RECON VILLAGE - From Breach to Bust

Video thumbnail (Frame 0) Video thumbnail (Frame 2701) Video thumbnail (Frame 5355) Video thumbnail (Frame 6133) Video thumbnail (Frame 7799) Video thumbnail (Frame 9035) Video thumbnail (Frame 10369) Video thumbnail (Frame 11482) Video thumbnail (Frame 14456) Video thumbnail (Frame 18881) Video thumbnail (Frame 20077) Video thumbnail (Frame 20857) Video thumbnail (Frame 24373) Video thumbnail (Frame 26103) Video thumbnail (Frame 27442) Video thumbnail (Frame 28302) Video thumbnail (Frame 29371) Video thumbnail (Frame 31521) Video thumbnail (Frame 33588) Video thumbnail (Frame 35212) Video thumbnail (Frame 36818) Video thumbnail (Frame 39771) Video thumbnail (Frame 40661) Video thumbnail (Frame 42239) Video thumbnail (Frame 42981) Video thumbnail (Frame 45727) Video thumbnail (Frame 47976) Video thumbnail (Frame 49408) Video thumbnail (Frame 52668) Video thumbnail (Frame 53670) Video thumbnail (Frame 54374)
Video in TIB AV-Portal: RECON VILLAGE - From Breach to Bust

Formal Metadata

Title
RECON VILLAGE - From Breach to Bust
Subtitle
A short story of graphing and grey data
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Degree (graph theory) Data management Presentation of a group Graph (mathematics) Multiplication sign Operator (mathematics) Computer hardware Information systems Convex hull Computer-assisted translation Information security
Execution unit Multiplication Information Multiplication sign Graph (mathematics) Mereology Cartesian coordinate system Twitter Degree (graph theory) Term (mathematics) Graph (mathematics) Self-organization Quicksort Game theory
Category of being Sensitivity analysis Graph (mathematics) Information Demo (music) Shared memory Videoconferencing Self-organization Right angle Quicksort Cartesian coordinate system
Type theory Slide rule Information Code Transformation (genetics) Energy level Right angle Quicksort Cartesian coordinate system Row (database) Number
User interface Service (economics) Functional (mathematics) Information Demo (music) 1 (number) Set (mathematics) Cartesian coordinate system Twitter Different (Kate Ryan album) Hill differential equation Right angle Quicksort Traffic reporting
Web page Greatest element Information Direction (geometry) Function (mathematics) IP address Leak System call Number Term (mathematics) Function (mathematics) Single-precision floating-point format Videoconferencing output Website Right angle Quicksort output Associative property Address space Personal identification number (Denmark)
Web page Aliasing Slide rule Server (computing) Service (economics) Link (knot theory) Code Multiplication sign Drop (liquid) IP address Metadata Number Cross-correlation Term (mathematics) Different (Kate Ryan album) Computer configuration Single-precision floating-point format Differential equation Scripting language Curve Execution unit Multiplication Graph (mathematics) Information Mapping Shared memory Graph theory Type theory Search engine (computing) Blog Radio-frequency identification Order (biology) Website Right angle Quicksort Intercept theorem Resultant Library (computing)
Execution unit Graph (mathematics) Information Demo (music) Graph (mathematics) Multiplication sign Graph (mathematics) Sheaf (mathematics) Gene cluster Set (mathematics) Twitter Facebook Software Different (Kate Ryan album) output Energy level Right angle Circle Data structure Traffic reporting Family
Digital photography Graph (mathematics) Information Term (mathematics) Screensaver Right angle Pattern language Shape (magazine) Office suite Mereology Connected space Twitter
Group action Graph (mathematics) Information Term (mathematics) 1 (number) Motion capture Right angle System call Number
Type theory Graph (mathematics) Information Multiplication sign Infinite conjugacy class property Videoconferencing Right angle Table (information) System call Number
Number
Greatest element Graph (mathematics) Link (knot theory) Personal digital assistant 1 (number) Right angle Quicksort System call Number
Domain name Email Email Information State of matter Direction (geometry) Number Different (Kate Ryan album) Password Self-organization Right angle Address space Personal identification number (Denmark) Position operator
Multiplication sign File format 1 (number) Database IP address Web 2.0 Type theory Internetworking Profil (magazine) Energy level Address space Domain name Pairwise comparison Execution unit Standard deviation Email Information Electronic mailing list Core dump Menu (computing) Subject indexing Software Query language Statement (computer science) Self-organization Website Right angle Freeware
Domain name Metropolitan area network Meta element Slide rule Email Standard deviation Meta element Myspace Inheritance (object-oriented programming) Multiplication sign Field (computer science) Process (computing) Profil (magazine) Term (mathematics) Right angle Differential equation Quicksort Address space
Domain name Multiplication Dot product Server (computing) Information Block (periodic table) Letterpress printing IP address Term (mathematics) Different (Kate Ryan album) Infinite conjugacy class property Chief information officer Website Hill differential equation Right angle
Process (computing) Software Personal digital assistant Internetworking Self-organization Energy level Right angle Spacetime Neuroinformatik
Web page Email Block (periodic table) Multiplication sign IP address Bookmark (World Wide Web) Neuroinformatik Mathematics Software Internetworking Right angle Quicksort Office suite
Email Greatest element Process (computing) Information Demo (music) Block (periodic table) Ferry Corsten Normal (geometry) Right angle IP address Address space
Web page Facebook Email Information Password Website Configuration space Right angle Address space Twitter
Aliasing Link (knot theory) Multiplication sign Source code Information privacy Number Neuroinformatik Facebook Internetworking Cuboid Physical law Information Office suite Relief Address space Computing platform Execution unit Email Myspace Information Sine Interior (topology) Bit Inclusion map Right angle Quicksort Service-oriented architecture
Email Bit rate Confidence interval Interior (topology)
okay so I have to delight today of introducing our keynote speaker Andrew Macpherson were delighted to have him here he's the operations manager over at Catawba with a degree in information systems and apparently an uncanny knowledge of cat memes so I don't know how many were going to see today he's now been with potato before since 2007 so in over a decade he's managed to and I will read this from here he's got a decade of graphing arguing and tea making skills and we are absolutely delighted to have him here aside from LT going he's also got keen interest in hardware and security so I will now invite Andrew up hopefully everything's going to technically get connected and work for his presentation breach to bust okay hi everyone welcome to the first talk of the day I'm surprised it's grateful very early for Vegas time at least 12 o'clock I'm quite impressed the village has like a 12 o'clock first lot that's more my kind of style to to be at that time okay so my talk is called from
Beach to bust a short story of graphing and gray data so we look at some like breach data and like some great things in terms of how we how use it within multi go or within any sort of graphing application and what we can do with it from there so I'll do a little bit of like Who I am and multi go then we'll look at some common OS in tools and I know some of them are being presented here later then we look at graphing so like how we make sense of relationships with layout and sizing and things and then we look at some of the OS in tools without the OS part or like using grey data okay is that better and then I've got a nice example of the breach data and how we'll use it to kind of find something based on like one of the organization's while the microphone is skewed yeah and they will look at like what I think of recent in the future when we're going to do it okay I mean yeah that's that's right right near my pace that's okay can everyone hear me no maybe okay I'm just gonna switch to this one minute can everyone hear me now okay this one better okay unfortunately now you have to hear the whole talk at the back okay so it's not
my name is Andrew Macpherson and remark on Twitter I benefit over about 10 or 11 years so I have an information science degree I spend a lot of time on flights as you can see there I've sold the game 2048 the only thing on my phone a lot of times generally I talk too fast I'll try fix that also last year my hair was white my friends are terrible so they called me Malfoy for a long time they don't even have that leather coat and then a part of this thing called shame Connie okay so just a little
disclaimer at the beginning like this is not a sponsor talk right I know they'd like as petrova we do give some licenses for the prizes but like weird this is not related to that then some of the information that we have like it might show details about individuals who work like an organization but I just be reasonable human beings like don't go and say like oh we're gonna find it or tweet at them or share that or go and look it up and I think that's quite important part of like always saying like as soon as you get sensitive data on someone like it might be cool to show your friends but like it's not really that cool to be like here's everything about a person without the consent and everything and this is not gonna be a pain to talk like so I'm gonna use more TV a lot but I've also been there for like 11 years any sort of problem that I see I try and solve with multigo so someone's like where should I eat I'm like I've got a graph for this so I'll be using the tool but like I'll talk about like hey we can do this in many different ways and actually some of the talk later use some of the stuff that I'm talking about then I do have some demos so if that works good that would be great okay so if you know what
multi-car is you've got our website there's a ton of tutorials and videos but basically it's an application that
looks like this right you can drag in like any sort of information you can change it to whatever you want and then have the ability to run like a set piece of code it's like a very small thing that takes one type of information to another right that's the key concept of
it you just hear it for example and just have kept the MX records and then I could take that piece of information and these are just MX records but it could be anything that could be someone's name or an ID number anything else and then I can take those to another level right so we're just graphing stuff out and I need to one of those small what we call transformations is like a small piece of code or small application that we can integrate with okay so I have this slide
so I talk slower and they're pretty slow
so if we look at like always st. and some of the stuff that we do is one thing that I find really interesting is that if I talk to someone who does this they've got like a whole tool set of tools right if you need to get like historical Twitter data there's like six or seven different reports that you can go to different applications that you can use and every one that I speak to you has like a ton of different ones right back if I speak to someone they'll be like have you heard of this tool I'll be like no that's weird they're right because there's like thousands of them so some of the ones that people use commonly I mean things like the harvester recon ng have a been poned Intel technique so that that web interface skiptrace and some of these are being used later today as the tool demos but basically like all of these have a function where you can use the tool to get some sort of information right so these are what I call single
layer tools and basically what you do is you provide some sort of input like whether it's email address or username IP address whatever kind of stuff that they've got and then they'll go and mine it or do whatever so here's just an example of recon ng so this actually I stole from a video but it's from booking.com and it just looked for like host names email addresses and then it generated this output right so it's a single layer up it's like one page and it says here's all your stuff that you've got or or they can just produce the output on the command line or any other way that you do it and these tools are really good like we need these tools we need more of them but I'm going to talk about like where we go from using something on a single layer or what I call single layer tools
so if we look at something like that's on a single layer so anytime we can click through something like it's a page and say for example this is just an example that I did earlier but let's say that you could look up a VIN number like you can go to the DMV website and you can say I put in someone's name and I get that VIN number of a car right of their engine so that makes sense people write a tool they say ok I go from this piece of information to the other that's fantastic that helps but unless we can pivot on that information then we're going to start losing stuff so here I'm just got an example so the top left is antarcticine that's me I'm good I can go from like my name to a phone number my name's a social security number like maybe there's a site that leaks said something that I've used to get that but what I can do in the second example is I've said ok take the things at the bottom and now I've run it again I said ok well I've got a VIN number show me show me the people associated with it and with that it just points back to me which is how it should write there shouldn't be other people associate with my social security number or with my number or anything like that so that's that's really nice for me I mean it trying to make sense here but as soon as I go to these people who are obviously bad so that's bad jimick Patterson it's like me but very bad and here I can see ok today's social security number and a VIN number but as soon as in the second step I say ok well let me see who else has these social security numbers then I get or if there's another person he's sharing it but there's two other people with a call and obviously that's something you want to look at that's bad in terms of this kind of data so you kind of think of it like a phone book so if I've got a phone book I can be like ok I go through the phone book and I say here's Andrew and here is the telephone number right and I can call him that's fantastic it serves its purpose but as soon as I want to find out like who else has the same number that I do like I have to go through the whole phone book right and that's a pain like we need to be able to have a way to say ok if I can go from one direction then I want to be able to pivot back to go in another direction for that
okay so I'm gonna do a little bit of like cropping and the graph theory but of course my slides are done with multi go but like there's tons of stuff that's available right there's like d3 and Kaffee and stuff and especially like the hard work that the Google Chrome team put into JavaScript like those JavaScript libraries now are fast and they are options that you can have in terms of graphing different stuff so obviously since I've worked at pit server for 11 years like there's no way I can even see a graph that's not multigo and these two basic things that I'm going to talk about yet so the first is like if we look at orders so a lot of the time you want to say okay we're only gonna find good stuff after like a certain amount of order so basically the number of orders is bigger than 2 and if you look at the first one then we have like fast single order links so in example I gave is like let's say you've got five individuals or five aliases or five names that you need to look up right what you can do you can just be like okay i go to google i put in the names credit whatever search engine you use and i go through the results right i write them all down i put them in an excel sheet that's awesome you'll have it for one person then you go to the next person the next person and now you've got these but now you don't have any correlation between them all right maybe I'll say okay well actually I've seen the same person's name on one page but what you'd like to do is you'd like to say okay I've got five different people show me all the results so that I can see like hey these five people three of them are mentioned on the same website maybe different pages but now I can say like hey this is probably some way that they're all connecting on even if it's not public so I can look it like the metadata around it essentially to be able to do that and then also like the things that do the first sort of stuff are those single layer tools stuff that like let you quickly do take one type of information to another so here at the top what I've done is these just we use something called bolt with and you can go and look at what's in the page in terms of relationships it just shows you like Google Analytics and things because what I want you to find in this example was that I can see okay does anyone share the same Google Analytics code right because then I know like oh they're all probably connected to the same account this is something that's useful for me but I'm not going to go to every single page like I'm going to run a script or I'm gonna run an application and over here I've taken three different websites so just put it up on absurd zero today and NSA gov right and I just said show me these relationships go through the pages get that out and here it's got those different results okay but now because I can pivot on it I can get to a second order this is where it becomes more useful so over here you can see that there's a couple of different sites like for pets over comm is one of our blogs and then for the others I could see other sites owned by that bank and now I can see like for any Sado curve there's a whole bunch of different sites and some of these are okay like some of these are the sites that I expect so that one seems like aimed at NSA or intercept or army but there's a whole bunch of other sites that I don't know about that now I can link up because I can do this correlation so just say from one step to another and then from there I can go on alright and then we're going to looking at like how we can graph these together
so if we look at a basic drop like the big important thing is to say we go in the smallest smallest step so we can right so here at the top is we've got a bunch of IP addresses and we said what's running on these ports right - ran in map or whatever we got the ports back and then we can see our there's a bunch of stuff that's running on port 80 like that's useful for sure but actually what you want to do is you want to say I want to break that down into smaller steps so here in the in the bottom drop what I've done is I've said okay I've got all the same IP addresses and now I've taken them to the port and the service so now I have the ability to see okay I can see that correlation on like a second order and I can see that is yeah I can see that there's multiple things running say for example Apache on 80 or something on 80 81 but here because I've broken it down in the different steps I now can see that sort of information that's available okay then obviously
like dropping gets much further so this is just a tweet that I saw online from something called phishing AI or phishing AR account and they just like tracked all the different things that were involved in our iOS MDM attack and actually they found something else they said like hey using graphing and using the ability to go from one small piece of information for another and keep them connected they could find like another piece of infrastructure that wasn't included in the original report so that's kind of where you're going to start using this in terms of that then
there's just three sections that we'll talk about in graphing and then I promise there's a good demo to end just stay for that right set your alarm it'll be okay so the first thing is that there's different layouts so that's how stuff is laid out right and this actually makes sense so when I look at other graphing tools a lot of the time they just have like a fixed layout and it's usually this one at the bottom right but what you want to do is you want to have these layouts so the first one is just called hierarchical you just go from one step to another so if you're doing like a very structured investigation or something on network level like that makes sense to use right but if you're using it on people you're not going to use that layer then the second one that I've got is called the circular right because it makes things in a circle very clear with these names so this one is basically all the things that are connected are in that big circle in the middle and if they're not connected to each other then they're further outside right so I can quickly say hey these things in the middle these can't that's what I'm looking for right and then the last one is called organic so what that does is it just put stuff as close together as they are related which is super useful if you're looking at like social networks or something like that because I can say well ok I've got let's say my account on whatever Facebook Twitter any of your social networks I can say show me all my friends and I can get all my friends are right everyone that I know and then I can say show me all of their friends and because they're connected on organic so they're placed on the grow up how close they are together I'll see like different clusters I see things like oh all the work people know each other and some of them know me so that will be a cluster or all the people who are family members all the people who are from the same town so that you can kind of use to say okay cool we can we can look at that and actually we did a an investigation a while ago if someone was like doing something ridiculous like selling meth on Facebook and they've become friends with all the people that they were selling to you right which if you're gonna do this don't become friends with them all right just like a 101 on that but they found like okay so we looked at the graph and we looked at these relationships and obviously there were like a lot of people who are like friends or family like a cluster that you could see and then they were just like one huge cluster of everyone that didn't know anyone else in the graph was further away and then only connected to the the target that we're looking at and of course like if you figure out that some of those people were buying like the rest of them were probably buying as well right you need the different layouts to be like we can figure out where to go from here
then the next thing is sizing so because we are people that are really good at being able to spot like patterns and stuff we want to use as much in terms of the layouts and the sizing that allow us to identify this stuff so we say for example here we'll say okay well show me things that are important on the ground so many things have got lots of connections coming in right stuff I want to see but if I look at this one over here this makes sense because if I just said okay only the amount of nodes connecting to this that's what I want to size on right you don't want to do that so this person over here just says there's two things they come into one other piece of information okay so we're not going to make that the same as something with these two things that come into one piece of information but ifs if it pops that's what's called a Bois de st. because here you have something like oh there's someone that has a typo in their name and they both come to the same whatever piece of information then I don't care that much about that but I care if I've got to like completely discrete parts that go to one piece of information right but then I'm saying hey lots of stuff is pointing to this so yeah we can look it like you want to change the size in the shape based on what information you've
got then the last thing is collecting or grouping so this is really important in terms of if I'm looking at information so if you look at that first graph like that's great for a screen saver like you're at the office you need to look important like have this right there's like just Twitter photos this is oh oh
that's just like a mace in terms of a graph because there's so much information on that graph and most of it you probably don't care about or need so the second one like we've we've collected it slightly more so we've said okay well here are all the ones that are connected and here are just things like where people have a million followers that aren't connected to the group so that makes no sense and then the last one I've just made it like much smaller and this is easier to do so I just got three accounts here and I say because I put these in collections I can quickly see the groups that I want so this is like oh this 23 between all three of these accounts there's 200 between these two and here I can see the outside like I don't have these 3,000 extra nodes filling up my graph and in terms of that ok so just going to show you a demo of
this quickly so what it did is coming for dear far and South Africa and I said hey do you mind if I get some capture data from a phone that just says like you in and did a pick up of a phone you got all the call data and then I went to just like view the call data and I'm only going to look at like outgoing numbers so one number called another number right that's all the data that I took from it so I can illustrate like why we'd want to do graphing in terms of that okay so
don't worry about what I'm doing there's probably a video tutorial of some kind on this okay so I can say import graph
the table I'm just gonna select it so let me just
show you it looks something like this
yeah okay so just as number day time call type and I can see okay this is the information that's available right so someone just pulled it off a phone no
that picked up so I'm gonna take the first one and I'm just gonna put it into my graph here okay I just look at it it just says cool we're gonna go from the
number that you've got to any of the things that you've caught say next I'm just gonna put it in here okay and this is fine like this is totally what I expect there's a number in the middle it called a bunch of numbers right and actually I mean Excel will be amazing at this you don't need a dropping tool for this okay but now what I want to do is I
want to take like from multiple different phones that were captured in the same investigation so I could say
okay I'm gonna take two two nine here all right just say next I'm gonna do the exact same thing okay so the same thing
just going from the number to whatever is in the name column which is a number
and I'm just gonna put it on this same graph okay now because I've done that I
can now look at my graph and I can start
exploring it so in this case I'm gonna switch the layout right because this makes a lot more sense to me and if I start looking at this data I can see okay here's two people well let's look at the bottom here so here's two people who have made calls and obviously they've got one shade number right it's I could probably do this as well so if you need that there's probably some ways that they can figure that out right so just say okay if I've got these two calls there's a link between them maybe that's how they communicate but if you look at the graph at the top so if I use this over here you'll see that there's this number over here and there's another number on this side right and these two numbers have called different numbers and because we've got all the data from those phones as well I can see that in the middle in the middle over here there's one number that's called or that's been called by three different ones so I can see that the relationship between this node and this node is actually through another number okay so now I start getting that data and if I size it then I can see like hey these are the connecting nodes that we spoke about earlier so this is where you kind of use that sort of stuff okay so
now we're going to get into the more exciting stuff now that we did the job okay so we look at some of the origin data obviously there's a ton of different stuff that you can get to and if you look at something like have I been poned like I'm in tons of these it's great every couple of weeks I get one of those emails that says like there's more breach data with your information in but data breaches happen
a lot right so like South Africa had a phenomenal one where like 60 million were our ID numbers like Social Security numbers got leaked including people's names where their work addresses just basically everything on everyone in South Africa right and then obviously the reddit one happened last week the week before so when they do happen people are usually like okay we can do a basic audit of the data like almost right away you see something like you know when Ashley Madison came out everyone was like oh state.gov is in there so people say okay well what we can do is we take our organization we look at anyone who has this domain and we see if it's ended right because either we want to laugh at them or we need to actually protect our stuff and we can look at like how people look at how weak the passwords are and if it's positive use and things like that but generally they only start from like a domain or an email address that they really know so there's like a ton of work done on this but they almost always go in the direction that the data was intended for so you log in and looked you up and sees if your password is
right and then secondly like if we're looking at this kind of stuff like everyone is like oh you know like where would you find them like they're everywhere right you can go like so here's one of the sites that I'm not going to say I went to but say that there was a site that looked like this and you can just download it like all of these different breaches they're there in their own formats and like either it cost something about 20 dollars or it's free right depending on how old something is I pay you can download the snapshot DB I mean tons of the stuff is like X like it's on the open web it's not even like hidden away anyway and it usually contains super useful information especially if you're doing or is st. on like organizations and not just people like we'll look at the example that you just know but also unlike on a network or an infrastructure level on these organizations because I can start looking them up so using the things like post name last name IP addresses like either in sign up or the one that you used Mesa just synched to other users email addresses so like your standard list of things will be in everyone and they've obviously more specific for each breach that happens right so we can get these on the internet and I think that
we should start using them a lot more so the one thing is they do need a lot of fixing like a lot of the time they're quite difficult because it come in different formats and they're all different databases and you've got to have all that stuff and then they're really good for like the way that they were intended but you've still got to go and fix some stuff to say okay I've got a domain I need to get to the various profiles because previously they wouldn't have indexed the domain so you need to make a new column you've got to get it index it's quite it's quite a pain to do then the things like IP addresses they've got the actual IP address written out so you've got to go and convert it to a long otherwise you can't search a big duck like it just takes too long so if you want to desserts like anything like any of the last really big ones or bigger ones like if you did they the IP addresses like that you could do the like statement like you could go home make food come back from lunch that query will still be running right and if we're looking at data like we need it really quick like we need that stuff to come back so we can use it so we can validate things that we've already got so here for example like you need to convert it to long so you can just do a quick in comparison or long comparison so I so I
actually asked these people I hate should I put your name in the slides do you want to be known for it but they haven't got back to me so for now I'm gonna say they are friends that I have that have the data and they wrote some transforms for me just so that I can query it because obviously they've had to go and do all this hard work and they've got tons of the different breaches that I can use so the first sort of stuff is usually a little bit interesting like I take my email address I can see or one of them I can see like oh it was in Dropbox and linkedin myspace and things like that and usually I can attack where the stuff like what a forward manner so I say email to the profiles or domain to the profile IP addressed to the profiles and and then I can start looking at that and then of course people like or if I am looking at this data like let's say we've got Ashley Madison or we've got the the LinkedIn data so we'll say okay well people shouldn't use their work email address right that would be insane like why would you register on LinkedIn with your work email address because what if you need a new job but of course that does happen and we find it like all the time so but actually if we're trying to target people who like so for example we'll look at like the CIA or FBI like if you registered with your FBI or CIA email address on MySpace or like Dropbox like that's pretty bad right that's a bad idea like even on like Ashley Madison like you're sitting at work you're like I'm gonna use my work in legit that would be insane right so of the like ten people who are in there who have done that like those are not the people I want in sergeant or maybe they are the people I want to talk about right because they've done that from work but actually I want to say well I don't care about them I want to find out like the other people that are there so how do I find out like okay if you work at the CIA like how I possibly find out that you're in these dance if you didn't register with your CIA email address right because what I want is I want like oh you you're at Yahoo and then I can be like okay you probably are there anymore you're at gmail and then I can email you that and so we can look at like how we can go and explore that kind of data in
terms of it so now we want to say okay well if we can look at a second order we can correlate this data breach with external data so I can do like the standard or a same stuff and then I can say what I've got this to enrich that data another like meta or the less use field or super super important because I can start looking for interesting stuff in there so I'm just going to do example
on the Ashley Madison one so firstly
like I know I keep talking about multi go but like it's really good for footprinting so to show you an example like so we're going to start with like let's say we're targeting the CIA so hopefully this works right if you're
using the tool you say I put in a domain CIA dot right and I can say things like okay I want to find all the DNA's so
this would be the same as using like in there's other tools right I'm just it's just brought into this but you could do you do with anything so say just show me all the DNA's and you get like a bunch of different information that comes out so the name servers are an echo my but I can see some of the websites I can see that they've got real a two or three whatever this stuff is right so I've got a lot of this and then I can say okay well I take all of this and I looked at it in terms of an IP address and they can see I paid rest on a block but basically I can put print this stuff and actually with the way that we do it you don't even need to know what you're doing in terms of a footprint right so one of the things that you can do is like because we're automating all the stuff obviously we also look at some of that so I say I've got a domain here and I say cio.com and now instead of having to go through all of that or show you like everyone here I could just say I run this thing called a footprint no-one and it just
automates this thing so look like I don't have to touch the computer and then it will go through this process and then eventually I'll have the kind of basic level network stuff for this organization right so in this case of the CIA because what I wanted to do is I want to say well if I can figure out all of the network space then I can start saying well all is the network space anywhere else on the Internet and then I can start saying well if I can figure out where they come from are they in any of these breaches so that I can start using this so the one way that I can do
it so yeah look we just did a footprint like here's the picture over here there's that one and eight 81 everyone
remember that okay because it should be this one I guess so this one over here is 1 9 881 once you know all right so this is I mean this is the date like
we're not making this up so then what I
can do is I can say ok awesome if I've got this network block like this is the network this is where the CIA comes from I can go look on things like Wikipedia which is my favorite right because I can say from this network block what pages have been edited ok and the CIA loves to edit my favorite of all time this page called lightsaber combat right so I just imagine like they're there at the office being like can't believe someone made a change from our page again and then they're going back and editing that page and of course if they're not locked in like it logs the email the IP address right if they are logged in it has you name but if they're just gonna edit a page like they we get their IP address so here already we said okay we use some OS and stuff we've got the cia's network we've got the IP addresses and now I can see like if anyway in those net blocks they've edited a Wikipedia page I know that's how they get onto the Internet right because if you work they like they're not like oh just go browse the internet from your computer it's fine like it has to go through like some sort of devices like some IP address that's checking that you're not like stealing all the data maybe one hour works making sure that you're not like doing anything but because I have that I know that those particular IP addresses have access to the Internet and I have access to the inside Network right there's people who work they are using it to edit the lightsaber combat page it's very important work that they do over there okay so if I've got that I also know about the people right so if someone edits like every single lightsaber related page then I would run a lightsaber related phishing campaign right or I'd be like hey Jon you really need to stop editing that page it's getting weird okay so if we go
from there so here we've found that particular NIT block and you can say from that NIT block we can get like I'm just gonna pick on one IP address just to kind of show this stuff so we've got this IP address over here at the bottom and we say that's to see IX nerd did obviously there's lots but this is one of them and here I can see like all the stuff that it's edited right so there's like intelligence things I'm like okay it looks right for my target this is the kind of information that we're using and now we can start exploring okay if we've got that exit node can we go into the breach data because remember like if they logged into se medicine like it logged their IP address so they're sure they're not using CR a.com as the email address on the account but they are using that IP address cuz they're using it from work like if he's editing lightsaber combat at work like he's probably doing a lot of stuff that's not work-related okay so I've hidden I have actually we have actually hidden the names and I'm not gonna be able to do the demo live because then everyone will see it and it'll be weird but you could go and look it up if you understand the steps and it's still a relatively simple process we're just linking like small pieces of data okay so I got to see our exit node then I find like one account but there's a lot but I pick one account that says okay this is an account that was in these data breaches right that comes from that IP address so to come from that IP address you got to work at the CIA then we find like okay well that account I can say well what email address did you use and now of course I have like a gmail account right so I have so many works there and I have their private email address and now I can say okay well like you can do better back to normal augustin stuff be like wait and we find this gmail address
right and then there's like a CV so here he works at the CIA and he has a particular like he has it in there that he's been a since 2011 I don't know if he's still there well I'll talk about it just now okay and then it gets like
really bad so here's a github account writing he house like this portfolio website and in the portfolio website he uploaded his config and his configure that's this thing called Gmail dot ini and in the Gmail design I it has a password for his email address right then also you can find like a Twitter account that he says he's a typical techie so I know that the technical person a problem I don't know really look at this but then also like there's you know there's a Facebook account as well so you're going like have it up all this information like you normally do and you say like hey all we did was we found out that you're in it at a Wikipedia page and now we use because we can use like external data or data that we have that maybe isn't traditionally or recent like now we have a lot more information about the people or what I'm
having of course like for this a contact this could just be a honeypot right like they I don't know how they would have added it but they could have set this up to be like hey check this out like and see if people start trying to email from there or something else no but of course that
data does link to each other okay so that's an example of how we use that sort of stuff and then I just want to finish with like what I think that always cinch in the future so obviously we have like a ton of gdpr stuff like everyone in the room probably has heard about it right it's a little bit of a pain it is really good for users right because we have privacy on the internet because everyone is going to get like sued or something if they store my information but of course it does make mean that like if we're an investigator like that information is becoming more and more scarce like we're way past like the golden era of orison now so remember like when myspace was around people were like hey fill in your details also put where you work and how much money you make like if I go and tell someone like oh I saw your facebook but you didn't in your bat box put where your current salary is like people I'm a lunatic okay but obviously like back then we could say cool we got an email address we found an account and it's got tons of data and it's open so it's becoming like a lot more difficult and especially we look at things like you know like my mom knows about gdpr that she can barely turn on the computer and she's like hey have you heard about this thing I was like yeah it's over now but because of that like obviously there's there's no more like you know the things that we took for granted before like we could search from platforms like Facebook or LinkedIn or Amazon or whatever we could search for email addresses and telephone numbers and go directly to accounts like now we have to either use holes that are still open for the time being but like they will be closed and then we have to say okay well we go from like aliases or something else small piece of information to try and get to these accounts things that aren't concrete really that we had before right then obviously like who is is basically gone I don't know what's happening with it I think they're still debating so now I can't even see the varies to try and say like all these people registered with the same fake name like that makes good sense to me and then also like the historical information is also probably going to go I guess because they're storing all that information on people and no one gave their consent so now we're going to
start like I bought at least in my opinion like we're gonna start seeing stuff move to more like underground sources so we really have stuff where there's like paid for api's where you can pull that information from people you have that but like now it's just going to move further into that thing right so we have this whole policy clash with availability because I say I need to get that information and it's in this data breach can I have it in the office and everyone I'll be like there's no way you're allowed to keep a data breach in the office so you'll have to go through a third-party data broker to say I can go from this information to that particular one so I think that that's probably where it's going to go through and we're gonna see stuff being like okay we've got different sources that we
have to use so we're gonna start seeing more smaller pieces of less concrete data to get to it and we're gonna rely a lot more on our correlations and like the confidence rating that we have and obviously were gonna do like a lot more graphing stuff to say like hey we can take all these small pieces and link them like on other small pieces until we get to something that we can find so using like the breach data various people api's or other new polls that we can find in the meantime while they do okay so that was
me if you have any questions you can either tweet me your email is a picture of a small girl with a machine gun that does yeah so that was it thank you very much [Applause]
Feedback