
So this is my talk... just kidding. All right, so this is our final talk, and after this we have an after-party with an open bar, so please stick around. We're also going to have a bunch of announcements and prize winners and raffle winners and whatnot. We're just going to pick from the list of names of people who pre-registered, so if you didn't pre-register, sorry. All right, so I'd like to introduce our last but not least speaker.

Today's talk is going to be about open source intelligence with a framework that I wrote with a couple of friends. So, with that out of the way: I used to be an infosec outcast. I got a job a couple of months ago, so I'm official. I work for a telecom company doing red team and pen testing. We're looking for people that want to get a job there that can do that type of stuff, so if you're interested, come see me after the talk. Yeah, I'm Mexico LX on Twitter and GitHub. It used to be pornhub, and then I found that somebody actually has that, that has some weird fetish with MILFs and chicks with hair, so that's no longer me. I run an old website, illmob.org; a password recovery site, whatsmypass.com; a pentesting wiki; Church of O'Dea org, my personal site where I do stuff with Arduino, Raspberry Pi, etc. And then I used to run tracksomebody.com, which was kind of the basis for this program. It was all web-based, and I decided to make it command line and stop paying for the domain.

So open source intelligence is basically anything that you can collect from any publicly sourced data without paying for it. A lot of times most of this information is behind a paywall, or it's behind some API that you've got to pay for usage, so I'm trying to work it with scraping stuff that comes from all these free sites. I'm not a lawyer; I looked into it a little about web scraping. There are some gray areas with it, so use that at your own discretion. Most of these sites, I don't think they'll go after you, because most of them don't have the data legally anyhow, so it should be good.

Originally, a lot of the tools used was Maltego. You would use that, transforms and all that stuff. It was proprietary software; it comes free with Kali for the Community Edition. They have a paid version; I have no idea what it costs because I didn't want to pay a lot of money for it. But yeah, it's pretty good at visualizing a lot of data. Resources: people have made transforms to do everything from looking up passwords from data breaches, old emails, all that stuff. So it is really good with the resources, but again, I'm cheap. Another good source is Recon-ng, a command line tool. It uses a lot of APIs; a lot of the APIs are paid, such as LinkedIn and stuff like that. So again, it's good if you can get some of the free stuff out of it, but some of the paid versions are not that great. And so this tool is basically Google; everybody knows it. A lot of times you can Google dork and get a lot of information and cross-reference whatever information you can get from it, and then go deeper in your search.

Why is scraping better than APIs? It's cheap. I don't have to pay some company for a thousand hits on their API or some paywall that's $19.99 a month. There's no limitations. Basically what we try to do to get around it: originally we were doing proxying and changing the headers to avoid them stopping us. They're getting a little better at stopping some stuff; I just had to update some stuff this week, but we're still getting around all of it and it's getting all the results that we want. So basically we just want the information; we don't want to look at a bunch of ads and crap and [ __ ].

So the original idea for the site was tracksomebody.com. It was basically a JavaScript-based site where you would go to the different pages; you could look up stuff by screen name, email, IP address, name, phone, etc. It would basically pop up as a window; you would put in the information and it would just pop up different tabs with all those different sites. So instead of doing that, a lot of the browsers like Chrome and Internet Explorer, Firefox, they started blocking websites from popping up a billion tabs, so it only really worked if you let your guard down, and nobody really wants to do that with all the spam and crap. So I let this domain expire last year, probably a month before I came up with this idea, and I'm still kicking myself because somebody took it and I think they're asking like five grand for it now.

I do have a legacy version on illmob.org/bookmarked.html, which is basically the same thing: you click the buttons up top and you just look up the query. I also have a license plate lookup on there where it will look up just the VIN information and the car information. You won't get the person's information or their address, because the DMV gets a little pissed when you're tapping into that. But these also are bookmarklets that you can drag up on, like, Firefox, drag them up to your toolbar, and you can click them right from your toolbar and do it from there; you don't have to do it from the page. So basically you would click on it, you put in the information, who it is, all that, and then it would open up all these tabs with the different information. You go through, you scrape it manually, and that's a pain in the ass.

So what I wanted to do with the program is basically have the same idea: hit all these websites and then pull the information that I wanted from there, without all the different crap with the fake sites that are trying to click you through to their paywall site pretending that they're scanning for all this information. So basically I tried to pick out most of the good sites and get the ones that were not popping up a whole bunch of CAPTCHAs, all that stuff. So I found that Python works well with BeautifulSoup to pull the information. We're using BeautifulSoup and scraping JSON. So basically what it does is it goes to the site. The code's a little crazy; over the summertime, before DEF CON, we tried to update it to Python 3 and that was just a [ __ ] show, so we backtracked a little bit and went back to Python 2.7 for a little while until we can get all the stuff working.

I'm not the greatest coder. I can make [ __ ] work, but my code's a mess. This is just something I made. All the companies now, they're using buzzwords, you know, machine learning, all this other [ __ ]. It's just if statements; that's all it's doing. So there's nothing fancy like machine learning and all this blinky box. But so basically our concept is, uh, yeah, it's in the cloud and AI and all that. So basically what the site does is it's scraping: it connects to the site, gathers the HTML, and then it just parses all that information with BeautifulSoup and just gets the needle in the haystack, pretty much. And then it just produces it on the screen for you. We're adding abilities to output to Excel, Word; right now it's just doing JSON output, which you can pretty much feed into a lot of [ __ ].

So basically, skiptracer. This is what it is: it's a command-line Python script. What it does is it has a bunch of different sections that you can do, with phone, license plate, domains, IP addresses, and gives you all the choices and all the returned information from it. This example here is the phone, reverse phone. If you notice, it's Kevin Mitnick's number, which he has on his card, so I guess it's safe enough to look up without him crying about it. But it hits a couple of sites, WhoCalled, 401 info, True People Search, Advanced Background Checks and TruthFinder, and then it just displays all that information on there. With the phone, a lot of times it's tied in to your personal information; you'll get stuff like your current address. If you notice at the bottom, his date of birth is at the bottom. So it basically pulls all that stuff up and cross-references it. We don't do all the heavy lifting; we're just pulling all this stuff from the sites and just displaying it for you in a quicker time.

This is the email one. Had a little issues with this recently: HackedEmails, which was a breach database, they went down because of the GDPR. They didn't want to get screwed about putting out people's personal information if they don't know what part of the continent, or, well, part of the world they're in, so they basically bowed down. Have I Been Pwned is still up because they're not really showing the actual passwords and stuff like that. And whoismind, which was a reverse DNS: it just basically looked if that email had registered a domain; it would put up those domains. So that was further your digital trail to find out who someone was, or if they had some sort of website that you can get some more information from.

Username recon: it goes through Knowem and NameChk, and it basically checks all these sites to see if there's accounts on there. A lot of times I'm putting these different sites on there because there is different information from some of them. Some of them will say there's a valid account here and one here, but it's not exactly exact, so I try to get as much data as possible for people to go with, and then they can do their legwork from there; just basically compile it in one spot.

Username, or first name and last name: basically some of the sites go through and ask you where the person's from. So if they have a common name, it helps get it down. Like, if you know the zip code, maybe where they're at, or the state or the town, it will pull up anybody with that name in that area. It's going to look if it's male or female; it's going to look at their age. Some of them just ask if they're over 30; some ask the age range. So you could basically broaden it down to get everything down. And if you look at it, still there's a lot of information that pulls up. If you look at Kevin's info again, it's shown his date of birth, his phone numbers, some emails that he's used, and you'll see some mixed information, like that gandi.net email was some privacy email that was on one of his websites, so that got scooped up into some sort of database and it's in there now.

And then one of the other ones, this is one that we just added. It was in there before, but it was just giving us issues. We're going to add a second site, because this one's a little weird about the timing on it. It's basically when you hit up the plate number and the state, sometimes it returns, it says no return info; sometimes it does. As you see, it gives out the VIN information, the make and model, and where the car was built, and stuff like that. I've used it like one or two times. I had a client of mine that was a liquor store, and basically somebody had stolen from there and they didn't know what type of car it was, but they did have the plate on camera. So we figured out what type of car; it gave that information up. So some of that stuff's cool. Like I said, it's happening; DMV is a different story.

And the last one that we have that I just started to add was the domain stuff. We're using stuff like certificate transparency to pull up the subdomains for websites and stuff like that. So in the demo I'll go through it. Hopefully the Internet's not going to screw up on here, but we're going to try.

Yeah, so let's see if this... let me know if you guys see this. I tried to make it as big as possible. So one of the hoops is off-screen again, damn it. All right, so basically what you do: you would start it up with Python. You would call it python skiptracer.py. It comes up with a menu. We tried to model it after kind of like a Metasploit menu or something like that, where it's just got the menus and you go through the different questions and stuff on there.

So the first one I want to do, hopefully if it works, we'll do the phone one first. I know Kevin's number works, so we'll try that. So basically it's going to ask you what phone number you want; you put it in there and then it's going to go through the different sites and pull up that information, scrape that information for you. So this one, you have the option to go through all of them at one time, or you can do them singly for each site and see what information is on there. Like, WhoCalled is pretty good because it tells you the carrier for it, when the phone may have been registered, or the number may have been registered; it gave their general information and stuff like that. And as you see there's different sites that you can run it through. The best one usually is Advanced Background Checks, and if they go to a paywall it's going to suck, because they're the ones that give out most of the information that's on there. Like you'll get their addresses, you'll get relatives, you'll get their date of birth, pretty much anything about that person. A lot of times you're going to get some different information rolled in there because people like to use Kevin's number for filling out credit cards and stuff like that, so you will see some other stuff that's kind of spammed in there.

All right, and what you can do too is basically, when you put in the target, as you see up top, his number's still up in the top, so it's not going to ask you again. If I want to go to True People Search, it's not going to ask me for that number again. Number six, you could reset the target; it will ask you for a new phone number and then you can go and get stuff like that. Option seven will bring you back to the previous screen.

So right now we're going to test out email, see if that works. Well, I guess we'll do just LinkedIn right now. This uses a trick that not a lot of people know about, but there is a URL that will pop up that, if you add the email to that URL and you're signed into LinkedIn, you'll get their information from their LinkedIn profile. The only issue with that right now: I have my LinkedIn username and password logged in there, but if you hit this using your own profile and not some other profile, like, Kevin will get a notification that I looked at his profile, and he probably thinks I'm stalking him now. But yeah, it goes through a whole bunch of stuff. Like, you know, you won't get results; I don't think he has a MySpace anymore. And yeah, he's been pwned a few times. So Have I Been Pwned is pretty good because it goes through all the different data breaches that Troy Hunt gets. So if you're lucky enough to find some of this, and Kevin hasn't changed, I think it was like mitnick666 or something was his password, if he hasn't changed it on some other site, you might be able to log into his old profiles or whatever and do what you need to do to mess with them.

Yeah, well, I mean, people are still using it I guess, and now that AIM is dead I don't think there's a lot of people using it anymore. Yahoo Messenger went down, all those good ones. So the next one we'll do is screen name. I'll just... "condor" is kind of common. What do you have, like, uh, "noid" with a zero, right? Yeah, I can't type. So it will show that there may be somebody; it might not be the actual noid, but it will show that they have a password, and maybe he's doing some arts and crafts on Etsy and stuff like that. I mean, Knowem is pretty good with the actual... that there was an actual account on there. NameChk sometimes will give you a false positive where it will say that there's an account there and you go to that account and it's a 404. But if you noticed, it's kind of a common name; it may or may not be him. But I've used this a lot to find a bunch of old friends from like 20 years ago on IRC and start pulling them into my channel. Yeah, so like that. This one's good; NameChk is good because it actually shows the actual URL instead of trying to figure out what the URL for the users are, so it works pretty well in that aspect.

So, well, there's actually... we'll see if he has a Tinder profile now. Like, I reset this and, say, just do my name. I don't have Tinder, so it's going to be some random dude, but you can friend them if you want. So yeah, basically what that will do is it'll check Tinder, and that's basically their profile picture. It'll give you the URL for that; it will give you the name that they put on there and whatever bio. Sometimes the bio is where they work, sometimes if they go to college, and it gives you their name, if they didn't lie about it, or some random age.

And then the final one was the domain one that I'm still kind of working on, but basically it uses the XFR techniques to check the search from the site. So if I wanted to check, when we do fairfield ET... you gotta spell it right. Oh yeah, I can't type for [ __ ]. Yeah, I don't know if it erased or wrapped around; let's see what happens. Yeah, so it just didn't wrap around. So basically if you were doing any recon on someone's website, it's going to pull up all those subdomains for you automatically. It's a lot easier than going to, say, DNSdumpster, which we're going to add. DNSdumpster has an API but it's not paid, so we want to add that on there and add that capability, because sometimes there's stuff in DNSdumpster that's not showing this way, so you might get some weird subdomain that they forgot about, or anybody forgot about, and start your recon from there.

And that's most... actually, did we do the plate? We did do the plate. This one is like hit or miss. Sometimes, like I said, you know, if we want to look up who has the plate "hacker", they live in Alabama, and basically, yeah, it shows you know the VIN number, the make and model. So you can guess, you know, whoever has the plate that you want, and then you can figure out, you know, whose car it is, etc., blah blah blah.

We are working on newer stuff and more sites to add. I started this before I started my job a few months ago, so I haven't had time to really work on it as much as I want to, but we just got all the stuff done this week to fix it. Basically the couple of guys here, I think on the next slide, actually, yeah. So we're working on more plugins. We're going to work on API support for some of the sites that are free and we don't have to worry about paying for all that crap. The output we're working on; like I said, there's JSON now. DOCX we have working; it's just we haven't uploaded it yet. We want to do some cool stuff with that. Also CSV, Excel spreadsheets, etc. Hopefully get around GDPR; it's just basically, I don't care about it. So if it's pulling up information that I want, screw 'em, it's out there.

So yeah, basically all these guys helped me out in the progress of getting this to work, stuff that I couldn't figure out in Python. So it's like basically now it's mine, but yeah, these guys help on a day-to-day when I have stupid questions about why something isn't working in the scraping, etc. But yeah, we're also looking for other people. If you're interested in helping out, know Python, or you know some sites that you'd like to see that we can scrape that don't have the APIs, without all the pop-ups and all that crap, you know, just hit me up on GitHub. It's there for now. I know everybody's crying about GitHub, Microsoft owns them now and they're moving over to other crap. We're going to be there for now until we break off to somewhere else. When the code's finally polished we'll probably get it done under something else. But yeah, other than that, that's pretty much it. I mean, we went over a whole bunch of stuff. Have you got questions?

Well, yeah, I mean, you can write the plugin right now. We don't have like a base plugin where you just plug in the information and try to get all that stuff out. We're probably going to get an example one to make it a little bit easier, because right now we kind of dumbed down the code a little bit, because we went a little crazy with the proxying and all that stuff and some people couldn't figure it out. So we're like, okay, let's tone it down a little bit. We'll let people proxy it through Tor, etc., if they want to, and let them do that. And you know, if they're not using that website too much or hitting it too much, you're not going to come up with the CAPTCHAs and all that other stuff.

Yep. Yeah, so we'll get some stuff like that with... yeah. Yeah, I mean, Shodan, and Shodan does... the guy that runs the site is pretty nice. You know, if you're a student I think they give you a free account with a lot of stuff, or I hit him up, I said I ran a hackerspace, and he's like, here, have an API key. So he's pretty cool about it. But yeah, we will have that stuff and examples for people to work on stuff. But again, if you find some stuff or find any cool sites that may have some information that we can scrape easy enough, it shouldn't be that hard to really add it into there. Like I said, we're always looking here and there for new sites and trying to find the best ones that give the most information, like Advanced Background Checks. When it originally started, that page, we didn't realize if we scroll down all the way to the bottom of the page there was actually a JSON output. So instead of scraping that stuff and parsing it with BeautifulSoup, you just grab the JSON. I think either they updated their site this week or they're on to us, but they tried to screw with the JSON this week, so it wasn't working up until last night. We figured it out, got it working, but yeah, it's staying ahead of them, hoping that they don't go to a paywall. But for the most part, you know, most of these sites are pretty free and you get all the information. You'd be amazed at what you find: old emails come up and pull up information on you, and like, maybe, you know, before you were aware of security, you may have filled out a credit card application that's in some crappy database that LexisNexis or somebody else bought and resold and resold and resold. But it does pull up some crazy stuff. Any other questions? Anybody? Good, good, good. All right, yeah, thank you everybody. Hope you enjoyed.

BSides, it's the fifth year that we're doing it. One of the co-founders and co-organizers... we tried to make this cooler and cooler each year. Biggest year so far: it had over 200 people sign up, doubling our last year's event. So, but yeah, stick around; we're going to have like a bunch of drinks, food, all that crap afterwards, maybe some lightning talks, maybe. So, but yeah, thank you everybody. [Applause]
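The certificate-transparency subdomain lookup the talk describes is just as useful from the defender's side, for inventorying your own domain and spotting the "weird subdomain that they forgot about". The following is an added example, not code from the talk or from the skiptracer project: it parses entries in the shape of crt.sh's JSON output (the field names name_value, common_name and not_after are assumed from crt.sh's behaviour), dedupes and normalizes the names, rejects look-alike domains and junk SAN entries, and flags hosts whose newest certificate has already expired. The CT entries are constructed inline so it runs offline.

```python
# Added example: inventory the subdomains of a domain from CT log entries in the
# shape of crt.sh's `output=json` response (field names assumed: name_value,
# common_name, not_after). Hosts whose newest certificate has already expired
# are flagged: a useful signal for a forgotten subdomain.
import json
import re
from datetime import datetime, timezone

# Constructed sample, not real certificate data. name_value holds the SAN list,
# newline separated, as crt.sh returns it.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com", "not_after": "2026-01-01T00:00:00",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "not_after": "2025-12-31T00:00:00",
     "name_value": "*.example.com\nold-vpn.example.com"},
    {"common_name": "dev.example.com", "not_after": "2025-09-01T00:00:00",
     "name_value": "Dev.Example.COM"},
    {"common_name": "example.com.evil.test", "not_after": "2026-06-01T00:00:00",
     "name_value": "example.com.evil.test\nnot a hostname"},  # look-alike + junk
    {"common_name": "staging.example.com", "not_after": "2019-03-01T00:00:00",
     "name_value": "staging.example.com"},                    # long expired
])
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# Strict hostname syntax: letter/digit/hyphen labels and an alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def is_under(name, domain):
    """True if `name` is `domain` itself or a host beneath it (no look-alikes)."""
    return name == domain or name.endswith("." + domain)


def extract_subdomains(ct_entries, domain, now=None):
    """Return {"hosts": {name: {...}}, "wildcards": [...]} for names under domain."""
    domain = domain.lower().rstrip(".")
    now = now or datetime.now(timezone.utc)
    latest = {}        # hostname -> newest not_after seen across all certificates
    wildcards = set()
    for entry in ct_entries:
        # The SAN list is newline separated; the CN is not always repeated in it.
        names = set(entry.get("name_value", "").split("\n"))
        names.add(entry.get("common_name", ""))
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        for raw in names:
            name = raw.strip().lower().rstrip(".")
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]          # "*.example.com" still names example.com
            if not is_under(name, domain) or not HOSTNAME_RE.match(name):
                continue                 # look-alike domain or junk SAN entry
            if wildcard:
                wildcards.add("*." + name)
            if name not in latest or not_after > latest[name]:
                latest[name] = not_after
    hosts = {h: {"latest_not_after": t.isoformat(), "expired": t < now}
             for h, t in sorted(latest.items())}
    return {"hosts": hosts, "wildcards": sorted(wildcards)}


def inventory_sample():
    """Run the parser over the constructed sample with the fixed clock."""
    return extract_subdomains(json.loads(SAMPLE_CT_JSON), "example.com", now=SAMPLE_NOW)


if __name__ == "__main__":
    print(json.dumps(inventory_sample(), indent=2))
```

Feeding it a live crt.sh response for a domain you administer and diffing the result against your DNS zone is the defensive use: any host CT knows about that DNS no longer serves, or that only ever had an expired certificate, deserves a look.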