Hello everyone. So, as you know, the speaker couldn't come, so we will be taking up questions and answers, like a Q&A on OSINT and more around it. It's going to be an interactive Q&A, so I'm going to be asking questions to them and then we will be popping some questions for you as well, so that it will be interactive. It shouldn't be like a speaker is speaking and then you're listening, that's it. If you have a question in the middle, just raise your hand and we'll make sure that it gets answered. So the first question, I would actually like to give it to Sudhanshu.

Hi guys. So basically the idea is to have a casual discussion. A lot of times we do talks and then we listen to what the speaker has to say, but a lot of times, you know, the audience would like to ask some questions which are not related to the talk they're actually attending. So, you know, this is the opportunity, I mean not just for you, for us as well. I know there are a lot of things which I would like to ask, and maybe some of you have questions, some of you have answers to that, and I would love to answer that and to ask questions. All right, so I would like to ask one thing: what kind of OSINT do you guys do? Is it more into security, offensive security or defensive security, or do you guys do investigation, or what does it mean for you guys? I'm just trying to ask this because we want to get more talks which, you know, the audience is more interested in, so for the next time when we select the talks we'll keep that in mind, that, you know, what kind of audience do we get. Me, I've been doing pen testing for a long time, right, so I'm always a little biased towards that side, but in my last job I used to do OSINT for investigation and due diligence, so I know a little bit about that side as well.
Sudhanshu has done a lot of pen testing. He has always been an attacker, so, you know, if you want to not just do OSINT but also get into security, you know, bypass antiviruses and all those, you know, malicious things, he's the guy. Jennifer has been head of research in multiple organizations and she generally does OSINT in investigations on the people side, and she's really, really good at that. So I want to ask Jennifer: how do you do human hacking?

Okay, so I managed to think that I wasn't going to speak besides introducing speakers this year and, lo and behold, I'm speaking again. So yeah, I was here last year, I spoke at The Diana Initiative last year, and then I spoke on the stage and I had massive imposter syndrome, and it's the reason why I didn't apply to speak again this year. I can't code in the slightest, I can't hack. What I do, everything, is behavioral science. I hack people. I follow the way that they behave, I follow the way that they act. I don't need to be able to break down things to be able to tell what their passwords are, because guess what, if they like their kids, if they like their dog, that's most likely their password. If they're kind of simple about things, then they're going to have leaked things everywhere else.
So I basically just follow people's behaviors. People are inherently stupid and people like to follow patterns. So if people have got patterns of life behavior... we're all tired of a morning, so people use the same routine, people get the same trains of a morning, so people complain about trains. As a London commuter we all sit there and we complain: "As a London commuter, South West Trains, why is my train delayed?" Well, thank you for telling me exactly what train you get on every single morning, and then I'm sitting next to you on the train and I'm having a conversation with you about the local sports team, because guess what, you're following them on Twitter. Before you know it, I've just happily socially engineered myself into your life. You don't even realize it, but I know everything about you because you've put it all on your dating profile. I know your dating profile is sitting there because you've used the same picture as your LinkedIn picture. Why? Because you like the headshot that your company did for you, which is also on your company profile. Like, people are so, so simple. So that's kind of how I look at things. So when I've worked alongside these guys in different ways, shapes and forms, I've looked at things in a really, really different way, and I come at it from a: well, that's great what these guys can do, and they can massively, massively help me in different ways, but actually from my perspective, people are, you hear it so many times, people are the weakest link, but people are inherently stupid. And no matter how good at security anybody else is, there's somebody in your family who is stupid, and it might be your 12 year old kid, it might be your 60 year old gran who's just decided she wants to get an Instagram account to see what is going on. But people don't understand. I've got new bosses because I've just joined a new company and they've all decided we need to learn Twitter. No, you don't, please just keep off it. But they've all gone on there and they've all done randomly weird things like follow their kids. Great, thanks. You've also all joined your housing associations and now I know exactly where you all live. So that's kind of what I end up doing; in a really roundabout way, that is what I end up doing. And a really long thing, this is why I don't talk, because I can't stop. So that's what ends up happening.

All right, so I will throw a question to Sudhanshu. Sudhanshu, when you do any kind of security exercise, be it a pentest or a red team, what is your approach, you know, on how you start OSINT, figuring out a company, and then how do you go about it, and how effective is this process? I mean, how is it different from doing just a pentest, not doing a lot of recon, versus when you do a lot of recon? So what are your thoughts on this?

Thanks. Yes, so I've been doing pentesting for quite some time now and I identified that recon is one of the most important processes, not the exploitation or the privilege escalation or the persistence one. If you know your recon, if you identify the organization or your target, you can do a greater amount of damage than just running exploits on them, right? So we do it all the way. So the first thing that I would like to mention is, if you have a name or target or a domain, whatever you're going to start with, just identify anything that is associated to it, right? Now it depends on the type of the asset that you're targeting, right? If it's a domain, then you can enumerate subdomains. If it's an IP address, you can see what are the IP addresses associated to it, near to it or neighbors to it, right? So we can do different things around different technologies, different assets. If it's a website, the first thing that I would try to do is to identify the open ports, to identify the technology stack, instead of just running a SQL injection or trying to run a Burp scan over it, right? So identifying anything that is associated to your target type, that is the primary thing that I try to do. Once I have that information, then I go in deeper. Like I say, if it's a web application, then I try to crawl that application, see what are the keywords that they are using, if there's any directory that I can enumerate. Once I have that information, then I'll go into the exploitation or identification of the vulnerabilities. So that is how we approach vulnerabilities in general. Anything specific, feel free to ask.

So do you have any interesting case where you found someone has done a really, really big stupidity, maybe leaking some information or leaving some misconfiguration in the system, and if you have any stories around this?

These stories sound really, really stupid or simple sometimes. Like, I was doing a pen test for an organization and they just gave us a domain and said, okay, enumerate the information, identify the target attack surface, and then in the next phase you're going to do the exploitation and testing of the stuff. But in the first phase itself we identified some credentials being leaked on GitHub and some on Pastebin, and even before the test was going to start we had admin level access, just because the credentials were lying out there. So it might sound really stupid; it was a really simple assessment, we didn't do any hardcore exploitation or RCE over them, but just because that information was out there, anyone could do it, right? So this makes them a really lucrative target, because it's really, really easy for anyone to do it. You don't need to know how the tools run, how to use the command line or how a specific technology works, but just because that information is lying out there you can directly use it and exploit it to gain that admin access. And once we had that access it was really easy to get into the network and to pivot into domain admin, and it was game over, right? Because the perimeter is the one which people really care about; once you're inside that perimeter, inside the internal network, it's usually a DA or the credentials or the credit card details. So that's usually how it goes.

Well, I'm surprised how relaxedly you say "just a DA", you know, it's not a joke.

Yeah, so from what Jenny said and what Sudhanshu said, I remember one story which is into security, and as Jenny said, people are inherently stupid. So in one of the pentests I was doing, I was doing a little bit of brute forcing on the target. I was already inside the machine trying to do some brute force on the Windows boxes, and then, searching the name of the company, I found a GitHub repository where the person had actually revealed the password. The password was Summer17, and then I was like, all right, let me try that. That didn't work, so I went back and I was thinking, hey, so the first one is actually using this password, so it should work somewhere. So I went back again to the GitHub repository, checked the date of the repository, it said 2017. So the next thing I tried was Summer18, because I was doing the test in 2018, and bang on, this worked. I was like, what, this shouldn't work, man. I mean, it was as stupid as that, and that day I realized that, you know, a lot of times when you say that people should not use the same password across multiple websites, what people do is they will come up with patterns, right? So the patterns I've seen are a password, you know, name appended by, you know, the first three letters of the domain name, or maybe the first three letters of the form fields, some weird patterns. And the problem with that is, once someone figures out that pattern, it is as easy, you know, as trying the same password everywhere. So yeah, I would like to ask you guys, how many of you use the same password at multiple websites? Or if someone would like to volunteer to share the same password? Yeah, I mean, give a demo of it here. All right, so now we've talked about the use cases, we have talked about human hacking, attacking, but how do we do defense? Like, defense for OSINT, what should we do to make sure that our data is safe?

All right, so there is definitely overlap when you do OSINT for defensive security. A few things which you have to do: when you do attack, you just do it once, but when you do defense, you have to do it in a recursive manner. So, you know, obviously you have to attack somewhere, so you'll, you know, write scripts which will scrape GitHub and look out for your passwords, sensitive information about your organization, but you won't just check it once, you will check it maybe daily or weekly, and figure out, you know, as soon as something goes out about your organization on any of these websites, you should get an alert notification on Slack, whatever. Similarly, you should have a really good track of your assets, because when you are in the cloud you don't even know if your box only has a private IP address or, you know, someone just appended a public IP address as well, or maybe someone changed the security group. So, you know, you have to keep an eye on how many assets you have, keep constantly checking them. Similarly, if you have some vulnerabilities in terms of, you know, any of the users' sensitive information, or if you would like to keep a check if someone talks about your company in a security manner, for example someone says "I just hacked your company" and someone tweets about it, so before the whole world gets to know, you should definitely know about it. So you should have a check on these keywords; maybe you can use the streaming APIs of Twitter and keep an eye, so that as soon as someone talks about your company you should get an alert, and you are the first one who should be taking action on top of it. Maybe it's a false positive, maybe it's a negative, it doesn't matter, because in terms of reputation you should be on top of it, right? Similarly, you can use a lot of threat intelligence feeds. For example, if you have SIEM systems and you get an IP address hitting your website again and again, you can maybe check the rank of the website and assign a score to the IP address. Now, if the IP address is sending multiple requests, based on your score you can actually block the IP address a little earlier than you would block other IP addresses. So, you know, there are so many things about it. You can use Google Alerts, you can use page-detection kind of things to make sure you know what kind of parameters you are leaking out. All right, so I mean it cannot be summarized in just one answer, of course, there is no specific way to talk about it, but overall these things should be checked in a recursive manner, especially if you are doing OSINT on your own organization, you should keep an eye on these things in a recursive manner.

Thank you. So can we have questions from the audience? Sure.

So this is my question for Jenny, right? Yeah. Have you ever run into an individual or personality who stumped you? Can you speak to that? Maybe there's something interesting about their personality that makes it difficult for them to be hacked. Can you use this?

So yeah, there's a couple of cases, and there's one that I'll kind of mention. People who have split personality disorder are really difficult to follow, because which personality do you follow? So somebody that I was actually trying to map out had multiple personality disorder. Now, I was able to map out 12 of their personalities, and the problem was they didn't all interact. Three of them interacted together and the rest of them were all separate. Now, you could see there was a clear delineation of timings that occasionally the person ended up dealing with. Some of them ended up using similar kinds of variations of phone numbers, some of them used the same phone number as others, but it was really one of those where, as soon as the personality of the individual changed, they used a different mobile. They used a different device.
They went from a Windows device to a Mac device, and it was one of those of, this is impossible. And it's one of those of, okay, what is the purpose of what I'm trying to do here, and what is it? And that's what it always ends up coming down to. And it's a case of, how am I trying to map it out? When it comes to large criminal organizations, so I work with a number of different charities, I work with a number of human trafficking charities, and trying to track those organizations tends to be really, really difficult, because they are so much better and more advanced than we are at monitoring them. So they know our methodologies better than we know our own methodologies in how to track them. And that's why we struggle, because they know how to hide better than we know how to find them. So they're the ones that I normally find the difficulties with. So where I work with Stop The Traffik, and I'm kind of the Nigeria lead with that, even though I can sit there and tell you a lot of information to do with, here are the networks that end up working across there and here are the key individuals, pinpointing those individuals ends up being incredibly difficult. I will be able to tell you the people on the ground. I will be able to show you the picture, and can I have their mobile number, and can I give you anything more than that? I'll be able to tell the police on the ground here the details, and then I can't piece the final elements together. And they tend to be the weirdest cases. Sometimes I just can't find people. The less information I find about people, the weirder it tends to be. Kind of bringing it into what you were saying about how can you kind of reduce your risk.
I work with a lot of high net worth people, because they're like, oh, help me reduce my footprint, or people will turn around and go, I don't have social media, I'm safe, and I'm like, oh hello, challenge accepted. Because I don't care if you've not got an active footprint, I'll find you passively, because someone's taken a picture of you. If you've walked along this corridor today, I don't care if you haven't got Twitter, somebody's put you on their Twitter today. And if you live anywhere, you're on an electoral roll somewhere, your birth records are somewhere, somebody's leaked some information about you, so the passive records are out there about you. If I can't find passive records to do with you and I can't find active records to do with you, do you exist? Have you changed your name? If you've changed your name, how have you done that? Because records to do with name changes are also kept, and that's when I'm really then starting to question. And if I can't find anything to do with you, that's really when I'll start getting a little antsy, and that's probably when I'll start rooting towards these people with a healthy: find what I need, and there you go.

Generally speaking, how would each of you hide from yourselves? Any other questions, guys? Just one mic.

So for somebody that's just getting started with investigative recon, what are some of the most valuable tools or services available that you've found in your experience?

There is no magic tool. My boss wishes there was a magic tool. There are certain things that depend on what you want to do. Pipl is a great thing; I'm not going to advertise anything, but Pipl is a great tool if you have any form of detail like a phone number or an email address, it's a great starting point. And I honestly, from there on in, would use a lot of stuff that you'll end up finding on GitHub. Beyond that, honestly, the rest of it is just kind of searching around. I wouldn't go paying for a lot of the tools that are out there, and that's simply my choice. And I would recommend the Datasploit tool that the boys standing next to me developed, because it's amazing. And yeah, definitely check out the Datasploit tool that these boys use and have developed, and they don't use it, they develop it, what am I talking about. But yeah, what I would honestly recommend is, all of these tools have trials, use them, see if it's useful for you. Don't ever sign up to anything unless you do use the trial, because that's the worst thing you can possibly do, and most places, if they don't offer you a trial, it's because they're trying to trap you immediately into something, and you're just going to end up getting trapped. Never, ever get trapped into that, oh, we've got all this amazing data. If you love LinkedIn information, RocketReach is your way forward, that will give you your email addresses from LinkedIn.

I would like to add something to that. So there's no such tool that can help you in anything that you require, right? Because every time your requirement would be different. Sometimes you're trying to identify the domains of a company, next time you're after a person, right? So the best tool that I would recommend is your methodology, right? If you understand what you're after and what you want to achieve, then you can achieve it, right? So like Jenny mentioned, we created a tool of our own because we weren't finding anything out there which helped our case. It might not help you, you can give it a try definitely, but it's the methodology and the understanding of what you are after and how you can identify that, that is going to help you. And if you know that, you can just hire anyone to code it or you can code it yourself.

So we can take one more question before we wrap up.

So when you're conducting some investigation for a red teaming exercise, to participate in the reconnaissance phase, and of course there are many aspects in this kind of investigation, so there's the organization itself, its financial position, many of the important employees, affiliates, you name it, so you have a shit ton of information and you really need to correlate them in one way or another, and maybe your brain is sometimes too little to do that, as smart as you are. Do you have any tips and tricks on data management in terms of this kind of correlation?

Yeah, so as far as I understand your question, you're asking about when we do any kind of investigation or OSINT or red team, we find a lot of data, could be in terms of important people or assets or financial acquisitions or whatever, how do we keep track of that data? Is that what you're asking? Yeah. So there are definitely a bunch of phases in this. So one is that you document everything, of course, that goes without saying, where you might use whatever editors you have or, you know, CSV files. You should always record these kinds of sessions, maybe you can use browser add-ons or some screen recorder software, so that you know what you are searching for, and if you find something you always have evidence. Once you have the information, the most important part is to connect the dots, as you asked, and no tool, as far as I know, will automatically do it for you. So most of the time I've seen analysts using some graph software where you visualize these things. You can obviously do it manually, you know, but you can use utilities like Lumify or, you know, CaseFile, you can use Maltego, where, you know, you just pump data in and then connect the dots, those kinds of things. Especially in the kind of exercises I do, we don't really have to join a lot of dots, it's not more than one or two layers of, you know, the information we have. But especially when you are doing investigations, or especially around people, that's where you find some information on Facebook and then, you know, you reverse image that, do this, do that, so that's where a lot of layers are there. And I think in red teaming at all you don't need a lot of joining-the-dots kind of thing. Of course there are a few layers, and it depends on the kind of size of the organization, but honestly I've not encountered such kinds of tests so far.

Okay, so that's where we'll wrap up, and we'll move on to the next session. Thank you very much, thanks.