Hunting Cyber Criminals - A Hacker's Guide to Online Intelligence Gathering Tools and Techniques

Authors
Publisher John Wiley & Sons Inc
Publication date 19/03/2020
Number of pages 544
Format paperback
Level For professionals, specialists and academic researchers
Language English
ISBN 9781119540922
Categories Computer fraud & hacking
177.45 PLN (incl. VAT)
$39.92 / €38.05 / £33.03 /
Product available to order
Delivery 3-4 weeks

Book description

Collecting, verifying and correlating information from different types of systems is an essential skill when tracking down hackers. This book explores Open Source Intelligence Gathering (OSINT) inside out from multiple perspectives, including those of hackers and seasoned intelligence experts. OSINT refers to the techniques and tools required to harvest publicly available data concerning a person or an organization. With several years of experience of tracking hackers with OSINT, the author whips up a classical plot-line involving a hunt for a threat actor. While taking the audience through the thrilling investigative drama, the author immerses them in in-depth knowledge of state-of-the-art OSINT tools and techniques. Technical users will want a basic understanding of the Linux command line in order to follow the examples, but a person with no Linux or programming experience can still gain a lot from this book through the commentaries.

This book's unique digital investigation proposition is a combination of story-telling, tutorials, and case studies. The book explores digital investigation from multiple angles:

Through the eyes of the author, who has several years of experience in the subject.

Through the mind of the hacker, who collects massive amounts of data from multiple online sources to identify targets as well as ways to hit the targets.

Through the eyes of industry leaders.


This book is ideal for:

Investigation professionals, forensic analysts, and CISO/CIO and other executives wanting to understand the mindset of a hacker and how seemingly harmless information can be used to target their organization.

Security analysts, forensic investigators, and SOC teams looking for new approaches on digital investigations from the perspective of collecting and parsing publicly available information.

CISOs and defense teams will find this book useful because it takes the perspective of infiltrating an organization from the mindset of a hacker. The commentary provided by outside experts will also provide them with ideas to further protect their organization's data.

Table of contents

Prologue xxv

Chapter 1 Getting Started 1
Why This Book is Different 2
What You Will and Won't Find in This Book 2
Getting to Know Your Fellow Experts 3
A Note on Cryptocurrencies 4
What You Need to Know 4
Paid Tools and Historical Data 5
What about Maltego? 5
Prerequisites 5
Know How to Use and Configure Linux 5
Get Your API Keys in Order 6
Important Resources 6
OSINT Framework 6
OSINT.link 6
IntelTechniques 7
Termbin 8
Hunchly 9
Wordlists and Generators 9
SecLists 9
Cewl 10
Crunch 10
Proxies 10
Storm Proxies (Auto-Rotating) 10
Cryptocurrencies 101 11
How Do Cryptocurrencies Work? 12
Blockchain Explorers 13
Following the Money 15
Identifying Exchanges and Traders 17
Summary 18

Chapter 2 Investigations and Threat Actors 19
The Path of an Investigator 19
Go Big or Go Home 20
The Breach That Never Happened 21
What Would You Do? 22
Moral Gray Areas 24
Different Investigative Paths 25
Investigating Cyber Criminals 26
The Beginning of the Hunt (for TDO) 27
The Dark Overlord 27
List of Victims 28
A Brief Overview 29
Communication Style 30
Group Structure and Members 30
Cyper 31
Arnie 32
Cr00k (Ping) 35
NSA (Peace of Mind) 36
The Dark Overlord 38
Summary 41

Part I Network Exploration 43

Chapter 3 Manual Network Exploration 45
Chapter Targets: Pepsi.com and Cyper.org 46
Asset Discovery 46
ARIN Search 47
Search Engine Dorks 48
DNSDumpster 49
Hacker Target 52
Shodan 53
Censys (Subdomain Finder) 56
Censys Subdomain Finder 56
Fierce 57
Sublist3r 58
Enumall 59
Results 60
Phishing Domains and Typosquatting 61
Summary 64

Chapter 4 Looking for Network Activity (Advanced NMAP Techniques) 67
Getting Started 67
Preparing a List of Active Hosts 68
Full Port Scans Using Different Scan Types 68
TCP Window Scan 70
Working against Firewalls and IDS 70
Using Reason Response 71
Identifying Live Servers 71
Firewall Evasion 73
Distributed Scanning with Proxies and TOR 73
Fragmented Packets/MTU 74
Service Detection Trick 74
Low and Slow 76
Bad Checksums, Decoy, and Random Data 76
Firewalking 79
Comparing Results 79
Styling NMAP Reports 81
Summary 82

Chapter 5 Automated Tools for Network Discovery 83
SpiderFoot 84
SpiderFoot HX (Premium) 91
Intrigue.io 95
Entities Tab 96
Analyzing uberpeople.net 99
Analyzing the Results 104
Exporting Your Results 105
Recon-NG 107
Searching for Modules 111
Using Modules 111
Looking for Ports with Shodan 115
Summary 116

Part II Web Exploration 119

Chapter 6 Website Information Gathering 121
BuiltWith 121
Finding Common Sites Using Google Analytics Tracker 123
IP History and Related Sites 124
Webapp Information Gatherer (WIG) 124
CMSMap 129
Running a Single Site Scan 130
Scanning Multiple Sites in Batch Mode 130
Detecting Vulnerabilities 131
WPScan 132
Dealing with WAFs/WordPress Not Detected 136
Summary 141

Chapter 7 Directory Hunting 143
Dirhunt 143
Wfuzz 146
Photon 149
Crawling a Website 151
Intrigue.io 152
Summary 157

Chapter 8 Search Engine Dorks 159
Essential Search Dorks 160
The Minus Sign 160
Using Quotes 160
The site: Operator 161
The intitle: Operator 161
The allintitle: Operator 162
The filetype: Operator 162
The inurl: Operator 163
The cache: Operator 165
The allinurl: Operator 165
The filename: Operator 165
The intext: Operator 165
The Power of the Dork 166
Don't Forget about Bing and Yahoo! 169
Automated Dorking Tools 169
Inurlbr 169
Using Inurlbr 171
Summary 173

Chapter 9 WHOIS 175
WHOIS 175
Uses for WHOIS Data 176
Historical WHOIS 177
Searching for Similar Domains 177
Namedroppers.com 177
Searching for Multiple Keywords 179
Advanced Searches 181
Looking for Threat Actors 182
Whoisology 183
Advanced Domain Searching 187
Worth the Money? Absolutely 188
DomainTools 188
Domain Search 188
Bulk WHOIS 189
Reverse IP Lookup 189
WHOIS Records on Steroids 190
WHOIS History 192
The Power of Screenshots 193
Digging into WHOIS History 193
Looking for Changes in Ownership 194
Reverse WHOIS 196
Cross-Checking All Information 197
Summary 199

Chapter 10 Certificate Transparency and Internet Archives 201
Certificate Transparency 201
What Does Any of This Have to Do with Digital Investigations? 202
Scouting with CTFR 202
Crt.sh 204
CT in Action: Side-stepping Cloudflare 204
Testing More Targets 208
CloudFlair (Script) and Censys 209
How Does It Work? 210
Wayback Machine and Search Engine Archives 211
Search Engine Caches 212
CachedView.com 214
Wayback Machine Scraper 214
Enum Wayback 215
Scraping Wayback with Photon 216
Archive.org Site Search URLs 217
Wayback Site Digest: A List of Every Site URL Cached by Wayback 219
Summary 220

Chapter 11 Iris by DomainTools 221
The Basics of Iris 221
Guided Pivots 223
Configuring Your Settings 223
Historical Search Setting 224
Pivootttt!!! 225
Pivoting on SSL Certificate Hashes 227
Keeping Notes 228
WHOIS History 230
Screenshot History 232
Hosting History 232
Bringing It All Together 234
A Major Find 240
Summary 241

Part III Digging for Gold 243

Chapter 12 Document Metadata 245
Exiftool 246
Metagoofil 248
Recon-NG Metadata Modules 250
Metacrawler 250
Interesting_Files Module 252
Pushpin Geolocation Modules 254
Intrigue.io 257
FOCA 261
Starting a Project 262
Extracting Metadata 263
Summary 266

Chapter 13 Interesting Places to Look 267
TheHarvester 268
Running a Scan 269
Paste Sites 273
Psbdmp.ws 273
Forums 274
Investigating Forum History (and TDO) 275
Following Breadcrumbs 276
Tracing Cyper's Identity 278
Code Repositories 280
SearchCode.com 281
Searching for Code 282
False Negatives 283
Gitrob 284
Git Commit Logs 287
Wiki Sites 288
Wikipedia 289
Summary 292

Chapter 14 Publicly Accessible Data Storage 293
The Exactis Leak and Shodan 294
Data Attribution 295
Shodan's Command-Line Options 296
Querying Historical Data 296
CloudStorageFinder 298
Amazon S3 299
Digital Ocean Spaces 300
NoSQL Databases 301
MongoDB 302
Robot 3T 302
Mongo Command-Line Tools 305
Elasticsearch 308
Querying Elasticsearch 308
Dumping Elasticsearch Data 311
NoScrape 311
MongoDB 313
Elasticsearch 314
Scan 314
Search 315
Dump 317
MatchDump 317
Cassandra 318
Amazon S3 320
Using Your Own S3 Credentials 320
Summary 321

Part IV People Hunting 323

Chapter 15 Researching People, Images, and Locations 325
PIPL 326
Searching for People 327
Public Records and Background Checks 330
Ancestry.com 331
Threat Actors Have Dads, Too 332
Criminal Record Searches 332
Image Searching 333
Google Images 334
Searching for Gold 335
Following the Trail 335
TinEye 336
EagleEye 340
Searching for Images 340
Cree.py and Geolocation 343
Getting Started 343
IP Address Tracking 346
Summary 347

Chapter 16 Searching Social Media 349
OSINT.rest 350
Another Test Subject 355
Twitter 357
SocialLinks: For Maltego Users 358
Skiptracer 361
Running a Search 361
Searching for an Email Address 361
Searching for a Phone Number 364
Searching Usernames 366
One More Username Search 368
Userrecon 370
Reddit Investigator 372
A Critical "Peace" of the TDO Investigation 374
Summary 375

Chapter 17 Profile Tracking and Password Reset Clues 377
Where to Start (with TDO)? 377
Building a Profile Matrix 378
Starting a Search with Forums 379
Ban Lists 381
Social Engineering 381
SE'ing Threat Actors: The "Argon" Story 383
Everyone Gets SE'd-a Lesson Learned 387
The End of TDO and the KickAss Forum 388
Using Password Reset Clues 390
Starting Your Verification Sheet 391
Gmail 391
Facebook 393
PayPal 394
Twitter 397
Microsoft 399
Instagram 400
Using jQuery Website Responses 400
ICQ 403
Summary 405

Chapter 18 Passwords, Dumps, and Data Viper 407
Using Passwords 408
Completing F3ttywap's Profile Matrix 409
An Important Wrong Turn 412
Acquiring Your Data 413
Data Quality and Collections 1-5 413
Always Manually Verify the Data 415
Where to Find Quality Data 420
Data Viper 420
Forums: The Missing Link 421
Identifying the Real "Cr00k" 422
Tracking Cr00k's Forum Movements 423
Timeline Analysis 423
The Eureka Moment 427
Vanity over OPSEC, Every Time 429
Why This Connection is Significant 429
Starting Small: Data Viper 1.0 430
Summary 431

Chapter 19 Interacting with Threat Actors 433
Drawing Them Out of the Shadows 433
Who is WhitePacket? 434
The Bev Robb Connection 435
Stradinatras 436
Obfuscation and TDO 437
Who is Bill? 439
So Who Exactly is Bill? 440
YoungBugsThug 440
How Did I Know It Was Chris? 441
A Connection to Mirai Botnet? 442
Why Was This Discovery So Earth-Shattering? 444
Question Everything! 445
Establishing a Flow of Information 446
Leveraging Hacker Drama 447
Was Any of That Real? 448
Looking for Other Clues 449
Bringing It Back to TDO 450
Resolving One Final Question 451
Withdrawing Bitcoin 451
Summary 452

Chapter 20 Cutting through the Disinformation of a 10-Million-Dollar Hack 453
GnosticPlayers 454
Sites Hacked by GnosticPlayers 456
Gnostic's Hacking Techniques 457
GnosticPlayers' Posts 459
GnosticPlayers2 Emerges 461
A Mysterious Third Member 462
NSFW/Photon 463
The Gloves Come Off 464
Making Contact 465
Gabriel/Bildstein aka Kuroi'sh 465
Contacting His Friends 467
Weeding through Disinformation 468
Verifying with Wayback 468
Bringing It All Together 469
Data Viper 469
Trust but Verify 472
Domain Tools' Iris 474
Verifying with a Second Data Source 475
The End of the Line 476
What Really Happened? 476
Outofreach 476
Kuroi'sh Magically Appears 477
What I Learned from Watching Lost 477
Who Hacked GateHub? 478
Unraveling the Lie 479
Was Gabriel Involved? My Theory 479
Gabriel is Nclay: An Alternate Theory 479
All roads lead back to NSFW 480
Summary 481

Epilogue 483
Index 487