Metadata Extraction using FOCA
By Sudhanshu on March 1, 2013 in Analyst - 0 Comments
In this information age, data is crucial. From an information security point of view, data is also what everybody is after. Data loss can have a very negative impact on an organization, financially as well as reputationally. Most of the time people share their data knowingly, but sometimes we reveal critical information without realizing it, in the form of metadata, and this data can play a major part in a cyber attack.
Metadata: Simple data can be described as raw values which need to be processed in order to generate information and derive knowledge. Metadata is commonly described as ‘data about data’; however, this definition is not complete and does not cover all properties of metadata. A better definition, as given by Wikipedia (http://en.wikipedia.org/wiki/Metadata), is as follows.
Metadata (metacontent) is defined as data providing information about one or more aspects of the data, such as:
- Means of creation of the data
- Purpose of the data
- Time and date of creation
- Creator or author of data
- Location on a computer network where the data was created
- Standards used
Metadata has been utilized for various purposes, from cataloging archives and data virtualization to SEO (Search Engine Optimization) for web sites. All of this metadata is put up intentionally by the owner for better and easier management of information; here we are going to talk about the metadata that users put up without being aware of it (most of the time).
We can extract metadata for a given domain using a tool called FOCA.
FOCA: FOCA means seal in Spanish. FOCA, or Fingerprinting Organizations with Collected Archives, is a tool that discovers files on a target website and extracts metadata from them. FOCA is a Windows-based tool for metadata extraction and provides a GUI for easy usage. FOCA basically uses search engines to discover files and then extracts metadata from them. There is also an online version of the application, which can be found at http://www.informatica64.com/foca/.

Figure 1. FOCA extracts metadata from a word document
The user simply needs to input a project name and the domain that is to be parsed for the discovery and extraction of metadata. FOCA utilizes different search engines to discover the list of files available on that domain. After the list is discovered, the user can download the file(s) so that the metadata can be extracted from them, as shown in figure 1. This extracted metadata could reveal sensitive information such as the OS in use, the specific application used to create the file, the name of the machine, etc. This information can help an attacker craft his/her attacks against an infrastructure.
Policies and procedures need to be developed for document sanitization before documents are hosted online. Strong policies and mitigation methods, such as the use of Data Loss Prevention (DLP) tools (MetaShieldProtector, OpenDLP, etc.), if employed properly, can help prevent such data loss and help the organization implement defense in depth.
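As an added example (not part of the original post or of FOCA), the following Python script shows what a sanitization step can check and strip in a Word (.docx) file: the author, "last modified by" user name, and authoring application/company fields that FOCA reports. The document is constructed inline as a minimal OOXML package, so no real file is needed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
# Namespaces of the OOXML property parts that FOCA-style tools read.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
# Per part, the fields that leak user names, internal naming and the authoring software.
PARTS = {"docProps/core.xml": ("dc:creator", "cp:lastModifiedBy", "dc:description"),
         "docProps/app.xml": ("ep:Application", "ep:Company")}

def read_docx_metadata(docx_bytes):
    """Return the identifying fields present in a .docx's property parts."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part, fields in PARTS.items():
            if part in z.namelist():
                root = ET.fromstring(z.read(part))
                for field in fields:
                    el = root.find(field, NS)
                    if el is not None and el.text:
                        found[field] = el.text
    return found

def strip_docx_metadata(docx_bytes):
    """Copy the package, blanking those fields before the file is published."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in PARTS:
                root = ET.fromstring(data)
                for field in PARTS[name]:
                    el = root.find(field, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, data)
    return out.getvalue()
# Constructed sample: the two property parts of a minimal Word document, no real file needed.
CORE_XML = (b'<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>jdoe</dc:creator>'
            b'<cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy></cp:coreProperties>'
            % (NS["cp"].encode(), NS["dc"].encode()))
APP_XML = (b'<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           b'<Company>Example Corp</Company></Properties>' % NS["ep"].encode())
def build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()
```

Running read_docx_metadata before and after strip_docx_metadata on the sample shows the user name, machine-style "CORP\jdoe" account and application fields disappearing; a publishing workflow would run the same check on every file before upload.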
By Sudhanshu on December 6, 2012 in security,Testing Framework - 0 Comments
Cross Site Request Forgery (CSRF) is a kind of web application attack which exploits the trust a website has in the user’s browser. In this attack the attacker sends a crafted URL to the victim, and if the victim clicks on it, he/she performs an action on a web application he/she is authenticated to. For example, an attacker may send the following URL to the victim, and if he/she clicks it, money is transferred from his/her account to the attacker’s account (the victim needs to be authenticated to the web application beforehand):
<img src=http://vulnbank.com/withdraw?account=victim&amount=10000&for=attacker>
To safeguard their users from such attacks, web application developers need to attach a unique request token to each request made by an authenticated user. This token needs to be unpredictable, must be associated with the user’s session, and should have a time limit on its validity. Implementing CAPTCHA and re-authentication for sensitive web actions would also be helpful.
To test web applications against this attack we can use CSRFTester by OWASP. CSRFTester is a Java application which records an authentic user session and, based on it, generates a web page which attempts to replay the same action. We simply need to run the tool, configure our browser to go through the local proxy (default port 8008), and start recording. After this we perform the web actions (through the browser) and then generate the HTML for them. The generated HTML page lets us check whether the application is vulnerable or not. Figure 1 demonstrates CSRFTester.
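The token scheme described above, as an added example that is not part of the original post: the token is an HMAC over the session id and an issue time under a server-side key (a constructed demo value here), so it is bound to one session, expires after TOKEN_TTL seconds, and cannot be forged by a page the attacker controls. The names handle_withdraw, issue_csrf_token and verify_csrf_token are assumptions for this example; a real form would embed issue_csrf_token(session_id) in a hidden field.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key-replace-in-production"  # per-deployment secret, never sent to clients
TOKEN_TTL = 900  # seconds a token remains valid

def issue_csrf_token(session_id, now=None):
    """Mint a token tied to this session: "<timestamp>:<HMAC(key, session:timestamp)>"."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"

def verify_csrf_token(token, session_id, now=None):
    """Accept only a token minted for this session that has neither expired nor been altered."""
    now = time.time() if now is None else now
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False  # malformed or missing token
    if ts > now or now - ts > TOKEN_TTL:
        return False  # expired, or a timestamp from the future
    expected = hmac.new(SERVER_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison

def handle_withdraw(method, params, session_id, now=None):
    """Server side of the withdraw action from the post. A state change requires a POST
    carrying a token bound to the caller's own session; the <img>-triggered GET in the
    post carries no token (and is not a POST), so it is refused."""
    if method != "POST":
        return "405 state-changing action must be a POST"
    if not verify_csrf_token(params.get("csrf_token", ""), session_id, now):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {params['amount']} to {params['for']}"
```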

Figure 1. CSRFTester
By Sudhanshu on December 4, 2012 in Analysis,CYBINT - 0 Comments
Most of us use social networks and image sharing platforms without realizing how much information we might be leaking. Sometimes we even reveal our current location through these platforms.
Creepy is a Python application which can extract this information and display the geo-location on a map. Currently Creepy supports searching Twitter, Flickr, twitpic and some other platforms, with some limitations. Creepy extracts the geo-location from EXIF information stored in images, from geo-location information available through the platforms’ APIs, and by some other techniques.
Creepy can be used in the information gathering phase of a pentest, and also as a proof-of-concept tool to demonstrate to users what information they are revealing about themselves. Figure 1 shows Creepy in action.

Figure 1. Creepy in action
We should be aware that this information might be misused by stalkers and people with malicious intent. To safeguard ourselves from such information leakage we can disable the geo-location features on social networks and on our smartphones.
By Sudhanshu on December 2, 2012 in CYBINT,Testing Framework - 1 Comments
There are many tools out there which can be used for the recon phase of a pentest, but Maltego stands out from the rest. Maltego is basically an OSINT (Open Source Intelligence) and forensics application which is very useful for information gathering. Maltego is capable of pulling open information from the web and connecting it together based on the transform used. Maltego works on a client-server architecture; the user sends queries using the client and sees the relationship diagram between different entities. As all the information collected is open source, we need not probe the original target, and hence no log is generated on it.
Sploitego is a transform package which extends the capabilities of the original Maltego tool and provides functionality that is helpful from a pentester’s perspective. Sploitego is developed in Python by Nadeem Douba, a Senior Information Security Consultant. It provides the ability to perform local transforms such as Nmap scanning, Nessus assessment and many more from within the Maltego interface. Figure 1 shows a simple IP scan result using a Sploitego transform.

Figure 1. Sploitego: IP Scanning
Unlike the original Maltego transforms, Sploitego uses locally installed applications to probe the target and generate results. This can be very helpful, as pentesters can now leverage the information gained through Maltego transforms and perform advanced fingerprinting on it from the same interface. Sploitego utilizes Canari, an extensible framework that allows developers to focus on the core data mining logic without getting into the details of XML serialization, debugging, transform installation, etc. It utilizes many Python libraries to perform its transforms, such as Scapy (a networking library with support for various protocols). Sploitego also allows saving the generated results in CSV format for later review. It can be downloaded from https://github.com/allfro/Sploitego. All in all, Sploitego complements Maltego by extending its power and elevating it towards a complete reconnaissance tool.
By Sairam Murali on November 28, 2012 in Analysis,Malware,malware,Malware Intelligence,malware kit,Malwarebytes,virus,vulnerabilities - 0 Comments
Abstract
In this paper, I have discussed various issues pertaining to Trend Micro. The issues and solutions discussed here apply to both servers and clients that are running Trend Micro OSCE. Some critical issues are also discussed, each combined with a definitive solution, for which the knowledge base has failed to provide an effective solution. There is also a comparative study at the end of the paper which shows that these solutions gave the best results.
Description
This paper mainly focuses on Trend Micro’s corporate anti-virus product. The main intent of this documentation is to troubleshoot issues that have been in existence, and a set of solutions is discussed here; if the mentioned issues are encountered in the production environment, this guide should help to extenuate the issue and make the production environment sanative.
Related Studies
1. Detailed study about Trend Micro OSCE corporate edition.
2. Trend Micro KB article on traditional approaches.
3. A descriptive study on Windows Server 2008 R2 edition and IIS v7.0
Proof
The solutions mentioned in this paper have been tested and all of those are workable solutions. The testing environment was Windows Server 2008 R2 and IIS 7.0.
Conclusion
This documentation has mulled over Trend Micro corporate anti-virus. Henceforth these solutions can be used to solve issues and promote production in a better way. This shows that Trend Micro works perfectly once the environment is sanitized.
Source:
Some contents mentioned in the paper were taken as a reference from the Trend Micro Knowledge Base, for effective troubleshooting and to present the traditional approaches that were available until now.
Download the article from the link below:
Trend Micro OSCE Server and Client Issue Optimization as part of Enterprise End Point Security
By DigitOnto on September 27, 2012 in Phishing,spam - 0 Comments
After being in hibernation for several months, I believe it is the right time to get back into business. Having said that, I was going through the SPAM folder along with a friend of mine on a common GMAIL account (because GMAIL is definitely awesome). We came across a really interesting email that looked just like LinkedIn, but, as you all know, it wasn’t.
Figure 1: Illustrates how closely it resembles an email template from LinkedIn, with links pointing to a different site.

When looking at the email from the original source, we could see the IP that it came from and the “Return-Path” information.

Whois from Domaintools.com indicated that this IP is from Ukraine:

UnmaskContent.com for the link in the email showed that the link was still active and redirecting the users elsewhere:

The above website has been listed in Web Of Trust (www.myWOT.com) in a very low ranking as shown below:

We thought this email was interesting because we received a second email that sounded more like a reminder to the previous one, although a few things were different:
- Google/Gmail detected this to be bad.
- It was from a different return-path email.
- Different source IP origination.
- Different links in the email.

The original source of the second email is as follows:

The Whois information for the sourcing IP:

We wanted to spread the word to all our readers to be cautious about such fake emails that appear to come from legitimate domains/organizations. SPAM and phishing emails like these are a whack-a-mole game. They keep popping up every time you kill an old/existing one, and the attackers constantly change their methods and techniques for attacking victims or for post-compromise call-backs. It can be seen as a game or war between the good and the bad, and the only thing one can do is keep up with the other side and provide defensive tactics & strategies accordingly.
Thank you.
Posted in Phishing, spam | Tagged Fake Email, Linkedin, Phishing, SCAM |
By HardWired on August 13, 2012 in Tools - 0 Comments
THC-Hydra 7.3 Updates:
* Hydra main:
- Added -F switch to quit all targets if one pair was found (for -M)
- Fixed a bug where hydra would terminate after reporting a successful login when an account would accept any password
- Fixed a bug with very large wordlists (thanks to sheepdestroyer for reporting!)
- Enhanced the module help
* configure script:
- Added fix Oracle library inclusion, thanks to Brandon Archer!
- Added --nostrip option to prevent binary stripping (requested by Fedora maintainer)
* Added a Makefile patch by the Debian maintainers to support their SecurityHardeningBuildFlags for the wheezy build as requested
* dpl4hydra: added install directory support
* All code: message cleanups
* SNMP module
- originally already supported write and v2 although this was not in the module help output. Added.
- added SNMPv3 MD5/SHA1 authentication support, though beta still
* HTTP module:
- fixed HTTP NTLM auth session
- implemented errata fix for HTTP digest md5-sess algorithm
- set default path to /
* HTTP Form module:
- set default path to /
- support HTTP/1.0 redirects
- fix failed condition check when pcre is not used
* IMAP module: fixed auth detection
* POP3 module: Updated auth and capability detection
* Oracle module: fixed bad handling
* Oracle listener module: fixed hash size handling
* Telnet/Cisco/Cisco-enable modules: support “press ENTER” prompts
* FTP module:
- Fixed a bug where 530 messages were incorrectly handled
- Clarification for the usage of ftps
* Mysql module: added patch from Redhat/Fedora that fixes compile problems
* Added IDN and PCRE support for Cygwin
http://www.thc.org/download.php?t=r&f=hydra-7.3-src.tar.gz
Posted in Tools | Tagged Cracker, Logon Cracker, passwords, pentest, pentesting, THC-Hydra |
By Sairam Murali on July 26, 2012 in Analysis,Analytics,attack,AVPro,Books,Electronic security,exploit,ISecurity,Malware,malware,Malware Intelligence,malware kit,Malwarebytes - 0 Comments
Abstract
It was all about the work I was involved in, where I had to provide solutions for malware issues. Initially the work started with solving all the issues using an anti-virus, but the thought provoked me: why can’t there be some other way of solving these problems? So the quest started, and initially I had to do a good literature review combined with research on the malware that affects PCs day to day or is most common among users. With this data I could arrive at some solutions, which I wanted to share with everybody so that they can also benefit.
Description
The main intent of this document is to provide a panacea for “issues or problems” that are caused by malware (or any infection) without the help of an anti-virus. The motive behind the design of this document is that even a LAY MAN who has NO KNOWLEDGE of MALWARE/VIRUSES can use this document to analyze the issue and follow the solution in the document to solve it.
Related Studies
1. A peer literature review of various corporate anti-virus products with their DAT file sizes.
2. Detailed research on malware.
3. Another document covering the most common viruses prevailing in the production environment.
Proof
The solutions provided were tested and have rendered the desired results. These results were carefully written up to make them understandable for every user who needs a solution for their infection.
Conclusion
This document is designed around the behavior of the malware and the solution for it. The documentation also addresses solutions for some issues that are common in day-to-day life and in the production environment.
Please drop your comments.
If you require any help you can very well email me or post your issue and I will try to revert at the earliest.
Download: Malware Issue Optimization in a Production Environment
By Sairam Murali on July 21, 2012 in Books,Conditions,Contributing - 2 Comments
This post refers to a document (enclosed in the link below) that provides a comprehensive set of steps to configure NTP in Windows, where you need to edit registry entries to get NTP configured.
The main motive behind the post is that these steps are precise and pertain only to the configuration of NTP and to making that configuration apply to all the computers. There are various other posts regarding the configuration, but the niche lies in hitting the bullseye: people tend to search, find diverse results, and later have to consolidate them to get the desired result.
Here, by contrast, it is straight and to the point, so that the time a user spends searching is reduced and he/she can continue with the information in this file to get the desired result.
Hope this document may come in handy for all.
Download: NTP_configuration_in_windows
Posted in Books, Conditions, Contributing | Tagged NTP Configuration, NTP in Windows Server 2003 & 2008, RFC 1305, RFC 958 |
By Kumar on July 10, 2012 in Tools - 0 Comments
The THC IPV6 ATTACK TOOLKIT (THC-IPV6) is a complete tool set for attacking the inherent protocol weaknesses of IPv6 and ICMPv6, and includes an easy-to-use packet factory library.
Features:
- added new tool: detect_sniffer6 (Windows, Linux, *BSD, OS X, …)
- added new tool: fake_router26 which gives more control on options
- added new tool: dnsrevenum6 which reverse enumerates the DNS
- added new tool: inverse_lookup6 which gets the IPv6 addresses of a mac address
- added new tool: fake_solicitate6 which lets you fake neighbor solicitation packets
- added new tool: address6 which converts between ipv6, ipv4 and mac addresses
- added new tool: passive_discovery6 which detects all sending systems and includes DAD detection
- much more
Download: http://www.thc.org/releases/thc-ipv6-1.9.tar.gz