June 20

Workshop takeaways: OSINT for Cyber Defenders


My key takeaways

  • Always do OSINT with the assumption in mind that the software you are using is compromised
  • Sock puppet accounts
    • do not use real images (e.g. from Google Image Search), as this might be considered identity theft in some countries
    • make the email account information match your sock puppet
    • use LastPass to store information about sites or accounts for your sock puppet
  • proxychains lists proxies as type, host and port separated by spaces instead of host:port
    • on Kali the config is at /etc/proxychains4.conf
    • activate random_chain in that config
    • the IPs you get from RSocks are the same, but with different ports; the exit IP is changed on the RSocks side depending on the port
  • dig <domain> +short will return only the IP. Useful if piped into other commands
    • works with other dig parameters as well
    • dig <domain> -t all +short | tee <domain>_info.txt seems a useful command for basic information
  • arin.net can provide interesting information about US companies
  • Domaintools.com may sometimes give hidden whois information
    • historical information might be interesting as well
  • free information sources are often good, but most of the time they will not be on par with paid information sources
  • dnsrecon -d <domain> -t brt will try to brute-force DNS records
    • dnsrecon -d <domain> -b = using Bing
    • dnsrecon -d <domain> -y = using Yandex
    • both can be combined in one run
  • Recon-ng comes with no modules pre-installed
    • use marketplace search to list available modules
    • use marketplace install <module path> or marketplace install all to install
    • keys list will list your API keys
      • keys add <apiname> <key> to add a key
  • DNSTwist is useful to find typosquatting domains
    • typosquatting domains might not only be used to phish your coworkers but also your customers
  • You can OR keywords in Google dorks with a pipe, like keyw1|keyw2|keyw3
  • if a bad actor knows what he is searching for, he often doesn't need expensive or special tools
  • Maltego creates great visual representations of information and also creates great reports out of the box.
    • Also, a lot of what is possible with separate tools can be done with Maltego in one GUI
    • Some tools in the Maltego Marketplace are free, some bring-your-own-key, some paid
    • Also access to tools like CrowdStrike that might not be available as often in other tools
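A stripped-down version of what DNSTwist does, as an added example (not DNSTwist's own code, and with far fewer permutation families than the real tool): generate lookalikes of a domain you defend, then check which of them show up in a constructed list of hostnames seen in your own logs. The homoglyph table is constructed for the example.

```python
import string

# Added illustration of the idea behind DNSTwist (not DNSTwist's own code):
# generate lookalike domains for a brand you defend, then match them against
# domain names seen in your own logs. Only a small subset of DNSTwist's
# permutation families is implemented; the homoglyph table is constructed.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def permutations(domain):
    """Return {family: set of candidate domains} for the first label of `domain`."""
    label, _, tld = domain.lower().partition(".")
    out = {k: set() for k in ("omission", "repetition", "homoglyph",
                              "transposition", "addition")}
    for i, ch in enumerate(label):
        out["omission"].add(label[:i] + label[i + 1:])          # drop one char
        out["repetition"].add(label[:i] + ch + label[i:])       # double one char
        if ch in HOMOGLYPHS:                                    # swap for lookalike
            out["homoglyph"].add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        if i + 1 < len(label) and ch != label[i + 1]:           # swap neighbours
            out["transposition"].add(label[:i] + label[i + 1] + ch + label[i + 2:])
    for extra in string.ascii_lowercase + string.digits:        # append one char
        out["addition"].add(label + extra)
    # Re-attach the TLD and drop the empty string and the brand itself.
    return {k: {f"{v}.{tld}" for v in vals if v and v != label}
            for k, vals in out.items()}


def all_candidates(domain):
    """Flat, sorted list of every candidate across all families."""
    return sorted(set().union(*permutations(domain).values()))


def matches(domain, observed):
    """Observed hostnames (e.g. from proxy or mail logs) that are lookalikes of `domain`."""
    return sorted(set(observed) & set(all_candidates(domain)))


if __name__ == "__main__":
    # Constructed sample: hostnames pulled from a day's worth of proxy logs.
    seen = ["example.com", "exampel.com", "examp1e.com", "cdn.vendor.net"]
    for family, cands in permutations("example.com").items():
        print(f"{family:>13}: {len(cands)} candidates")
    print("lookalikes seen:", matches("example.com", seen))
```

Feeding the candidate list into a daily DNS lookup (which DNSTwist does for you) shows which lookalikes are actually registered, which is the part worth alerting on.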

Tags

BSides, OSINT, red teaming, workshop

