FOCA 2.5 PowerPoint PPT Presentation




Presentation Transcript


FOCA 2.5

Chema Alonso


What’s a FOCA?


FOCA on Linux?


FOCA + Wine


Previously on FOCA…


FOCA 0.X


FOCA: File types supported

  • Office documents:

    • Open Office documents.

    • MS Office documents.

    • PDF Documents.

      • XMP.

    • EPS Documents.

    • Graphic documents.

      • EXIF.

      • XMP.

    • Adobe InDesign, SVG, SVGZ (NEW)


What can be found?

  • Users:

    • Creators.

    • Modifiers.

    • Users in paths.

      • C:\Documents and settings\jfoo\myfile

      • /home/johnnyf

  • Operating systems.

  • Printers.

    • Local and remote.

  • Paths.

    • Local and remote.

  • Network info.

    • Shared Printers.

    • Shared Folders.

    • ACLs.

  • Internal Servers.

    • NetBIOS Name.

    • Domain Name.

    • IP Address.

  • Database structures.

    • Table names.

    • Column names.

  • Devices info.

    • Mobiles.

    • Photo cameras.

  • Private Info.

    • Personal data.

  • History of use.

  • Software versions.


Pictures with GPS info.


Demo:

Single files


Sample: FBI.gov

Total: 4841 files


Are they cleaned?


FOCA 1 v. RC3

  • Fingerprinting Organizations with Collected Archives

    • Search for documents in Google and Bing

    • Automatic file downloading

    • Capable of extracting Metadata, hidden info and lost data

    • Cluster information

    • Analyzes the info to fingerprint the network.


Sample: Printer info found in odf files returned by Google


Types of Engineers


DNS Prediction


Google Sets Prediction


Demo:

Mda.mil


FOCA 2.0


What’s new in FOCA 2.5?

  • Network Discovery

  • Recursive algorithm

  • Information Gathering

  • Software Recognition

  • DNS Cache Snooping

  • Reporting Tool


FOCA 2.5: Exalead


PTR Scanning


Bing IP


FOCA 2.5 & Shodan


Network Discovery Algorithm

http://apple1.sub.domain.com/~chema/dir/fil.doc

1) http -> Web server

2) Get HTTP Banner

3) domain.com is a domain

4) Search NS, MX, SPF records for domain.com

5) sub.domain.com is a subdomain

6) Search NS, MX, SPF records for sub.domain.com

7) Try all the non-verified servers on all new domains

    • server01.domain.com

    • server01.sub.domain.com

8) apple1.sub.domain.com is a hostname

9) Try DNS Prediction (apple1) on all domains

10) Try Google Sets (apple1) on all domains


Network Discovery Algorithm

http://apple1.sub.domain.com/~chema/dir/fil.doc

11) Resolve IP Address

12) Get certificate in https://IP

13) Search for domain names in it

14) Get HTTP Banner of http://IP

15) Use Bing ip:IP to find all domains sharing it

16) Repeat for every new domain

17) Connect to the internal NS (1 or all)

18) Perform a PTR Scan searching for internal servers

19) For every new IP discovered try Bing IP recursively

20) ~chema -> chema is probably a user


Network Discovery Algorithm

http://apple1.sub.domain.com/~chema/dir/fil.doc

21) /, /~chema/ and /~chema/dir/ are paths

22) Try directory listing in all the paths

23) Search for PUT, DELETE, TRACE methods in every path

24) Fingerprint software from 404 error messages

25) Fingerprint software from application error messages

26) Try common names on all domains (dictionary)

27) Try Zone Transfer on all NS

28) Search for any URL indexed by web engines related to the hostname

29) Download the file

30) Extract the metadata, hidden info and lost data

31) Sort all this information and present it nicely

32) For every new IP/URL start over again


FOCA 2.5 URL Analysis



Demo: fbi.gov

whitehouse.gov


Customizable Search


FOCA + Spidering



DNS Cache Snooping

  • DNS Cache Snooping + Evilgrade

  • DNS Cache Snooping + AV bypassing


FOCA Reporting Module



Demo: DNS Cache Snooping


FOCA Online

http://www.informatica64.com/FOCA


Cleaning documents

  • OOMetaExtractor

http://www.codeplex.org/oometaextractor


IIS MetaShield Protector

http://www.metashieldprotector.com


Questions at Q&A room 113

  • Chema Alonso

    • [email protected]

    • http://www.informatica64.com

    • http://www.elladodelmal.com

    • http://twitter.com/chemaalonso

  • Working on FOCA:

    • Chema Alonso

    • Alejandro Martín

    • Francisco Oca

    • Manuel Fernández «The Sur»

    • Daniel Romero

    • Enrique Rando

    • Pedro Laguna

    • Special Thanks to: John Matherly [Shodan]

