Wednesday, December 27, 2017

Robert Cialdini - The Power Of Persuasion

1) Reciprocation - the good old give and take!

If you give to someone, that someone now owes you a favor!
In the context of Obligation, people say YES!

You act first, when you want to influence somebody!
The people that give, also receive! Accept in return, because you have given!

You should say:
"Oh, I know, listen, if the situation was ever reversed, you would do the same for me!"

And you can wait a long time, before you can call in for a favor!

'Reciprocation of Concessions'

"Well, if you can't do that..." is said after a higher, more expensive offer was made. At that point you make a less expensive offer, the one you wanted all along.

- the change is in what goes first, which offer! Always start with the larger request (if they accept it, you got what you wanted, with the icing on the cake), then retreat to the lesser offer.
- there's an ethical issue here, but it's the way things work!
- this technique will increase the likelihood that they will say YES to you!
- make sure you don't miss the moment!
- in the context of concessions, people want to reply positively!


2) The principle of scarcity:
(people want more of what they can't have)

- in the context of scarcity, people want what they can't have!

Scarcity of Commodities

- when you present an idea or service, you need to explain to people what it is about it that they can't get anywhere else!
- it's not just about explaining the benefits, but also explaining what they stand to lose if they don't act!
- it works in the same way, for information also, and not just products or services
- Look up: Exclusivity of Information!

3) Authority (if an expert says it, it must be true)

- you must tell people about your experience and background (establish your trustworthiness), before you try to influence them


4) The principle of Consistency:
- people are more likely to say YES to a request if it is consistent with what they have already said or done!

"Please call if you want to cancel your reservation!"

Commitment:
2 words:
'Will you' call, if you have to cancel the reservation?

People live up to what they write down!


5) The principle of Consensus:
- people look at what others are doing, to decide if they should do the same
- 'Operators are waiting. Please call NOW!'
- 'If operators are busy, please call again!'


6) The principle of Liking:

Liking flows from Positive Connections:
- similarities (people that are like us)
- compliments (people who 'do' like us)
- cooperative efforts (people that work with us, to achieve success)

Make a flash card and put it inside your wallet!

Friday, December 8, 2017

Shodan - notes

Here are the basic search filters you can use:

    city: find devices in a particular city
    country: find devices in a particular country
    geo: you can pass it coordinates
    hostname: find values that match the hostname
    net: search based on an IP or /x CIDR
    os: search based on operating system
    port: find particular ports that are open
    before/after: find results within a timeframe


Search Examples

[ NOTE: You can drop the quotes sometimes, on some queries, but you often need them. I recommend you just use them all the time, because that always works. ]

Find Apache servers in San Francisco:

apache city:"San Francisco"

Find Nginx servers in Germany:

nginx country:"DE"

Find GWS (Google Web Server) servers:

"Server: gws" hostname:"google"

Find Cisco devices on a particular subnet:

cisco net:"216.219.143.0/24"

So you basically have some sort of base search term you're looking for (apache, nginx, cisco in the examples above) and then you narrow down your search using the filters like we see above.
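Added example (not from these notes or from Shodan): a small parser for query strings in the form shown above, base terms plus filter:value pairs, using the filter names from the list at the top. It keeps quoted values intact, validates net: as an IP or /x CIDR, and rejects unknown filter names so a typo like contry:DE does not silently turn into a base search term.

```python
import ipaddress
import re

# Filter names from the notes above (before/after take a date value).
KNOWN_FILTERS = {"city", "country", "geo", "hostname", "net", "os", "port", "before", "after"}

# One token: an optional name:, then either a "quoted value" or a bare word.
TOKEN_RE = re.compile(r'(?:(?P<name>[A-Za-z_]+):)?(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_query(query):
    """Return (base_terms, filters) for a query string; raise ValueError on bad input."""
    terms, filters = [], {}
    for m in TOKEN_RE.finditer(query):
        name = m.group("name")
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        if name is None:
            terms.append(value)          # no 'name:' prefix -> part of the base search term
            continue
        name = name.lower()
        if name not in KNOWN_FILTERS:
            raise ValueError(f"unknown filter: {name}")
        if name == "net":
            # A single IP or a /x CIDR; ipaddress rejects bad prefix lengths and octets.
            ipaddress.ip_network(value, strict=False)
        elif name == "port" and not value.isdigit():
            raise ValueError(f"port must be numeric, got {value!r}")
        filters[name] = value
    return terms, filters
```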



User Access Verification

Username: administrator
Password:
Internet#sh run
Building configuration...

Current configuration : 2327 bytes
!
version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Internet
!
!
username admin privilege 15 password 7 <your password>
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
ip flow-cache timeout active 1
!
!
ip name-server <your NS>
!
!
!
!
interface FastEthernet0/0
 description :Connection to DMZ Switch
 ip address <Public-IP> <subnet mask>
 ip route-cache flow
 speed 100
 full-duplex
 no cdp enable
!
interface Serial0/0
 description :T1 Connection to Internet
 no ip address
 no ip redirects
 encapsulation frame-relay
 ip route-cache flow
!
interface Serial0/0.1 point-to-point
 ip address 192.168.254.6 255.255.255.252
 ip access-group 120 out
 traffic-shape group 103 384000 7936 7936 1000
 no cdp enable
 frame-relay interface-dlci 16
!
interface FastEthernet0/1
 no ip address
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.200.39 2055
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.254.5
no ip http server
ip pim bidir-enable
!
!
access-list 103 permit ip host <Public-IP> any
access-list 103 permit ip any host <Public-IP>
access-list 120 deny   udp any any eq netbios-ns
access-list 120 deny   udp any any eq netbios-dgm
access-list 120 deny   udp any any eq netbios-ss
access-list 120 deny   tcp any any eq 137
access-list 120 deny   tcp any any eq 138
access-list 120 deny   tcp any any eq 139
access-list 120 deny   udp any any eq 445
access-list 120 deny   tcp any any eq 445
access-list 120 permit ip any any
access-list 120 permit esp any any
access-list 120 permit ahp any any
access-list 120 permit tcp any any
access-list 120 permit udp any any
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq pop3
no cdp run
snmp-server community public RO
snmp-server contact <the name> - Phone number?
snmp-server chassis-id cisco-2600
snmp-server host <Public-IP> public
!
line con 0
 logging synchronous
 login local
line aux 0
 login local
line vty 0 4
 logging synchronous
 login local
!
ntp clock-period 17179877
!
end

GM_Internet#
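Added example, not part of the notes: a small audit of an IOS-style running-config for the weak settings visible in the dump above (a type 7 "password" that is reversible rather than hashed, the default SNMP community, an ACL whose later entries can never match because "permit ip any any" comes first, and a vty line that does not restrict itself to SSH). The CONFIG text is a constructed excerpt in the same format, not a real device.

```python
import re

# Constructed excerpt in the same format as the dump above (not a real device).
CONFIG = """\
service password-encryption
username admin privilege 15 password 7 <your password>
access-list 120 deny   udp any any eq netbios-ns
access-list 120 permit ip any any
access-list 120 permit tcp any any eq smtp
no ip http server
snmp-server community public RO
line vty 0 4
 login local
"""


def audit_ios_config(text):
    """Return a list of findings for an IOS-style running-config."""
    findings = []
    acl_catchall = set()   # ACL numbers that already contain 'permit/deny ip any any'
    section = None         # current top-level 'line ...' block, if any
    vty_ssh = {}           # vty block -> True once 'transport input ssh' is seen
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # top-level command, not inside a block
            section = line if line.startswith("line ") else None
            if section and section.startswith("line vty"):
                vty_ssh.setdefault(section, False)
        # Type 7 is a reversible obfuscation, not a hash; 'secret' should be used instead.
        if re.search(r"\bpassword 7 \S+", line):
            findings.append(f"type 7 reversible password: {line.strip()}")
        m = re.match(r"snmp-server community (\S+) (RO|RW)", line)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(f"default SNMP community '{m.group(1)}' ({m.group(2)})")
        if line.startswith("ip http server"):
            findings.append("HTTP management interface enabled")
        # First match wins in an ACL, so entries after 'permit/deny ip any any' never fire.
        m = re.match(r"access-list (\d+) (permit|deny)\s+(\S+) any any(.*)", line)
        if m:
            if m.group(1) in acl_catchall:
                findings.append(f"unreachable ACL entry: {line}")
            elif m.group(3) == "ip" and not m.group(4).strip():
                acl_catchall.add(m.group(1))
        if section in vty_ssh and line.strip() == "transport input ssh":
            vty_ssh[section] = True
    for vty, ssh_only in vty_ssh.items():
        if not ssh_only:
            findings.append(f"{vty}: no 'transport input ssh', telnet may be accepted")
    return findings
```

Run against the full dump above it would also flag the esp, ahp, tcp, udp, pop3 entries of access-list 120 as unreachable, since they all follow "permit ip any any".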

New School Information Gathering - Chris Gates - personal notes

Agenda:
New School?
OSINT (open source intelligence gathering)
FierceDNS
SEAT/Goolag
Google Mail Harvesters
Metagoofil
Online Tools (serversniff/domain tools/centralops/clez.net/robtex/spoke)
Maltego

Example:
baytsp.com

WTF is baytsp.com?
How many web servers?
How many mail servers?
How many name servers?
IP range/netblocks?
Location(s)?
Usernames, phone numbers, email addresses?

New School?
New School is just a "new" way of looking at Information Gathering: less just discovering network blocks with whois, and more taking a "full spectrum" look at your target.
 
• OSINT, Open Source Intelligence:
– Out on the net for everyone to find, if you know what to look for
– Domain Names
– Files containing useful information
– Email addresses
– Website Source
 
OSINT
• Generally no direct contact with victim’s servers OR no non-standard traffic directed toward victim
• End Result?
 
Organization's net blocks, external servers IPs and domain names, internal IP ranges, emails to send phishing attacks to, phone numbers to call, trust relationships with other
organizations, & other relevant information for your audit and hopefully identifying exploitable flaws in the target’s network.
 
Isn't that what Google is for?
• Yeah kinda, Google-fu is important but we’re not going to talk much about Google hacking, go read the book.

BayTSP is an innovator in digital copyright, image, trademark, music and text protection. Located in the heart of Silicon Valley, BayTSP offers a revolutionary way for digital content owners to track down their valuable online property, in order to effectively deter its theft and misuse.
 
OSINT: Information Gathering and Domain Name Search:
- whois info, NS and AS reports
- search using target domain name and subdomain
- who's handling mail, DNS, net blocks, web hosting, etc
 
OSINT: Information Gathering and Key Words:
- use that google-fu
- password
- login
- target specific keywords
- database/secret/yak yak
- google dorks
- use SEAT/Goolag to audit a specific domain

OSINT: Information Gathering and File Search:
We're looking for: 
- network diagrams (.vsd, .jpg, .gif)
- databases (.mdb)
- papers and documents (.doc, .pdf, .sdw)
- spreadsheets (.xls, .ods, .sdc)
- configuration files (.txt, .rtf)
Thanks metagoofil!

OSINT: Information Gathering and email addresses
  • Information Gathering and email addresses (email harvesting scripts and frameworks)
  • Information Gathering and Cached Data/Links (archive.org, waybackmachine, google)
  • Information Gathering and Source Code (spider the site, look at HTML source and comments, file paths, file names, scripts used on the site)
 
FierceDNS
- meant specifically to locate likely targets both inside and outside a corporate network
- tries your standard DNS tricks but also does some bruteforcing of domain names and tries to throw some intelligence into the searches
- bruteforce only as good as your wordlist
 
 
SEAT (Search Engine Assessment Tool)
"SEAT uses information stored in search engine databases, cache repositories, and other public resources to scan a site for potential vulnerabilities. Its multi-threaded, multi-database, and multi-search-engine capabilities permit easy navigation through vast amounts of information with a goal of system security assessment."
 
 Google Mail Harvesters
• Goog-mail.py
• theHarvester.py
• There are plenty others
• Consider changing the regex to search for different @ variations: [at] <at> (at)
 
 Metagoofil
  • Meta-what???  
  • MetaGoofil - Metadata analyzer, information gathering tool. 
  • Created by Christian Martorella of Edge Security. 
  • http://www.edge-security.com/metagoofil.php 
  • "Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, odp, ods) available in the target/victim websites."
  • "It will generate a html page with the results of the metadata extracted, plus a list of potential usernames and path disclosure, can be useful for preparing a bruteforce attack on open services like ftp, pop3, web applications, vpn, etc."
 
 Why Metadata?
• Metadata can:
• Reveal the creator of a document, and even a possible network username or derive naming convention.
• Reveal the application that created the document.
• Reveal the version of the software that created the document.
• Reveal creation date. Document was created recently with vulnerable version.
• We now have possible usernames, applications used by those individuals and the software versions. Now we can deliver a directed client side attack for something installed in the enterprise.
• Also try running your word documents through The Revisionist by Michal Zalewski
http://lcamtuf.coredump.cx/strikeout/
• The Revisionist can pull out deleted comments and text if the "track changes" had been used and dump the document with deleted text to an HTML file.

ServerSniff.net
 http://serversniff.net/
 NS/MX Reports
 AS Reports
 Subdomains
 TLDs
 Hostnames on an IP
 Domains on webserver
 Web Tools
 HTML Comments
 HTML Code
 SSL Certificate Info
 Links within page
 Web Server Headers

http://www.domaintools.com/

 Hosting history: Track previous web hosts and hosting providers
 Domain history: viewing contact information before it was privatized
 Registrant Alert: Find new registrations by someone
 Registrant Search: Find all domains someone owns
 Links to Wikipedia references
 Best/Most tools on site are for pay :-(
 
http://centralops.net/co/
http://clez.net/net
• Query port and service scan information
• dns, ping, whois, ssl info, traceroutes
• email verification, open relay checking
 
http://www.robtex.com/
spoke.com
 Search for people locate their company
 Search for companies and retrieve names
 
 TouchGraph
• http://touchgraph.com
• "TouchGraph's powerful visualization solutions reveal relationships between people, organizations, and ideas."
• Visually show the big picture on how things are tied together using Google results.
 
 Maltego
 http://www.paterva.com/web2/Maltego/maltego.html
• By Roelof Temmingh from Paterva
• What is it?
• Maltego is a program that can be used to determine the relationships and real world links between:
– People
– Groups of people (social networks)
– Companies
– Organizations
– Web sites
– Internet infrastructure such as:
    • Domains
    • DNS names
    • Netblocks
    • IP addresses
– Phrases
– Affiliations
– Documents and files
• All using open source intelligence (OSINT)
 
• What else can Maltego do?
  • Technorati transforms, blog tags, search blogs for phrases
  • Incoming links, who links to your domain
  • Social network transforms; find a name, find their email, blog, phone number, etc
  • Print graphs on several pages
  • Can export the data into .csv, can save the maltego file and be opened by any other maltego instance
  • Save pieces of graphs as images
  • Can write your own transforms or stand up your own server.
  • ** version 2 is for pay but cheap $430 USD for first year 


 So What?
• Ok lots of information what did I get from all of it?
  – If you are allowed to send social engineered emails or do client side attacks, you have an initial target list of email addresses. Using email dossier/maltego I can verify working email addresses. I only need one person to open/click that email for my foothold.
  – Naming conventions, users and offices, phone numbers, relationships between organizations
  – Target organization's IP Space and footprint. VPN server's IP, Terminal/Citrix server IPs, firewall's IP, etc.
  – Software versions of software that is typically targeted in client side attacks (MS office)
  – Using Maltego we see the relationships between our site and other sites in addition to the above.
  – All gained without your typical definition of "scanning"