
Go for it. All right, have fun. All right, thank you everyone for coming. Just so you know the context: someone had been unable to speak at about 9:00, so we said, hey, you know, we have a talk ready to go, we're happy to jump in and talk about something fun. So my name is Phil Hartley, and this is my boss, Gabe Blanc, over here [inaudible]. So for those of you who attend the ISSA meetings in Charleston, I apologize, it's going to be a repeat; it's the same talk we just gave, that's why it was ready to go. So what we're going to be talking about today is passive reconnaissance in the context of doing red team and blue team engagements.

Just so you know a little bit more about us: we don't have a whoami slide, there's plenty of information about us online. We work on a red team for the DoD, we work at SPAWAR Charleston, so we're continuously doing these sorts of engagements. I've been fortunate enough to be able to be doing this for the last year or so; Gabe has been doing this much longer than I have, which is [inaudible] present here. Today we're going to be talking about passive recon, which is a component of open source intelligence gathering, kind of a mapping and reconnaissance portion of the assessment where you're finding a little bit about your target organization. And that's pretty much it. Black Lard Security Group: we're just a group of guys that like talking about security. Basic disclaimer: this is not being given on behalf of or in association with SPAWAR, our opinions are our own, this is in no way associated with the Navy or any of the work we do, so if it blows up it's our fault. [crosstalk]

All right, we're going to try not to go over; the last time it took about an hour and 15 minutes, so we're going to go real quickly. I mean, we're not reinventing the wheel here, it's, I'm sorry, I can't, standing on the shoulders of giants. There's thousands and thousands of talks on SlideShare if you look up social engineering and OSINT, so we're not really deviating too much from the truth. We're just going to talk, like Phil said, about passive stuff, doing OSINT without actually sending any packets at your target network, right? So it's about the principles really. We follow a methodology that we stick very closely to; we don't really care about tools. We're pretty agnostic about tools and flavors of operating system and that kind of thing; it doesn't matter, it's just methodology, right? They're not intended to be comprehensive; this is not, you know, follow all these steps and you will be a leet awesome dude. This is just some things that we do, okay? And every customer provides a new challenge too, so don't think this necessarily applies to all; you will have to deviate back and forth depending on how you do things.

So we wanted to talk about terminology; we're going to talk about methodology, objectives, baseline, case study (we got one of those, I think we got two of those), risk and mitigations, and then we're going to sum it all up. We're going to talk about some mitigations at the end. So let's talk about some terminology, right? Vulnerability assessment: to us at least, from what we kind of gather, vulnerability assessment to a lot of people means running Retina. Is that kind of where everybody's at with vulnerability assessment? Run your Retina scan, click a button, it does things. Pen test: a lot of folks aren't too far off from the Retina clicking-the-button thing; they show up on a thing and click some buttons and then say "I pen tested you" and hit report at the end. Unfortunately it kind of brings the bar
down a lot lower for doing real pen testing, right? So we have a little bit different definition of that, and it kind of goes into full-scope red team engagement. So we're talking physical, social, human engineering type stuff, of course over the wire, all that good stuff. So to us a full-scope red team is doing anything and everything that you can do and have the authority to do to obtain your objective. Next slide.

So what do you look to affect when you're looking to assess an organization, right? Kind of depends on the organization, but really there's some basic categories. It's IP, right? That happens a lot in business; that does happen in the DoD as well. I'm sure everybody's familiar with the situation where the Chinese got our Joint Strike Fighter plans that we spent billions of dollars making, right? So they save a lot of money by just throwing some dudes from Tang Jem University at it, right? Trade secrets, that's a big one for us. We look at PHI a lot; that's actually pretty good info, you can get more money for that now on the black market than you can for PII. Yeah, the articles that I've read, apparently selling the PS, cool kids call it PS, where you actually get enough information about an individual, including their medical information, to counterfeit insurance documents, and you can use those insurance documents to go get your healthcare. So for 1,000 bucks, that's what your PHI is worth, which sounds super interesting, because credit cards are like 50 cents, a dollar, $5 if they're super clean. So health information's bringing in a lot of money, so that's why we're going to see more and more people going after it. Yeah, it's good business on the side, and PHI was really, really disgustingly wide open. The medical communities really are terrible about securing their stuff; that's kind of, they've been left alone to just heal people and do things and are not really so concerned about security stuff, but it's pretty bad.

So mergers and acquisitions, that's a big one. We don't deal with that too much in the DoD, right, but obviously in the business world that's a big deal, right? Who's buying who and for how much money and all that good stuff; a lot of money can be made doing corporate espionage, right? Troop movements, that's a big one for us obviously in the military: who's going to be where and why and how many, numbers, that's good stuff, right? Logistics. So those are some things you look to affect on target, and diplomatic cables is a big one, right? So the whole Benghazi shenanigans with what's-her-face, I mean, people knew that was going down long before it happened; those diplomatic cables. Your end objective, your TX, execution, obtain your objectives, report on it, because nothing matters unless you report on it, right? You did absolutely nothing unless you reported on it, and it makes sense. So that's the most important piece. So how do you get there? How do you get to that end goal, how do you start? And that's what we're going to talk about today.

All right, so again, what would impact the mission the most, right? Personally, business, organization. We talked a little bit about a couple of these: future earnings, finances, faith in customers is huge for banking, right? Anybody ever do banking stuff? They have like a threshold set where if they get so much money stolen, and it would cost more to do public reparations, if you will, and fix that public image than it would be to let that money go, they kind of have insurance for that, they just let that money get stolen. Lives: you can affect lives, you can definitely do that, you can kill people over the interwebs. Anybody heard of drones? Anybody heard of Iran? So political stability, CIA likes doing that stuff, right? Political stability, making things, orchestrating events to happen in a certain way that you want them to happen; you can do that over the interwebs. So force projection, diplomacy, negotiation, right, all big, big things to go after. Classified materials, that's a good one, but that kind of is just easy to get, right? I mean, the good point about that though is physical, right? You just walk out of a building with a bunch of PHI and sell it on the internets, right? Or you're Chelsea Manning, or what's that guy from that one place, Booz Allen, and stuff. What we got next, objective, okay. So again, our objective is to gather, organize, read that slide: target identification, right, exploitation, post exploitation, right. It's all really
about post exploitation, right? I mean, getting shell inside somewhere is relatively the easy part nowadays, right? It's usually just stupid user tricks, you can say that, right? But we don't care. Like, if you're one of those people that said "that wasn't leet, you didn't get in from the outside, you didn't do all this cool hacker stuff from CTFs," who gives a crap, right? It's about getting to your target objective, obtaining what you're after, and that's it. If you use an email phish and it's good old-fashioned macros inside Excel and that gets you in, who cares, right? It doesn't have to be some leet 0day; don't give a crap, right? We typically go into our engagements planning on not using any exploits, right, code-based exploits; then we typically don't, we haven't used any so far and we've been pretty successful. I think the last exploit, true exploit, I used was Sun RPC, remember that one, port 111 on Unix boxes, RPC. So I used that like 2007, that was the last time I had to actually use an exploit, and that was because it was a time-sensitive thing, I was like, oh shoot. So it's all about post exploitation, and we'll get to that; that's way down the road in future talks, but all of this is to get there.

So doing that, we're going to work backwards, right? So we want to get here, we want to do an attack, right? It's probably going to be spear phish or whatever to get inside, or physical. So let's move backwards past the brain part, and let's start with gathering info. So I said we're not too worried about tools, right? Of course you've got to do tools, right? You're a carpenter, you're trying to build something, you've got to use tools in your toolbox to make that happen. So we're going to talk a little bit about some of those; use them if you want or don't use them or do whatever, it doesn't really matter, but whatever those tools are, you use those to, you know, get to your end objective. So it talks about Facebook Graph, FOCA, all kinds of cool stuff, and in the middle you take all that stuff, you do all this tool stuff, and all this tool stuff is just to gather data: give me all the infos so I can use that to learn about my target, right, get to this end goal. So out of all these tools you get raw data, right? You get something back; you ask for something, you get something, binary, right? You get something done. You take all that raw data, and the most important piece is turning it into actionable intelligence. Where's the Intel guy? Right there, everybody look at him. So actionable intelligence, right? It's all about, if you're going to make a decision, a commander's decision, right, give me something actionable, don't just tell me stuff, right? If you're hackers, if you do this, don't just say stuff: "I have all these things, I can do all this stuff." Nobody cares, right? You need to make a decision, you need to make actionable intelligence to make a decision on, to go after a specific objective, and that's where we get to this end goal, and hopefully we'll get that today if I hurry up. Next slide. Is this you? This is me here, okay.

So we talked a little bit about different ways of coming at an organization, methodology. Today's just going to be about passive recon; again, we're not sending any packets to the organization, this is what we can find out about the organization without them even knowing about it. So when I first joined Gabe's team, literally the first day he's like, we have an assessment, here's the target, go do stuff, and I was like, all right. So like Gabe said, one of the first things you want to do is learn a little bit about your target: who they are, how do they make money, where their critical resources are, and what's going to do the most damage, right? So this is, and OSINT is overwhelming when you first look at it, right? There's a million sources of information; there's tons of information about everyone and every company out there, but the main point is: where are the resources, what's critical, how do they make money, how can I hurt them, and what sort of V do I need to formulate an attack, right? So when I first went out there I was just grabbing everything I could, right? I had no focus, didn't really have an intelligence product in mind, right? So you always want to have something in mind that you're working towards, that you're gathering data for; otherwise you end up in a wormhole, in the weeds, with a bunch of data you're not sure what to do with. So
one of the first things we do when we have a target is we want to gather a nice thick baseline's worth of data about this organization, and this is just what we talked about: who they are, who might work there, products and services, culture, how they talk, who they speak to, right? These are all good things we want to learn about the company, because if we don't know that we're not going to know how to attack them, we're not going to know how to affect operations. So in this case you're going to use categories of tools to bring back raw data to create your baseline. Some of the things to keep in mind as you're creating the baseline are here: key partnerships, leadership, physical network footprint, mission statement and purpose, right? And then you have categories of tools that can get you there. Again, it's not about the tools; to tell you the truth, most of the juiciest things that we find are just from manual searches, just bleeding manual grunt work at Google, and you stumble across some pretty amazing stuff. We've listed some tools within these individual categories which are super helpful, but don't discount manual grunt work. I also wanted to point out that some of those tools that are asterisked are not necessarily passive depending on how you use them, right? So right now during the recon we don't want to visit the website, we don't want to call them, we don't want to give them any indication at all that we're actually targeting them. So for example, a tool like FOCA, right? FOCA is an amazing tool: you harvest a bunch of documents, you throw it into FOCA, FOCA cranks on the documents and starts spitting out emails, names, file paths, computers, OS, software installed, software versions installed. But if you run FOCA out of the box and just give it a website and click go, it'll actually harvest all the documents from the website itself, so hundreds and hundreds of documents will be pulled down from that website when you click the button, so if they're watching, they'll notice. Another way to use it is to get the documents using alternate means, then drag them and drop them in FOCA and let it do its work. So my point is just be careful about the tools. I made the mistake of learning the hard way: hey, great tool, let's go get stuff, and just totally blasting an organization with a bunch of automation, which is not good. So tools are great, just make sure you know what they do; I learned that the hard way. So again, bringing our baseline. All right, next slide, you're back.

So just as a lead-in to Gabe's slide, a lot of what we just talked about you can do over the wire. What Gabe's going to talk about, actually what Gabe's done a lot of, is passive physical recon, right? So what can I do, what can I learn by interacting with the physical infrastructure, right? So there's passive reconnaissance, getting information from an organization without sending a packet; there's also passive reconnaissance you can do in the physical world, so that's what Gabe's going to talk about before we jump back into some of the wire stuff.

Okay, so Phil just talked about this slide. No, I didn't give the leading, man. So everything Phil said, remember, it's passive, right? All these things that we talked about doing so far, we talk about tools, don't touch your target, right? Zero packets. So you can do FOCA, you can do all that stuff we talked about so far without touching the target and all that stuff. So we're going to talk about passive recon, physical. How can you do that, you say, because your physical body is in your target area; how do you do that? Sure, it depends on what the target is, right? But say it's like a bank, right? Can you just walk into that bank as a person, "I'm a new customer," grab stuff? Sure you can. It's passive, you're not interacting with a human, right, because social engineering is really human engineering, right? That's what we call it, because you're interacting with a human being, trying to create a certain scenario or a certain
thing to happen, right? So if you don't do that, you're doing it passively. So yes, you can recon routes, right? Smoking area. Who smokes in here, anybody? Okay, who can pretend to smoke? So you've got to pretend to smoke; the smoking area is huge. If you ever end up doing a physical engagement, the first place you should look is a smoking area; there's always one or two or five, and they're usually right outside the front door. Like where we work, it's right outside the door, like you can't even get out with the people in the smoking area. So that's a good area to look. The gym: can you passively go to the gym and grab stuff? Sure. So what I'm talking about is scoping out people across the street or whatever, scoping out where the gym is. Some places you may have an area here where they work and run across the street to the gym; they walk across the street to the gym, you're scoping them out, you walk in, they go do the thing, start working out, and they leave their badge sitting under the thing, right? They may lock it, they don't lock it, or if they do lock it, you've got these, or you've got a shim, right, for a little turny-turn. So then you just take a picture of that badge, you take it back with your software and make a badge, right? All passive, you didn't interact with the human at all.

So local eateries, there's usually always one of those, right? After-hours hot spots. What happens at after-hours hot spots? Dig Mau, right? Every time. [inaudible] drink, if you work on base, where Dig Mau is, right, the street. What happens? Talking about work. Alcohol, drink, yeah. Oh, you, the last one, that doesn't count, you cheated, you cheated, right? So yeah, people start drinking, right? What happens when you start drinking? Loose lips sink ships, Michael. So people blather, right? So that's one of the best jobs, right? You're getting paid to do passive recon and you're just sitting there having a few drinks, people jibber-jabbering over here, and you're writing notes down, right? Definitely happens, happens all the time. Parking lot: people leave their badges hanging up, they leave stuff in their car; you just [inaudible] in the car, you know, you steal whatever they've got in there, take pictures of it. That happened, right? Was that big VA thing that happened, remember that, 5 billion, was it 5 billion, 5 trillion, a googolplex amount? It was a lot of money. Just stole a [inaudible] out of a car. Thank you. Passive. I mean, it's active, you grab something, but you didn't interact with a human, okay?

So next, establishing your baseline. What do you need? Okay, this is just a short list. We're talking about what you need, not all the cool ways to bang stuff. You know, think of a James Bond movie, right? He goes and sees Q; Q just gives him a few gadgets, he doesn't load him up with all the stuff, he says here's a couple things, here's your watch that shoots lasers and all that stuff, right? So these are the things that you kind of need, right? Camera: that kind of goes hand in hand nowadays, kind of easy, get them on your phone, right? But it used to be where we had to, you know, hide them somehow, like a little green meanie, remember those, a book, and you kind of carve it out, put a camera in there. You need a monocular; I'm going to talk about that in a second. Remember depth perception and your peripheral vision; that's why I say monocular, not binocular, right, so you can see okay out this side. We'll talk about that a little more. Next one, you need a proper bag, you need a space pen, you need a waterproof notebook, and you need street smarts, and optional is attire, and I don't mean walk around nude, although that's an option, but I'm going to talk about that in the next slide.

So what you need to do with the things that you need to have. Camera: be natural, use cover, right? Don't act like a Japanese tourist where you're out there taking pictures, you know, asking people to pose with their secret documents and stuff, right? Be natural, use a camera, make a little hidey thing if you can, like I said. So one of the things like I said with a book is you cut out the book, you put your camera in there, you're just sitting there taking notes or whatever, taking pictures. The monocular: I said remember depth perception, peripheral, camera, right, keep your surroundings available. Hi, Ryan Fortress. And so what would you do to [inaudible]? You're asking, are you doing spying across the street? Yeah, that's part of it, but also, like if you're in a building, right, and there's somebody over there and they're putting their password in, or they're doing a little cipher lock, you're sitting down, you can secretly do it, you know, in a little cube and nobody can see you, check out what that code is and put it in on password. So proper bag: I'm biased about proper bags, it really is important, get yourself a Maxpedition or 5.11, maxpedition.com, bonus code Gabe, we get you no discount; I'll give you my address if you want to buy me something. So yeah, but you've got to have a proper bag. I mean, you can't, I mean if you're a dude you've got to have a murse, right,
bring a murse. You can't have all this stuff all over the place, right? A bag you can get in and out with your gear, steal documents, do whatever you've got to do, right? It's got to look natural, right? Think about that bag. Space pen: why did I say space pen? Because you can write in any kind of conditions, right, whether it's hot, cold, rainy, whatever, upside down. Waterproof notebook, space pen. Learn sniper/infantry techniques, I have on there. I am a prior infantry guy in the Marine Corps, so there are some techniques you can take from the infantry. Anybody heard of intersecting fields of fire, right? That guy has the Intel. So that applies to cameras too, right? When people set up security they have cameras, overlapping fields of camera vision, right? So when you're using your waterproof notebook, again, you need to be able to write in any climate, place, right? So make sure that you're taking notes of an area, right, you draw a picture: here's my building, here's my cameras, intersecting fields of vision, guards are over here, I mean all that stuff, right? You want to take that layout, basically take a snapshot of that as if you would with a camera, but if you didn't have a camera, right? So that's what you want to walk with a notebook for, and many other reasons. So what I meant by sniper, that goes into the camera thing and goes into the monocular thing, right? There's techniques you can learn, Google after this, but there's techniques you can learn where you need to be able to get good at seeing something for a short period of time and remembering that. So that's a sniper thing where you go up and down, see stuff and remember it, right? So you don't want to look at something and try to memorize where something was happening and just sit there looking at it; they'll think you might be doing recon, got it, right? Don't do that. So you just want to walk by.

So a scenario, this, and I've done this in real life, at a place where they had a lot of things and it was very [inaudible] a thing. So once we got inside, right, every single door inside had a little cipher lock on it, ready to put a code in to get inside. So you don't sit there, walk by and do this number, right, and then go in the bathroom. You walk by like this and you capture the code as they're putting it in, and you walk into the bathroom and write that code down. And then you're usually doing this at the end of the day, right, four, you know, 1600, 1700, everybody's leaving, you hang out in the bathroom. That's everybody's, as important as the smoking areas, right? I'm not kidding: hang out in the bathroom, take a dooky for a while, wait till everybody's gone, come back out, halls are cleared, put your code in, right?

So street smarts, optional attire. This may be a sensitive topic, but if you have on your team available to you an attractive female, and you're doing passive reconnaissance, it should be no secret that they can typically get, no offense, ladies, they can typically get more information than a guy could, right? Would you rather have this eliciting information from you, or would you rather have Sally Jones, for example? So just keep that in mind. We have done that; we have had people on our teams, females, that were Intel/CI background, and they would do that kind of stuff. So keep that in mind as you're doing passive reconnaissance.

There was a female winner of the DEF CON CTF this year. Oh yeah, yeah, totally; like, the closest competitor was like 200 points away, like she totally blew away the competition, it was pretty amazing. She's not a [inaudible], if you, no, she doesn't even do it for a living, she's like, oh, this looks interesting, I'll try it. There were just articles from RSA about the dudes with the thing, kind of like with the thing, we, oh yeah. So the couple of researchers used a very attractive female Facebook profile to literally elicit information from the company, so much to the point that they sent her a laptop, network logon, badge: here, you're hired. Just totally schooled them with this super attractive female Facebook person that they interacted with over the wire, but she didn't exist; it was two guys, probably a lot like us, created her. There's also a great talk from, there's a gentleman, his name is Jordan Harbinger, he owns a company called The Art of Charm, gave a talk at DerbyCon 2012. He literally set out as a personal project to socially engineer people who list themselves as part of the top secret clearance groups on LinkedIn. Have you all seen this? It's awesome, like people, yeah, "I've got clearance, I'm here, come get me." So he said The Art of Charm basically teaches, he only takes male clients and literally teaches them charm techniques, you know, how to elicit information from people, how to go on dates, things like that. So I think he literally teaches James Bond types what to do in the situation. So he had a matchmaker that worked for him full time who created Facebook profiles specifically for the targets he was after, so we research his target, find out what they
like