1 / 45

FOCA 2.5

FOCA 2.5. Chema Alonso. What’s a FOCA?. FOCA on Linux?. FOCA + Wine. Previously on FOCA…. FOCA 0.X. FOCA: File types supported. Office documents: Open Office documents. MS Office documents. PDF Documents. XMP. EPS Documents. Graphic documents. EXIFF. XMP.

habib
Download Presentation

FOCA 2.5

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FOCA 2.5 Chema Alonso

  2. What’s a FOCA?

  3. FOCA on Linux?

  4. FOCA + Wine

  5. Previously on FOCA….

  6. FOCA 0.X

  7. FOCA: File types supported • Office documents: • Open Office documents. • MS Office documents. • PDF Documents. • XMP. • EPS Documents. • Graphic documents. • EXIFF. • XMP. • Adobe Indesign, SVG, SVGZ (NEW)

  8. What can be found? • Users: • Creators. • Modifiers . • Users in paths. • C:\Documents and settings\jfoo\myfile • /home/johnnyf • Operating systems. • Printers. • Local and remote. • Paths. • Local and remote. • Network info. • Shared Printers. • Shared Folders. • ACLS. • Internal Servers. • NetBIOS Name. • Domain Name. • IP Address. • Database structures. • Table names. • Colum names. • Devices info. • Mobiles. • Photo cameras. • Private Info. • Personal data. • History of use. • Software versions.

  9. Pictureswith GPS info..

  10. Demo: Single files

  11. Sample: FBI.gov Total: 4841 files

  12. Are theycleaned?

  13. FOCA 1 v. RC3 • Fingerprinting Organizations with Collected Archives • Search for documents in Google and Bing • Automatic file downloading • Capable of extracting Metadata, hidden info and lost data • Cluster information • Analyzes the info to fingerprint the network.

  14. Sample: Printer info found in odf files returned by Google

  15. Types of Engineers

  16. DNS Prediction

  17. Google Sets Prediction

  18. Demo: Mda.mil

  19. FOCA 2.0

  20. What’s new in FOCA 2.5? • Network Discovery • Recursivealgorithm • InformationGathering • SwRecognition • DNS Cache Snooping • ReportingTool

  21. FOCA 2.5: Exalead

  22. PTR Scannig

  23. Bing IP

  24. FOCA 2.5 & Shodan

  25. Network DiscoveryAlgorithm http://apple1.sub.domain.com/~chema/dir/fil.doc • http -> Web server • GET Banner HTTP • domain.com is a domain • Search NS, MX, SPF records for domain.com • sub.domain.com is a subdomain • Search NS, MX, SPF records for sub.domain.com • Try allthe non verified servers onall new domains • server01.domain.com • server01.sub.domain.com • Apple1.sub.domain.com is a hostname • Try DNS Prediction (apple1) onalldomains • Try Google Sets(apple1) onalldomains

  26. Network DiscoveryAlgorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 11) Resolve IP Address 12) GetCertificate in https://IP 13) Searchfordomainnames in it 14) Get HTTP Banner of http://IP 15) Use Bing Ip:IPtofindalldomainssharingit 16) Repeatforevery new domain 17) Connecttotheinternal NS (1 orall) 18) Perform a PTR Scansearchingforinternal servers 19) Forevery new IP discovered try Bing IP recursively 20) ~chema-> chemaisprobably a user

  27. Network DiscoveryAlgorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 21) / , /~chema/ and /~chema/dir/ are paths 22) Try directorylisting in allthepaths 23) Searchfor PUT, DELETE, TRACE methods in everypath 24) Fingerprint software from 404 error messages 25) Fingerprint software fromapplication error messages 26) Try commonnamesonalldomains (dictionary) 27) Try Zone Transfer onall NS 28) Searchforany URL indexedby web enginesrelatedtothehostname 29) Downloadthe file 30) Extractthemetadata, hiddeninfo and lost data 31) Sortallthisinformationand presentitnicely 32) Forevery new IP/URL startoveragain

  28. FOCA 2.5 URL Analysis

  29. FOCA 2.5 URL Analysis

  30. Demo: fbi.gov whitehouse.gov

  31. CustomizableSearch

  32. FOCA + Spidering

  33. FOCA + Spidering

  34. DNS Cache Snooping

  35. DNS Cache Snooping

  36. DNS Cache Snooping • DNS Cache Snooping + Evilgrade • DNS Cache Snooping + AV bypassing

  37. FOCA Reporting Module

  38. FOCA Reporting Module

  39. Demo: DNS Cache Snooping

  40. FOCA Online http://www.informatica64.com/FOCA

  41. Cleaning documents • OOMetaExtractor http://www.codeplex.org/oometaextractor

  42. IIS MetaShield Protector http://www.metashieldprotector.com

  43. Questionsat Q&A room 113 • Chema Alonso • chema@informatica64.com • http://www.informatica64.com • http://www.elladodelmal.com • http://twitter.com/chemaalonso • Workingon FOCA: • Chema Alonso • Alejandro Martín • Francisco Oca • Manuel Fernández «The Sur» • Daniel Romero • Enrique Rando • Pedro Laguna • SpecialThanksto: John Matherly [Shodan]

More Related