for short) awesome BSides London Kippo Workshop crib sheet.

So to start with you need the following (or close to):

1. RaspberryPI (kinda obvious but..I have the model B)
2. SD Card (I bought a 32GB SanDisk SDHC card, because I want to install other stuff on it)
3. Physical network connection for your RaspberryPI (to download stuff)
4. A home router/firewall that you can do port forwarding on.
5. Coffee (or beverage of your choice)

So first off we need to install some of the dependencies to get Kippo running. SSH onto your RaspberryPI and as the pi user run the following command:

sudo apt-get install subversion python-twisted python-mysqldb mysql-server apache2

The mysql-server and apache2 packages are so we can log Kippo to MySQL and run the kippo-graph website (nice pretty pictures). If you don’t want that functionality just don’t install them (but I would if I were you).

NOTE: Remember the MySQL password you enter during the install as you will need that later.

So now we need to get a copy of Kippo, we are going to use SVN for this:

svn checkout http://kippo.googlecode.com/svn/trunk/ kippo-read-only

Now your choice for installation is your own, by default this command will download Kippo into /home/pi/kippo-read-only.

Now if you installed MySQL as I suggested we need to do some database magic. Basically we are going to create a new database called Kippo and then assign a user and password for Kippo to use. So here we go:

First log into MySQL:

mysql -h localhost -u root -p

You should be prompted to enter your password (now you did remember it didn’t you).

Once logged in you need to create your database:

create database kippo;

And then assign the necessary rights:

GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'Kippo-DB-pass';

NOTE: The password for the kippo user within the kippo database is ‘Kippo-DB-pass’ you can change it if you want.

You can now exit from MySQL using:

exit (tricky I know)

OK still with me? Right now we need to populate the database ‘kippo’, browse to this folder location:

/kippo-read-only/doc/sql

Within this folder you should find a file called mysql.sql now we need to load that into the database:

mysql -u kippo -p
use kippo;
source mysql.sql;

If that worked without errors you should now have a populated database, you can check by typing this within the MySQL prompt:

show tables;

If that returns some tables, one should be called TTY (I think, like I said it’s early) then we are all good and you can type:

exit

To exit out. We now need to create a kippo.cfg file, don’t panic it’s easy. From the root of the /kippo-read-only folder type this:

cp kippo.cfg.dst kippo.cfg

Now we need to edit the kippo.cfg file with the database details. Using your favourite command line editor (nano is installed so I used that). Navigate the file and find the [database_mysql] section (should all be commented out), un-comment all the fields (including the [database_mysql] one) and modify the values so it looks something like this:

[database_mysql]
host = localhost
database = kippo
username = kippo
password = Kippo-DB-pass

So we are nearly there. Now kippo uses port 2222 to run its honeypot on, in order to send evil hackers to that port you need to use your home router (which hopefully can do port forwarding) to send all traffic for port 22 to 2222. I’m not going to explain how to do this because everyone’s router is different. So go ahead and configure that port forwarding ready for when we start kippo.

If by chance you have put your honeypot directly on the internet you need to the following additional steps:

sudo apt-get install iptables
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
sudo iptables-save > /etc/iptables.rules

Port forwarding all sorted? Good now we need to change the default port for your ssh server to something a little “higher”. Use this command to change the listening port for the sshd to 65534:

sudo sed -i 's:Port 22:Port 65534:g' /etc/ssh/sshd_config

And then restart your ssh service (you will get kicked off):

sudo /etc/init.d/ssh restart

Back with me? Cool right so essentially you now have a working a Kippo honeypot (hopefully). You can actually at this point start it up. Again it’s a simple process from your /kippo-read-only folder run the following command:

sudo ./start.sh

You can check it’s loaded properly by looking in the /kippo-read-only/log/kippo.log file which should show it starting up properly and you can then run this command to check:

sudo netstat -antp | grep 2222

Which should return an entry saying port 2222 is listening a python process is running.

NOTE: The kippo.log file will also contain all the connection information and any commands that are run. The root password for the Kippo honeypot is ‘123456‘ you can change this by editing the /kippo-read-only/data/userdb.txt file and restarting kippo.

Now we are going to finish this off by installing the kippo-graph application that gives you lots of pretty pictures.

So lets install the extra bits we need:

sudo apt-get install libapache2-mod-php5 php5-cli php5-common php5-cgi php5-mysql php5-gd
sudo /etc/init.d/apache2 restart

That should have hopefully installed all the necessary php components you need to run kippo-graph, now let’s get kippo-graph:

wget http://bruteforce.gr/wp-content/uploads/kippo-graph-0.7.4.tar
sudo mv kippo-graph-0.7.4.tar /var/www
cd /var/www
sudo tar xvf kippo-graph-0.7.4.tar --no-same-permissions
cd kippo-graph
sudo chmod 777 generated-graphs

Before you open the website you need to edit the /var/www/config.php file with your database properties from earlier, I can’t remember where exactly but its not a big file. Once you’ve done that you are ready to browse to:

http://<raspberrypi_ipaddress>/kippo-graph/index.php

That should be it, once you have some data you can populate the graphs and “see” what the evil hackers are up to.

So I’m hoping that this has all worked and you now have a small discrete, energy-efficient honeypot running on your home network. Mine has been running since last night and I’ve had 4 connections to port 22 but no login attempts so far (thought evil hackers didn’t sleep).

Give me a shout if something doesn’t work and I will try my best to help you out.

One of the challenges to is to find the malicious content within a PDF file that is provided to you in a pcap file. Normally I would just reach for Network Miner and rebuild the file(s) that way but I wanted to see if I could write some code myself.

The goal of my code was simple, parse through a pcap file, identify a PDF and then rebuild the file so that if a tool such as exiftool or file was used that it would correctly be identified as a PDF and that you could open the PDF and view the content (if you wanted to).

I follow a certain process when I’m carving up pcap files, it’s not rocket science really just common sense. First off find the packets you are interested in, I tend to use a mix of Wireshark and Scapy for this and then look for something you can use to filter down to the packets you want before getting into the nitty gritty of carving them up.

For this piece of code I need to find some way of identifying a PDF file in a pcap file and as most PDF files will appear in a pcap file as part of an HTTP conversation, I parse each packet and if the packet has a Raw layer (a raw layer in Scapy is essentially the payload of a packet) then I look for this ‘Content-Type: application/pdf’. If this is matched then I store the TCP ACK number as a variable for use later.

Now once I have the ACK number I then need to find all the packets that relate to this in order to get the whole file. Now it turns out the ACK is the same for all the packets that the PDF download is in (something I didn’t realise until I started this) so it’s a simple case of using the following code to find all the packets I’m after:

for p in pkts:
if p.haslayer(TCP) and p.haslayer(Raw) and (p.getlayer(TCP).ack == int(ack) or p.getlayer(TCP).seq == int(ack)):
raw = p.getlayer(Raw).load
cfile.append(raw)


If either the TCP ACK or SEQ match our stored ACK variable we get the Raw layer and store it into a python list. This means that we now have (hopefully) all the packets that make up the PDF stored nicely away and because it’s a TCP conversation they should all be in the right order.

Now that we have all the packets we write those out to a temporary file, it’s a temporary file because if you were to open it in a text editor you would see all the HTTP headers at the top and the bottom, which means if you ran file against it, then you would get back a file type of “data” and not “PDF” (which is what we are after).

So we then have to do some python magic (well I think it’s magic), to slice the rubbish out. Now this is the part that took me the longest to figure out. If you have ever looked at a PDF file in a text editor (I wouldn’t blame you if you haven’t), you would notice that they start with “%PDF-” and end with “%%EOF” so finding the start of a PDF file is easy, the problem is that a PDF file can have multiple %%EOF towards the end of the file and I kept cutting at the wrong point.

To fix this I came up with a bit of a long-winded way of carving the temporary file up (see the code below):

# Open the temp file, cut the HTTP headers out and then save it again as a PDF
total_lines = ''
firstcut = ''
secondcut = ''
final_cut = ''

f = open(tmpfile, 'r').readlines()

total_lines = len(f)

for x, line in enumerate(f):
if start in line:
firstcut = int(x)

for y, line in enumerate(f):
if end in line:
secondcut = int(y) + 1

f = f[firstcut:]

if int(total_lines) - int(secondcut) != 0:
final_cut = int(total_lines) - int(secondcut)
f = f[:-final_cut]
outfile2.writelines(f)
outfile2.close()
else:
outfile2.writelines(f)
outfile2.close()

If you read Python awesome, if you don’t here’s what happens.

First off I open the temporary file and count the number of lines, I look for the variable I declared at the start of the code as start (which is this: start = str(‘%PDF-’)), if that’s matched it stores the line number as the variable firstcut

I then need to find the last cut, I look for the variable end (which is this: end = str(‘%%EOF’)) now remember I said a PDF can have multiple EOF statements, well I get round that because Python overrides the variable secondcut each time it’s matched so the last line with EOF is always the one used. I also add a +1 to the line number because for the next chunk of code if I didn’t I would actually cut the final %%EOF file the file (I know this because I did it, before realising what was happening).

So we now do a simple little IF statement to make sure that there is something at the end of the file to cut (sometimes there isn’t on the pcap files I’ve used/made) and if there is we slice the bad HTTP headers out before saving the file. If there isn’t anything to cut then we just save the file.

Hopefully that makes sense to non-python people (I can but hope).

I’ve tested this on a number of different pcap files that have PDF downloads in them and it works, I can open and view the PDF and if I run file or exitfool against it then it appears as a normal PDF. I’m sure there are some cases when it won’t work 100% but if you find something that doesn’t let me know so I can try to fix it.

The code can be found here: https://github.com/catalyst256/PDFHunter (in my ever-growing GitHub repo). Oh and I’ve added this function into my sniffMyPackets transform pack.

Enjoy!

So this video covers some of the new features I’ve added into sniffMyPackets since it’s release. The video is a few weeks old so actually I’ve added more since then but..

Anyway enjoy:

Let me know if you have any comments/suggestions etc.

Adam

So I’ve been busy working on new transforms for my Maltego pcap analysis package and things are moving along nicely. Part of my process is making notes on things I think would be cool to see and then working my way through the list.

Over the weekend I added “Tor Traffic” to my list, I know most of the traffic is encrypted so wasn’t sure if I could get an end result from it but figure it was worth a look.

Anyway I ‘ve thrown together some Scapy/Python code (soon to be a transform if it’s right) that I think will highlight Tor traffic in a pcap file. Now this is just a work in progress so let me know if I’ve miles off the mark (so to speak).

I created a pcap file by stopping the Tor service on my copy of Backtrack and then starting it again while capturing some packets. I’ve also tested it on another pcap file from the internet with some Tor bot traffic and the results are similar.

Looking through the pcap file I noticed some “strange” entries during the SSL handshake that lead me to my PoC code (no I didn’t Google first to see if it already existed).

During the SSL handshake the “Client Hello” packet includes a Server Name record which in a “normal” handshake might be similar to http://www.google.com however with a Tor SSL handshake its something like “http://www.wth7pbtqsw6.com“, which if you ping doesn’t actually exist.

The other thing to note is that the SSL server name doesn’t have a corresponding DNS query, in fact for all the packets in the pcap file there are no DNS queries/responses which is another way to narrow down possible Tor traffic.

The sniffMyPackets transform can be found HERE:

So basically my python code reads a pcap file and looks for any TCP packet with a payload, that has http://www.xxxxxx in it. It then pulls out the key information (src ip, dst ip, sport, dport and www. value). and just displays it as neat little lines.

The code is below:

#!/usr/bin/env python

for x in pkts:
if x.haslayer(TCP) and x.haslayer(Raw):
if 'www.' in x.getlayer(Raw).load:
for s in re.finditer('www.\w*.\w*', str(x)):
dnsrec = s.group()
srcip = x.getlayer(IP).src
dstip = x.getlayer(IP).dst
sport = x.getlayer(TCP).sport
dport = x.getlayer(TCP).dport
ipaddr = srcip, dstip, sport, dport, dnsrec
print ipaddr

If I run this against my pcap file I get these results:

root@bt:~# ./lookfortor.py /root/pcaps/tor-startup.pcap
src: 192.168.1.66 dst: 89.160.29.195 sport: 40651 dport: 9001 dnsrec: http://www.qqsuvxwbs.com
src: 89.160.29.195 dst: 192.168.1.66 sport: 9001 dport: 40651 dnsrec: http://www.vlkkj3kgxh56ibujher.net0
src: 192.168.1.66 dst: 86.59.119.83 sport: 48459 dport: 443 dnsrec: http://www.buukx57zhxo2ujugeevlveb.com
src: 86.59.119.83 dst: 192.168.1.66 sport: 443 dport: 48459 dnsrec: http://www.yhlkhxjmzg3.net0
src: 192.168.1.66 dst: 38.229.70.42 sport: 44829 dport: 443 dnsrec: http://www.wth7pbtqsw6.com
src: 38.229.70.42 dst: 192.168.1.66 sport: 443 dport: 44829 dnsrec: http://www.uvk2wwbbvwpqpkux.net0
root@bt:~#

What you will notice is that the reply packet has a different dnsrec which always has a 0 (zero) on the end..

I’ve tested this on a few pcap files and the results look consistent. Let me know what you think.

I don’t work in InfoSec, I don’t have a full-time job where I poke holes in systems, or look at IDS logs and pcap files all day long (would be nice but..) but what I do have is a passion for InfoSec and a desire to give back to the community. I’ve never met 98% of the people who read this blog, but over the last 15 months a lot of you have inspired me to push myself harder and further than I thought possible so this is my way to pay some of that back..

I give you sniffMyPackets, Maltego transforms (based on the Canari Framework) for analysing pcap files..

I decided to write these transforms after the Cyber Security Challenge published a cipher challenge that centered around a pcap file, that and my interest in packets meant this seems liked a good way to mix the two (no I haven’t cracked the cipher challenge).

Now this is a BETA now “beta” means different things to different people so this is my definition:

1. I’m not a developer/coder, I’ve been writing stuff in Python for less than a year. The transforms in this package work and while not perfect they are functioning. I’ve tested them against as many different pcaps as I feel is necessary to make sure they work properly.

2. This is a BETA, so things like error handling are missing from some transforms, I will get around to it but I’m learning as I go so bear with me.

3. This is by no means a finished product, I will continue to add transforms as I go and if you want anything specific let me know and I will add it (or you can add it yourself), but please send me a pcap file if you can.

4. If (more likely when) you find a problem log it as an issue on the github.com site, the same if you think of something that will improve the package.

5. I don’t have a full license of Maltego so I’ve only tested with the community edition within Backtrack (unless someone wants to donate a license..).

6. I’ve only tested this on Backtrack, for 2 reasons.. 1) I don’t own a Mac Book, 2) Windows doesn’t play nicely with Scapy and lets face it, it’s not the best platform for pcap analysis.

I think that’s about it in terms of “BETA”. I’ve written a lot of transforms using Scapy (yes yes I love Scapy) but as people often say, “Use the best tool for the job” so some of them use tshark which has been cool because I’ve learnt a lot more about both tools. Writing python code with Scapy isn’t hard (even for me), but making them “appear” nicely in Maltego has been challenging at times and I’m not 100% happy with the way the entities link, but like I said it’s a BETA…

I’ve created a wiki that lists the entities and transforms available and I will update them as I go, you can find the wiki here: https://github.com/catalyst256/sniffMyPackets/wiki

If you want to have a play with the transforms you can go here: https://github.com/catalyst256/sniffMyPackets

I also did a short video about the transforms (some of which have changed now) but you can find it here:

So have a play, let me know what you think (good or bad) and I will let you know about updates (new transforms etc etc) when I write them. I may even create a new twitter account so I don’t annoy people with updates all the time.

Now before I go any further a special mention needs to go the Cyber Security Challenge team that organised the weekend and made sure we all got to where we were suppose to be. A massive amount of time and effort went into the event (which was awesome) and I mean imagine trying to organise us lot (the phrase “herding cats” comes to mind).

The Masterclass was to take place on Saturday and was a full on day of Cyber Security goodness, the challenges were put together by HP & Cassidian CyberSecurity UK and you know it’s not going to be easy. Both challenges were team based so each of us had been assigned to a team for the day making 8 teams ready to battle it out (so that’s 5 to a team just in-case you were wondering).

There were 3 main prizes to be won for the event:

1. Cyber Security Challenge Winner
2. Cyber Security Challenge Runner-up
3. Cyber Security Challenge Winning Team

Early on Saturday morning the contestants were photographed so that the assessors could spot the trouble makers easily (and the fact a lot of contestants were called Steve) and then we all hopped onto a bus for the journey to HP labs. On arrival we signed in, surrendered our mobile phones (no Google…) and started the much needed intake of coffee (well in my case anyway).

Now I’m not going to give you a minute by minute account of the day, just the important parts.

We all took a seat in the main auditorium and received our briefing for the day, in the morning 4 teams would take part in the technical challenge put together by Cassidian, and the other 4 teams would take part in a policy challenge created by HP. Then in the afternoon we would swap, sounds straight forward doesn’t it..

Now I would like to mention at this point when we were sitting in the auditorium, standing behind us were a rather large amount of assessors, these were the men and woman that would be judging us as a team and as individuals to determine who the winners would be. They came from a range of different companies and government bodies and all gave up their weekends to help out (thank you) on the day and to give us grief during the presentations (in a nice way of course).

My team named “Caterham” (they were all car names) had the technical challenge first, which was a realistic APT (advanced persistent threat) scenario based around a company that sold management systems to Formula 1 teams and they believed they had been compromised. It was our job to determine if they had, to what extent and give a presentation on our findings.

If you want to read a bit more about both challenges, you can find it here: http://www.computerweekly.com/news/2240179290/Aspirant-UK-cyber-security-champions-prepare-for-battle-in-Bristol

Now I suck at Malware/Forensics (but not for much longer, it’s next on my list) so I wasn’t looking forward to it, luckily as a team we worked well together and the skills I was lacking in that area, were complimented by others in my team and I was able to contribute in other areas (no I didn’t fetch tea and coffee for everyone). Needless to say 1 hour 45 minutes to search for a threat on a medium size network isn’t long and we managed to find the stolen data with about 20 seconds left (cutting it close to say the least).

Now the environment we used wasn’t just a bunch of VM’s, the techs at Cassidian spent a lot of time and effort building a self contained environment that they actually infected themselves over a period of time to give us a realistic APT to investigate and this was alongside they normal day job (big thank you guys).

After some lunch we moved onto the Policy Challenge created by HP, which was more around determining risk based on a given network layout and with a budget of 1.5 million to “solve” the issues we believed existed. Again we had 2 hours to prepare a presentation and then 9 minutes to present to some more assessors who asked us questions, one of which was James Lyne who if you ever met before will know him asking you technical questions isn’t going to be fun (although I still stand my statement that buying zero day attack protection, won’t protect you from zero day attacks because after all they are called zero day for a reason).

That was the end of the day, we all assembled again for the final briefing in the auditorium were the technical lead for Cassidian gave us a run down on how to find the APT (to much groaning and forehead slapping by the contestants). We all then received a certificate to show our attendance and then HP provided a goodie bag on our way out and we hopped back on the bus.

At this point the assessors all got together and plotted our fate, sorry I mean worked out who the winners were, which believe me couldn’t have been easy or fun (unless you like that sort of thing).

Now Saturday evening was an informal dinner, the previous years winner gave a brief talk about what to expect if we won, and then the group of 40 contestants with enough hardware and skills to take over a small countries IT infrastructure were let loose for the evening. Fear not the hotel wireless network wasn’t abused (I don’t think) but I believe that they attempted a Denial of Service attack on the hotel bar that went on to 06:30 am.

On Sunday the Masterclass lunch and prize ceremony was planned. We all had team feedback sessions booked and I think it’s really important to mention that the Cyber Security Challenge team really do want honest feedback and they take that feedback and use it to help shape the next events on what we tell them is good/bad.

After the feedback session we had a couple of hours to kill before lunch, then at 12 noon we all assembled nervously waiting to find out who the winners would be. A lot of the sponsors were there so it was a good opportunity for people to mingle and network. At 1 pm lunch was called and we all took at seats ready for some food and prizes.

Now they make you wait till the last 15 minutes of the lunch to find out the winners so there were a few nervous faces during the 2 hours. The first winners to be announced was the overall Team Winner, and the name that got called was “Caterham“.. oh wait that’s my team.. needless to say the team were very surprised and pleased and we all got some cool prizes (including a SANS course…).

The Cyber Security Challenge Runner-up was Steve Jarvis (a member on our team) and the overall Cyber Security Challenge Winner was Stephen Miller.

Now one of the things that makes the Cyber Security Challenge truly awesome is that all of the contestants won prizes, the price pool donated by sponsors was around £90K and is all designed to enable people to progress a career in Cyber Security so no one goes away empty handed.

The highlights for me were:

I had awesome fun and learnt some new stuff
Met some cool people and put some names to faces (by the way English teachers can be evil..)
Won some prizes (which is really just an added bonus)

A special shout out needs to go to Dan Summers (@Dantiumpro), if it wasn’t for him I would have never heard about the Cyber Security Challenges and wouldn’t have made it to the Masterclass and also a big thank you for bigging me up to a certain gentleman on my table (I was going to say pimping me out but..).

The next round of challenges are available soon, so if you want to be at a Masterclass next year, and are looking for a way into Cyber Security then go to https://cybersecuritychallenge.org.uk and sign up TODAY.

First an important piece of information (it does relate to this post). There is a saying I like to use:

“Nothing is impossible, you are only limited by your imagination”

Now remember that for later and carry on reading…

So I’ve been a bit quiet so far this year in terms of posts, there is no real reason for this (other than being busy) but I never intended to use this blog as a means for posting “junk” and I know you guys are all busy so don’t want to waste your time.

Last year as you may remember was all about the OSCP and I found myself wondering what to do next, then like a shovel in the face it hit me. I’ve struggled to work out what area of InfoSec I want to “specialise” in, there are loads of awesome coders, pen testers, exploit hunters and malware analysts already providing advice and code for people and I don’t want to replicate work for the sake of trying to make myself look good.

The other important factor for me is that I have to be “interested” in what I’m learning otherwise I get bored and side tracked by other things (look at the monkey over there…). Open Source Intelligence, is something that I enjoy and really does interest me, hunting for information that is hidden online just waiting to be found, tie that in with a “hacker” mindset from doing my OSCP and to me that’s a receipe for epic fun (and mischief).

EoF.. (End of Fluffy)

Now where do you start?? So I am going to assume you’ve all used Maltego, if you haven’t hang your head in shame and go look HERE (). Back? Good, so I’ve played around with Maltego before (just the community edition) and it’s cool.. but for me it could be cooler so I started looking at how to write your own transforms and entities and then I found Sploitego (never heard of it.. seriously..)

So if you’ve not seen Sploitego before, I suggest the following:

Sploitego is written using the Canari Framework (http://www.canariproject.com/) which was created by Nadeem Douba (really nice bloke) and the real reason for this post. Canari is python based (which I’m trying to learn) and is essentially awesome. It lets anyone create local Maltego transforms, and takes all the hassle of learning XML (well at least understanding it) away and just lets you focus on the code.

Yesterday I finished my finished Canari framework package. It’s a re-work of the Netscaler Cookie Decrypter I wrote last year, now available in Maltego. It’s not perfect (neither is my coding ability) but it works and I will add some more functionality to it soon. I even now have a github.com account which you can find HERE .

So what does all this mean?? Remember the saying from early??

“Nothing is impossible, you are only limited by your imagination”

Combine that with Canari, Maltego and my own personal “out of box” imagination and rest assured there will be a lot more transform packages appearing soon. My goal is to enhance Maltego with OSINT tools, Wifi tools, basically anything I can think that would help build a profile of someone or something within Maltego. There are no limits, no information is irrelevant as long as there is context to it..

Go try Canari (or Sploitego) for yourself, drop by the forums on the site and say “Hi”.

Me I’m off to buy a copy of Maltego and start my new adventure.

So for this tasking I was not looking at infrastructure but at a person (not in a creepy stalker way either), I was provided with the following information:

• Full Name
• City
• State

I was also given a list of objectives of what information was required and the “rules” of the game. There was only one rule, all the information had to be obtained from “free” sources, as in no paying for information on the numerous websites that offer detailed reports on people. Now I assumed tracking people would be a lot more difficult that hunting down infrastructure, I live in the UK and the few times I’ve looked the amount of personal information available online isn’t great unless you want to pay for it, however my target was in the USA so it was virgin territory for me.

So for the first 30 minutes or so it seemed like I needed more information about my target, but then it slowly started coming together. I’m not going to bore you with the details but in the end I think I spent a couple of hours looking around and ended up with a 6 page written report to submit. Some of the information I retrieved was as follows:

• Targets home address, property details and telephone number
• Targets current employer, LinkedIn profile, and a list of his connections (not obtained from his LinkedIn profile)
• Targets work email address (well 2 addresses actually)
• Targets age
• Targets high school

Then it got a bit more interesting/fun, using the initial information supplied to me, as well as his age and where he went to High School I was able to map he details to a list of possible relatives. From this I was able to locate his immediate family (including some of their current address details), Facebook profiles, photos, and various other bits of info.

So this is the actual point of this post, OSint is originally a military term which according to Wikipedia is defined as:

OSINT is defined by both the U.S. Director of National Intelligence and the U.S. Department of Defense (DoD), as “produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.”

Outside of the military the only people I know of that engage in this type of activity is hackers/security professionals and private investigators (I’m sure there is more than that) and the purpose is different for each one.

However the thing that interested me the most was the amount of “private” data that is available online for free. In a world of terrorism, organised crime, online attacks and fraud can we really be this casual about letting this sort of information be so free and easy to collect?

Lets expand on my OSint tasking, if I wanted to go further with my investigation what else could I have done?

So I know my targets home address and work address, using this information I could plot the mostly likely method and possibly route that the target would take to work. If it’s a 2 hour drive to work, then maybe a train? Which is quicker, cheaper what are the current petrol prices in the area?

Does Google Street View give me an idea of the car he might be driving?

Does his house have wireless? Well wigle.net could help with that and then I could park outside his house and try and compromise his wireless network.

If he does have wireless can I obtain any information from places such as shodanhq.com? Is his wireless route vulnerable to attack? How much could a individual do from a computer half way around the world?

If I was intent on gathering as much information as possible then the paid reports available would provide much more information and to anyone willing to pay the $30 it might cost.

OSint is something that I’m going to be spending a lot more time on this year, in a weird (non creepy) way I enjoy the possibilities to see what you can find, which is only limited by your imagination and your patience. Watching the threads of information joining together to form a web of information is intriguing and scary at the same time.

So stay tuned for more..

So since I finished my OSCP course I been spending my time attempting to learn how to code in Python and working on my network forensic skills (which suck currently).

To this end I’ve been reading the book “Violent Python” which is actually ideal for me, the examples are both practical and the code works (always a bonus but not always a sure thing). Currently I’m working through the chapter on Network Traffic Analysis which involves lots of work to do with packet captures and Scapy (my two favourite things).

The one issue I’ve come across is the lack of websites where you can download pcap files that contain malware, attacks etc. etc. I know you can download some pcap files from the web or make them yourself, but I’m lazy and would rather have one place to go.

So to that end I’ve created a cunning plan… I’ve decided to build a pcap repository, available for all on the internet. It will be free to use and will eventually allow people to upload pcap files themselves (my web skills suck so might take a while). I have no idea if this idea will work or not but its my way of giving something back to the community.

I’m currently searching for a hosting provider that will allow me plenty of bandwidth and storage space (just in case this idea takes off). All being well I will have a new domain all sorted before Christmas and then the real work will begin.

Long term some of the features that will be available will be:

Ability to upload pcap files
Ability to download pcap files (wouldn’t be much good otherwise)
Search facility
Maybe even the ability to view contents of pcap files on-line

This being a community project I would help that people out there will help, whether it be suggestions, beta testing, donation of pcap files or some web development work (you don’t have to if you don’t want to though).

Well that’s my crazy idea for the year sorted, let me know what you think and I will post updates as I go.

I’ve signed up for a few of these but only submitted a couple due to the others falling right in the middle of OSCP time (which was more fun..). Now my aim for taking part was never to win, its just that I like doing these sorts of challenges and in the UK there is a distinct lack of CTF type things for a wannabe like me to take part in (more on that in later posts).

For both the challenges I submitted I scored OK, not 1st but not last either and like I said it was fun and I got to learn a few new things. Needless to say I was a bit surprised when I got an email inviting me to a special SANS Netwars event organised by Cyber Security Challenge UK, but as it had the word “Netwars” in it who am I to turn it down..

I arrived at the event this morning, with 29 other contestants, all various ages and background all of us with one thing in common, we all have a passion for InfoSec. The 8 highest scorers of the day would get a place on a “Masterclass” event in March 2013.

For those that don’t know what SANS Netwars is all about I suggest Google (we’ve talked about this before). Netwars events are “open book” which mean you can take whatever tools you want (Backtrack, Backbox etc. etc.) and the aim is simple, score points.

The actual Netwars was scheduled to run for 2 hours and you have to progress through 5 levels, the first 2 levels are achieved by using a bootable ISO image provided by SANS, level 1 is done as a normal user, level 2 is done with root priveleges. Both level 1 and 2 are more about forensics, things like “look at this pcap file and sha1 hash the IP address that made a DNS request to…” or “crack the password for root by using this backup file of the /etc folder”.

Now I like forensics but I suck at it, although I managed to get enough points for each level I did struggle with somethings, but I was surprised with some of the answers I managed to work out and a lot of that I think was due to doing the OSCP course. Level 3 is where (for me) the fun should start, attacking machines in a DMZ environment and finding the necessary “flags”, unfortunately by the time I got to level 3 I had about 20 minutes left so didn’t manage to score any points.

Just for information, level 4 is pivoting from the DMZ network to the “intranet” (again something I would have enjoyed and am well practiced at) and level 5 was “King of the castle” where you get to defend against other hackers.

The good and the bad:

Good
1. It was fun, by now you should guess that I love this kind of thing and would rather be doing offensive than defensive security.
2. SANS organised and ran the event incredibly well, the instructor/guide James Lyne was funny, helpful and helped make the event great, although playing Gangham style was a bit of a distraction (and it’s stuck in my head still).
3. See point 1

Bad
1. It wasn’t long enough, yes I know it was free and I should be grateful but, like I said I love this kind of thing so it would have been nice to see how far I could have got with a few more hours.

On top of this I got to meet a few people, spread the word about B-Sides London, drink nice coffee and I think I managed to avoid the TV cameras for most of the day, although there are some photo’s of me somewhere…

Now SANS very nicely have said they will email everyone their scorecards from the event which once I have I will post, but in the mean time here’s a screenshot at the scoreboard at the end of the day…

So I’m through to the Masterclass in March, I have no idea what that means or involves but once I do I will let you know. Between now and then I have some areas I need to focus on to improve my skills but as we all know its a never ending process really.