>>Hi everyone, so actually I just want to talk about something before we start the presentation. So I was a backup speaker; this is not the guy who is here. Well, he's not here, obviously, because I'm here. This is the content slide from his talk. So if you are looking for the z/OS stuff, please contact him; he really did all the work. He got accepted, he deserves the credit for it. So you can just reach out to him on his Twitter handle at the bottom here or follow him on GitHub. So he wrote three things that will basically help when you're looking at the mainframe stuff. So if you're looking for that, you can follow this slide. Okay, so we're going to actually do a bunch of stuff. I know the nature is about Maltego, but really we're going to be looking at more interesting things, and I'm going to be using Maltego just to do the correlation and finding it. So I'm going to do a little bit of intro, like who I am, boring stuff. And then how to do footprinting in like 10 seconds. And then we'll start looking at interesting things. So the first section will be hunting ICS devices. So if you're looking to find power systems on the internet, how do we find them, or whatever else. And we'll start by saying okay, well first we want to look at maybe something that I have context on, so I'm looking for like Nevada Energy or something. And then we'll move to saying okay, well if I want to look at an entire country's power system, how do I look at that. The second section we'll look at interesting people. So the first section is kind of like interesting places. And that will be looking at how do you use all the different breaches that have happened to say okay, well using footprinting and the networking side I can track people from interesting organizations and find information about them outside of the organization.
And then the last one, just looking at interesting locations and individuals who work there. And then questions if there are any, and then beer. So that's the agenda for today. So a little bit about myself. My name is Andrew MacPherson, my alias is Andrew Mohawk. I've worked at Paterva for 10 years. My employee number has all those zeros in case we hire a million people, then I'll still be number 1. And I have an Information Science degree from 2006. So also for DEF CON and Black Hat I dyed my hair white, which has gone really well with my friends. So they just comment that I look like Draco all the time. It's great. And then of course, this is an analogy: anyone who has a hammer, everything looks like a nail. So to me, I work at Paterva, I build a lot of stuff in Maltego, I'll basically try to automate everything with it. So I'm that guy, just for the Maltego hammer. Okay, then I was meant to co-present with Roelof Temmingh, so he's the co-founder of SensePost. He's not here because he couldn't move his flights in time. But he started Paterva in 2007, when I started there. He's the MD, he does stuff. And he's done a lot of talks. So he's really confident, not standing next to me though. Okay so the first section is, generally I'll tell you what is Maltego, what does it do. If you don't know, we've got loads of video tutorials, and you'll just see us using it during the presentation, so you'll have an idea of roughly, you know, what it can do. And then you can just follow those if you want to figure out more about the tool. So there's a heck of a lot of demos. Well, there's not a lot, but it will be a constant demo basically as we move through the pieces. But all my demos rely on a stable internet connection, which they told me I can use the DEF CON wireless for, so that's really unstable.
At this stage I do have a MiFi device with me, but if whoever is, like, bored and hacking RF today could just not turn it on until I finish the talk, that would be great. Then obviously I need all the code to work, so Marco tweeted at me just now. He said it's not hacking if it's not spitting exceptions. So I've tried my best. Hopefully everything works, but we'll see how that goes. And then obviously I'll be using stuff that's online, so all the demos will be on the internet. I'll be using some remote APIs and things, so I need nothing to have changed, so I've made all the sacrifices necessary. But if everyone could, you know, keep their fingers and toes crossed, otherwise you really don't want to see me dance. Okay, so a quick footprinting 101. So if we do a footprint on an organization I say, okay, I start with a domain, I get DNS names, IP addresses, netblocks and AS numbers. So if you're using it in the tool, I'm just going to pick, so, try and make it a little more interesting, so I pick nsa.gov. And let's say I want to find out, you know, I want to do just a basic forward footprint. So we have a number of transforms to do DNS stuff, like you can do an MX transform, we can look up passive DNS, things like that. And I can find all of those from here. So this is online, this needs to work, yay. There you can see, okay, NSA is hosting their stuff that I can find. You can find some DNS names. And I get a whole bunch of others, right, so these are like something.nsa.gov, xcaliber, carry 7, and star fox, things like this. And then I can say okay, well if I look at this model I go domain, DNS, now DNS to IP addresses, so say okay, I take all of these and I resolve them to IP addresses. So, pretty straightforward stuff, right? The idea of Maltego is that nothing in the tool is complicated; nothing that you could run is something that you couldn't figure out by hand or be able to do.
But the correlation is what gives you, you know, any sort of capabilities. So here you can see instead of one DNS name, multiple IPs. Straightforward stuff. Over here, two different DNS names on the same IP address. Okay so what I can do then, I follow it further down, I say okay, I take the different IP addresses and just take them to netblocks. That's your boundaries. Alright, and then I'll take the netblocks to ASes. So if you're all pen testing you can follow this section, you see what I'm doing. I basically really quickly did the forward footprint, just waiting for those to come back. Alright so there are the netblocks, take those to AS numbers, and then I have that kind of footprint. And there's nothing really interesting in a forward footprint almost all the time. Like, the interesting stuff comes from passive: looking at reverse, finding other things in the netblocks. And I'll show you as we move to footprinting people where it's more exciting. Okay, and then from the AS numbers, since I don't know any of them, you can take them and say, who's the company owner. I can figure out, okay, this one belongs to Akamai. Okay, so there's a more interesting one. So some DNS name at nsa.gov resolves to a 10-net address, so an internal IP address. Probably a misconfigured DNS name. And then, okay, so there you can see if I look it up it still has that address. So that's kind of live, so Maltego is really, really good at being able to do this quickly. Okay so that was a basic forward footprint, do that in a few minutes. And then what we did in the tool is we said okay, well actually you do this all the time and we're really lazy, so we try to automate everything we can. So this is the concept of machines, which is the ability to then script, basically, the way that you run stuff so that it goes automatically.
Okay so you can do it with a little bit of code. There's an example of one. And here I can just say okay, well this must do everything that I've just done but in an automated way, right, so then you can do footprints with buttons. Okay, because everybody wants to see it, have it be shiny. So I can say, well, if I start with a domain, let's just do NSA again. Okay, instead of running each individual transform I can just go and say run a machine; now I don't have to touch it and it will then do the whole footprint for me. Alright so it's a really nice way to kind of automate that stuff. So I don't have to do anything for it. And the reason that we have footprinting is so that it can give us information for targeting. Right, so when we start targeting organizations I can say, hey, this footprint gave me DNS names, domain names, IP addresses, netblocks, so that I can use them when I'm looking for, say, ICS devices or when you're trying to profile individuals who work at organizations, specifically more sensitive organizations that we find. So, because we were doing, I'm actually going to stop that one. Because the talk will head towards ICS devices in the first section, I was like okay, well what are ICS devices that I would be interested in? Okay so I say well, Vegas is made up of basically LEDs, and then I look for energy companies in Las Vegas and the biggest one is Nevada Energy, right? So I was like okay, well this is a good place. We're going to find cool stuff on Nevada Energy. So if I do a footprint on Nevada Energy, it's nvenergy.com. Okay, run this footprint, it will go ahead and find all the things I'll then use to start profiling them. Alright so this stuff, if you're a pen tester, is kind of the defaults that you go through if you're doing pen testing, especially from outside the organization. Alright, there are all the DNS names, I'll get those to IP addresses and so on.
So it's really quick to be able to do this with this stuff. And basically the takeaway is Maltego is really good for footprinting. Okay, you can do it really quickly, it makes nice graphs, people will think you're doing complex stuff even if it's really simple. Also you can do things like, so, I see it's listed over there, I can change the different layouts, and I can change the sizing so I can see things that are more important in a network, right? So this netblock is more heavily used than other ones, so if I'm profiling stuff I could quickly go and head for that. So once we've done the targeting then we could say okay, well that's our basics, now we can start looking for exciting stuff. So start looking at industrial control systems. Alright, they're pretty basic. Devices that you have, and they're used to operate and automate your industrial processes. So those are things like power, water, manufacturing, treatment. You know when you see the car advert being built and it's like 'jooot jooot' [speaker makes noise], that's ICS devices. And these are systems that are designed to be really reliable, right? They're there to run for 30 years without ever falling over. And of course you really don't want them to fall over, right? So things go really bad if, say, one sensor for water upstream says, hey, the water is flowing really quickly, and then downstream they open the dam because they expect more water to arrive there. Right? So you don't really want any breakage in this stuff. And really it's a worrying thing. So if you want to hack ICS devices, that's not what I'm going to cover here at all. But there are just hundreds of different talks, tweets, YouTube videos. You could just Google for it; there's a YouTube video, hacking a PLC with Metasploit. So you can just follow along, click buttons, and be able to compromise the devices.
Alright, but the thing that you find in all of these videos is that actually they have the device with them. So if I go there, they're like oh cool, they bought 25 PLCs. They've got them in their lab. They're all IP'd in and they can own them. But really if you have to do it as an attacker, and specifically an attacker saying, mmm, okay, I'm looking for a really specialized target, like either a specific industry, like I'm going for Nevada Energy, or a particular country, like I want to own all the power plants in wherever, Germany. Then you need to figure out okay, well how can I find these different devices. Alright so that's the first part of the talk that we're looking at, so we did footprinting. I can get information on the organization, in this case Nevada Energy, and then I can say okay, well actually these devices, I need to figure out how they're on the internet. And first, if you go to one of the Sherdin pages, it tells you about it. A lot of them have implemented networking. They've basically hacked it onto the actual devices. Because these devices are really old for the most part, they haven't really been updated as quickly as the rest of the security. So there are a couple of major protocols that you'll find, and they're like Modbus, Siemens S7, and Niagara Fox, and things that you'll be able to search for. Then of course if you look through the documentation, right, everyone is like, hey, by default please firewall all these devices. Put them in an air-gapped network. Make sure they're not on the internet. And everyone should follow the documentation I guess, but it doesn't really ever happen. So then we get on to Shodan. So Shodan is basically a search engine for the internet. Actually the guy that wrote Shodan is here somewhere. And it allows us to search for particular strings.
So if I open Shodan I can search for, I don't know, let's say I was looking for Apache 2.2.2. And it will find all different things on the internet that match Apache 2.2 if I click on search. Hopefully. So here it says, hey, this is a particular machine running that, I can see the different countries. So what I can do is, okay, instead of looking for this sort of stuff, I'm looking for ICS devices, and if I look at this I can see there are a bunch of different protocols, and each of these kind of has their own spec. So if I take something like, so, just do port 102. So that's for the S7 stuff if I remember right. So then here I get these results, right? And look at these results, and it says hey, this is located in Turkey, this is some basic hardware, the firmware version. So things that are on the internet that I can find. Right, but remember we're trying to target something. Like, I don't want to just go and shotgun-approach every single ICS device in the world. I want to find specific ones. And most of the time they don't have sort of the information filled in, so I think there will be one maybe. Mmm. Yeah, so here's one that says hey, this one's got a plant identification, it's at the Mauser Factory, and it's in Taiwan. Right, so then I could say okay, if I was targeting that, that's really good stuff that I can use. So the first way that we try to do it is to say okay, well I can go through all the ICS devices and I can start targeting them. So the idea would be that you can take these ICS devices and, let's say you had some vulnerabilities in a couple of them, you would say okay, well these are the ones I'm looking at. And I can basically go and do what I just did but in the tool. It's not that exciting. So I'll just say port 102, find me all the ICS IP addresses. Right, so any device that matches that, actually, sorry, that's not the right one.
So, port 102, just on default Shodan. Alright, that will then go and give you that list of however many I've requested. So in this case 255, but if you were to go through each individual one, so I mean for the Siemens stuff there are like 2,000. But if I take 502 or one of the others, then you'll see that there could be a heck of a lot, right, so there are 13,000. I've got to go through each category, there are like 20 of them. And it will take a really long time. So hopefully this is going to come back. In the event that it doesn't come back I do actually have a graph of this. So this isn't really exciting, so I'll open that graph. Okay so if I open this graph it basically says a search report went out to these IP addresses. I can go in there and look at them. I can see the results. In here you get the data segment that says, let me just make this slightly bigger. So it says all the defaults that we found, right? No plant identification. And then I'll say well, if I'm targeting Nevada Energy I could say search for the word energy, right down here. I say, find this one device and it's called new_energy_1. So that may be interesting, but it doesn't say Nevada Energy. So that's the main problem; it doesn't really work, actually, if you're trying to compromise these sort of things. Plus it's really tedious to do because I have to go through each individual one. So then the next thing you say is okay, well obviously that's a dumb way to do things, right, you're not going to go through each individual thing. You're going to say well, let's make one way to search for all of them. So kind of like the Google hacking of before. I can say well, I've got something that I found. I can put it into Shodan and I can search for all of these different things. I can search for port 502. I can search for port 102. All of these; so some of these require other stuff like 1962 and PLC.
And then I'll be able to say okay, well what I can do for a particular organization: I can run this footprint, get a bunch of these details out, and then I'll be able to say okay, from here I can go and find the ICS devices. Right, so it'd be, if I, where's my Nevada Energy graph? Okay, so this one's on Nevada Energy. I could say, take these netblocks that I found, let's put that in normal mode. Alright, so take these individual netblocks where I found new information from the company, I did the footprint, and take one of those and now run the transform that says, take to ICS IP address. Alright, so what that does is it takes every netblock, converts it to CIDR for Shodan, and then for each individual port, each individual property that we have that will make these identifiable, it will search. Alright, and here at the bottom you can see, so I just put the output on so you can see what's there. So it's searching for net: whatever the CIDR, every port or SLS address or whatever else. And you'll see here you've got actually no results. Alright so I've got zero results. From everything. Which is really lame because I was like okay, if I'm an organization it's going to be on their network. Right? They've got to secure this stuff. It is, you know, fairly important to their business. So it doesn't actually work either. Right. The only thing nice about it is I can start with footprinting information and I can say cool, I can go from the domain or the network or the IP address and I can say okay, I can use that and I can apply it. It does work sometimes. So I did some other footprints when I was playing around with it. And if you take basically any university, alright, so their footprint is slightly larger if you look at it on scale, alright. But I can find a bunch of different ICS devices from Shodan on there. And I can go and look at them and you'll see that those are really nicely done. So a lot of the time they've got good DNS names.
They say, this is for BACnet. They've got it in the hostname. And I can read about it. So they fill in these details, but actually I'm looking to target something more interesting. So this really doesn't work for me either. So at this stage we're like, well what other stuff can we do, right? So we can't, it's not on the network. We can't just search all ICS devices and hope that someone put in Nevada Energy. Because they didn't do that either, if you're wondering. So we say okay, well what other kind of stuff can I give Shodan to say, I've got this piece of information and I want to say okay, from here I want to take it to, you know, whatever my ICS devices with all these different things. And one of the things you can give Shodan is you can give it a GPS coordinate. Okay, so this is really cool because I can say well, I know some stuff about Nevada Energy, like if I had to look at it I'll say I know that they're probably going to be in Las Vegas. I want to turn off all the LEDs, I go to get them from Vegas. So what I can do is I can take any sort of point in Vegas, I'm just going to zoom out a bit. Alright so here's all of Las Vegas and I can say okay, I pick a point roughly central and I take the GPS coordinates. Alright, so from around here I can take these GPS coordinates and I can say okay, find me IP addresses around these GPS coordinates that match any sort of the ICS devices. Match port 102, BACnet, Siemens S7, all of that stuff. And I can put in a radius. Okay, so in this case, I mean it's, where is it? It's really huge, right? So I'm going to put in like 50 kilometers. I mean in miles that's 10,000. I don't know how to do the conversion. It's something really big. So hopefully this is going to run, so this will take a while. And this is then going to show, saying okay, I've got these points, I can go within a 50-kilometer radius, find any IP addresses.
So they've got a really cool way that they can go from GPS coordinates to IP addresses, which is really tricky, and we'll talk about it, just not when you look at doing a sort of country-scale attack on this sort of stuff. Now I really need the internet to work with me here. That's still going. I've decided this one is taking too long as well. It should come back to us and I'll probably just switch over to it. But I have these saved as well. So, Las Vegas, ICS Devices. So here again we started from GPS coordinates, but from the GPS coordinates we found all the different ICS devices for Vegas. Okay, so I'm just going to work with this so we can step through it. Okay, see here, GPS coordinates, all the ICS devices. But actually, that doesn't tell me exactly where it is. It just tells me that within 50 kilometers of the central point I picked in Las Vegas I can find these. So what I want to do is I want to say okay, well for all of these different devices, show me exactly where they are. Alright so I'm going to select those. And now the other graph came back, see, the demo does work, it just takes really long. But there I can say okay, I've got these ICS devices and I'm going to pull up the exact coordinates. Alright, so I want to see these particular coordinates; now they're coming back, and that will give me information about it as well. So we're trying to find a lot more than just GPS, like stuff that says Desert Toyota, no idea what that means. But that's filled in on the PLC, right, so whatever they have or whatever kind of device it is they've got. So, if that's running, then putting out all of those. So I could say okay, well on my map, this is CCU, CCU dot, I don't know what it is, I'm just going to pick a random one. And I can then just put it in, make sure, hey, is this still in Vegas, is this the right place. So you can see it's still in Vegas and hopefully somewhere near something that's using a PLC or ICS device.
Maybe it's Shell. I'm not really sure where it is. And we'll look at why this is interesting. Now, so now I've got all of them, I'm going to say okay, well actually I want to visualize all of these devices, right. Because I'm not going to go through each one like that, that will take me forever. So I'm going to take all the GPS coordinates, all the ICS devices, and I'm just going to send it to a map. Okay, hopefully this loads up. And, okay, cool. So now I've got a map of all ICS devices in Las Vegas and I can go through them and say hey, what's on this one, nothing, GPS, great. This one says JCI, I don't know what that stuff is. And remember we're trying to get Nevada Energy, so what you do is go through all of them, and since I've cheated before I actually know where it is. But you could zoom into this one over here, alright, and you will see that this one is at Popeyes Louisiana Kitchen, alright. Seems unlikely that they'll have an ICS device. But if you look just next door, that's where Nevada Energy is, alright, so if you were targeting them I'd say that's likely to be the ICS device that's sitting at this particular place, so then I can target that and say hey, there's my target. I can't match it on the other things, but I can find it in this sort of way. So that's really cool, to be able to find it so I can target that particular thing, and you can see it in the slides. So now at least I get results, now I can at least find something that says Nevada Energy. That's pretty good. That's how I could do it. But actually it's kind of manual, and you know I have to get lucky on it. And mostly because of these coordinate systems. Which kind of sucks if I'm doing a densely populated area. But actually if I'm looking to be someone who targets, okay, not just Nevada Energy, I target like all power systems in Poland, right. I decided that actually I'm going to attack Poland today.
So in a dense area that stuff sucks if it's out, but in an unpopulated area, so if I look at something like, actually I have this written down so I don't have to do this. Right, if I look at something like this, so this is a power station in Poland somewhere, if it loads up. There we go. Okay, and if I look at this power station over here you can see that they've got the chimneys with the smoke, so they must make electricity, that's how I know that that works. And I can say okay, well if I know that this power station is there, and if you look around it, like, there's nothing. Right, it's like countryside and, you know, no real towns, so I'm not actually worried about hitting other ICS devices. So what I can do is I can say well, let me take a coordinate kind of right in the middle of the power station over here. And then say well, for these GPS coordinates let me look for any IP addresses around it, and this time I'm going to take just a radius of 3 kilometers, right, because actually I could make it bigger because there's nothing else around it. So here I find hopefully some results. So we'll wait for that to return. So there I find two individual, there's an EtherNet/IP, both EtherNet/IP devices. So I could take these and say okay, show me the properties of them so I can pull out their GPS. You see they're both at the same place. And if I go and look at those particular ones you'll see that it says, hey, these ICS devices are located in this cool field, alright. And this field doesn't run a lot of power systems. So it's unlikely that it's going to be in here. But it is, you know, close enough to the power station that I'm looking at that I can argue okay, that's probably going to be my targets.
So if I'm targeting all power stations in a particular place, or in this place just this one, and I know that they're not going to be in the city, then this is okay for me. Like, this will work, because I can argue that most likely I'm going to be able to get to that. So that way works pretty well; within a 3-kilometer radius, that worked out fine. But actually if I wanted to target, in this case, all power plants in Poland, then I'd have to go and like Google power plants in Poland, I get a lot of them from like Wikipedia or something. I'd have to go find them on Google, find all the GPS coordinates, put them all into Maltego, and then I can run with it. Alright. So that doesn't really work for us. We're like, well how can I find all power systems in a particular area? We found this thing called GeoNames. So GeoNames is a geographical database, and it's really nice because you can look up a place and you get its location. Like, you get GPS coordinates; you put in Eiffel Tower, there you go, GPS coordinates for it. But because it's got a really nice API we can use it in the reverse way. So they categorize everything by saying either it's, you know, tourist spots, or things like power station, windmill, hydroelectric plants, things like that. So what I can do is I can say well, actually I'm going to start at the categories and I'm going to say, hey, I'm looking for any categories that match power, then I'm going to say okay, from here show me any devices you have or any GPS coordinates you have that match my category of power in a particular location, right. So I'm using the reverse of it. So if I do that in the tool, over here. Everything you can do with the free version as well, sorry, I'm using the paid-for version here. So if I take power and I search for feature codes, so this is what they call it in the tool, then I get out like 3 or 4 different ones.
So power station, windmill, not sure why it references power but clearly it does something, hydroelectric power station. Alright, so then I can say well, from a power station show me all the locations that you have. And it will say okay, well what country do you want to look that up in? And I can say in this case Poland, alright, so PL. And I get all the different power stations, hopefully, for a particular location. Mm, so now I've essentially gone and said okay, well doing it just this way I know exactly where every power station is, and now I can start doing the ICS device. So just a sanity check, then I'll pick a random one and hopefully it shows it nicely. So this is the Leuven Railway Substation. Okay, wherever that is. That hopefully has the chimney that makes the electricity. Okay, now, that was too much. So it's over here. Maybe I can Street View it. Okay so, middle of Poland, not a lot of streets, not a lot of Google cars have been here. But this is obviously going to be one of the substations. Right, if you go through them until I find another one like the one that we saw. So I've got all the coordinates and I've said, okay, so all the power stations, all the ones in Poland, and then I can run that transform that says, okay, find all the ICS devices around here within a 3-kilometer radius. So essentially what I've done is now plotted all the ICS devices in a particular country based on the category, so that if you were targeting them, you know, you could target them all at once. Alright, just say, hey, these are the vulnerabilities I've got, they impact C97 or 96 or whatever else. And then I can go and start looking at those. So you'll see I didn't get results for all of them; obviously they might actually have not put them on the internet, or something like that. But these ones, I can then find all of them. Alright, so here's one, this Modbus, come on, here you go, Fox, things like that.
So now I have, okay, all of the different locations, and then this is where you'd go and attack that sort of information. Alright so it's really nice to be able to do that, to say okay, I've got it on a country. And so just as a side note on this, the only reason we have the ability to do this is that we're arguing that the geo-to-IP stuff works pretty well, right. We're saying if I give you coordinates you can tell me what IP addresses are there, I can scan those IP addresses if they have, you know, the right sort of ICS stuff that's there. So if people ask, hey, is this actually good? Sometimes. Right, that's like the best I've got for it. So in denser areas geo-to-IP is pretty good, okay, because the way they work it out is generally they look at the latency times and they can say it's likely to be located here, based on this. So in less populated areas it is worse, but most of the time that's okay because the targets that you're looking at are going to be surrounded by, you know, nothing that will impact your search. So if you look at an example of this. Here's an ICS device that says it's in Grey Street 164. So we could say okay, that's exactly where it is, and then we could say well, where did we find it? We find it over here. So it's about 300 meters out. Which for the most part isn't too bad, because remember if you're doing some sort of attack that says well, I'm going to go for, in this case let's say everything in a harbor, and I end up taking down like the manufacturing plant that's next to the harbor, I'm still going to cause a whole lot of chaos, and that might be okay for what I'm doing. So it really depends on the type of attacks. But here we're looking at some sort of collateral, especially in the denser areas, if you are doing that. [inaudible] Okay. So that's on ICS devices.
Right so we can find interesting places I can be like, hey I can find all of the based on the country or I can look at uh where they’re physically located and I can find each individual one that I’m looking for and that gives us interesting infrastructure to target. But what about people? So if I wanna look at interesting um people who work at interesting places. So I don’t care about like people who don’t work at like places that don’t end in gov or something that I’d target. In this case because I’m an attacker looking for that sort of scale. Um so breaches happen all the time. Alright there’s like 100’s of them. Uh there’s loads and loads of different data sources you can use to get these. And everyone kind of does the same order of it. So they say hey are there credit cards in there? Who's involved in this? Um and you can get like there’s loads of work done on this by like blogs and white papers and things like this. And actually I’m just gonna use that Ashley Madison as an initial example. Um and then I’ll go from there. So, um you don’t actually need to know this slide. We’ll get into the talk I use like a bunch of things um they are free but uh that’s not really that important. Uh this one, essentially what happens with the database is they have got fields like email address field, or the IP address. But if you want to do what we’re doing and say well we’ve got a footprint of a netblock and I wanna take that to ya know all users that are in there. You have to convert the netblock to long and IP addresses um so that you can use it. Uh s- so some basic fudging of the data to get it to uh work. So I’m just gonna skip that. Uh but basically if you’re u- looking at it from a forward method I can say well I can go from a domain to a profile or an email address, or an alias to a profile and that’s fairly interesting, maybe. I mean it’s okay. Um, but users who obviously who work in places that are like more critical I’d say ya know, you probably shouldn’t be in there. 
So you say we, we generally say users don’t register work email address on places like this. Kay but if you take something like um, state dot gov right because they also denied the visa the previous guy. I can say well if I look at Ashley Madison there are um, 34 different accounts there. Alright so then I can take those accounts and I can take them to email addresses and I can look at the email addresses. So I know that Ashley Madison the signup process is a bit weird. So someone could have signed them up. Uh there are 34 of them and actually you can take each one to transaction to start looking at how many of these people have paid money so that you can say well that’s probably a legitimate account. Alright but these are all state dot gov accounts so that’s one way that you’d do it, you just look at those profiles. I go in target those individuals. Um but not really that exciting. So, a way that’s way more exciting is to say well let me look at the foot printing stuff and say well if I know that you work at uh let’s say the CIA right. So that’s gonna be our example. I saw you work at the CIA then I can do a footprint of the organization and CIA didn’t register, well at least not at CIA dot gov. Um they didn’t register any accounts in that database. So now okay, I’m not going to find them. But what I do know is I know that I can foot print their organization really well. Kay so if I take uh the CIA uh, let’s do it from here. Take CIA dot gov um, I run the footprint on it. Kay that will then go and find all the different results for me so I can look at it. So the idea that I’m looking for here is I’m trying to find okay what network space do they have on the internet? Kay, Cause if I know what network space they have on the internet I can start looking at that. I realize I started this clock a little bit late. Okay, uh we’re gonna skip doing the actual foot print and I’m gonna open it so that we can get to the good stuff. Uh see I wanted to. Hey. 
Okay so here’s the CIA foot print you just have to trust me that it’s right. Um and if I look at it I’ve done like the networking side of things. I can find this. Why is this still running? I can find this uh particular netblock. Alright so this netblock is interesting to me because most of this stuff sits in it. So I’m gonna say okay, I’m gonna work with this netblock. Um and now I’ve got this netblock over here. The first thing I’m gonna do is just take it to IP addresses. Alright. Uh fairly, f- I mean there’s a chance it doesn’t actually do anything. Uh where’s to IP, uh there it is. Kay so that just says, found the IP address in netblock pulled them out individually so I can work with it. Alright so one of the first things that I generally do is when we do this, is I footprinted the organization. I find CIA uses this netblock. Um then I run a transform that says to Wikipedia page edits. And the reason I wanna do that is if you look at a Wikipedia page um, you can see edits and edits by the history right? So if you don’t have an account if you have an account you will say uh here’s your username. If you don’t have an account it gives you the IP address. So what I can do is I can foot print an organization, figure out the network space, take it to all the IP addresses and then say from these IP addresses show me any places that they’ve been on the internet. That’s if I find out in Wikipedia which hopefully will happen very soon. Um, then I can say okay I know they edited those. So I actually get some a whole bunch of context. So I get firstly that I know they uh edited pages so I know info-information about the people. Right? Someone edits it like, how to stuff teddy bears? Then I know if I’m going to do a phishing attack ya know stuffing of teddy bears will be a good topic. Um, so I can see all of these if I need it validated I can just see where the pages are. 
So if I take uh, intelligence you’ll see that here these are all the a pages that they’ve edited that, with the word intelligence, right so if I take uh let’s look at central intelligence. Uh, then I can see what they edited. So here’s the difference, they um, they removed the text that said the agency has embassy in every state in the union and every nation in the world. So someone at the CIA removed that from there. Kay but more importantly uh instead of just these uh. While I’ve got these, IP addresses and I can see stuff they edit I know that these are probably their exit nodes. Alright they’ve got a huge network. All the network funnels through these points um and there I can say, hey these particular nodes are mostly likely their exit nodes. So now what I can do is I can say, well if I look through all the breach data I can say well I don’t care that they didn’t register from a so this is CIA, I don’t care that they registered, that they didn’t register from CIA. But show me anyone who has an account that came from one of these IP addresses. Cause I know if they’re browsing the internet they’re probably going uh through these, uh accounts. So I’m gonna take it to the Ashley Madison one. Uh and Ashley Madison is obviously just an example. There’s a lot more. Okay so there’s the account. So here I can see that’s the account number. And I can take that to email address and now I’m gonna have to zoom in very quickly. Kay, uh there we go. So you can see that that is at Gmail. So I don’t want to put the address on the, on the screen or whatever. >>Aww >>You [laughter] so you can go and look it up it’s in the database anyway. Um hopefully figure out how to do it. So that’s really interesting for us to be able to say okay I can find the exit nodes, I can find people who work at those organizations and their accounts. Um and this is the example that we just ran through right. 
So get the networking, find the exit nodes so I can see the wiki pages that they edited so I know those are likely exit nodes. Uh then I find the profile. So if this is also blurred out, um and actually then we’ll say okay let’s validate the profile. Let’s look it up elsewhere on the internet and you see something like we found the CV so same email address. Says he worked at the CIA. Uh, November 20 11, it’s currently. Um and then of course we found like some worse stuff. So like there’s a GitHub account and on the GitHub account he has like credentials for Gmail. Uh including his email address so someone could log into it. Um, and actually that’s probably too much information. Like if we’re looking at it, we’ll say that profile seems too easy. Like to find that much information about a person is really unlikely including passwords and things. So it could possibly be a honey pot for um, them because they know that that data is in there. I mean we can’t say for sure but obviously there’s a lot more than just that one person um that you could use. Alright then uh I think I still have like a few minutes. Um then the other thing is that we have some friends at uh SocialLinks and we told them about this idea. And they said, hey they’ve got tons of breaches, well they can find it and they can get us these uh you know they can get us other information ‘bout this. So instead of saying we just looked at Ashley Madison, they said well they’ve got 100 of them, let’s go and use those. And when you do that I’m just going to show you the graph at the bottom here. You’ll see that here’s all the different uh accounts and obviously those are people who don’t register from their work account so then I can say well I can target these individuals outside of when they’re at the CIA right? Cause at the CIA they probably have decent security and stuff but who knows what it’s like at home um or other things that I can, I can find. 
Uh then you can also take the email addresses look at the header and if you apply it to the network blackout can see where the SMTP relays are. So then I know hey, this is the right uh, I’m just using it to validate the footprint. I can say all of these or this one IP address has uh leaked information so if I take um these IP addresses. So from the netblock that we found originally and it’s just gonna search all emails that were like in leaks, like HB Go here and stuff um so that you can get uh that sort of stuff out. Um, and one of them does have that in. So I’ll show you now. Um, so then how much time is left? 5, okay. So then the last section that I wanna cover while it’s running is that let’s say that we wanted to tie into more individuals. So here we said, okay we found ICS devices based on location or country, something that I was looking for. Then we found individuals based on their network footprint and how they access the internet. Um and then what we can do is we can say well, actually for ICS devices let’s say that I can’t get an implant in there right? Let’s say that I can’t run my exploit I need someone to physically go and do it. So what I can do is say well actually I can try and find people who work there. Okay and if I can’t find it in the organization like a lot of the places are very sensitive about that’s out there. Um I can try with the, the 1 method that I used now for the CIA or I can do something like this. Twitter has this great function that’s called Geo/search. Right. Which means what I can do is I can put in GPS coordinates and I can say, show me anyone that’s made a tweet around here. And if I can get that out I can then start profiling that person, right. So I can see hey, ya know what do they say around here. Um, so I can use the same method that I did for the ICS devices. I can say okay I find interesting locations. Like I find all power plants, uh actually let’s do it quickly. So say start with a phrase. 
Power, oh, I’m gonna stop this quickly. Kay start with power. I find um, all the feature codes. So you know what matches power? I say all power stations, uh I’ll pick, okay I’m just gonna pick Poland again. Alright I find GPS coordinates for every power station that they know about in Poland. And then I can say from here, take it to um, uh take it to, people who have tweeted around these. Alright. Uh so what is that? 2 tweets from the GPS. Kay now I can give it like a 1 kilometer radius. Um and then I’m looking for any individuals that have been there. They’ve tweeted from the parking lot you know going home, whatever excited for beer. Um, and then I can say okay well now I can profile these people. Alright so here, see our latest, something job. Click. Um, and I can look at, it came from this particular IP address and I can then say, uh where was that, where was that actually physically uh found. And then I can look it up and say okay this is close enough to the power station that I can assume that this is uh, where this person uh works. Alright. So, I’m just picking a random one. I don’t know how well it will work. Um, but there should be a power station around here. And then I can see hey, this is the individual marker where they tweeted from. So if I start tracking that person I’ll see okay maybe these things are from work. Or maybe there’s stuff uh at home. Okay so just to do the conclusions. Um, if you’re looking for ICS devices in the internet they’re really, really difficult to attribute. Okay so you can’t, like no one puts in this is where it is, this is the plant, anything like that. Um, they’re usually not on the corporate networks unless they are not visible to the internet. It could all be firewalled off. Obviously then I can’t see it so I don’t know, uh but find. They’re a lot easier to find on GPS. 
Even if it’s more of a manual process for an individual target and if you’re looking at doing it on a large sector like, ya know targeting the harbor or a particular power plant. Then you need to know that you’re gonna accept collateral damage right. That geo to IP stuff is not as accurate as you’d want it to be. Um so you might end up being like okay I target all the things around it. Then if you look at the breach data it gives us a lot of information on the people and the organizations. So first I find exit nodes. I can validate those. That, that’s where they come from, from an organization. Um so as a pen tester you would maybe target those because you know that. But internal and external access. Um then you also find the private email addresses. Right so I can say, hey cool I can go from someone who works at a particular target, find a network space, find accounts they’re registered with and say cool now I’ve got their Gmail or whatever. I can look it up on Facebook or whatever else. Um and then have the ability to uh go and target those individuals uh privately outside of their organization. Okay, uh so thanks for coming to the talk. Uh if anyone has questions I think I have to meet in the corridor, um I’m Andrew Mohawk on Twitter or Andrew at Paterva dot com, cool. [Applause] Thanks.