[unintelligible] He then came back to Recon Village last year to tell people how not to do that because of what he did the first time. Now he's back again. He loves coming back to our village and we're really pleased to have him. Without further ado, I'm going to hand over, and enjoy. Perfect, thanks. Thank you, guys. Thank you, everybody. I just want to say, speaking out of a smaller village, not that it's a small village, but speaking out of a smaller village, it's really intimate, it's really awesome and I like to see my audience. [unintelligible]
[unintelligible] I try not to be an asshole if you're going to replicate my work. I'm doing this for educational purposes only, right? And here they are actually. So, I ain't no lie anus, that's been a joke for the past couple of years. I am not a lawyer, I am not a stalker. I ain't no lie anus, sounds better that way I guess. So again, I'm not here to make life difficult for anybody. So use whatever you learn today wisely. And of course again, this is for informational purposes only. All right, so some caveats before we get started with the actual meat and potatoes. I went into this research not knowing what I would find. I wasn't looking for something specific. I just kind of aimed my code cannons at it and I wanted to see what was going to happen. So yeah, there was no particular target. I'm not trying to target anybody specific, no stalking this year. And this is just, there is much more to do in this space. This is just scratching the surface. So hopefully with the help of you guys, we get something done. But after the research, what can I tell you that we can expect here? Well, there is porn, there's porn obviously. There is username enumeration, password enumeration, and we'll get into that a little bit, sensitive docs and so on and so forth. And thousands and thousands of various media files. That's kind of the fun one. That's just fun to watch. Okay, so let's define a URL shortener. So a URL shortener, of course, you're taking a very big long descriptive URL and you're shortening it into something that is shareable. So you can share it among, let's say, Twitter or text messages, or it's just something very quick and easy, something that's memorable or at least easier to remember.
But all it really is is a 301 redirect, for your HTTP codes. These are just a 301 redirect to a different URL. So knowing that, we can follow it back. We can follow it back to where the original link went to. Now I chose is.gd as my target, as the URL shortener, for a couple of reasons. There's no membership required in order to shorten a URL. There's a consistent slug length. So what I mean by that is a lot of URL shorteners, maybe their slug length varies in size. So you have a URL shortener that only uses five characters, maybe some that use eight; is.gd only uses six. No more, no less. I feel like there's a Monty Python joke in there somewhere. I won't attempt it, but. So a six character slug length, it's always going to be six characters. And so there's also advanced shortening features, which makes this easy and low hanging fruit. So things to consider, of course, rate limits. I did check the terms of service for is.gd. And you can scrape all you want as long as it's only one link per second, per machine. So yes, every hour then you're basically able to scrape 3,600 links and so on and so forth. So what is that, 8,600 per day? Something like that. But yes, 3,600 an hour. So terms of service, of course, if you're going to use is.gd as a URL shortening service, they have some things that you'd want to mind, of course. No spam, no child pornography, of course, thankfully. No malicious content. So you can't URL shorten malware; if they detect it, they'll disable it, et cetera, et cetera. So basically don't be a dick. All right, the maths, because there's always maths. Now, no, I'm not British, but I do love the area. I've never been there, but maybe I love the culture. So okay, like I said earlier, all of the slugs are six characters in length, and they don't use special characters either. So no plus sign, no parentheses, nothing of that nature.
So you're looking at capital letters, lower case letters, and then zero through nine as your numbers. So if you take a look at all that, that's 62, that's 62 character possibilities in each space. So 62 to the sixth power, which gives you about 56 billion links, closer to 57 billion links actually. Now no, not all of these URL shortened links are actually being used, and we'll get into that in a second, but this is the entire space. This is exactly what can be shortened. And of course, if you have a lower case, a lower case word, like A through Z, zero through nine, it shortens that to about two billion, okay? So we're kind of whittling away at the possibilities, or we're trying to whittle away from population size to a sample size. Now, is.gd actually has some advanced, advanced URL shortening features, such as lower case word pronounceable. Okay, what exactly does that mean? Lower case word pronounceable is just consonant vowel, consonant vowel, consonant vowel. It's not actually a word, it's just what they consider word-pronounceable. So ba ba ba ba ba ba ba ba ba ba ba ba ba ba ba ba ba ba ba ba ba sounds like a, a sold that hog for $35 a bit. I wish I could do auctioneering better, but it made the joke better. So the word, so the lower case word pronounceable character set is either you're starting with a vowel or you're starting with a consonant and going from there. [unintelligible]
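The slug-space arithmetic above, as an added example that is not the speaker's code: it enumerates six-character slugs of the alternating consonant/vowel pattern described for is.gd's "word pronounceable" option and checks the counts against the 62^6 and roughly 2.3 million figures from the talk. The five-vowel / 21-consonant split (y counted as a consonant) is an assumption.

```python
import itertools
import math
import string

# Assumption: five vowels, y counted as a consonant (21 consonants).
VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)
SLUG_LEN = 6  # is.gd slugs are always six characters, per the talk


def keyspace_size(alphabet_size: int, length: int = SLUG_LEN) -> int:
    """Number of slugs for a fixed-length alphabet: 62**6 for A-Za-z0-9."""
    return alphabet_size ** length


def pronounceable_pattern(start_with_vowel: bool, length: int = SLUG_LEN) -> list:
    """Alphabet allowed at each position of an alternating consonant/vowel slug.

    Positions alternate strictly, so the whole slug is fixed by whether
    position 0 is a vowel ("ababab") or a consonant ("bababa").
    """
    return [
        VOWELS if (i % 2 == 0) == start_with_vowel else CONSONANTS
        for i in range(length)
    ]


def pronounceable_size(length: int = SLUG_LEN) -> int:
    """Closed-form count: product of per-position alphabet sizes, both starts."""
    return sum(
        math.prod(len(alphabet) for alphabet in pronounceable_pattern(start, length))
        for start in (False, True)
    )


def iter_pronounceable(length: int = SLUG_LEN):
    """Enumerate every slug in the pronounceable subset (consonant-start first)."""
    for start in (False, True):
        for chars in itertools.product(*pronounceable_pattern(start, length)):
            yield "".join(chars)


def is_pronounceable(slug: str) -> bool:
    """Classify an observed slug: lowercase letters only, strictly alternating C/V."""
    if len(slug) != SLUG_LEN or not slug.isalpha() or not slug.islower():
        return False
    kinds = [c in VOWELS for c in slug]
    return all(kinds[i] != kinds[i + 1] for i in range(SLUG_LEN - 1))


if __name__ == "__main__":
    print(f"full space (62^6):       {keyspace_size(62):,}")     # about 56.8 billion
    print(f"lowercase+digits (36^6): {keyspace_size(36):,}")     # about 2.2 billion
    print(f"pronounceable subset:    {pronounceable_size():,}")  # about 2.3 million
    print("first slugs:", list(itertools.islice(iter_pronounceable(), 3)))
```

The pronounceable subset comes out at 2,315,250, which is the "2.3 million" the speaker later says the 56-billion list was cut down to.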
[unintelligible] Here's an example of the scrape as it's going on, I just took a screenshot. I let this go on for about a month and a half on three computers. Could I have done it quicker? Yes, but it was kind of cool to watch it as it computed. The cool thing is like you go to coffee, you come back, oh I found something else, you go take a nap for about eight hours, you come back and it's still running. For a month and a half it was better than watching a screen saver at least. [unintelligible; a figure of 228,000 links is mentioned]
[unintelligible] Let's look a little bit at the data, which I'm sure is the interesting part, right? So what you're seeing here on the absolute right side, the white text is the entire count for how many of particular links were there. So what I mean by that is at the very top you see 141,444. Those are 141,444 unique links that are referenced in this scrape. At the very bottom you're going to see one link, but that's referenced 66,000 times. So maybe that's an interesting point of data to take a look at. And it actually is. We'll get into that in just a second. And it varies from the top all the way down. So you have two links that are 35,000, et cetera, et cetera, et cetera. And that's how that data goes. I tried to graph it. Didn't work so well. Got to work on that. Now here's our media analysis on the stuff that we've scraped. So we have JPEG, APKs, ZIPs, MP3s, C, that's C source code, PNG files, PDFs, EXEs. We found a lot of stuff here. When I say we, I mean me and the voices in my head. But yeah, so this is like a media analysis of exactly what we found. Again, the text on the right side is the actual data counts. Now again, I've only used native Linux tools. So we're talking like cut, sort, uniq, stuff that you'd normally find on a Linux computer or a Unix. Now what we can do though with this data, because I've saved it into a text file. So every URL that was resolvable, I saved into its own URL, or sorry, its own text file. So now we can make that searchable. Now what do we search for? We can search for keywords like username equals, password equals, invoice. And you'll, you'll find exactly what you're looking for really. So, and also of course at the very end of the file you can search for Excel type of file endings, .doc.
You can find anything specific that you're looking for as far as, you know, the PDF file format, those types of file formats. And there's the screenshot of, this is an invoice from February 12th, 2018. Of course the username, the email was kind of blocked out, at least you know it's from Gmail. But it did have an address along with first and last name. So it's a good starting point. Now what does this actually infer for us? Like what does this tell us? Okay, well is there stalking potential? Probably, of course. We could potentially uncover people of interest. And I could talk about that in just a second with that screenshot at the bottom. And of course the link on the right side is, why was this particular address or block referenced 46 unique times? Now, do we remember that one link that was referenced 65,000 times earlier? That's the map, that's the map address that was linked 65,000 times. Now why? Well it's not a particular house, I've already checked, it's not one house, it's actually that block. So why would that particular block be referenced so many times? Now we could explain it away, such as a realtor using is.gd, or it could be something else. It's just very interesting to see that kind of data there. But let's talk a little bit about the person of interest on the bottom. First name is Natasha, last name of course blocked out, but it's referenced five unique times and that's because it's five unique Natashas with that same last name. Is this a person of interest? Who is this? Is this a celebrity? Is this an unwanted celebrity or somebody who doesn't actually want to be in the space? This is the stuff that I found kind of just as I was going through the data. This is the interesting part, it's almost like OSINT by accident, right? I'm not exactly looking for somebody specific but there it is, right? So this is just some of the interesting data points that I found.
So what are the next steps in what we're doing here, or what I'm doing here? When I say we, now I'm including everybody here. We could scrape the entire character set of is.gd. We can also scrape, we can apply this methodology to other URL shorteners such as TinyURL, Bitly, you know, all these other things. The only thing that I would say is these other services use memberships or they ask you to kind of sign up, and so I didn't get to see exactly, as far as do you have to use their API? Could you just use other means, et cetera, et cetera? But that's something that I'd like to explore. So any questions on this so far? Goddamn, that was quick. Yes, question on the map data? Map data specifically? Yes, there's actually a lot of map data, like incredible amounts of map data. So is.gd, well specifically is.gd, is used for a lot of map references. There were a lot of one-offs though. So it's just one link that referenced an address. But to answer that question, yes, they were pointing to houses, houses that you can easily then pivot to, like an assessor's office search, to see first and last name of that address, and so we can go from there. Now I didn't go down that rabbit hole, but I see that there's that potential there. Also, kind of funny thing here. There's a lot of map data that references secret beaches, like beaches that nobody wants to know about except among their friends, but that's actually shared quite a bit of time, or quite a few times. Also another piece of interesting data. There were about 388 references to porn, that's like xHamster, XXX, X and XX, Pornhub, and that's just because I searched it, not because I was told to. So there's that, I mean there's a treasure trove of information here. The most interesting thing I found though, actually, I thought I had a better screenshot of it, was the invoices.
So the invoices that I saw there, you had first and last name, you had how much they paid for said service, you had their email address and you had pretty much every piece of information you would need to maybe start some sort of campaign against that particular person. But again, the problem is, not the problem, but the issue here is that I wasn't targeting anybody specific. So this is kind of just information that I happened upon. So take that as you will, but that is there. So yes. Yes, I found it once, absolutely. So I found it once by accident. I found a password reset link and I was trying to find it again, but it seemed like it was going to work. Now I'm not going to be an asshole and actually change their password for them, but yes, absolutely, yes, that was linked. I'm sorry for the people who are watching on TV. The question was, did you ever see a URL that was posted to a password reset link or something that logged you directly into an account? And the answer is yes, that was there. Not directly to the account per se, but to a password reset for that account. That's something that I found one time going through and I know I can find it again. I just haven't yet, but it is there. So another question. Oh yes, Mr Muffins. Oh, absolutely. Well, so actually in the URL shortening service, in is.gd's terms of service, they warn you, they tell you straight up, look, this is going to be public information. They tell you, do not share your personal information, do not share anything of that nature. Obviously we all read the terms of service. So is.gd already knows that that's an issue, but it is there. It's in the terms of service saying don't do that, it's still being done. Also, one thing that I didn't include on the slides here, but I wrote an image loader. So what I did was I took all the URLs that had JPEG, PNG, all these different types of media files, and if you run it, it'll load a new picture every second.
Some of the images are not safe for work. So I will make that available to you guys, do that on your own time, and have fun. Just, you've been warned. All right. I love answering questions so we can keep going with this. Mr Muffins. Yes, absolutely. I just made it public a couple of minutes before the talk. So if you want to take pictures there, there you go. That's the URL for GitHub. And my other stuff. In fact, I'm starting a new campaign, a new Twitter campaign. Hashtag roast my code. Go ahead and do that, please. I sincerely mean it because I'm not a coder by profession. I just kind of throw code together and see if it works. So please, hashtag roast my code. Questions? Final size as far as link count, or? Yes, I do. So this is funny. So when I generated the links, I actually generated 56 billion links. And just that text file alone was about 15 gigs of just six characters every line. And that was the entire space. So I was like, ah, that's a lot. So I cut it down to the 2.3 million. And as far as size, again, earlier we had a statistic about only 228,000 links that were actually resolvable, or were resolved. And so I did save that data. And so actually, thank you for this. But another interesting piece of information here with OSINT is we can see which companies are using these URL shorteners. Because I did see a lot of URL shorteners, or URLs shortened, from the same company. For instance, postimg.cc, as an example. They use it to show video games that they have for sale on their website, as a shortened URL. So that was an interesting piece of information. Mr Code. So it spits back the unshortened URL and then I would go in and just categorize the data by what it found. It was just checking where it led. Yes, so it was only checking the headers, to answer that question. So yes, I didn't download all the information. I just saw where it went to. And then it was up to me to take a look at that data and then look at that.
But I know the cool thing about this, too, is that I found a whole bunch of PDFs. So if you guys want to play slide karaoke later, I have a whole bunch now. Or at least I can get them pretty quickly. All right, let's keep going. Questions? Yeah, we can keep going. Yes, over there. This is another. Thank you guys. I love this discussion. So the ransomware, again, if is.gd actually detects on their end that a link is malicious, they'll block it. And so when I go to the URL, it has this big warning, warning malicious, malicious. And so I didn't actually see that. By the way, all this was resolved in a VM, so I was okay with going to these URLs. But yes, by the time I got to it, it's not like I was downloading ransomware or malware or anything of the sort, including viruses and whatnot. So I hope that answers your question. So I wanted to say something off that point, but the whiskey made me forget. Question? Not that I've seen, but I didn't go through every single link. This information will be available to you upon request, actually. So the code is there for you. But if you want to talk, we could talk further about exactly what I found with specifics. I'm not trying to burn any sources here or whatnot. So yes. Any further questions? All right. So if there are any further questions, I will be down at the heart bar for however long you guys want to talk to me. I like to talk to people. That's my favorite part of the conference. So if you want to keep continuing this conversation, we definitely can. And I'll get off stage now. Thank you.