OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeek.com Adrian Crenshaw

Transcript of OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Page 1: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeek.com

Adrian Crenshaw

I run Irongeek.com

I have an interest in InfoSec education

I don't know everything - I'm just a geek with time on my hands

(ir)Regular on the ISDPodcast http://www.isd-podcast.com

Sometimes my presentations are like this

And sometimes my presentations are like this

Mile wide, 2.5 feet deep

Feel free to ask questions at any time

There will (hopefully) be many long breaks to play with the tools mentioned

I'll try not to drop anyone's docs but my own, but volunteers for "victims" will help

Other names and related concepts

OSInt (Open Source Intelligence)

Scoping

Footprinting

Discovery

Recon

Cyberstalking

DNS, Whois and Domain Tools

Finding general information about an organization via the web

Anti-social networks

Google Hacking

Metadata

Other odds and ends

For pen-testers and attackers:

Precursor to attack

Social engineering

Disgruntled employees

User names and passwords

Web vulnerabilities

Internal IT structure (software, servers, IP layout)

Spearphishing

For everyone else:

You want to keep attackers from finding this info and using it against you

All these techniques are legal as far as I know, but IANAL

Sorry if I "drop someone's docs" other than my own

Please don't misuse this information

Tons of fun tools to play with: http://www.backtrack-linux.org

Username: root / Password: toor

Many of the DNS tools are in /pentest/enumeration/dns

Who-do the voodoo that you do so well

Glue of the Internet

Think of it as a phone book of sorts

Maps names to IPs and IPs to names (and other odds and ends)

Organization information is also kept

69.163.177.249  www.irongeek.com

Host name to IP lookup: nslookup www.irongeek.com

Reverse lookup: nslookup 208.97.169.250

Just a few record types, cribbed from http://en.wikipedia.org/wiki/List_of_DNS_record_types

Code | Number | Defining RFC | Description | Function
A | 1 | RFC 1035 | address record | Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101, etc.
AAAA | 28 | RFC 3596 | IPv6 address record | Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host
MX | 15 | RFC 1035 | mail exchange record | Maps a domain name to a list of mail exchange servers for that domain
CNAME | 5 | RFC 1035 | Canonical name record | Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name
PTR | 12 | RFC 1035 | pointer record | Pointer to a canonical name. Unlike a CNAME, DNS processing does NOT proceed, just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD
AXFR | 252 | RFC 1035 | Full Zone Transfer | Transfer entire zone file from the master name server to secondary name servers

Zone transfers

Brute forcing from a dictionary

nmap -sL <some-IP-range>

dig irongeek.com any

dig @ns1.dreamhost.com irongeek.com any

C:\Documents and Settings\Adrian>nslookup
Default Server:  resolver1.opendns.com
Address:  208.67.222.222

> set type=ns
> irongeek.com
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
irongeek.com    nameserver = ns1.dreamhost.com
irongeek.com    nameserver = ns2.dreamhost.com
irongeek.com    nameserver = ns3.dreamhost.com

> server ns1.dreamhost.com
Default Server:  ns1.dreamhost.com
Address:  66.33.206.206

> ls irongeek.com
[ns1.dreamhost.com]
*** Can't list domain irongeek.com: Query refused
> exit

Domain Internet Groper: dig ugent.be ns

dig @ugdns1.ugent.be ugent.be axfr
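The nslookup session above ends with ns1.dreamhost.com refusing the ls request, which is the behaviour a correctly configured primary shows; the dig axfr command is the same zone-transfer request from another tool. The following Python script is an added example and not part of the original slides or of any tool they list: it reads a BIND named.conf and reports which primary zones would hand a full zone transfer to anyone, so the same check can be run against your own configuration. The configuration text is constructed for the example and its zone names and addresses are placeholders; allow-transfer and the options/zone block syntax are standard BIND 9 directives.

```python
import re

# Constructed sample named.conf (placeholder zone names and addresses).
# The global allow-transfer { any; } is the weak setting; "fixed.example"
# overrides it with an explicit list of secondaries, which is the corrected form.
SAMPLE_NAMED_CONF = r"""
options {
    directory "/var/named";
    allow-transfer { any; };   // weak: applies to every zone without its own ACL
};

zone "weak.example" IN {
    type master;
    file "weak.example.zone";
};

zone "fixed.example" IN {
    type master;
    file "fixed.example.zone";
    allow-transfer { 192.0.2.53; 2001:db8::53; };   // only our secondaries
};

zone "copy.example" IN {
    type slave;        /* secondaries are not audited here */
    masters { 192.0.2.1; };
};
"""


def _strip_comments(text: str) -> str:
    """Remove /* */, // and # comments so they cannot hide or fake directives."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _block_body(text: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")


def _allow_transfer(body: str):
    """Parse 'allow-transfer { a; b; };' inside a block; None if absent."""
    m = re.search(r"\ballow-transfer\s*\{([^}]*)\}", body)
    if m is None:
        return None
    return [entry.strip() for entry in m.group(1).split(";") if entry.strip()]


def audit_zone_transfers(named_conf: str) -> dict:
    """Map each primary zone to 'unrestricted' or 'restricted to <acl>'.

    A zone without its own allow-transfer inherits the options{} value; if
    neither exists we report unrestricted, the default of older BIND 9
    releases (assumption: confirm the default for your BIND version).
    """
    text = _strip_comments(named_conf)
    global_acl = None
    opt = re.search(r"\boptions\s*\{", text)
    if opt:
        global_acl = _allow_transfer(_block_body(text, opt.end() - 1))

    findings = {}
    for zm in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', text):
        body = _block_body(text, zm.end() - 1)
        if not re.search(r"\btype\s+(master|primary)\s*;", body):
            continue  # hint, slave/secondary, forward and stub zones hold no zone of their own to leak
        acl = _allow_transfer(body)
        effective = acl if acl is not None else global_acl
        if effective is None or "any" in effective:
            findings[zm.group(1)] = "unrestricted"
        else:
            findings[zm.group(1)] = "restricted to " + ", ".join(effective)
    return findings


if __name__ == "__main__":
    for zone, status in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: {status}")
```

A zone with no allow-transfer of its own inherits the options block; the script treats a missing setting everywhere as unrestricted, the default of older BIND 9 releases, which is an assumption to confirm against the version you run. The corrected form is the explicit list of secondaries shown for fixed.example, and the result for your own servers should match what the slide's nslookup got back: Query refused.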

Other tools in BackTrack: dnsrecon.py -d ugent.be -x

dnsenum.pl ugent.be

ServerSniff: http://serversniff.net/nsreport.php http://serversniff.net/content.php?do=subdomains

GUI Dig for Windows: http://nscan.org/dig.html

Fierce: http://ha.ckers.org/fierce/

fierce.pl -threads 100 -dns irongeek.com

fierce.pl -dns irongeek.com -wordlist dictionary.txt

nmap -sL <some-IP-range>

nmap -sL 192.0.32.1-10

Great for troubleshooting, bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Whois by proxy

apt-get install whois

whois example.com

whois 208.97.169.250

*nix command line

Nirsoft's http://www.nirsoft.net/utils/whois_this_domain.html

http://www.nirsoft.net/utils/ipnetinfo.html

Pretty much any network tools collection

RobTex: http://www.robtex.com

ServerSniff: http://www.serversniff.net

Windows (ICMP): tracert irongeek.com

*nix (UDP by default, change with -I or -T): traceroute irongeek.com

Just for fun: http://www.nabber.org/projects/geotrace/

So you have a job posting for an "Ethical Hacker", huh?

The organization's website (duh)

Corp Info: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Corporate

Wayback Machine: http://www.archive.org

Monster (and other job sites): http://www.monster.com

Zoominfo: http://www.zoominfo.com

Google Groups (news groups, Google Groups and forums): http://groups.google.com

Boards: http://boardreader.com http://omgili.com http://groups.google.com

LinkedIn: http://www.linkedin.com

It's all about how this links to that links to some other thing...

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy, but you can practice with names from dating sites

Remember what you learned from 4chan

Large list at http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking

Useful:

http://com.lullar.com

http://www.peekyou.com

http://www.checkusernames.com http://knowem.com

http://www.isearch.com

http://www.whitepages.com

Not quite related, but cool:

http://tineye.com

http://pipes.yahoo.com/pipes/

Crap: Most of them

General: http://youropenbook.org

Geolocation:

http://www.bing.com/maps

http://twittermap.appspot.com

http://www.fourwhere.com

http://icanstalku.com

http://ip2geolocation.com

Neighbors: http://www.whitepages.com/find_neighbors

Maltego: http://www.paterva.com/web5/

See differences: http://www.paterva.com/web5/client/difference.php

Covers a large cross section of what this class is about

George Bronk

Found info on women's Facebook profiles

Used the information to answer security questions at mail providers

Found nudes

Posted some, sent them to contact lists, asked for more

Should you have a profile?

What if you don't?

Impersonators

Robin Sage (by Thomas Ryan)

Get in people's friends list to probe their connections

More than just turning off safe search (though that's fun too)

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much more......

YOU HAVE TO USE YOUR IMAGINATION

Operator  Description

site:  Restrict results to only one domain or server

inurl:/allinurl:  All terms must appear in URL

intitle:/allintitle:  All terms must appear in title

cache:  Display Google's cache of a page

ext:/filetype:  Return files with a given extension/file type

info:  Convenient way to get to other information about a page

link:  Find pages that link to the given page

inanchor:  Page is linked to by someone using the term

http://www.googleguide.com/advanced_operators.html

Operator  Description

-  Inverse search operator (hide results)

~  Synonyms

[]..[]  Number range

*  Wildcard to put something between something when searching with "quotes"

+  Used to force stop words

OR  Boolean operator, must be uppercase

|  Same as OR

inurl:nph-proxy site:edu

intitle:index.of/etc

intitle:index.of site:irongeek.com

filetype:pptx site:irongeek.com

vnc desktop inurl:5800

adrian crenshaw -site:irongeek.com

SSN filetype:xls | filetype:xlsx

"dig axfr"

inurl:admin

inurl:indexFrame.shtml Axis

inurl:hp/device/this.LCDispatcher

"192.168." (but replace with your IP range)

195608_100002238375103_5292346_n.jpg

inurl:100002238375103

inurl:esterpent

inurl:ester1337

intitle:ester1337

inurl:user inurl:irongeek -site:irongeek.com

inurl:account "irongeek"

site:facebook.com inurl:group (ISSA | Information Systems Security Association)

site:linkedin.com inurl:company (NSA | National Security Agency)

Exploit DB Google Dorks: http://www.exploit-db.com/google-dorks/

Old School: http://www.hackersforcharity.org/ghdb/

Metagoofil: http://www.edge-security.com/metagoofil.php

The Harvester: theHarvester.py -d irongeek.com -l 100 -b google

Online Google Hacking Tool: http://www.secapps.com/a/ghdb

Spiderfoot: http://www.binarypool.com/spiderfoot/

Goolag: http://goolag.org

Gooscan: Should be on the BackTrack CD/VM

Wikto: http://www.sensepost.com/research/wikto/

SiteDigger: http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

BiLE: http://www.sensepost.com/research_misc.html

MSNPawn: http://www.net-square.com/msnpawn/index.shtml

JSON/Atom: http://code.google.com/apis/customsearch/v1/overview.html

Old: http://code.google.com/apis/websearch/

Really Old: SOAP

EvilAPI: http://evilapi.com (defunct)

Spud: http://www.sensepost.com/labs/tools/pentest/spud

I can Haz API keyz? https://github.com/search

Data about data

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of his church and "last modified by Dennis" in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are you just happy to see me?

Darkanaku/Nephew chan

A user on 4chan posts a pic of his semi-nude aunt taken with an iPhone. Anonymous pulls the EXIF GPS info from the file and hilarity ensues. More details can be found on the following VNSFW site:

http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan

http://web.archive.org/web/20090608214029/http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan

JPG: EXIF (Exchangeable image file format) / IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses, user names, edits, GPS info. It all depends on the file format
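JPG/EXIF is the format behind two of the cases on the previous slide: the embedded thumbnail and the GPS coordinates. Both live in the APP1 segment at the start of the file, so a defensive check before publishing an image is to look for a GPS sub-IFD and, if in doubt, drop the APP1 segment entirely. The following script is an added example that is not part of the original slides and does not use any tool they list; it builds a constructed JPEG skeleton (real marker structure, junk scan data, so no viewer will decode it) carrying a GPS IFD, then shows the detection and the stripping.

```python
import struct

GPS_IFD_POINTER = 0x8825        # IFD0 tag that points at the GPS sub-IFD
GPS_TAG_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
                 0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def build_sample_jpeg() -> bytes:
    """Constructed JPEG skeleton: SOI, APP1/Exif with a GPS IFD, DQT, SOS, EOI.

    Only the marker structure is real; the scan data is junk. Little-endian
    ("II") TIFF layout, all values short enough to sit inline in the entry.
    """
    E = "<"
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 2 * 12 + 4       # IFD0 holds two 12-byte entries
    ifd0 = struct.pack(E + "H", 2)
    ifd0 += struct.pack(E + "HHI", 0x010F, 2, 4) + b"Cam\x00"   # Make (ASCII, inline)
    ifd0 += struct.pack(E + "HHI", GPS_IFD_POINTER, 4, 1) + struct.pack(E + "I", gps_off)
    ifd0 += struct.pack(E + "I", 0)                              # no IFD1 (thumbnail)
    gps = struct.pack(E + "H", 2)
    gps += struct.pack(E + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"  # GPSLatitudeRef
    gps += struct.pack(E + "HHI", 0x0003, 2, 2) + b"W\x00\x00\x00"  # GPSLongitudeRef
    gps += struct.pack(E + "I", 0)
    tiff = b"II" + struct.pack(E + "H", 42) + struct.pack(E + "I", ifd0_off) + ifd0 + gps
    app1_payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    dqt = b"\xff\xdb" + struct.pack(">H", 4) + b"\x00\x01"
    sos = b"\xff\xda" + struct.pack(">H", 4) + b"\x01\x00"
    return b"\xff\xd8" + app1 + dqt + sos + b"\x12\x34" + b"\xff\xd9"


def iter_segments(jpeg: bytes):
    """Yield (marker, payload, start, end) for each segment up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                       # EOI before any scan
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        yield marker, jpeg[pos + 4:end], pos, end
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            break
        pos = end


def _read_ifd(tiff: bytes, endian: str, off: int) -> dict:
    """Parse one IFD into {tag: (type, count, raw 4-byte value field)}."""
    count = struct.unpack(endian + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(count):
        e = off + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def gps_tags(jpeg: bytes) -> list:
    """Names of the GPS tags present in the file's Exif block (empty if none)."""
    for marker, payload, _, _ in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
        ifd0 = _read_ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0])
        if GPS_IFD_POINTER not in ifd0:
            return []
        gps_off = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])[0]
        return [GPS_TAG_NAMES.get(t, "GPS tag 0x%04X" % t)
                for t in sorted(_read_ifd(tiff, endian, gps_off))]
    return []


def strip_exif(jpeg: bytes) -> bytes:
    """Copy the JPEG without its APP1/Exif segment(s); image data is untouched."""
    out = bytearray(jpeg[:2])
    for marker, payload, start, end in iter_segments(jpeg):
        if marker == 0xDA:
            out += jpeg[start:]                  # SOS and everything after it
            break
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            continue
        out += jpeg[start:end]
    return bytes(out)
```

strip_exif removes the whole APP1 segment, so it also drops the embedded thumbnail (the Cat Schwartz case) and any maker notes; camera model and orientation go with it, which is normally acceptable for a published copy. The entropy-coded image data after SOS is copied unchanged. Real files also carry IPTC and XMP blocks in APP13 and a second APP1, which this example leaves alone.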

Strings

FOCA (use compatibility mode if needed): http://www.informatica64.com/DownloadFOCA

Metagoofil: http://www.edge-security.com/metagoofil.php

EXIF Tool: http://www.sno.phy.queensu.ca/~phil/exiftool/

EXIF Viewer Plugin: https://addons.mozilla.org/en-US/firefox/addon/3905/

Jeffrey's Exif Viewer: http://regex.info/exif.cgi

EXIF Reader: http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/

Flickramio: http://userscripts.org/scripts/show/27101

Creepy: http://ilektrojohn.github.com/creepy/

Pauldotcom: http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search

Stuff that does not quite fit anywhere else

http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers

Also, let us not forget HTTP headers:

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE

LiveHeaders Plugin

http://www.shodanhq.com

https://panopticlick.eff.org

User-agent: *
Disallow: /private
Disallow: /secret

http://www.irongeek.com/robots.txt
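The response headers and the robots.txt on the last two slides are both things you can read off your own site before anyone else does. The script below is an added example, not from the slides or any tool they list: it parses a raw response head and reports which protective headers are missing (the three the slide's response sends, plus Content-Security-Policy and Strict-Transport-Security) and whether a Server or X-Powered-By banner discloses a version, and it lists the paths a robots.txt points at. The first response is the one from the slide with its punctuation restored; the second response and its version banner are constructed placeholders.

```python
import re

# Response head shown on the slide (punctuation restored).
SLIDE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE
"""

# Constructed response from a server that sets none of the protective headers
# and advertises its software versions (the banner values are placeholders).
CHATTY_RESPONSE = """HTTP/1.1 200 OK
Date: Wed, 18 May 2011 15:34:03 GMT
Server: Apache/2.2.17 (Ubuntu) PHP/5.3.5
X-Powered-By: PHP/5.3.5
Content-Type: text/html
"""

# The robots.txt shown on the slide.
SLIDE_ROBOTS = """User-agent: *
Disallow: /private
Disallow: /secret
"""

PROTECTIVE_HEADERS = [
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
    "Strict-Transport-Security",
]


def parse_headers(raw: str) -> dict:
    """Parse a raw response head into {lower-cased name: value}; the status line is dropped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(raw: str) -> dict:
    """Report missing protective headers and software banners that leak a version."""
    headers = parse_headers(raw)
    missing = [h for h in PROTECTIVE_HEADERS if h.lower() not in headers]
    banners = {name: headers[name] for name in ("server", "x-powered-by") if name in headers}
    versioned = [name for name, value in banners.items() if re.search(r"\d+\.\d+", value)]
    return {"missing": missing, "banners": banners, "version_disclosed": versioned}


def robots_disallowed_paths(robots_txt: str) -> list:
    """Paths a robots.txt asks crawlers to skip; each one is a hint about what exists."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


if __name__ == "__main__":
    for label, raw in (("slide", SLIDE_RESPONSE), ("chatty", CHATTY_RESPONSE)):
        print(label, audit_response(raw))
    print("robots.txt hints:", robots_disallowed_paths(SLIDE_ROBOTS))
```

Strict-Transport-Security only matters on an HTTPS response, so treat it as noise when auditing a plain HTTP one. The robots.txt finding has no header fix: anything that must stay private needs authentication, not a Disallow line, because the line itself tells a reader where to look.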

http://www.irongeek.com/i.php?page=security/igigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

http://samy.pl/androidmap/

Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking

PTES Technical Guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers: http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Social Zombies - Kevin Johnson and Tom Eston: http://www.youtube.com/watch?v=l79q2G3E8HY http://www.youtube.com/view_play_list?p=C591646E9B0CF33B http://vimeo.com/18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamiel: http://www.youtube.com/watch?v=asj8yzXihcc

Using Social Networks To Profile, Find and 0wn Your Victims - Dave Marcus: http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos/Using%20Social%20Networks%20To%20Profile%20Find%20and%200wn%20Your%20Victims

DerbyCon 2011, Louisville, Ky, Sept 30 - Oct 2: http://derbycon.com

Louisville Infosec: http://www.louisvilleinfosec.com

Other Cons: http://www.skydogcon.com http://www.dojocon.org http://www.hack3rcon.org http://phreaknic.info http://notacon.org http://www.outerz0ne.org

42

Page 2: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

I run Irongeekcom

I have an interest in InfoSec education

I donrsquot know everything - Irsquom just a geek with time on my hands

(ir)Regular on the ISDPodcasthttpwwwisd-podcastcom

Sometimes my

presentations

are like this

And sometimes

my presentations

are like this

Irongeekcom

Mile wide 25 feet deep

Feel free to ask questions at any time

There will (hopefully) be many long breaks to play with the tools mentioned

Irsquoll try not to drop anyones docs but my own but volunteers for ldquovictimsrdquo will help

Irongeekcom

Other names and related concepts

OSInt (Open Source Intelligence)

Scoping

Footprinting

Discovery

Recon

Cyberstalking

Irongeekcom

DNS Whois and Domain Tools

Finding general Information about an organization via the web

Anti-social networks

Google Hacking

Metadata

Other odds and ends

Irongeekcom

For Pen-testers and attackers

Precursor to attack

Social Engineering

Disgruntled Employees

User names and passwords

Web vulnerabilities

Internal IT structure (software servers IP layout)

Spearphishing

For everyone else

You want to keep attackers from finding this info and using this against you

Irongeekcom

All these techniques are legal as far as I know but IANAL

Sorry if I ldquodrop someonersquos docsrdquo other than my own

Please donrsquot misuse this information

Irongeekcom

Tons of fun tools to play withhttpwwwbacktrack-linuxorg

Username rootPassword toor

Many of the DNS tools are inpentestenumerationdns

Irongeekcom

Who-do the voodoo that you do so well

Irongeekcom

Glue of the Internet

Think of it as a phone book of sorts

Maps names to IPs and IPs to names (and other odds and ends)

Organization information is also kept

69163177249wwwirongeekcom

Irongeekcom

Host name to IP lookupnslookup wwwirongeekcom

Reverse lookupnslookup 20897169250

Irongeekcom

Just a few record types cribbed from httpenwikipediaorgwikiList_of_DNS_record_types

Code Number Defining RFC Description Function

A 1 RFC 1035 address record Returns a 32-bit IPv4 address most commonly used to map hostnames to an IP address of the host but also used for DNSBLs storing subnet masks in RFC 1101 etc

AAAA28 RFC 3596 IPv6 address

record

Returns a 128-bit IPv6 address most commonly used to map hostnames to an IP address of the host

MX 15 RFC 1035 mail exchange record

Maps a domain name to a list of mail exchange servers for that domain

CNAME 5 RFC 1035 Canonical name record

Alias of one name to another the DNS lookup will continue by retrying the lookup with the new name

PTR 12 RFC 1035 pointer record Pointer to a canonical name Unlike a CNAME DNS processing does NOT proceed just the name is returned The most common use is for implementing reverse DNS lookups but other uses include such things as DNS-SD

AXFR 252 RFC 1035 Full Zone Transfer

Transfer entire zone file from the master name server to secondary name servers

Irongeekcom

Zonetransfers

Bruteforcing from a dictionary

Nmap ndashsL ltsome-IP-rangegt

Irongeekcom

dig irongeekcom any

dig ns1dreamhostcom irongeekcom any

Irongeekcom

Irongeekcom

CDocuments and SettingsAdriangtnslookup

Default Server resolver1opendnscom

Address 20867222222

gt set type=ns

gt irongeekcom

Server resolver1opendnscom

Address 20867222222

Non-authoritative answer

irongeekcom nameserver = ns1dreamhostcom

irongeekcom nameserver = ns2dreamhostcom

irongeekcom nameserver = ns3dreamhostcom

gt server ns1dreamhostcom

Default Server ns1dreamhostcom

Address 6633206206

gt ls irongeekcom

[ns1dreamhostcom]

Cant list domain irongeekcom Query refused

gt exit

Irongeekcom

Domain Internet Groperdig ugentbe nsdig ugdns1ugentbe ugentbe axfr

Irongeekcom

Other tools in BackTrackdnsreconpy -d ugentbe ndashxdnsenumpl ugentbe

ServerSniffhttpserversniffnetnsreportphphttpserversniffnetcontentphpdo=subdomains

GUI Dig for Windowshttpnscanorgdightml

Irongeekcom

Fiercehttphackersorgfiercefiercepl -threads 100 -dns irongeekcomfiercepl -dns irongeekcom -wordlist dictionarytxt

Irongeekcom

nmap -sL ltsome-IP-rangegt

nmap -sL 1920321-10

Irongeekcom

Great for troubleshooting bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Who is by proxy

Irongeekcom

apt-get install whois

whois examplecom

whois 20897169250

Irongeekcom

nix Command line

Nirsoftrsquoshttpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

Irongeekcom

RobTexhttpwwwrobtexcom

ServerSniffhttpwwwserversniffnet

Irongeekcom

Windows (ICMP)tracert irongeekcom

nix (UDP by default change with ndashI or -T)traceroute irongeekcom

Just for funhttpwwwnabberorgprojectsgeotrace

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

The organizationrsquos website (duh)

Corp Infohttpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machinehttpwwwarchiveorg

Monster (and other job sites)httpwwwmonstercom

Zoominfohttpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boardshttpboardreadercomhttpomgilicomhttpgroupsgooglecom

LinkedInhttpwwwlinkedincom

Irongeekcom

Itrsquos all about how this links to that links to some other thinghellip

Irongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 3: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Mile wide 25 feet deep

Feel free to ask questions at any time

There will (hopefully) be many long breaks to play with the tools mentioned

Irsquoll try not to drop anyones docs but my own but volunteers for ldquovictimsrdquo will help

Irongeekcom

Other names and related concepts

OSInt (Open Source Intelligence)

Scoping

Footprinting

Discovery

Recon

Cyberstalking

Irongeekcom

DNS Whois and Domain Tools

Finding general Information about an organization via the web

Anti-social networks

Google Hacking

Metadata

Other odds and ends

Irongeekcom

For Pen-testers and attackers

Precursor to attack

Social Engineering

Disgruntled Employees

User names and passwords

Web vulnerabilities

Internal IT structure (software servers IP layout)

Spearphishing

For everyone else

You want to keep attackers from finding this info and using this against you

Irongeekcom

All these techniques are legal as far as I know but IANAL

Sorry if I ldquodrop someonersquos docsrdquo other than my own

Please donrsquot misuse this information

Irongeekcom

Tons of fun tools to play withhttpwwwbacktrack-linuxorg

Username rootPassword toor

Many of the DNS tools are inpentestenumerationdns

Irongeekcom

Who-do the voodoo that you do so well

Irongeekcom

Glue of the Internet

Think of it as a phone book of sorts

Maps names to IPs and IPs to names (and other odds and ends)

Organization information is also kept

69163177249wwwirongeekcom

Irongeekcom

Host name to IP lookupnslookup wwwirongeekcom

Reverse lookupnslookup 20897169250

Irongeekcom

Just a few record types cribbed from httpenwikipediaorgwikiList_of_DNS_record_types

Code Number Defining RFC Description Function

A 1 RFC 1035 address record Returns a 32-bit IPv4 address most commonly used to map hostnames to an IP address of the host but also used for DNSBLs storing subnet masks in RFC 1101 etc

AAAA28 RFC 3596 IPv6 address

record

Returns a 128-bit IPv6 address most commonly used to map hostnames to an IP address of the host

MX 15 RFC 1035 mail exchange record

Maps a domain name to a list of mail exchange servers for that domain

CNAME 5 RFC 1035 Canonical name record

Alias of one name to another the DNS lookup will continue by retrying the lookup with the new name

PTR 12 RFC 1035 pointer record Pointer to a canonical name Unlike a CNAME DNS processing does NOT proceed just the name is returned The most common use is for implementing reverse DNS lookups but other uses include such things as DNS-SD

AXFR 252 RFC 1035 Full Zone Transfer

Transfer entire zone file from the master name server to secondary name servers

Irongeekcom

Zonetransfers

Bruteforcing from a dictionary

Nmap ndashsL ltsome-IP-rangegt

Irongeekcom

dig irongeekcom any

dig ns1dreamhostcom irongeekcom any

Irongeekcom

Irongeekcom

CDocuments and SettingsAdriangtnslookup

Default Server resolver1opendnscom

Address 20867222222

gt set type=ns

gt irongeekcom

Server resolver1opendnscom

Address 20867222222

Non-authoritative answer

irongeekcom nameserver = ns1dreamhostcom

irongeekcom nameserver = ns2dreamhostcom

irongeekcom nameserver = ns3dreamhostcom

gt server ns1dreamhostcom

Default Server ns1dreamhostcom

Address 6633206206

gt ls irongeekcom

[ns1dreamhostcom]

Cant list domain irongeekcom Query refused

gt exit

Irongeekcom

Domain Internet Groperdig ugentbe nsdig ugdns1ugentbe ugentbe axfr

Irongeekcom

Other tools in BackTrackdnsreconpy -d ugentbe ndashxdnsenumpl ugentbe

ServerSniffhttpserversniffnetnsreportphphttpserversniffnetcontentphpdo=subdomains

GUI Dig for Windowshttpnscanorgdightml

Irongeekcom

Fiercehttphackersorgfiercefiercepl -threads 100 -dns irongeekcomfiercepl -dns irongeekcom -wordlist dictionarytxt

Irongeekcom

nmap -sL ltsome-IP-rangegt

nmap -sL 1920321-10

Irongeekcom

Great for troubleshooting bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Who is by proxy

Irongeekcom

apt-get install whois

whois examplecom

whois 20897169250

Irongeekcom

nix Command line

Nirsoftrsquoshttpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

Irongeekcom

RobTexhttpwwwrobtexcom

ServerSniffhttpwwwserversniffnet

Irongeekcom

Windows (ICMP)tracert irongeekcom

nix (UDP by default change with ndashI or -T)traceroute irongeekcom

Just for funhttpwwwnabberorgprojectsgeotrace

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

The organizationrsquos website (duh)

Corp Infohttpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machinehttpwwwarchiveorg

Monster (and other job sites)httpwwwmonstercom

Zoominfohttpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boardshttpboardreadercomhttpomgilicomhttpgroupsgooglecom

LinkedInhttpwwwlinkedincom

Irongeekcom

Itrsquos all about how this links to that links to some other thinghellip

Irongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (personally identifiable information)
Email addresses
User names
Vulnerable web services
Web-based admin interfaces for hardware
Much more...
YOU HAVE TO USE YOUR IMAGINATION

Operator                Description
site:                   Restrict results to only one domain or server
inurl: / allinurl:      All terms must appear in the URL
intitle: / allintitle:  All terms must appear in the title
cache:                  Display Google's cache of a page
ext: / filetype:        Return files with a given extension / file type
info:                   Convenient way to get to other information about a page
link:                   Find pages that link to the given page
inanchor:               Page is linked to by someone using the term
http://www.googleguide.com/advanced_operators.html

Operator                Description
-                       Inverse search operator (hide results)
~                       Synonyms
[n]..[n]                Number range (two numbers joined by two dots)
*                       Wildcard to put something between something when searching with "quotes"
+                       Used to force stop words
OR                      Boolean operator, must be uppercase
|                       Same as OR

inurl:nph-proxy site:edu
intitle:index.of /etc
intitle:index.of site:irongeek.com
filetype:pptx site:irongeek.com
vnc desktop inurl:5800
adrian crenshaw -site:irongeek.com

SSN filetype:xls | filetype:xlsx
"dig axfr"
inurl:admin
inurl:indexFrame.shtml Axis
inurl:hp/device/this.LCDispatcher
"192.168" (but replace with your IP range)

195608_100002238375103_5292346_n.jpg
inurl:100002238375103

inurl:esterpent
inurl:ester1337
intitle:ester1337
inurl:user inurl:irongeek -site:irongeek.com
inurl:account "irongeek"
site:facebook.com inurl:group (ISSA | Information Systems Security Association)
site:linkedin.com inurl:company (NSA | National Security Agency)

Exploit DB Google Dorks: http://www.exploit-db.com/google-dorks
Old school: http://www.hackersforcharity.org/ghdb

Metagoofil: http://www.edge-security.com/metagoofil.php
The Harvester: theHarvester.py -d irongeek.com -l 100 -b google
Online Google Hacking Tool: http://www.secapps.com/a/ghdb
Spiderfoot: http://www.binarypool.com/spiderfoot
Goolag: http://goolag.org

Gooscan: should be on the BackTrack CD/VM
Wikto: http://www.sensepost.com/research/wikto
SiteDigger: http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
BiLE: http://www.sensepost.com/research_misc.html
MSNPawn: http://www.net-square.com/msnpawn/index.shtml

JSON/Atom: http://code.google.com/apis/customsearch/v1/overview.html
Old: http://code.google.com/apis/websearch
Really old: SOAP
EvilAPI: http://evilapi.com (defunct)
Spud: http://www.sensepost.com/labs/tools/pentest/spud
I can haz API keyz: https://github.com/search

Data about data

Dennis Rader (BTK Killer)
Metadata in a Word DOC he sent to police had the name of his church and "last modified by Dennis" in it

Cat Schwartz
Is that an unintended thumbnail in your EXIF data, or are you just happy to see me?

Darkanaku/Nephew chan
A user on 4chan posts a pic of his semi-nude aunt taken with an iPhone; Anonymous pulls the EXIF GPS info from the file and hilarity ensues. More details can be found on the following VNSFW site:
http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan
http://web.archive.org/web/20090608214029/http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan

JPG: EXIF (Exchangeable image file format) / IPTC (International Press Telecommunications Council)
PDF
DOC
DOCX
EXE
XLS
XLSX
PNG
Too many to name them all
MAC addresses, user names, edits, GPS info: it all depends on the file format
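The GPS fix that gave away the location in the Darkanaku case sits in the Exif APP1 segment of the JPEG. The Python below is an added example, not from the slides or from any of the tools they list: it walks the JPEG marker segments with only the standard library, reads GPSLatitude/GPSLongitude (and their N/S, E/W reference tags) out of the GPS sub-IFD, converts them to decimal degrees, and then scrubs every Exif segment so the file can be published without the position. The JPEG it works on is constructed in code (a valid segment structure with no image data) and its coordinates are made up; the function names are mine.

```python
"""Read and scrub Exif GPS data from a JPEG with only the standard library (added example)."""
import struct


def build_sample_jpeg(lat=(38, 15, 12), lon=(85, 45, 30), lat_ref=b"N", lon_ref=b"W"):
    """Constructed sample: SOI, an Exif APP1 segment carrying a GPS sub-IFD, a COM segment, EOI.
    Coordinates are made up. Offsets are relative to the TIFF header inside the APP1 payload:
    0 TIFF header, 8 IFD0 (1 entry = GPS IFD pointer), 26 GPS IFD (4 entries), 80/104 lat/lon values."""
    gps_off, lat_off, lon_off = 26, 80, 104
    tiff = b"MM" + struct.pack(">HI", 0x2A, 8)                       # big-endian, IFD0 at offset 8
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", 0x8825, 4, 1, gps_off) + struct.pack(">I", 0)
    entries = [
        (0x0001, 2, 2, lat_ref + b"\x00\x00\x00"),   # GPSLatitudeRef: ASCII "N\0", inline, padded to 4
        (0x0002, 5, 3, struct.pack(">I", lat_off)),  # GPSLatitude: 3 RATIONALs stored at lat_off
        (0x0003, 2, 2, lon_ref + b"\x00\x00\x00"),   # GPSLongitudeRef
        (0x0004, 5, 3, struct.pack(">I", lon_off)),  # GPSLongitude
    ]
    tiff += struct.pack(">H", len(entries))
    for tag, typ, count, value in entries:
        tiff += struct.pack(">HHI", tag, typ, count) + value
    tiff += struct.pack(">I", 0)                                      # no further IFDs
    for v in lat + lon:                                               # deg, min, sec as num/den pairs
        tiff += struct.pack(">II", v, 1)
    app1_payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    com = b"\xff\xfe" + struct.pack(">H", 2 + 7) + b"sample\x00"      # harmless comment segment
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


def iter_segments(jpeg):
    """Yield (marker, payload) for each marker segment before the scan data (SOS) or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI, or SOS: entropy-coded data follows, stop here
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]      # length counts itself, not the marker
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed; bytes from SOS onward are kept as-is."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 4 <= len(jpeg) and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos:pos + 2 + length]
        if not (jpeg[pos + 1] == 0xE1 and segment[4:10] == b"Exif\x00\x00"):
            out += segment                  # keep everything that is not an Exif block
        pos += 2 + length
    out += jpeg[pos:]                       # SOS + scan data + EOI, untouched
    return bytes(out)


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, 4-byte value-or-offset field)} for the IFD at offset."""
    n = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    ifd = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[at:at + 8])
        ifd[tag] = (typ, count, tiff[at + 8:at + 12])
    return ifd


def _dms(tiff, offset, e):
    """Read three RATIONALs (deg, min, sec) at offset and return decimal degrees; a zero denominator counts as 1."""
    d, m, s = (num / (den or 1) for num, den in struct.iter_unpack(e + "II", tiff[offset:offset + 24]))
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if the file carries none."""
    for marker, payload in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        e = ">" if tiff[:2] == b"MM" else "<"       # byte order declared by the TIFF header
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if 0x8825 not in ifd0:                       # no GPS IFD pointer
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[0x8825][2])[0], e)
        if any(t not in gps for t in (1, 2, 3, 4)):  # need both refs and both coordinates
            return None
        lat = _dms(tiff, struct.unpack(e + "I", gps[2][2])[0], e)
        lon = _dms(tiff, struct.unpack(e + "I", gps[4][2])[0], e)
        lat = -lat if gps[1][2][:1] == b"S" else lat
        lon = -lon if gps[3][2][:1] == b"W" else lon
        return round(lat, 6), round(lon, 6)
    return None


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS in sample:", extract_gps(sample))                 # (38.253333, -85.758333)
    print("GPS after scrub:", extract_gps(strip_exif(sample)))  # None
```

The scrubber drops only segments whose payload starts with the Exif signature, so XMP blocks (also APP1) and any other metadata the format allows survive; a publishing pipeline that wants a clean file should strip those too, or re-encode the image. Parsing is done by the same code that decides what to strip, which is the check you want: run extract_gps on the output and expect None before anything leaves the building.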

Strings
FOCA (use compatibility mode if needed): http://www.informatica64.com/DownloadFOCA
Metagoofil: http://www.edge-security.com/metagoofil.php
EXIF Tool: http://www.sno.phy.queensu.ca/~phil/exiftool
EXIF Viewer plugin: https://addons.mozilla.org/en-US/firefox/addon/3905
Jeffrey's Exif Viewer: http://regex.info/exif.cgi

EXIF Reader: http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english
Flickramio: http://userscripts.org/scripts/show/27101
Creepy: http://ilektrojohn.github.com/creepy
Pauldotcom: http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search

Stuff that does not quite fit anywhere else

http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers

Also, let us not forget HTTP headers:

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE

LiveHeaders plugin
http://www.shodanhq.com
https://panopticlick.eff.org
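A response like the one above tells a recon tool what is behind the site (Server) and, just as usefully, which protections are absent, all from a single GET. As an added example that is not from the slides, the Python below parses a raw response, flags the headers that fingerprint the stack and lists the hardening headers that are missing or carry a weak value; it is the audit you run against your own site before someone else does. The sample response is constructed from the header list on the slide, and the header sets and value checks are my own choices rather than any standard.

```python
"""Audit a raw HTTP response for fingerprinting leaks and missing hardening headers (added example)."""

# Constructed sample modelled on the header list in the slides; not captured from a live server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/javascript; charset=UTF-8\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Fri, 01 Jan 1990 00:00:00 GMT\r\n"
    "Date: Wed, 18 May 2011 15:34:03 GMT\r\n"
    "Content-Encoding: gzip\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Length: 1269\r\n"
    "Server: GSE\r\n"
    "\r\n"
)

# Headers that hand a recon tool the software stack without any probing (my selection, not a standard list).
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator", "via")

# Hardening headers a defender expects, each with a check that the value actually does something.
# Strict-Transport-Security only matters on HTTPS responses; drop it from the dict when auditing plain HTTP.
EXPECTED = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
}


def parse_headers(raw):
    """Split a raw response into (status line, {lowercased name: value}); repeated names are joined with ', '."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                       # skip malformed lines rather than abort the audit
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return lines[0], headers


def audit_headers(raw):
    """Return {'leaks': {name: value}, 'missing': [names], 'weak': [names]} for one response."""
    _, headers = parse_headers(raw)
    leaks = {n: headers[n] for n in FINGERPRINT_HEADERS if n in headers}
    missing = [n for n in EXPECTED if n not in headers]
    weak = [n for n, ok in EXPECTED.items() if n in headers and not ok(headers[n])]
    return {"leaks": leaks, "missing": missing, "weak": weak}


if __name__ == "__main__":
    for key, value in audit_headers(SAMPLE_RESPONSE).items():
        print(key, value)
```

On the slide's response the audit reports Server: GSE as a leak and Strict-Transport-Security and Content-Security-Policy as missing; the three headers it does send pass their checks. Removing or genericising Server is a one-line server change, and the audit is cheap enough to run on every deployment.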

User-agent: *
Disallow: /private
Disallow: /secret
http://www.irongeek.com/robots.txt

http://www.irongeek.com/i.php?page=security/igigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

http://samy.pl/androidmap

Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
PTES Technical Guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers: http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Social Zombies - Kevin Johnson and Tom Eston: http://www.youtube.com/watch?v=l79q2G3E8HY, http://www.youtube.com/view_play_list?p=C591646E9B0CF33B, http://vimeo.com/18827316
Satan is on my Friends List - Shawn Moyer and Nathan Hamiel: http://www.youtube.com/watch?v=asj8yzXihcc
Using Social Networks To Profile, Find and 0wn Your Victims - Dave Marcus: http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos/Using%20Social%20Networks%20To%20Profile%20Find%20and%200wn%20Your%20Victims

DerbyCon 2011, Louisville, Ky, Sept 30 - Oct 2: http://derbycon.com
Louisville Infosec: http://www.louisvilleinfosec.com
Other cons: http://www.skydogcon.com, http://www.dojocon.org, http://www.hack3rcon.org, http://phreaknic.info, http://notacon.org, http://www.outerz0ne.org

42



Page 6: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

For Pen-testers and attackers

Precursor to attack

Social Engineering

Disgruntled Employees

User names and passwords

Web vulnerabilities

Internal IT structure (software servers IP layout)

Spearphishing

For everyone else

You want to keep attackers from finding this info and using this against you

Irongeekcom

All these techniques are legal as far as I know but IANAL

Sorry if I ldquodrop someonersquos docsrdquo other than my own

Please donrsquot misuse this information

Irongeekcom

Tons of fun tools to play withhttpwwwbacktrack-linuxorg

Username rootPassword toor

Many of the DNS tools are inpentestenumerationdns

Irongeekcom

Who-do the voodoo that you do so well

Irongeekcom

Glue of the Internet

Think of it as a phone book of sorts

Maps names to IPs and IPs to names (and other odds and ends)

Organization information is also kept

69163177249wwwirongeekcom

Irongeekcom

Host name to IP lookupnslookup wwwirongeekcom

Reverse lookupnslookup 20897169250

Irongeekcom

Just a few record types cribbed from httpenwikipediaorgwikiList_of_DNS_record_types

Code Number Defining RFC Description Function

A 1 RFC 1035 address record Returns a 32-bit IPv4 address most commonly used to map hostnames to an IP address of the host but also used for DNSBLs storing subnet masks in RFC 1101 etc

AAAA28 RFC 3596 IPv6 address

record

Returns a 128-bit IPv6 address most commonly used to map hostnames to an IP address of the host

MX 15 RFC 1035 mail exchange record

Maps a domain name to a list of mail exchange servers for that domain

CNAME 5 RFC 1035 Canonical name record

Alias of one name to another the DNS lookup will continue by retrying the lookup with the new name

PTR 12 RFC 1035 pointer record Pointer to a canonical name Unlike a CNAME DNS processing does NOT proceed just the name is returned The most common use is for implementing reverse DNS lookups but other uses include such things as DNS-SD

AXFR 252 RFC 1035 Full Zone Transfer

Transfer entire zone file from the master name server to secondary name servers

Irongeekcom

Zonetransfers

Bruteforcing from a dictionary

Nmap ndashsL ltsome-IP-rangegt

Irongeekcom

dig irongeekcom any

dig ns1dreamhostcom irongeekcom any

Irongeekcom

Irongeekcom

C:\Documents and Settings\Adrian>nslookup
Default Server:  resolver1.opendns.com
Address:  208.67.222.222

> set type=ns
> irongeek.com
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
irongeek.com    nameserver = ns1.dreamhost.com
irongeek.com    nameserver = ns2.dreamhost.com
irongeek.com    nameserver = ns3.dreamhost.com
> server ns1.dreamhost.com
Default Server:  ns1.dreamhost.com
Address:  66.33.206.206

> ls irongeek.com
[ns1.dreamhost.com]
*** Can't list domain irongeek.com: Query refused
> exit
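The "Query refused" above is the answer a properly configured server gives an arbitrary client. As an added example (not from the slides or from BackTrack), this Python script builds an AXFR query, parses the reply and reports whether the zone would have been handed out, so you can verify your own authoritative servers; example.com, the 192.0.2.x records and both replies are constructed, and only probe_axfr touches the network.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_AXFR, QCLASS_IN = 252, 1                 # AXFR is record type 252 in the table above


def encode_name(name):
    """'irongeek.com' -> b'\\x08irongeek\\x03com\\x00' (length-prefixed labels, RFC 1035 3.1)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                  # 2-byte pointer to an earlier copy of the name
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
            off += 1 + ln


def build_axfr_query(zone, txid=0x1234):
    """Header (id, flags 0, QDCOUNT 1) followed by one question: <zone> AXFR IN."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)


def parse_response(msg):
    """Return (rcode name, [(owner, rtype, rdata), ...]) for the answer section of one DNS message."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # step over the echoed question(s)
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        answers.append((owner, rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), answers


def zone_transfer_allowed(msg):
    """True when the server answered the AXFR with records instead of refusing it."""
    rcode, answers = parse_response(msg)
    return rcode == "NOERROR" and len(answers) > 0


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_axfr(server, zone, timeout=5):
    """Ask an authoritative server you operate for your own zone over TCP (each message is
    length-prefixed) and report whether it would have handed the zone out. Needs network; not run by the test."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)
        length = struct.unpack(">H", _recv_exact(s, 2))[0]
        return zone_transfer_allowed(_recv_exact(s, length))


def make_response(query, rcode, rrs):
    """Constructed reply for testing: echo the question, set QR|AA and rcode, append rrs as
    (rtype, rdata) records owned by the queried name (compression pointer to offset 12)."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8400 | rcode, 1, len(rrs), 0, 0)
    rrset = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", t, QCLASS_IN, 3600, len(rd)) + rd for t, rd in rrs)
    return header + query[12:] + rrset


# Constructed exchanges (no network): the refusal shown above, and a server that leaks the zone.
QUERY = build_axfr_query("example.com")
REFUSED = make_response(QUERY, 5, [])
LEAKY = make_response(QUERY, 0, [(1, bytes([192, 0, 2, 10])), (1, bytes([192, 0, 2, 11]))])

if __name__ == "__main__":
    for label, msg in (("refused", REFUSED), ("leaky", LEAKY)):
        print(label, parse_response(msg), "transfer allowed:", zone_transfer_allowed(msg))
```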

Domain Internet Groper (dig):
dig ugent.be ns
dig @ugdns1.ugent.be ugent.be axfr

Other tools in BackTrack:
dnsrecon.py -d ugent.be -x
dnsenum.pl ugent.be
ServerSniff: http://serversniff.net/nsreport.php and http://serversniff.net/content.php?do=subdomains
GUI Dig for Windows: http://nscan.org/dig.html

Fierce: http://ha.ckers.org/fierce/
fierce.pl -threads 100 -dns irongeek.com
fierce.pl -dns irongeek.com -wordlist dictionary.txt

nmap -sL <some-IP-range>
nmap -sL 192.0.32.1-10

Whois: great for troubleshooting, bad for privacy
Who owns a domain name or IP
E-mail contacts
Physical addresses
Name servers
IP ranges
Whois by proxy

apt-get install whois
whois example.com
whois 208.97.169.250

*nix command line
Nirsoft's http://www.nirsoft.net/utils/whois_this_domain.html
http://www.nirsoft.net/utils/ipnetinfo.html
Pretty much any network tools collection

RobTex: http://www.robtex.com
ServerSniff: http://www.serversniff.net

Traceroute
Windows (ICMP): tracert irongeek.com
*nix (UDP by default, change with -I or -T): traceroute irongeek.com
Just for fun: http://www.nabber.org/projects/geotrace/

So you have a job posting for an "Ethical Hacker", huh?

The organization's website (duh)
Corp Info: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Corporate
Wayback Machine: http://www.archive.org
Monster (and other job sites): http://www.monster.com
Zoominfo: http://www.zoominfo.com
Google Groups (news groups, Google Groups and forums): http://groups.google.com
Boards: http://boardreader.com, http://omgili.com, http://groups.google.com
LinkedIn: http://www.linkedin.com

It's all about how this links to that links to some other thing...

Fake profile I made up to use for class
Dropped some dox at a few places
May sound creepy, but you can practice with names from dating sites
Remember what you learned from 4chan

Large list at http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
Useful:
http://com.lullar.com
http://www.peekyou.com
http://www.checkusernames.com, http://knowem.com
http://www.isearch.com
http://www.whitepages.com
Not quite related, but cool:
http://tineye.com
http://pipes.yahoo.com/pipes/
Crap: most of them

General: http://youropenbook.org
Geolocation:
http://www.bing.com/maps/
http://twittermap.appspot.com
http://www.fourwhere.com
http://icanstalku.com
http://ip2geolocation.com
Neighbors: http://www.whitepages.com/find_neighbors

Maltego: http://www.paterva.com/web5/
See differences: http://www.paterva.com/web5/client/difference.php
Covers a large cross section of what this class is about

George Bronk
Found info on women's Facebook profiles
Used that information to answer security questions at mail providers
Found nudes
Posted some, sent them to contact lists, asked for more

Should you have a profile?
What if you don't?
Impersonators
Robin Sage (by Thomas Ryan)
Get into people's friends lists to probe their connections

Google hacking: more than just turning off safe search (though that's fun too)

PII (Personally identifiable information)
Email addresses
User names
Vulnerable web services
Web-based admin interfaces for hardware
Much more......
YOU HAVE TO USE YOUR IMAGINATION

Operator: Description
site: Restrict results to only one domain or server
inurl:/allinurl: All terms must appear in the URL
intitle:/allintitle: All terms must appear in the title
cache: Display Google's cache of a page
ext:/filetype: Return files with a given extension/file type
info: Convenient way to get to other information about a page
link: Find pages that link to the given page
inanchor: Page is linked to by someone using the term
http://www.googleguide.com/advanced_operators.html

Operator: Description
- Inverse search operator (hide results)
~ Synonyms
[ ]..[ ] Number range
* Wildcard, stands in for something between other terms when searching with "quotes"
+ Used to force stop words
OR Boolean operator, must be uppercase
| Same as OR

inurl:nph-proxy site:edu
intitle:index.of etc
intitle:index.of site:irongeek.com
filetype:pptx site:irongeek.com
"vnc desktop" inurl:5800
"adrian crenshaw" -site:irongeek.com

SSN filetype:xls | filetype:xlsx
"dig axfr"
inurl:admin
inurl:indexFrame.shtml Axis
inurl:hp/device/this.LCDispatcher
"192.168" (but replace with your IP range)

195608_100002238375103_5292346_n.jpg
inurl:100002238375103

inurl:esterpent
inurl:ester1337
intitle:ester1337
inurl:user inurl:irongeek -site:irongeek.com
inurl:account "irongeek"
site:facebook.com inurl:group (ISSA | Information Systems Security Association)
site:linkedin.com inurl:company (NSA | National Security Agency)

Exploit DB Google Dorks: http://www.exploit-db.com/google-dorks/
Old School: http://www.hackersforcharity.org/ghdb/
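To see which of your own pages the operators and dorks above would surface, here is an added Python example (not from the slides) that parses a dork into its operators, negations and OR groups and evaluates it against a local inventory of URLs and titles instead of Google; the inventory under example.com/example.org is made up, and bare words are matched against URL and title only because the inventory carries no page bodies.

```python
import re
from urllib.parse import urlparse

# Constructed inventory standing in for a crawl of your own site (every URL and title is made up).
INVENTORY = [
    {"url": "http://www.example.com/index.html", "title": "Example Corp"},
    {"url": "http://www.example.com/admin/login.php", "title": "Admin Login"},
    {"url": "http://www.example.com/files/payroll.xlsx", "title": "payroll 2011"},
    {"url": "http://www.example.com/backup/", "title": "Index of /backup"},
    {"url": "http://intranet.example.com/user/irongeek", "title": "User: irongeek"},
    {"url": "http://other.example.org/ssn-list.xls", "title": "SSN list"},
]

# One token: a structural ( ) | symbol, or  -? operator:? ("quoted phrase" | bare word)
TOKEN = re.compile(r'\(|\)|\||(-?)(?:(\w+):)?(?:"([^"]*)"|([^\s()|"]+))')


def tokenize(dork):
    toks = []
    for m in TOKEN.finditer(dork):
        if m.group(0) in ("(", ")", "|"):
            toks.append(m.group(0))
            continue
        neg, op, phrase, word = m.groups()
        if op is None and phrase is None and word == "OR":   # OR only counts when uppercase (see above)
            toks.append("|")
        else:
            toks.append((neg == "-", (op or "").lower(), phrase if phrase is not None else word))
    return toks


def parse(toks, i=0, depth=0):
    """Return (clauses, next index). Clauses are AND'ed; each clause is a list of OR'ed terms;
    a term is ("term", (negated, operator, value)) or ("group", sub-clauses) for parentheses."""
    clauses, cur, pending_or = [], [], False
    while i < len(toks):
        t = toks[i]
        if t == ")":
            if depth == 0:
                raise ValueError("unbalanced ')'")
            return clauses + ([cur] if cur else []), i + 1
        if t == "|":
            pending_or, i = True, i + 1
            continue
        if t == "(":
            sub, i = parse(toks, i + 1, depth + 1)
            term = ("group", sub)
        else:
            term, i = ("term", t), i + 1
        if pending_or and cur:
            cur.append(term)                                   # joins the previous term with OR
        else:
            if cur:
                clauses.append(cur)
            cur = [term]
        pending_or = False
    if depth:
        raise ValueError("unbalanced '('")
    return clauses + ([cur] if cur else []), i


def match_term(term, page):
    kind, payload = term
    if kind == "group":
        return match_query(payload, page)
    neg, op, val = payload
    url, title, v = page["url"].lower(), page["title"].lower(), val.lower()
    parsed = urlparse(url)
    host, path = parsed.hostname or "", parsed.path
    if op == "site":
        hit = host == v or host.endswith("." + v)
    elif op in ("inurl", "allinurl"):
        hit = v in url
    elif op in ("intitle", "allintitle"):
        hit = v in title
    elif op in ("filetype", "ext"):
        hit = path.endswith("." + v)
    elif op == "":
        hit = v in url or v in title                           # no page bodies here: URL and title stand in
    else:
        raise ValueError(f"operator not modelled: {op}:")
    return hit != neg                                          # a leading '-' inverts the match


def match_query(clauses, page):
    return all(any(match_term(t, page) for t in clause) for clause in clauses)


def run_dork(dork, inventory=INVENTORY):
    """URLs from the inventory that the dork would surface if Google had indexed them."""
    clauses, _ = parse(tokenize(dork))
    return [p["url"] for p in inventory if match_query(clauses, p)]


if __name__ == "__main__":
    for d in ('intitle:"index of" site:example.com', "SSN filetype:xls | filetype:xlsx",
              "inurl:admin site:example.com", "(ISSA | irongeek) -site:www.example.com"):
        print(d, "->", run_dork(d))
```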

Metagoofil: http://www.edge-security.com/metagoofil.php
The Harvester: theHarvester.py -d irongeek.com -l 100 -b google
Online Google Hacking Tool: http://www.secapps.com/a/ghdb
Spiderfoot: http://www.binarypool.com/spiderfoot/
Goolag: http://goolag.org

Gooscan: should be on the BackTrack CD/VM
Wikto: http://www.sensepost.com/research/wikto/
SiteDigger: http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
BiLE: http://www.sensepost.com/research_misc.html
MSNPawn: http://www.net-square.com/msnpawn/index.shtml

Google search APIs:
JSON/Atom: http://code.google.com/apis/customsearch/v1/overview.html
Old: http://code.google.com/apis/websearch/
Really old: SOAP
EvilAPI: http://evilapi.com (defunct)
Spud: http://www.sensepost.com/labs/tools/pentest/spud
I can haz API keyz? https://github.com/search

Metadata: data about data

Dennis Rader (BTK Killer)
Metadata in a Word DOC he sent to police had the name of his church and "last modified by Dennis" in it
Cat Schwartz
Is that an unintended thumbnail in your EXIF data, or are you just happy to see me?
Darkanaku / Nephew chan
A user on 4chan posts a pic of his semi-nude aunt taken with an iPhone. Anonymous pulls the EXIF GPS info from the file and hilarity ensues. More details can be found on the following VNSFW site:
http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan
http://web.archive.org/web/20090608214029/http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan

JPG: EXIF (Exchangeable image file format), IPTC (International Press Telecommunications Council)
PDF
DOC
DOCX
EXE
XLS
XLSX
PNG
Too many to name them all
MAC addresses, user names, edits, GPS info... It all depends on the file format
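Added Python example (not from the slides or from any tool listed here): it builds a minimal JPEG whose EXIF APP1 segment carries the GPS tags a phone camera writes, reads the coordinates back the way the 4chan story above depends on, and then strips the APP1, APP13 (IPTC) and comment segments, which is what to do before a photo is published; the coordinates and the JPEG structure are constructed, not taken from any real file.

```python
import struct

APP1, APP13, COM, SOS, EOI = 0xE1, 0xED, 0xFE, 0xDA, 0xD9   # JPEG markers used below
GPS_IFD_POINTER, ASCII, RATIONAL = 0x8825, 2, 5             # TIFF tag / field types used below


def build_exif_tiff(lat, lat_ref, lon, lon_ref):
    """Constructed little-endian TIFF: IFD0 -> GPS IFD with tags 1-4, laid out like a phone camera does."""
    def dms(deg):                                            # degrees -> [(d,1), (m,1), (s*100,100)]
        d, m = int(deg), int((deg - int(deg)) * 60)
        return [(d, 1), (m, 1), (round(((deg - d) * 60 - m) * 6000), 100)]
    def entry(tag, typ, count, value):                       # 12-byte IFD entry; value is inline or an offset
        return struct.pack("<HHII", tag, typ, count, value)
    def ascii_entry(tag, ch):                                # values of <= 4 bytes are stored inline
        return struct.pack("<HHI", tag, ASCII, 2) + (ch.encode() + b"\x00").ljust(4, b"\x00")
    def rationals(deg):
        return b"".join(struct.pack("<II", n, d) for n, d in dms(deg))
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4                          # IFD0: count, one entry, next-IFD link
    lat_off = gps_off + 2 + 4 * 12 + 4                       # GPS IFD: count, four entries, link
    lon_off = lat_off + 24
    header = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = struct.pack("<H", 1) + entry(GPS_IFD_POINTER, 4, 1, gps_off) + struct.pack("<I", 0)
    gps = (struct.pack("<H", 4) + ascii_entry(1, lat_ref) + entry(2, RATIONAL, 3, lat_off)
           + ascii_entry(3, lon_ref) + entry(4, RATIONAL, 3, lon_off) + struct.pack("<I", 0))
    return header + ifd0 + gps + rationals(lat) + rationals(lon)


def gps_from_tiff(tiff):
    """Walk IFD0 to the GPS IFD; return (lat, lon) in decimal degrees, or None when there is no GPS data."""
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]
    def read(fmt, off):
        return struct.unpack(e + fmt, tiff[off:off + struct.calcsize(fmt)])
    def entries(ifd_off):                                    # yields (tag, type, count, offset of value field)
        for k in range(read("H", ifd_off)[0]):
            at = ifd_off + 2 + 12 * k
            yield read("HHI", at) + (at + 8,)
    gps_ifd = next((read("I", v)[0] for t, _, _, v in entries(read("I", 4)[0]) if t == GPS_IFD_POINTER), None)
    if gps_ifd is None:
        return None
    f = {}
    for tag, typ, cnt, v in entries(gps_ifd):
        if typ == ASCII:                                     # inline if <= 4 bytes, otherwise at the offset
            raw = tiff[v:v + 4] if cnt <= 4 else tiff[read("I", v)[0]:][:cnt]
            f[tag] = raw.split(b"\x00")[0].decode("ascii")
        elif typ == RATIONAL:                                # cnt (numerator, denominator) pairs at the offset
            nums = read("II" * cnt, read("I", v)[0])
            f[tag] = [nums[i] / nums[i + 1] for i in range(0, 2 * cnt, 2)]
    if 2 not in f or 4 not in f:
        return None
    def decimal(dms, ref):
        d, m, s = dms
        return (-1 if ref in ("S", "W") else 1) * (d + m / 60 + s / 3600)
    return round(decimal(f[2], f.get(1, "N")), 5), round(decimal(f[4], f.get(3, "E")), 5)


def jpeg_segments(data):
    """Yield (marker, payload) per segment; the scan data after SOS comes as (None, bytes), then (EOI, b'')."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    i = 2
    while i < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == EOI:
            yield EOI, b""
            return
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        yield marker, data[i + 4:i + 2 + length]
        i += 2 + length
        if marker == SOS:                                    # entropy-coded data runs up to the EOI marker
            end = data.rfind(b"\xff\xd9")
            yield None, data[i:end]
            i = end


def segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def gps_from_jpeg(data):
    exif = next((p[6:] for m, p in jpeg_segments(data) if m == APP1 and p.startswith(b"Exif\x00\x00")), None)
    return gps_from_tiff(exif) if exif is not None else None


def strip_metadata(data):
    """Drop APP1 (EXIF/XMP), APP13 (Photoshop/IPTC) and COM segments; keep every other byte as-is."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in jpeg_segments(data):
        if marker is None:
            out += payload
        elif marker == EOI:
            out += b"\xff\xd9"
        elif marker not in (APP1, APP13, COM):
            out += segment(marker, payload)
    return bytes(out)


# Constructed sample (made-up coordinates): SOI, APP1/Exif with GPS, APP13/IPTC stub, SOS + fake scan data, EOI.
# Not a decodable picture, just enough structure for the walker.
SAMPLE_JPEG = (b"\xff\xd8" + segment(APP1, b"Exif\x00\x00" + build_exif_tiff(38.2527, "N", 85.7585, "W"))
               + segment(APP13, b"Photoshop 3.0\x00") + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
               + b"\x12\x34\x56" + b"\xff\xd9")
```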

Strings
FOCA (use compatibility mode if needed): http://www.informatica64.com/DownloadFOCA/
Metagoofil: http://www.edge-security.com/metagoofil.php
EXIF Tool: http://www.sno.phy.queensu.ca/~phil/exiftool/
EXIF Viewer Plugin: https://addons.mozilla.org/en-US/firefox/addon/3905
Jeffrey's Exif Viewer: http://regex.info/exif.cgi

EXIF Reader: http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/
Flickramio: http://userscripts.org/scripts/show/27101
Creepy: http://ilektrojohn.github.com/creepy/
Pauldotcom: http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search

Stuff that does not quite fit anywhere else

http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers

Also, let us not forget HTTP headers:
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE
LiveHeaders Plugin
http://www.shodanhq.com
https://panopticlick.eff.org
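Added Python example (not from the slides): it parses the response above, with the Cache-Control value deliberately folded onto a continuation line to exercise the parser, and reports what the banner headers disclose to an outsider and which browser-side protection headers are set or missing; SAMPLE_RESPONSE reproduces the headers shown above as constructed input.

```python
import re

# The response shown above, reproduced as the constructed input (Cache-Control folded on purpose).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0,
 must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE
"""

# Headers that limit what a browser will do with the page; which ones matter depends on the content.
HARDENING = ["x-content-type-options", "x-frame-options", "x-xss-protection",
             "strict-transport-security", "content-security-policy"]
# Headers whose only job is to tell the client what software answered.
BANNERS = ["server", "x-powered-by", "x-aspnet-version", "x-generator"]
VERSION = re.compile(r"\d+\.\d+")


def parse_response(text):
    """Return (status line, {lowercased name: [values]}). Folded continuation lines (leading
    whitespace, as in the wrapped Cache-Control above) are joined onto the previous header."""
    lines = text.strip().splitlines()
    status, headers, last = lines[0], {}, None
    for line in lines[1:]:
        if not line.strip():
            break                                      # blank line ends the header block
        if line[0] in " \t" and last:
            headers[last][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return status, headers


def assess(headers):
    """What an outsider learns from the banners, and which browser-side protections are asserted."""
    disclosed = {h: headers[h][0] for h in BANNERS if h in headers}
    versions = {h: v for h, v in disclosed.items() if VERSION.search(v)}
    cache = ",".join(headers.get("cache-control", [])).lower()
    return {
        "disclosed": disclosed,                        # e.g. {'server': 'GSE'}
        "versions": versions,                          # banners that also give away a version number
        "present": [h for h in HARDENING if h in headers],
        "missing": [h for h in HARDENING if h not in headers],
        "no_store": "no-store" in cache,               # response will not linger in browser or proxy caches
    }


if __name__ == "__main__":
    status, hdrs = parse_response(SAMPLE_RESPONSE)
    print(status)
    for k, v in assess(hdrs).items():
        print(f"{k}: {v}")
```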

robots.txt:
User-agent: *
Disallow: /private
Disallow: /secret
http://www.irongeek.com/robots.txt

http://www.irongeek.com/i.php?page=security/igigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

http://samy.pl/androidmap/

Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
PTES Technical Guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers: http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Social Zombies - Kevin Johnson and Tom Eston: http://www.youtube.com/watch?v=l79q2G3E8HY, http://www.youtube.com/view_play_list?p=C591646E9B0CF33B, http://vimeo.com/18827316
Satan is on my Friends List - Shawn Moyer and Nathan Hamiel: http://www.youtube.com/watch?v=asj8yzXihcc
Using Social Networks To Profile, Find and 0wn Your Victims - Dave Marcus: http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos/Using%20Social%20Networks%20To%20Profile%20Find%20and%200wn%20Your%20Victims

DerbyCon 2011, Louisville KY, Sept 30 - Oct 2: http://derbycon.com
Louisville Infosec: http://www.louisvilleinfosec.com
Other Cons: http://www.skydogcon.com, http://www.dojocon.org, http://www.hack3rcon.org, http://phreaknic.info, http://notacon.org, http://www.outerz0ne.org

42

Page 7: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

All these techniques are legal as far as I know but IANAL

Sorry if I ldquodrop someonersquos docsrdquo other than my own

Please donrsquot misuse this information

Irongeekcom

Tons of fun tools to play withhttpwwwbacktrack-linuxorg

Username rootPassword toor

Many of the DNS tools are inpentestenumerationdns

Irongeekcom

Who-do the voodoo that you do so well

Irongeekcom

Glue of the Internet

Think of it as a phone book of sorts

Maps names to IPs and IPs to names (and other odds and ends)

Organization information is also kept

69163177249wwwirongeekcom

Irongeekcom

Host name to IP lookupnslookup wwwirongeekcom

Reverse lookupnslookup 20897169250

Irongeekcom

Just a few record types cribbed from httpenwikipediaorgwikiList_of_DNS_record_types

Code Number Defining RFC Description Function

A 1 RFC 1035 address record Returns a 32-bit IPv4 address most commonly used to map hostnames to an IP address of the host but also used for DNSBLs storing subnet masks in RFC 1101 etc

AAAA28 RFC 3596 IPv6 address

record

Returns a 128-bit IPv6 address most commonly used to map hostnames to an IP address of the host

MX 15 RFC 1035 mail exchange record

Maps a domain name to a list of mail exchange servers for that domain

CNAME 5 RFC 1035 Canonical name record

Alias of one name to another the DNS lookup will continue by retrying the lookup with the new name

PTR 12 RFC 1035 pointer record Pointer to a canonical name Unlike a CNAME DNS processing does NOT proceed just the name is returned The most common use is for implementing reverse DNS lookups but other uses include such things as DNS-SD

AXFR 252 RFC 1035 Full Zone Transfer

Transfer entire zone file from the master name server to secondary name servers

Irongeekcom

Zonetransfers

Bruteforcing from a dictionary

Nmap ndashsL ltsome-IP-rangegt

Irongeekcom

dig irongeekcom any

dig ns1dreamhostcom irongeekcom any

Irongeekcom

Irongeekcom

CDocuments and SettingsAdriangtnslookup

Default Server resolver1opendnscom

Address 20867222222

gt set type=ns

gt irongeekcom

Server resolver1opendnscom

Address 20867222222

Non-authoritative answer

irongeekcom nameserver = ns1dreamhostcom

irongeekcom nameserver = ns2dreamhostcom

irongeekcom nameserver = ns3dreamhostcom

gt server ns1dreamhostcom

Default Server ns1dreamhostcom

Address 6633206206

gt ls irongeekcom

[ns1dreamhostcom]

Cant list domain irongeekcom Query refused

gt exit

Irongeekcom

Domain Internet Groperdig ugentbe nsdig ugdns1ugentbe ugentbe axfr

Irongeekcom

Other tools in BackTrackdnsreconpy -d ugentbe ndashxdnsenumpl ugentbe

ServerSniffhttpserversniffnetnsreportphphttpserversniffnetcontentphpdo=subdomains

GUI Dig for Windowshttpnscanorgdightml

Irongeekcom

Fiercehttphackersorgfiercefiercepl -threads 100 -dns irongeekcomfiercepl -dns irongeekcom -wordlist dictionarytxt

Irongeekcom

nmap -sL ltsome-IP-rangegt

nmap -sL 1920321-10

Irongeekcom

Great for troubleshooting bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Who is by proxy

Irongeekcom

apt-get install whois

whois examplecom

whois 20897169250

Irongeekcom

nix Command line

Nirsoftrsquoshttpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

Irongeekcom

RobTexhttpwwwrobtexcom

ServerSniffhttpwwwserversniffnet

Irongeekcom

Windows (ICMP)tracert irongeekcom

nix (UDP by default change with ndashI or -T)traceroute irongeekcom

Just for funhttpwwwnabberorgprojectsgeotrace

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

The organizationrsquos website (duh)

Corp Infohttpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machinehttpwwwarchiveorg

Monster (and other job sites)httpwwwmonstercom

Zoominfohttpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boardshttpboardreadercomhttpomgilicomhttpgroupsgooglecom

LinkedInhttpwwwlinkedincom

Irongeekcom

Itrsquos all about how this links to that links to some other thinghellip

Irongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 8: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Tons of fun tools to play withhttpwwwbacktrack-linuxorg

Username rootPassword toor

Many of the DNS tools are inpentestenumerationdns

Irongeekcom

Who-do the voodoo that you do so well

Irongeekcom

Glue of the Internet

Think of it as a phone book of sorts

Maps names to IPs and IPs to names (and other odds and ends)

Organization information is also kept

69163177249wwwirongeekcom

Irongeekcom

Host name to IP lookupnslookup wwwirongeekcom

Reverse lookupnslookup 20897169250

Irongeekcom

Just a few record types cribbed from httpenwikipediaorgwikiList_of_DNS_record_types

Code Number Defining RFC Description Function

A 1 RFC 1035 address record Returns a 32-bit IPv4 address most commonly used to map hostnames to an IP address of the host but also used for DNSBLs storing subnet masks in RFC 1101 etc

AAAA28 RFC 3596 IPv6 address

record

Returns a 128-bit IPv6 address most commonly used to map hostnames to an IP address of the host

MX 15 RFC 1035 mail exchange record

Maps a domain name to a list of mail exchange servers for that domain

CNAME 5 RFC 1035 Canonical name record

Alias of one name to another the DNS lookup will continue by retrying the lookup with the new name

PTR 12 RFC 1035 pointer record Pointer to a canonical name Unlike a CNAME DNS processing does NOT proceed just the name is returned The most common use is for implementing reverse DNS lookups but other uses include such things as DNS-SD

AXFR 252 RFC 1035 Full Zone Transfer

Transfer entire zone file from the master name server to secondary name servers

Irongeekcom

Zonetransfers

Bruteforcing from a dictionary

Nmap ndashsL ltsome-IP-rangegt

Irongeekcom

dig irongeekcom any

dig ns1dreamhostcom irongeekcom any

Irongeekcom

Irongeekcom

CDocuments and SettingsAdriangtnslookup

Default Server resolver1opendnscom

Address 20867222222

gt set type=ns

gt irongeekcom

Server resolver1opendnscom

Address 20867222222

Non-authoritative answer

irongeekcom nameserver = ns1dreamhostcom

irongeekcom nameserver = ns2dreamhostcom

irongeekcom nameserver = ns3dreamhostcom

gt server ns1dreamhostcom

Default Server ns1dreamhostcom

Address 6633206206

gt ls irongeekcom

[ns1dreamhostcom]

Cant list domain irongeekcom Query refused

gt exit

Irongeekcom

Domain Internet Groperdig ugentbe nsdig ugdns1ugentbe ugentbe axfr

Irongeekcom

Other tools in BackTrackdnsreconpy -d ugentbe ndashxdnsenumpl ugentbe

ServerSniffhttpserversniffnetnsreportphphttpserversniffnetcontentphpdo=subdomains

GUI Dig for Windowshttpnscanorgdightml

Irongeekcom

Fiercehttphackersorgfiercefiercepl -threads 100 -dns irongeekcomfiercepl -dns irongeekcom -wordlist dictionarytxt

Irongeekcom

nmap -sL ltsome-IP-rangegt

nmap -sL 1920321-10

Irongeekcom

Great for troubleshooting bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Who is by proxy

Irongeekcom

apt-get install whois

whois examplecom

whois 20897169250

Irongeekcom

nix Command line

Nirsoftrsquoshttpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

Irongeekcom

RobTexhttpwwwrobtexcom

ServerSniffhttpwwwserversniffnet

Irongeekcom

Windows (ICMP)tracert irongeekcom

nix (UDP by default change with ndashI or -T)traceroute irongeekcom

Just for funhttpwwwnabberorgprojectsgeotrace

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

The organizationrsquos website (duh)

Corp Infohttpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machinehttpwwwarchiveorg

Monster (and other job sites)httpwwwmonstercom

Zoominfohttpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boardshttpboardreadercomhttpomgilicomhttpgroupsgooglecom

LinkedInhttpwwwlinkedincom

Irongeekcom

Itrsquos all about how this links to that links to some other thinghellip

Irongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42




Page 12: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Just a few record types, cribbed from http://en.wikipedia.org/wiki/List_of_DNS_record_types

Code  | Number | Defining RFC | Description           | Function
A     | 1      | RFC 1035     | address record        | Returns a 32-bit IPv4 address; most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101, etc.
AAAA  | 28     | RFC 3596     | IPv6 address record   | Returns a 128-bit IPv6 address; most commonly used to map hostnames to an IP address of the host
MX    | 15     | RFC 1035     | mail exchange record  | Maps a domain name to a list of mail exchange servers for that domain
CNAME | 5      | RFC 1035     | Canonical name record | Alias of one name to another; the DNS lookup will continue by retrying the lookup with the new name
PTR   | 12     | RFC 1035     | pointer record        | Pointer to a canonical name. Unlike a CNAME, DNS processing does NOT proceed; just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD
AXFR  | 252    | RFC 1035     | Full Zone Transfer    | Transfer entire zone file from the master name server to secondary name servers

Zone transfers
Brute-forcing from a dictionary
nmap -sL <some-IP-range>

dig irongeek.com any
dig @ns1.dreamhost.com irongeek.com any

C:\Documents and Settings\Adrian>nslookup
Default Server:  resolver1.opendns.com
Address:  208.67.222.222

> set type=ns
> irongeek.com
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
irongeek.com    nameserver = ns1.dreamhost.com
irongeek.com    nameserver = ns2.dreamhost.com
irongeek.com    nameserver = ns3.dreamhost.com
> server ns1.dreamhost.com
Default Server:  ns1.dreamhost.com
Address:  66.33.206.206

> ls irongeek.com
[ns1.dreamhost.com]
Can't list domain irongeek.com: Query refused
> exit

Domain Internet Groper:
dig ugent.be ns
dig @ugdns1.ugent.be ugent.be axfr

Other tools in BackTrack:
dnsrecon.py -d ugent.be -x
dnsenum.pl ugent.be
ServerSniff: http://serversniff.net/nsreport.php, http://serversniff.net/content.php?do=subdomains
GUI Dig for Windows: http://nscan.org/dig.html

Fierce: http://ha.ckers.org/fierce/
fierce.pl -threads 100 -dns irongeek.com
fierce.pl -dns irongeek.com -wordlist dictionary.txt

nmap -sL <some-IP-range>
nmap -sL 192.0.32.1-10

Great for troubleshooting, bad for privacy
Who owns a domain name or IP
E-mail contacts
Physical addresses
Name server
IP ranges
Whois by proxy

apt-get install whois
whois example.com
whois 208.97.169.250

*nix command line
Nirsoft's: http://www.nirsoft.net/utils/whois_this_domain.html
http://www.nirsoft.net/utils/ipnetinfo.html
Pretty much any network tools collection

RobTex: http://www.robtex.com
ServerSniff: http://www.serversniff.net

Windows (ICMP): tracert irongeek.com
*nix (UDP by default, change with -I or -T): traceroute irongeek.com
Just for fun: http://www.nabber.org/projects/geotrace/

So you have a job posting for an "Ethical Hacker", huh?

The organization's website (duh)
Corp Info: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Corporate
Wayback Machine: http://www.archive.org
Monster (and other job sites): http://www.monster.com
Zoominfo: http://www.zoominfo.com
Google Groups (news groups, Google Groups and forums): http://groups.google.com
Boards: http://boardreader.com, http://omgili.com, http://groups.google.com
LinkedIn: http://www.linkedin.com

It's all about how this links to that links to some other thing...

Fake profile I made up to use for class
Dropped some Dox at a few places
May sound creepy, but you can practice with names from dating sites
Remember what you learned from 4chan

Large list at http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
Useful:
http://com.lullar.com
http://www.peekyou.com
http://www.checkusernames.com, http://knowem.com
http://www.isearch.com
http://www.whitepages.com
Not quite related, but cool:
http://tineye.com
http://pipes.yahoo.com/pipes/
Crap: most of them

General: http://youropenbook.org
Geolocation:
http://www.bing.com/maps
http://twittermap.appspot.com
http://www.fourwhere.com
http://icanstalku.com
http://ip2geolocation.com
Neighbors: http://www.whitepages.com/find_neighbors

Maltego: http://www.paterva.com/web5/
See differences: http://www.paterva.com/web5/client/difference.php
Covers a large cross section of what this class is about

George Bronk
Found info on women's Facebook profiles
Used the information to answer security questions at mail providers
Found nudes
Posted some, sent them to contact lists, asked for more

Should you have a profile?
What if you don't?
Impersonators
Robin Sage (by Thomas Ryan)
Get in people's friends lists to probe their connections

More than just turning off safe search (though that's fun too)

PII (Personally identifiable information)
Email addresses
User names
Vulnerable web services
Web-based admin interfaces for hardware
Much more......
YOU HAVE TO USE YOUR IMAGINATION

Operator              Description
site:                 Restrict results to only one domain or server
inurl:/allinurl:      All terms must appear in the URL
intitle:/allintitle:  All terms must appear in the title
cache:                Display Google's cache of a page
ext:/filetype:        Return files with a given extension/file type
info:                 Convenient way to get to other information about a page
link:                 Find pages that link to the given page
inanchor:             Page is linked to by someone using the term
http://www.googleguide.com/advanced_operators.html

Operator   Description
-          Inverse search operator (hide results)
~          Synonyms
[#]..[#]   Number range
*          Wildcard to put something between something when searching with "quotes"
+          Used to force stop words
OR         Boolean operator, must be uppercase
|          Same as OR

inurl:nph-proxy site:edu
intitle:index.of.etc
intitle:index.of site:irongeek.com
filetype:pptx site:irongeek.com
vnc desktop inurl:5800
adrian crenshaw -site:irongeek.com

SSN filetype:xls | filetype:xlsx
"dig axfr"
inurl:admin
inurl:indexFrame.shtml Axis
inurl:hp/device/this.LCDispatcher
"192.168" (but replace with your IP range)

195608_100002238375103_5292346_n.jpg
inurl:100002238375103

inurl:esterpent
inurl:ester1337
intitle:ester1337
inurl:user inurl:irongeek -site:irongeek.com
inurl:account "irongeek"
site:facebook.com inurl:group (ISSA | Information Systems Security Association)
site:linkedin.com inurl:company (NSA | National Security Agency)

Exploit DB Google Dorks: http://www.exploit-db.com/google-dorks/
Old School: http://www.hackersforcharity.org/ghdb/

Metagoofil: http://www.edge-security.com/metagoofil.php
The Harvester: theHarvester.py -d irongeek.com -l 100 -b google
Online Google Hacking Tool: http://www.secapps.com/a/ghdb
Spiderfoot: http://www.binarypool.com/spiderfoot/
Goolag: http://goolag.org

Gooscan: should be on the BackTrack CD/VM
Wikto: http://www.sensepost.com/research/wikto/
SiteDigger: http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
BiLE: http://www.sensepost.com/research_misc.html
MSNPawn: http://www.net-square.com/msnpawn/index.shtml

JSON/Atom: http://code.google.com/apis/customsearch/v1/overview.html
Old: http://code.google.com/apis/websearch/
Really old: SOAP
EvilAPI: http://evilapi.com (defunct)
Spud: http://www.sensepost.com/labs/tools/pentest/spud
I can Haz API keyz: https://github.com/search

Data about data

Dennis Rader (BTK Killer)
Metadata in a Word DOC he sent to police had the name of his church and "last modified by Dennis" in it
Cat Schwartz
Is that an unintended thumbnail in your EXIF data, or are you just happy to see me?
Darkanaku/Nephew chan
A user on 4chan posts a pic of his semi-nude aunt, taken with an iPhone. Anonymous pulls the EXIF GPS info from the file and hilarity ensues. More details can be found on the following VNSFW site:
http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan
http://web.archive.org/web/20090608214029/http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan

JPG: EXIF (Exchangeable image file format) / IPTC (International Press Telecommunications Council)
PDF
DOC
DOCX
EXE
XLS
XLSX
PNG
Too many to name them all
MAC addresses, user names, edits, GPS info. It all depends on the file format.
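An added example, written for this page rather than taken from the talk or from any of the tools listed: a small Python reader that pulls GPSLatitude/GPSLongitude out of a JPEG's Exif APP1 segment (the fields that gave away the Nephew chan photo's location) and a stripper that removes the whole segment before a file is shared. The JPEG fixture is constructed inline, its coordinates are made up, and the parser only follows the GPS fields, not the full Exif tag set.

```python
"""Read GPS coordinates from a JPEG's Exif block, and strip the block before publishing."""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

GPS_IFD_TAG = 0x8825                     # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
EXIF_PREFIX = b"Exif\0\0"


def build_sample_jpeg() -> bytes:
    """Constructed fixture: a minimal JPEG whose APP1 Exif segment carries GPS tags.
    TIFF-relative offsets: IFD0 at 8, GPS IFD at 26, latitude at 80, longitude at 104."""
    tiff = b"MM" + struct.pack(">HI", 42, 8)                          # big-endian TIFF header
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26) + b"\0\0\0\0"
    tiff += struct.pack(">H", 4)                                      # GPS IFD: 4 entries
    tiff += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + b"N\0\0\0"       # short ASCII fits in the field
    tiff += struct.pack(">HHII", GPS_LAT, 5, 3, 80)                   # 3 RATIONALs stored at offset 80
    tiff += struct.pack(">HHI", GPS_LON_REF, 2, 2) + b"W\0\0\0"
    tiff += struct.pack(">HHII", GPS_LON, 5, 3, 104)
    tiff += b"\0\0\0\0"                                               # no next IFD
    tiff += struct.pack(">IIIIII", 38, 1, 15, 1, 0, 1)                # 38 deg 15' 0" (made up)
    tiff += struct.pack(">IIIIII", 85, 1, 45, 1, 36, 1)               # 85 deg 45' 36" (made up)
    app1 = EXIF_PREFIX + tiff
    segment = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    # SOI, the Exif APP1 segment, a stand-in DQT segment, EOI
    return b"\xff\xd8" + segment + b"\xff\xdb\x00\x04\x00\x00" + b"\xff\xd9"


def segments(jpeg: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, start, end) for each header segment up to SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):           # SOS or EOI: no metadata segments after this
            yield marker, pos, len(jpeg)
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def exif_tiff(jpeg: bytes) -> Optional[bytes]:
    """Return the TIFF structure inside the Exif APP1 segment, or None."""
    for marker, start, end in segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_PREFIX:
            return jpeg[start + 10:end]
    return None


def read_ifd(tiff: bytes, off: int, e: str) -> Dict[int, Tuple[int, int, bytes]]:
    """Map tag -> (type, count, raw 4-byte value-or-offset field) for one IFD."""
    count = struct.unpack(e + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(count):
        at = off + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, n, tiff[at + 8:at + 12])
    return entries


def rationals(tiff: bytes, e: str, field: bytes, n: int) -> List[float]:
    """Follow an offset field to n RATIONAL (numerator/denominator) values."""
    off = struct.unpack(e + "I", field)[0]
    raw = struct.unpack(e + "II" * n, tiff[off:off + 8 * n])
    return [raw[i] / raw[i + 1] for i in range(0, 2 * n, 2)]


def gps_coordinates(jpeg: bytes) -> Optional[Tuple[float, float]]:
    """Return (latitude, longitude) in decimal degrees, or None if there are no GPS tags."""
    tiff = exif_tiff(jpeg)
    if tiff is None or tiff[:2] not in (b"MM", b"II"):
        return None
    e = ">" if tiff[:2] == b"MM" else "<"              # byte order from the TIFF header
    ifd0 = read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD_TAG][2])[0], e)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    dms = lambda v: v[0] + v[1] / 60 + v[2] / 3600     # degrees, minutes, seconds -> decimal
    lat = dms(rationals(tiff, e, gps[GPS_LAT][2], 3))
    lon = dms(rationals(tiff, e, gps[GPS_LON][2], 3))
    if gps[GPS_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[GPS_LON_REF][2][:1] == b"W":
        lon = -lon
    return lat, lon


def strip_exif(jpeg: bytes) -> bytes:
    """Copy the JPEG without its Exif APP1 segment (GPS IFD and embedded thumbnail go with it)."""
    out = bytearray(jpeg[:2])
    for marker, start, end in segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_PREFIX:
            continue
        out += jpeg[start:end]
    return bytes(out)
```

Real camera files carry many more IFD entries and a thumbnail after the IFDs, but the walk is the same: find APP1, follow IFD0's GPS pointer, read the rationals.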

Strings
FOCA (use compatibility mode if needed): http://www.informatica64.com/DownloadFOCA
Metagoofil: http://www.edge-security.com/metagoofil.php
EXIF Tool: http://www.sno.phy.queensu.ca/~phil/exiftool/


Page 13: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you


Page 14: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you


Page 15: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Irongeekcom

CDocuments and SettingsAdriangtnslookup

Default Server resolver1opendnscom

Address 20867222222

gt set type=ns

gt irongeekcom

Server resolver1opendnscom

Address 20867222222

Non-authoritative answer

irongeekcom nameserver = ns1dreamhostcom

irongeekcom nameserver = ns2dreamhostcom

irongeekcom nameserver = ns3dreamhostcom

gt server ns1dreamhostcom

Default Server ns1dreamhostcom

Address 6633206206

gt ls irongeekcom

[ns1dreamhostcom]

Cant list domain irongeekcom Query refused

gt exit

Irongeekcom

Domain Internet Groperdig ugentbe nsdig ugdns1ugentbe ugentbe axfr

Irongeekcom

Other tools in BackTrackdnsreconpy -d ugentbe ndashxdnsenumpl ugentbe

ServerSniffhttpserversniffnetnsreportphphttpserversniffnetcontentphpdo=subdomains

GUI Dig for Windowshttpnscanorgdightml

Irongeekcom

Fiercehttphackersorgfiercefiercepl -threads 100 -dns irongeekcomfiercepl -dns irongeekcom -wordlist dictionarytxt

Irongeekcom

nmap -sL ltsome-IP-rangegt

nmap -sL 1920321-10

Irongeekcom

Great for troubleshooting bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Who is by proxy

Irongeekcom

apt-get install whois

whois examplecom

whois 20897169250

Irongeekcom

nix Command line

Nirsoftrsquoshttpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

Irongeekcom

RobTexhttpwwwrobtexcom

ServerSniffhttpwwwserversniffnet

Irongeekcom

Windows (ICMP)tracert irongeekcom

nix (UDP by default change with ndashI or -T)traceroute irongeekcom

Just for funhttpwwwnabberorgprojectsgeotrace

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

Finding general information about an organization:
The organization's website (duh)
Corp info: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Corporate
Wayback Machine: http://www.archive.org
Monster (and other job sites): http://www.monster.com
Zoominfo: http://www.zoominfo.com
Google Groups (newsgroups, Google Groups and forums): http://groups.google.com
Boards: http://boardreader.com, http://omgili.com, http://groups.google.com
LinkedIn: http://www.linkedin.com

It's all about how this links to that links to some other thing...

Fake profile I made up to use for class
Dropped some dox at a few places
May sound creepy, but you can practice with names from dating sites
Remember what you learned from 4chan

People search sites. Large list at http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking

Useful:
http://com.lullar.com
http://www.peekyou.com
http://www.checkusernames.com, http://knowem.com
http://www.isearch.com
http://www.whitepages.com

Not quite related, but cool:
http://tineye.com
http://pipes.yahoo.com/pipes

Crap: most of them

General: http://youropenbook.org
Geolocation:
http://www.bing.com/maps
http://twittermap.appspot.com
http://www.fourwhere.com
http://icanstalku.com
http://ip2geolocation.com
Neighbors: http://www.whitepages.com/find_neighbors

Maltego: http://www.paterva.com/web5/
See the differences between editions: http://www.paterva.com/web5/client/difference.php
Covers a large cross section of what this class is about

George Bronk:
Found information on women's Facebook profiles
Used it to answer the security questions at their mail providers and take over the accounts
Found nudes
Posted some, sent them to the victims' contact lists, and asked for more

Should you have a profile?
What if you don't?
Impersonators
Robin Sage (by Thomas Ryan): get into people's friends lists to probe their connections

Google hacking: more than just turning off safe search (though that's fun too)

What it turns up:
PII (personally identifiable information)
Email addresses
User names
Vulnerable web services
Web-based admin interfaces for hardware
Much more...
YOU HAVE TO USE YOUR IMAGINATION

Operator                Description
site:                   Restrict results to one domain or server
inurl: / allinurl:      Term (all terms) must appear in the URL
intitle: / allintitle:  Term (all terms) must appear in the page title
cache:                  Display Google's cache of a page
ext: / filetype:        Return files with a given extension / file type
info:                   Convenient way to get to other information about a page
link:                   Find pages that link to the given page
inanchor:               Page is linked to by someone using the term as anchor text
http://www.googleguide.com/advanced_operators.html

Operator   Description
-          Inverse search operator (hide results containing the term)
~          Synonyms
#..#       Number range
*          Wildcard; stands in for something between two words when searching with "quotes"
+          Force inclusion of stop words
OR         Boolean operator; must be uppercase
|          Same as OR

Example dorks:
inurl:nph-proxy site:edu
intitle:index.of etc
intitle:index.of site:irongeek.com
filetype:pptx site:irongeek.com
"vnc desktop" inurl:5800
"adrian crenshaw" -site:irongeek.com

SSN filetype:xls | filetype:xlsx
"dig axfr"
inurl:admin
inurl:indexFrame.shtml Axis
inurl:hp/device/this.LCDispatcher
"192.168" (but replace with your IP range)

Facebook photo file names embed the uploader's profile ID (the middle number), so the ID from one photo turns up the rest:
195608_100002238375103_5292346_n.jpg
inurl:100002238375103

Following a handle across sites:
inurl:esterpent
inurl:ester1337
intitle:ester1337
inurl:user inurl:irongeek -site:irongeek.com
inurl:account "irongeek"
site:facebook.com inurl:group (ISSA | "Information Systems Security Association")
site:linkedin.com inurl:company (NSA | "National Security Agency")

Exploit DB Google dorks (GHDB): http://www.exploit-db.com/google-dorks/
Old school: http://www.hackersforcharity.org/ghdb/

Metagoofil: http://www.edge-security.com/metagoofil.php
theHarvester: theHarvester.py -d irongeek.com -l 100 -b google
Online Google hacking tool: http://www.secapps.com/a/ghdb
Spiderfoot: http://www.binarypool.com/spiderfoot/
Goolag: http://goolag.org

Gooscan (should be on the BackTrack CD/VM)
Wikto: http://www.sensepost.com/research/wikto/
SiteDigger: http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
BiLE: http://www.sensepost.com/research_misc.html
MSNPawn: http://www.net-square.com/msnpawn/index.shtml

Search APIs:
JSON/Atom: http://code.google.com/apis/customsearch/v1/overview.html
Old: http://code.google.com/apis/websearch/
Really old: SOAP
EvilAPI: http://evilapi.com (defunct)
Spud: http://www.sensepost.com/labs/tools/pentest/spud
I can haz API keyz? https://github.com/search (people commit their keys to public repos)
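The dork lists above are meant to be typed into a browser; the JSON API entry is how you run a batch of them without getting captcha'd. The script below is an added example, not the talk's code: it instantiates the slides' dorks for a target, sends them through Google's Custom Search JSON API with the pagination that API requires (at most 10 results per call, start=1, 11, 21, ...), and also carries the Facebook photo-file-name trick from the earlier slide. It assumes you have created a Programmable Search Engine that covers the whole web (its cx id) and hold an API key; YOUR_API_KEY and YOUR_CX are placeholders, and the fetch parameter exists so the parsing can be exercised offline.

```python
"""Run the slide dorks through Google's Custom Search JSON API. Added example,
not the talk's code; assumes a whole-web Programmable Search Engine (cx) and an
API key, both placeholders below."""
import json
import urllib.parse
import urllib.request

API = "https://www.googleapis.com/customsearch/v1"

def quote_phrase(term):
    """Google reads adrian crenshaw as two words; "adrian crenshaw" is one phrase."""
    return '"%s"' % term if " " in term and not term.startswith('"') else term

def build_dorks(domain, name=None):
    """The slides' queries instantiated for one target; name is a person to look for off-site."""
    dorks = ["intitle:index.of site:%s" % domain,
             "filetype:pptx site:%s" % domain,
             "filetype:xls | filetype:xlsx site:%s SSN" % domain,
             "inurl:admin site:%s" % domain]
    if name:
        dorks.append("%s -site:%s" % (quote_phrase(name), domain))
    return dorks

def fb_owner_id(filename):
    """195608_100002238375103_5292346_n.jpg -> '100002238375103': the middle number of a
    Facebook photo file name is the uploading profile's id, ready for an inurl: search."""
    parts = filename.split("_")
    return parts[1] if len(parts) >= 3 and parts[1].isdigit() else None

def _http_get(url):
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read().decode("utf-8")

def search(query, key, cx, fetch=_http_get, max_results=30):
    """Yield (title, link) for one query. The API hands back at most 10 items per call
    and pages with start=1, 11, 21, ...; stop on a short page or when no nextPage is offered."""
    start = 1
    while start <= max_results:
        params = {"key": key, "cx": cx, "q": query, "num": 10, "start": start}
        data = json.loads(fetch(API + "?" + urllib.parse.urlencode(params)))
        items = data.get("items", [])
        for item in items:
            yield item.get("title", ""), item["link"]
        if len(items) < 10 or "nextPage" not in data.get("queries", {}):
            break
        start += 10

def run_dorks(domain, key, cx, name=None, fetch=_http_get):
    """Map each dork to the de-duplicated links it surfaced."""
    hits = {}
    for dork in build_dorks(domain, name):
        links = []
        for _, link in search(dork, key, cx, fetch=fetch):
            if link not in links:
                links.append(link)
        hits[dork] = links
    return hits

if __name__ == "__main__":
    import sys
    # Placeholders: put your own Custom Search API key and engine id here.
    for dork, links in run_dorks(sys.argv[1], "YOUR_API_KEY", "YOUR_CX").items():
        print(dork, "->", len(links), "hits")
        for link in links:
            print("   ", link)
```

The API's per-day free quota is small, so keep the dork list short and the max_results cap low; a run of `python dorks.py irongeek.com` is roughly five calls per page of results.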

Metadata: data about data

Dennis Rader (BTK Killer): metadata in a Word DOC he sent to police had the name of his church in it, and "last modified by: Dennis".

Cat Schwartz: is that an unintended thumbnail in your EXIF data, or are you just happy to see me?

Darkanaku / Nephew chan: a user on 4chan posts a pic of his semi-nude aunt taken with an iPhone. Anonymous pulls the EXIF GPS info from the file and hilarity ensues. More details on the following (very NSFW) site:
http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan
http://web.archive.org/web/20090608214029/http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan

Where metadata lives:
JPG: EXIF (Exchangeable image file format), IPTC (International Press Telecommunications Council)
PDF
DOC
DOCX
EXE
XLS
XLSX
PNG
Too many to name them all
MAC addresses, user names, edit history, GPS info: it all depends on the file format
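The two cases above that actually identified someone turned on two specific fields: GPS coordinates in a JPEG's EXIF block (the Darkanaku case) and the author / last-modified-by properties of an Office document (the Rader case). The script below is an added example of pulling exactly those out with nothing but the Python standard library; it is not one of the tools from the talk. It walks the JPEG segments to the APP1/Exif payload, parses the TIFF IFDs by hand (IFD0, then the GPS IFD that tag 0x8825 points to), and for DOCX/XLSX/PPTX reads docProps/core.xml from the zip. The sample JPEG and DOCX at the bottom are built in code for offline checking, not real files; the names in them are made up.

```python
"""GPS from JPEG EXIF and author fields from OOXML, standard library only.
Added example, not a tool from the talk; sample files below are constructed."""
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}           # BYTE, ASCII, SHORT, LONG, RATIONAL

def read_ifd(tiff, off, bo):
    """Parse one TIFF IFD at offset off (bo is '<' or '>'); return {tag: value}."""
    out, count = {}, struct.unpack(bo + "H", tiff[off:off + 2])[0]
    for i in range(count):
        e = off + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * n
        if size <= 4:                                  # small values live in the entry itself
            data = tiff[e + 8:e + 12]
        else:                                          # larger ones are pointed to
            ptr = struct.unpack(bo + "I", tiff[e + 8:e + 12])[0]
            data = tiff[ptr:ptr + size]
        if typ == 2:
            out[tag] = data.split(b"\x00")[0].decode("ascii", "replace")
        elif typ in (3, 4):
            out[tag] = struct.unpack(bo + "%d%s" % (n, "H" if typ == 3 else "I"), data[:size])
        elif typ == 5:
            v = struct.unpack(bo + "%dI" % (2 * n), data)
            out[tag] = tuple(v[j] / v[j + 1] if v[j + 1] else 0.0 for j in range(0, 2 * n, 2))
    return out

def dms(t):
    """(degrees, minutes, seconds) -> decimal degrees."""
    return t[0] + t[1] / 60 + t[2] / 3600

def exif_gps(jpeg):
    """Walk the JPEG segments to APP1/Exif, follow IFD0's GPSInfo pointer (tag 0x8825)
    and return (lat, lon) in signed decimal degrees, or None if there is no GPS block."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + length]
            bo = "<" if tiff[:2] == b"II" else ">"
            ifd0 = read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
            if 0x8825 not in ifd0:
                return None
            gps = read_ifd(tiff, ifd0[0x8825][0], bo)
            if 2 not in gps or 4 not in gps:          # GPSLatitude / GPSLongitude
                return None
            lat = dms(gps[2]) * (-1 if gps.get(1, "N").startswith("S") else 1)
            lon = dms(gps[4]) * (-1 if gps.get(3, "E").startswith("W") else 1)
            return round(lat, 6), round(lon, 6)
        pos += 2 + length
    return None

def office_props(blob):
    """DOCX/XLSX/PPTX are zip files; docProps/core.xml holds the author, the last
    editor and the revision count. Returns whichever of those are present."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        if "docProps/core.xml" in z.namelist():
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy"),
                              ("revision", "cp:revision")):
                el = root.find(path, NS)
                if el is not None and el.text:
                    props[key] = el.text
    return props

def _sample_jpeg():
    """Constructed: Exif APP1 with a Make tag and a GPS IFD reading 38.258333 N, 85.75 W."""
    make = b"Apple\x00"
    lat, lon = struct.pack("<6I", 38, 1, 15, 1, 30, 1), struct.pack("<6I", 85, 1, 45, 1, 0, 1)
    make_off = 8 + 2 + 2 * 12 + 4                      # header, then IFD0 (2 entries + next pointer)
    gps_off = make_off + len(make)
    lat_off = gps_off + 2 + 4 * 12 + 4                 # GPS IFD has 4 entries
    lon_off = lat_off + len(lat)
    ifd0 = (struct.pack("<H", 2) + struct.pack("<HHII", 0x010F, 2, len(make), make_off)
            + struct.pack("<HHII", 0x8825, 4, 1, gps_off) + b"\x00" * 4)
    gps = (struct.pack("<H", 4) + struct.pack("<HHI4s", 1, 2, 2, b"N\x00")
           + struct.pack("<HHII", 2, 5, 3, lat_off) + struct.pack("<HHI4s", 3, 2, 2, b"W\x00")
           + struct.pack("<HHII", 4, 5, 3, lon_off) + b"\x00" * 4)
    payload = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd0 + make + gps + lat + lon
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

def _sample_docx():
    """Constructed: the smallest OOXML package shape, with the fields Word fills in."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>Dennis</dc:creator>'
            '<cp:lastModifiedBy>Dennis</cp:lastModifiedBy><cp:revision>7</cp:revision>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"]))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

SAMPLE_JPEG, SAMPLE_DOCX = _sample_jpeg(), _sample_docx()
```

On real files read the bytes in and call exif_gps or office_props directly; the constructed JPEG resolves to a point in Louisville, KY, and the DOCX gives up "Dennis" as both creator and last editor, which is the whole Rader lesson in one dict. ExifTool and FOCA do the same job across far more formats; this is just enough to see where the fields sit.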

Metadata tools:
strings
FOCA (use compatibility mode if needed): http://www.informatica64.com/DownloadFOCA/
Metagoofil: http://www.edge-security.com/metagoofil.php
ExifTool: http://www.sno.phy.queensu.ca/~phil/exiftool/
EXIF Viewer plugin for Firefox: https://addons.mozilla.org/en-US/firefox/addon/3905/
Jeffrey's Exif Viewer: http://regex.info/exif.cgi

EXIF Reader: http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/
Flickramio: http://userscripts.org/scripts/show/27101
Creepy: http://ilektrojohn.github.com/creepy/
Pauldotcom on metadata: http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search

Other odds and ends: stuff that does not quite fit anywhere else

http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers

Also, let us not forget HTTP headers:

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE

Live HTTP Headers plugin (Firefox)
http://www.shodanhq.com
https://panopticlick.eff.org

robots.txt tells crawlers, and you, where the owner keeps the things they don't want indexed:
User-agent: *
Disallow: /private/
Disallow: /secret/
http://www.irongeek.com/robots.txt
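The header block and the robots.txt above are the two cheapest pieces of recon a web server gives away, and both deserve a quick automated read rather than eyeballing in a plugin. The script below is an added example, not from the talk: it parses a raw response head into a header map (joining obsolete folded continuation lines), reports the fingerprinting headers that are present and the defensive headers that are absent, and turns robots.txt Disallow entries into URLs to look at by hand. SAMPLE_HEAD is the slide's GSE example retyped; SAMPLE_ROBOTS is constructed around the slide's two Disallow lines; the list of "security headers" is this example's own choice, not something the talk enumerates.

```python
"""Recon from response headers and robots.txt. Added example, not from the talk;
SAMPLE_HEAD is the slide's header block, SAMPLE_ROBOTS is constructed."""

SECURITY_HEADERS = {                                  # absence of each is the finding
    "strict-transport-security": "no HSTS, HTTPS can be stripped",
    "content-security-policy": "no CSP, injected script runs unhindered",
    "x-frame-options": "page can be framed (clickjacking)",
    "x-content-type-options": "browser may sniff content types",
}
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")

def parse_headers(raw):
    """Raw response head -> (status line, {lowercased name: value}); obsolete folded
    continuation lines (leading whitespace) are joined onto the previous header."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return lines[0].strip(), headers

def audit_headers(raw):
    """What the headers give away, and which protections are absent."""
    status, headers = parse_headers(raw)
    return {"status": status,
            "fingerprints": {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers},
            "present": sorted(h for h in SECURITY_HEADERS if h in headers),
            "missing": {h: why for h, why in SECURITY_HEADERS.items() if h not in headers}}

def robots_leads(robots_txt, base):
    """Each Disallow path is somewhere the owner would rather crawlers not go; return
    them as URLs under base. Blank entries and a bare '/' are noise and are skipped."""
    leads = []
    for line in robots_txt.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")
        value = value.strip()
        if key.strip().lower() == "disallow" and value not in ("", "/"):
            leads.append(base.rstrip("/") + "/" + value.lstrip("/"))
    return leads

SAMPLE_HEAD = """HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE
"""

SAMPLE_ROBOTS = """# constructed around the slide's example
User-agent: *
Disallow: /private/
Disallow: /secret/
Disallow:
"""

if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEAD))
    print(robots_leads(SAMPLE_ROBOTS, "http://www.irongeek.com"))
```

Feed it the head of a real response (for example what `curl -sI` prints) and the body of /robots.txt; on the slide's sample it reports Server: GSE as the only fingerprint, the two X- protections as present, and HSTS and CSP as missing.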

iGigle (WiGLE wardrive data into Google Earth): http://www.irongeek.com/i.php?page=security/igigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping
Samy Kamkar's androidmap: http://samy.pl/androidmap/

Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
PTES Technical Guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
VulnerabilityAssessment.co.uk - an information portal for vulnerability analysts and penetration testers: http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Social Zombies - Kevin Johnson and Tom Eston:
http://www.youtube.com/watch?v=l79q2G3E8HY
http://www.youtube.com/view_play_list?p=C591646E9B0CF33B
http://vimeo.com/18827316
Satan is on my Friends List - Shawn Moyer and Nathan Hamiel: http://www.youtube.com/watch?v=asj8yzXihcc
Using Social Networks To Profile, Find and 0wn Your Victims - Dave Marcus: http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos/Using%20Social%20Networks%20To%20Profile%20Find%20and%200wn%20Your%20Victims

DerbyCon 2011, Louisville, KY, Sept 30 - Oct 2: http://derbycon.com
Louisville Infosec: http://www.louisvilleinfosec.com
Other cons: http://www.skydogcon.com, http://www.dojocon.org, http://www.hack3rcon.org, http://phreaknic.info, http://notacon.org, http://www.outerz0ne.org

Irongeekcom

42

Page 16: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

CDocuments and SettingsAdriangtnslookup

Default Server resolver1opendnscom

Address 20867222222

gt set type=ns

gt irongeekcom

Server resolver1opendnscom

Address 20867222222

Non-authoritative answer

irongeekcom nameserver = ns1dreamhostcom

irongeekcom nameserver = ns2dreamhostcom

irongeekcom nameserver = ns3dreamhostcom

gt server ns1dreamhostcom

Default Server ns1dreamhostcom

Address 6633206206

gt ls irongeekcom

[ns1dreamhostcom]

Cant list domain irongeekcom Query refused

gt exit

Irongeekcom

Domain Internet Groperdig ugentbe nsdig ugdns1ugentbe ugentbe axfr

Irongeekcom

Other tools in BackTrackdnsreconpy -d ugentbe ndashxdnsenumpl ugentbe

ServerSniffhttpserversniffnetnsreportphphttpserversniffnetcontentphpdo=subdomains

GUI Dig for Windowshttpnscanorgdightml

Irongeekcom

Fiercehttphackersorgfiercefiercepl -threads 100 -dns irongeekcomfiercepl -dns irongeekcom -wordlist dictionarytxt

Irongeekcom

nmap -sL ltsome-IP-rangegt

nmap -sL 1920321-10

Irongeekcom

Great for troubleshooting bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Who is by proxy

Irongeekcom

apt-get install whois

whois examplecom

whois 20897169250

Irongeekcom

nix Command line

Nirsoftrsquoshttpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

Irongeekcom

RobTexhttpwwwrobtexcom

ServerSniffhttpwwwserversniffnet

Irongeekcom

Windows (ICMP)tracert irongeekcom

nix (UDP by default change with ndashI or -T)traceroute irongeekcom

Just for funhttpwwwnabberorgprojectsgeotrace

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

The organizationrsquos website (duh)

Corp Infohttpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machinehttpwwwarchiveorg

Monster (and other job sites)httpwwwmonstercom

Zoominfohttpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boardshttpboardreadercomhttpomgilicomhttpgroupsgooglecom

LinkedInhttpwwwlinkedincom

Irongeekcom

Itrsquos all about how this links to that links to some other thinghellip

Irongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 17: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Domain Internet Groperdig ugentbe nsdig ugdns1ugentbe ugentbe axfr

Irongeekcom

Other tools in BackTrackdnsreconpy -d ugentbe ndashxdnsenumpl ugentbe

ServerSniffhttpserversniffnetnsreportphphttpserversniffnetcontentphpdo=subdomains

GUI Dig for Windowshttpnscanorgdightml

Irongeekcom

Fiercehttphackersorgfiercefiercepl -threads 100 -dns irongeekcomfiercepl -dns irongeekcom -wordlist dictionarytxt

Irongeekcom

nmap -sL ltsome-IP-rangegt

nmap -sL 1920321-10

Irongeekcom

Great for troubleshooting bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Who is by proxy

Irongeekcom

apt-get install whois

whois examplecom

whois 20897169250

Irongeekcom

nix Command line

Nirsoftrsquoshttpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

Irongeekcom

RobTexhttpwwwrobtexcom

ServerSniffhttpwwwserversniffnet

Irongeekcom

Windows (ICMP)tracert irongeekcom

nix (UDP by default change with ndashI or -T)traceroute irongeekcom

Just for funhttpwwwnabberorgprojectsgeotrace

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

The organizationrsquos website (duh)

Corp Infohttpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machinehttpwwwarchiveorg

Monster (and other job sites)httpwwwmonstercom

Zoominfohttpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boardshttpboardreadercomhttpomgilicomhttpgroupsgooglecom

LinkedInhttpwwwlinkedincom

Irongeekcom

Itrsquos all about how this links to that links to some other thinghellip

Irongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 18: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Other tools in BackTrackdnsreconpy -d ugentbe ndashxdnsenumpl ugentbe

ServerSniffhttpserversniffnetnsreportphphttpserversniffnetcontentphpdo=subdomains

GUI Dig for Windowshttpnscanorgdightml

Irongeekcom

Fiercehttphackersorgfiercefiercepl -threads 100 -dns irongeekcomfiercepl -dns irongeekcom -wordlist dictionarytxt

Irongeekcom

nmap -sL ltsome-IP-rangegt

nmap -sL 1920321-10

Irongeekcom

Great for troubleshooting bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Who is by proxy

Irongeekcom

apt-get install whois

whois examplecom

whois 20897169250

Irongeekcom

nix Command line

Nirsoftrsquoshttpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

Irongeekcom

RobTexhttpwwwrobtexcom

ServerSniffhttpwwwserversniffnet

Irongeekcom

Windows (ICMP)tracert irongeekcom

nix (UDP by default change with ndashI or -T)traceroute irongeekcom

Just for funhttpwwwnabberorgprojectsgeotrace

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

The organizationrsquos website (duh)

Corp Infohttpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machinehttpwwwarchiveorg

Monster (and other job sites)httpwwwmonstercom

Zoominfohttpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boardshttpboardreadercomhttpomgilicomhttpgroupsgooglecom

LinkedInhttpwwwlinkedincom

Irongeekcom

Itrsquos all about how this links to that links to some other thinghellip

Irongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of his church and "last modified by Dennis" in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data, or are you just happy to see me?

Darkanaku/Nephew chan

A user on 4chan posts a pic of his semi-nude aunt taken with an iPhone. Anonymous pulls the EXIF GPS info from the file and hilarity ensues. More details can be found on the following VNSFW site:

http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan

http://web.archive.org/web/20090608214029/http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan

JPG: EXIF (Exchangeable image file format), IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses, user names, edits, GPS info... It all depends on the file format
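As an added example (not code from the slides, nor from FOCA or Metagoofil), the Python below shows where the "last modified by" value in the BTK case lives in a modern Office file: a DOCX is a ZIP, and docProps/core.xml carries creator, lastModifiedBy and the timestamps. The script builds a constructed, minimal DOCX in memory, reads those properties, and writes back a copy with the identifying fields blanked. The document contents and the names in it are made up for the example; the part name and XML namespaces are the real OOXML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespaces used by docProps/core.xml in DOCX/XLSX/PPTX files.
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_DCTERMS = "http://purl.org/dc/terms/"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
for prefix, uri in (("cp", NS_CP), ("dc", NS_DC), ("dcterms", NS_DCTERMS), ("xsi", NS_XSI)):
    ET.register_namespace(prefix, uri)

# Constructed core.xml: the author, editor and dates are made up for this example.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}" '
    f'xmlns:dcterms="{NS_DCTERMS}" xmlns:xsi="{NS_XSI}">'
    "<dc:title>Quarterly report</dc:title>"
    "<dc:creator>jsmith</dc:creator>"
    "<cp:lastModifiedBy>Dennis (constructed)</cp:lastModifiedBy>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">2011-05-01T09:00:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2011-05-18T15:34:03Z</dcterms:modified>'
    "</cp:coreProperties>"
)

# Core properties that identify people or machines; the title is kept here.
SENSITIVE = ("creator", "lastModifiedBy", "created", "modified")


def build_sample_docx():
    """Return bytes of a minimal constructed DOCX: enough ZIP structure for this
    example, not necessarily a document Word would open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Return {local-name: text} for every element in docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    # Parsed tags look like "{namespace}localname"; keep only the local part.
    return {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip() for el in root}


def scrub_core_properties(docx_bytes, fields=SENSITIVE):
    """Return a copy of the DOCX with the given core properties blanked.
    Every other ZIP entry is copied through unchanged."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for el in root:
                    if el.tag.rsplit("}", 1)[-1] in fields:
                        el.text = ""  # the element stays, the value is gone
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out_buf.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", read_core_properties(original))
    print("after: ", read_core_properties(scrub_core_properties(original)))
```

Run it on a real document by replacing build_sample_docx() with the file's bytes; docProps/app.xml (company, template name) and embedded images with their own EXIF are separate parts that the same loop can be extended to cover.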

Strings

FOCA (use compatibility mode if needed): http://www.informatica64.com/DownloadFOCA/

Metagoofil: http://www.edge-security.com/metagoofil.php

EXIF Tool: http://www.sno.phy.queensu.ca/~phil/exiftool/

EXIF Viewer Plugin: https://addons.mozilla.org/en-US/firefox/addon/3905/

Jeffrey's Exif Viewer: http://regex.info/exif.cgi

EXIF Reader: http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/

Flickramio: http://userscripts.org/scripts/show/27101

Creepy: http://ilektrojohn.github.com/creepy/

Pauldotcom: http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search
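To make the EXIF GPS case above concrete, here is an added Python example (not code from the slides or from ExifTool) that builds a constructed JPEG containing only an Exif APP1 segment with a GPS IFD, walks the TIFF structure inside it to recover the coordinates, and produces a copy with the Exif segment dropped. The coordinates and the file are made up; the JPEG markers, the 0x8825 GPS pointer tag, the GPS tag numbers and the IFD layout are the real Exif ones, so the parser works unchanged on a camera-phone photo.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825            # IFD0 entry that points at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def _entry(tag, typ, count, value4):
    """One 12-byte little-endian IFD entry; value4 is the inline value or an offset."""
    return struct.pack("<HHI", tag, typ, count) + value4


def build_sample_jpeg():
    """Constructed JPEG: SOI, one Exif APP1 segment holding a GPS IFD, EOI.
    There is no scan data, so it is a metadata container, not a viewable photo."""
    tiff = b"II" + struct.pack("<HI", 42, 8)                            # header, IFD0 at 8
    ifd0 = struct.pack("<H", 1) + _entry(TAG_GPS_IFD, 4, 1, struct.pack("<I", 26)) + b"\0\0\0\0"
    gps = struct.pack("<H", 4)                                            # GPS IFD at 26
    gps += _entry(GPS_LAT_REF, 2, 2, b"N\0\0\0")                          # ASCII, inline
    gps += _entry(GPS_LAT, 5, 3, struct.pack("<I", 80))                   # 3 RATIONALs at 80
    gps += _entry(GPS_LON_REF, 2, 2, b"W\0\0\0")
    gps += _entry(GPS_LON, 5, 3, struct.pack("<I", 104))                  # 3 RATIONALs at 104
    gps += b"\0\0\0\0"                                                    # no next IFD
    lat = struct.pack("<6I", 38, 1, 15, 1, 0, 1)                          # 38 deg 15' 0"  (made up)
    lon = struct.pack("<6I", 85, 1, 45, 1, 36, 1)                         # 85 deg 45' 36" (made up)
    payload = EXIF_HEADER + tiff + ifd0 + gps + lat + lon
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def iter_segments(jpeg):
    """Yield (marker, start, total_length) for each header segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or start of scan: headers are over
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for the IFD at offset."""
    n = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _dms(tiff, entry, e):
    """Decode a 3-RATIONAL degrees/minutes/seconds entry to decimal degrees."""
    _, count, raw = entry
    off = struct.unpack(e + "I", raw)[0]
    v = struct.unpack(e + "%dI" % (2 * count), tiff[off:off + 8 * count])
    d, m, s = (v[i] / v[i + 1] for i in range(0, 6, 2))
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None when no GPS IFD is present."""
    for marker, start, seglen in iter_segments(jpeg):
        payload = jpeg[start + 4:start + seglen]
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        e = "<" if tiff[:2] == b"II" else ">"                          # TIFF byte order
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0], e)
        if GPS_LAT not in gps or GPS_LON not in gps:
            return None
        lat, lon = _dms(tiff, gps[GPS_LAT], e), _dms(tiff, gps[GPS_LON], e)
        if gps.get(GPS_LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
            lat = -lat
        if gps.get(GPS_LON_REF, (0, 0, b"E"))[2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed; scan data
    and everything after the header segments are copied through untouched."""
    out, end = bytearray(jpeg[:2]), 2
    for marker, start, seglen in iter_segments(jpeg):
        seg = jpeg[start:start + seglen]
        if not (marker == 0xE1 and seg[4:10] == EXIF_HEADER):
            out += seg
        end = start + seglen
    return bytes(out + jpeg[end:])


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("GPS in original:", extract_gps(photo))
    print("GPS after strip:", extract_gps(strip_exif(photo)))
```

Stripping the APP1 segment is the blunt fix; it also discards the embedded thumbnail that caught Cat Schwartz out, since that lives in the same segment. Photo-sharing sites that re-encode uploads usually drop it anyway, but anything served as the original file keeps it.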

Stuff that does not quite fit anywhere else

http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers

Also, let us not forget HTTP headers:

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE

LiveHeaders Plugin

http://www.shodanhq.com

https://panopticlick.eff.org
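As an added example (not code from the slides or from the LiveHeaders plugin), the Python below parses a raw response like the one above and reports the two things recon picks up from it: a Server or X-Powered-By header that fingerprints the platform, and hardening headers that are absent or set to a weak value. The sample is the slide's header block reassembled; the baseline of expected headers is this example's own assumption, not something the slide states.

```python
"""Audit a raw HTTP response header block for platform fingerprints and
missing hardening headers. Added example; not from the slides."""

# Constructed sample: the response shown on the slide, reassembled.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE
"""

# Headers whose only job is to announce what software serves the page;
# banner-indexing services such as Shodan record exactly these.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Baseline of hardening headers (an assumption of this example, not of the slide).
# None means "present with any value"; a string means "must equal this value".
# Strict-Transport-Security is only meaningful on HTTPS responses; it is listed
# so that its absence on an HTTPS site shows up.
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "strict-transport-security": None,
    "content-security-policy": None,
}


def parse_headers(raw):
    """Split a raw response into (status line, {lowercased name: value}).
    A header name that repeats keeps the last value seen."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line (a stray blank or body line)
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit(raw):
    """Return a list of (kind, header, value) findings, where kind is
    "leak" (fingerprint header present), "missing" (hardening header absent)
    or "weak" (hardening header present with an unexpected value)."""
    _, headers = parse_headers(raw)
    findings = []
    for name in FINGERPRINT_HEADERS:
        if name in headers:
            findings.append(("leak", name, headers[name]))
    for name, required in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(("missing", name, None))
        elif required is not None and headers[name].lower() != required:
            findings.append(("weak", name, headers[name]))
    return findings


if __name__ == "__main__":
    for kind, name, value in audit(SAMPLE_RESPONSE):
        print(f"{kind:8} {name}" + (f": {value}" if value else ""))
```

Feed it the output of curl -sI or a proxy capture. On the slide's response the only leak is Server: GSE; removing or genericising that header costs nothing and takes one fingerprint away from anyone who searches by banner.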

User-agent: *

Disallow: /private

Disallow: /secret

http://www.irongeek.com/robots.txt

http://www.irongeek.com/i.php?page=security/igigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

http://samy.pl/androidmap/

Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking

PTES Technical Guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers: http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Social Zombies - Kevin Johnson and Tom Eston: http://www.youtube.com/watch?v=l79q2G3E8HY, http://www.youtube.com/view_play_list?p=C591646E9B0CF33B, http://vimeo.com/18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamiel: http://www.youtube.com/watch?v=asj8yzXihcc

Using Social Networks To Profile, Find and 0wn Your Victims - Dave Marcus: http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos/Using%20Social%20Networks%20To%20Profile%20Find%20and%200wn%20Your%20Victims

DerbyCon 2011, Louisville, KY, Sept 30 - Oct 2: http://derbycon.com

Louisville Infosec: http://www.louisvilleinfosec.com

Other Cons: http://www.skydogcon.com, http://www.dojocon.org, http://www.hack3rcon.org, http://phreaknic.info, http://notacon.org, http://www.outerz0ne.org

42

Page 19: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Fierce: http://ha.ckers.org/fierce/

fierce.pl -threads 100 -dns irongeek.com

fierce.pl -dns irongeek.com -wordlist dictionary.txt

nmap -sL <some-IP-range>

nmap -sL 192.0.32.1-10
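nmap -sL is a list scan: it sends no probes, it only enumerates the addresses the target expression covers (and reverse-resolves each one). As an added example, not nmap's own code, the Python below expands nmap-style target expressions, per-octet ranges and comma lists as in the slide's 192.0.32.1-10 as well as CIDR, into the host list a list scan would touch. On the defending side this is a quick way to check exactly which addresses a range in a scope document or whois record contains before anything is pointed at it. It does no DNS and sends no packets; the ranges in the usage section are made up.

```python
import ipaddress
import itertools


def _octet_values(spec):
    """Expand one octet spec such as "1-10", "1,5", "*" or "7" (nmap syntax)."""
    values = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            lo = int(lo) if lo else 0        # nmap allows "-10" and "200-"
            hi = int(hi) if hi else 255
            values.extend(range(lo, hi + 1))
        else:
            values.append(int(part))
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError("octet value out of range: %d" % v)
    return values


def expand_targets(spec):
    """Expand an nmap-style target ("192.0.32.1-10", "10.0.0.0/30", "10.0.0.*")
    into the list of dotted-quad strings that `nmap -sL` would enumerate."""
    if "/" in spec:
        # CIDR: iterate the whole block, network and broadcast included,
        # which is what nmap does for a /30 and smaller.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets or a CIDR block")
    return [".".join(map(str, combo))
            for combo in itertools.product(*map(_octet_values, octets))]


if __name__ == "__main__":
    for target in ("192.0.32.1-10", "10.0.0.0/30", "10.0.0.1-2,9"):   # made-up ranges
        hosts = expand_targets(target)
        print("%-16s %4d hosts: %s ... %s" % (target, len(hosts), hosts[0], hosts[-1]))
```

Scope creep usually hides in the octet syntax: "10.0.1-3.*" is 768 hosts, not three, so expanding before scanning (or before a bulk whois) avoids surprises.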

Great for troubleshooting, bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Whois by proxy

apt-get install whois

whois example.com

whois 208.97.169.250

*nix command line

Nirsoft's: http://www.nirsoft.net/utils/whois_this_domain.html

http://www.nirsoft.net/utils/ipnetinfo.html

Pretty much any network tools collection

RobTex: http://www.robtex.com

ServerSniff: http://www.serversniff.net

Windows (ICMP): tracert irongeek.com

*nix (UDP by default, change with -I or -T): traceroute irongeek.com

Just for fun: http://www.nabber.org/projects/geotrace/

So you have a job posting for an "Ethical Hacker", huh?

The organization's website (duh)

Corp Info: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Corporate

Wayback Machine: http://www.archive.org

Monster (and other job sites): http://www.monster.com

Zoominfo: http://www.zoominfo.com

Google Groups (News groups, Google Groups and forums): http://groups.google.com

Boards: http://boardreader.com, http://omgili.com, http://groups.google.com

LinkedIn: http://www.linkedin.com

It's all about how this links to that links to some other thing...

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy, but you can practice with names from dating sites

Remember what you learned from 4chan

Large list at http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking

Useful:

http://com.lullar.com

http://www.peekyou.com

http://www.checkusernames.com, http://knowem.com

http://www.isearch.com

http://www.whitepages.com

Not quite related but cool:

http://tineye.com

http://pipes.yahoo.com/pipes/

Crap:

Most of them

General:

http://youropenbook.org

Geolocation:

http://www.bing.com/maps/

http://twittermap.appspot.com

http://www.fourwhere.com

http://icanstalku.com

http://ip2geolocation.com

Neighbors:

http://www.whitepages.com/find_neighbors

Maltego: http://www.paterva.com/web5/

See differences: http://www.paterva.com/web5/client/difference.php

Covers a large cross section of what this class is about

George Bronk

Found info on women's Facebook profiles

Used the information to answer security questions at mail providers

Found nudes

Posted some, sent them to contact lists, asked for more

Should you have a profile?

What if you don't?

Impersonators

Robin Sage (by Thomas Ryan)

Get in people's friends lists to probe their connections

More than just turning off safe search (though that's fun too)

PII (Personally identifiable information)

Email addresses

User names

Vulnerable web services

Web based admin interfaces for hardware

Much more...

YOU HAVE TO USE YOUR IMAGINATION

Operator - Description

site: - Restrict results to only one domain or server

inurl: / allinurl: - All terms must appear in the URL

intitle: / allintitle: - All terms must appear in the title

cache: - Display Google's cache of a page

ext: / filetype: - Return files with a given extension/file type

info: - Convenient way to get to other information about a page

link: - Find pages that link to the given page

inanchor: - Page is linked to by someone using the term

http://www.googleguide.com/advanced_operators.html

Operator - Description

- (minus) - Inverse search operator (hide results)

~ - Synonyms

[#]..[#] - Number range

* - Wildcard, to put something between something when searching with "quotes"

+ - Used to force stop words

OR - Boolean operator, must be uppercase

| - Same as OR

inurl:nph-proxy site:edu

intitle:index.of etc

intitle:index.of site:irongeek.com

filetype:pptx site:irongeek.com




Page 22: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

apt-get install whois

whois examplecom

whois 20897169250

Irongeekcom

nix Command line

Nirsoftrsquoshttpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

Irongeekcom

RobTexhttpwwwrobtexcom

ServerSniffhttpwwwserversniffnet

Irongeekcom

Windows (ICMP)tracert irongeekcom

nix (UDP by default change with ndashI or -T)traceroute irongeekcom

Just for funhttpwwwnabberorgprojectsgeotrace

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

The organizationrsquos website (duh)

Corp Infohttpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machinehttpwwwarchiveorg

Monster (and other job sites)httpwwwmonstercom

Zoominfohttpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boardshttpboardreadercomhttpomgilicomhttpgroupsgooglecom

LinkedInhttpwwwlinkedincom

Irongeekcom

Itrsquos all about how this links to that links to some other thinghellip

Irongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetype:xls | filetype:xlsx
"dig axfr"
inurl:admin
inurl:indexFrame.shtml Axis
inurl:hp/device/this.LCDispatcher
"192.168" (but replace with your IP range)

195608_100002238375103_5292346_n.jpg
inurl:100002238375103

inurl:esterpent
inurl:ester1337
intitle:ester1337
inurl:user inurl:irongeek -site:irongeek.com
inurl:account "irongeek"
site:facebook.com inurl:group (ISSA | "Information Systems Security Association")
site:linkedin.com inurl:company (NSA | "National Security Agency")

Exploit DB Google Dorks: http://www.exploit-db.com/google-dorks/
Old School: http://www.hackersforcharity.org/ghdb/

Metagoofil: http://www.edge-security.com/metagoofil.php
The Harvester: theHarvester.py -d irongeek.com -l 100 -b google
Online Google Hacking Tool: http://www.secapps.com/a/ghdb
Spiderfoot: http://www.binarypool.com/spiderfoot/
Goolag: http://goolag.org

Gooscan: should be on the BackTrack CD/VM
Wikto: http://www.sensepost.com/research/wikto/
SiteDigger: http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
BiLE: http://www.sensepost.com/research_misc.html
MSNPawn: http://www.net-square.com/msnpawn/index.shtml

JSON/Atom: http://code.google.com/apis/customsearch/v1/overview.html
Old: http://code.google.com/apis/websearch/
Really Old: SOAP
EvilAPI: http://evilapi.com (defunct)
Spud: http://www.sensepost.com/labs/tools/pentest/spud
I can Haz API keyz: https://github.com/search

Data about data

Dennis Rader (BTK Killer)
Metadata in a Word DOC he sent to police had the name of his church and "last modified by Dennis" in it
Cat Schwartz
Is that an unintended thumbnail in your EXIF data, or are you just happy to see me?
Darkanaku/Nephew chan
A user on 4chan posts a pic of his semi-nude aunt taken with an iPhone. Anonymous pulls the EXIF GPS info from the file and hilarity ensues. More details can be found on the following VNSFW site:
http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan
http://web.archive.org/web/20090608214029/http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan

JPG: EXIF (Exchangeable image file format) / IPTC (International Press Telecommunications Council)
PDF
DOC
DOCX
EXE
XLS
XLSX
PNG
Too many to name them all
MAC addresses, user names, edits, GPS info: it all depends on the file format
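The formats above carry metadata that the author never meant to publish, and for JPGs the GPS tags are the worst of it. What follows is an added example (my code, not from the talk or any of the tools it lists) for checking your own photos before they go online: it walks the JPEG marker segments, parses the TIFF directories inside the Exif APP1 segment with nothing but the standard library, pulls out the GPS latitude/longitude if present, and can strip the Exif segment out of the file. The sample JPEG it works on is constructed in code, not a real photograph, and the coordinates in it are made up.

```python
import struct

SOI, EOI, EXIF_ID = b"\xff\xd8", b"\xff\xd9", b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                                     # IFD0 entry pointing at the GPS IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4  # GPS IFD tags

def iter_segments(jpeg):
    """Yield (marker, start, end, payload) for each marker segment before the scan data."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG stream")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI or SOS: metadata segments are all behind us
            break
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, end, jpeg[pos + 4:end]
        pos = end

def exif_tiff(jpeg):
    """The TIFF block inside the Exif APP1 segment, or None when there is none."""
    for marker, _, _, payload in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(EXIF_ID):
            return payload[len(EXIF_ID):]
    return None

def read_ifd(tiff, offset, e):
    """One IFD as {tag: (type, count, raw 4-byte value-or-offset)}; e is the byte order."""
    (count,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        at = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, n, tiff[at + 8:at + 12])
    return entries

def read_dms(tiff, e, raw):
    """Dereference three RATIONALs (deg, min, sec) and fold them into decimal degrees."""
    (off,) = struct.unpack(e + "I", raw)
    parts = []
    for i in range(3):
        num, den = struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8])
        parts.append(num / den if den else 0.0)
    return parts[0] + parts[1] / 60 + parts[2] / 3600

def gps_coordinates(jpeg):
    """(latitude, longitude) in decimal degrees if GPS tags are present, else None."""
    tiff = exif_tiff(jpeg)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"               # TIFF byte-order mark
    ifd0 = read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0], e)
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    lat = read_dms(tiff, e, gps[TAG_LAT][2])
    lon = read_dms(tiff, e, gps[TAG_LON][2])
    # Short ASCII values ("N\0", "W\0") are stored inline in the 4-byte value field.
    if gps[TAG_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[TAG_LON_REF][2][:1] == b"W":
        lon = -lon
    return lat, lon

def strip_exif(jpeg):
    """A copy of the JPEG without its Exif APP1 segment; the image data is untouched."""
    out, tail = bytearray(SOI), 2
    for marker, start, end, payload in iter_segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(EXIF_ID)):
            out += jpeg[start:end]
        tail = end
    out += jpeg[tail:]
    return bytes(out)

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: a JPEG shell holding only an Exif APP1 with a GPS IFD."""
    e = "<"                                              # little-endian ("II") TIFF
    entry = lambda tag, typ, n, val4: struct.pack(e + "HHI", tag, typ, n) + val4
    rationals = lambda dms: b"".join(struct.pack(e + "II", int(v), 1) for v in dms)
    ifd0_off = 8                                         # directly after the TIFF header
    gps_off = ifd0_off + 2 + 1 * 12 + 4                  # IFD0: count, 1 entry, next-IFD link
    lat_off = gps_off + 2 + 4 * 12 + 4                   # GPS IFD: count, 4 entries, link
    lon_off = lat_off + 3 * 8                            # three 8-byte RATIONALs
    ifd0 = (struct.pack(e + "H", 1)
            + entry(TAG_GPS_IFD, 4, 1, struct.pack(e + "I", gps_off))
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 4)
           + entry(TAG_LAT_REF, 2, 2, lat_ref.encode("ascii") + b"\x00\x00\x00")
           + entry(TAG_LAT, 5, 3, struct.pack(e + "I", lat_off))
           + entry(TAG_LON_REF, 2, 2, lon_ref.encode("ascii") + b"\x00\x00\x00")
           + entry(TAG_LON, 5, 3, struct.pack(e + "I", lon_off))
           + struct.pack(e + "I", 0))
    tiff = (b"II" + struct.pack(e + "HI", 42, ifd0_off) + ifd0 + gps
            + rationals(lat_dms) + rationals(lon_dms))
    app1 = EXIF_ID + tiff
    return SOI + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + EOI

if __name__ == "__main__":
    # Made-up coordinates (38°15'N, 85°45'W); not from any real photograph.
    photo = build_sample_jpeg((38, 15, 0), "N", (85, 45, 0), "W")
    print("before scrub:", gps_coordinates(photo))              # (38.25, -85.75)
    print("after scrub: ", gps_coordinates(strip_exif(photo)))  # None
```

On a real file, `gps_coordinates(open(path, "rb").read())` is the check to run before uploading. Note that dropping the APP1 segment also removes the camera's embedded thumbnail (IFD1 lives in the same segment; that is the Cat Schwartz case above), while IPTC (APP13) and XMP (a separate APP1 with its own identifier) would need the same treatment.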

Strings
FOCA (use compatibility mode if needed)
http://www.informatica64.com/DownloadFOCA
Metagoofil: http://www.edge-security.com/metagoofil.php
EXIF Tool: http://www.sno.phy.queensu.ca/~phil/exiftool/
EXIF Viewer Plugin: https://addons.mozilla.org/en-US/firefox/addon/3905/
Jeffrey's Exif Viewer: http://regex.info/exif.cgi

EXIF Reader: http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/
Flickramio: http://userscripts.org/scripts/show/27101
Creepy: http://ilektrojohn.github.com/creepy/
Pauldotcom: http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search

Stuff that does not quite fit anywhere else

http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers
Also, let us not forget HTTP headers:
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE
LiveHeaders Plugin
http://www.shodanhq.com
https://panopticlick.eff.org

User-agent: *
Disallow: /private
Disallow: /secret
http://www.irongeek.com/robots.txt
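The response head on the previous slide and the robots.txt above are two things a web server hands to anyone who asks, so they are worth auditing on your own hosts before someone else does. The following is an added example, not from the talk or any tool it lists: it parses a raw response head, reports the headers that name the software stack (the `Server: GSE` line in the slide's sample) and which browser-side protections are absent or weakly set, and lists every `Disallow` path a robots.txt advertises. The sample response is a constructed copy of the slide's text, the robots.txt is the slide's two lines, and the list of expected protection headers is my own choice rather than anything the slide prescribes.

```python
# Constructed copy of the response head shown on the slide (not a live capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/javascript; charset=UTF-8\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Fri, 01 Jan 1990 00:00:00 GMT\r\n"
    "Date: Wed, 18 May 2011 15:34:03 GMT\r\n"
    "Content-Encoding: gzip\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Length: 1269\r\n"
    "Server: GSE\r\n"
    "\r\n"
)

# Constructed robots.txt matching the slide's example.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /private\nDisallow: /secret\n"

# Headers that describe the software stack rather than the response itself.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")

# Protections a reviewer would look for; None means "present with any value".
# This list is the example's own choice, not something the slide prescribes.
EXPECTED_PROTECTIONS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "strict-transport-security": None,
    "content-security-policy": None,
}


def parse_response_head(raw):
    """Split a raw HTTP response head into (status line, {lower-case name: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                                  # blank line ends the head
        name, sep, value = line.partition(":")     # split at the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(raw):
    """Report stack disclosure plus missing or weakly set browser-side protections."""
    status, headers = parse_response_head(raw)
    disclosed = {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}
    missing = [h for h in EXPECTED_PROTECTIONS if h not in headers]
    weak = [h for h, want in EXPECTED_PROTECTIONS.items()
            if want is not None and h in headers and headers[h].lower() != want]
    return {"status": status, "disclosed": disclosed, "missing": missing, "weak": weak}


def robots_disallowed_paths(text):
    """Every path a robots.txt asks crawlers to skip. It is a public list of where the
    operator thinks the interesting content is, and it is enforced on nobody."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


if __name__ == "__main__":
    report = audit_headers(SAMPLE_RESPONSE)
    print(report["status"], "discloses", report["disclosed"])
    print("missing protections:", report["missing"])
    print("robots.txt points at:", robots_disallowed_paths(SAMPLE_ROBOTS))
```

For the slide's sample the report flags `Server: GSE` as disclosure and lists Strict-Transport-Security and Content-Security-Policy as absent; the same functions work on whatever the LiveHeaders plugin shows you for your own site. A path that appears in robots.txt needs real access control, not a request that crawlers look away.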

http://www.irongeek.com/i.php?page=security/igigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

http://samy.pl/androidmap/

Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
PTES Technical Guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers: http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Social Zombies - Kevin Johnson and Tom Eston: http://www.youtube.com/watch?v=l79q2G3E8HY, http://www.youtube.com/view_play_list?p=C591646E9B0CF33B, http://vimeo.com/18827316
Satan is on my Friends List - Shawn Moyer and Nathan Hamiel: http://www.youtube.com/watch?v=asj8yzXihcc
Using Social Networks To Profile, Find and 0wn Your Victims - Dave Marcus: http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos/Using%20Social%20Networks%20To%20Profile%20Find%20and%200wn%20Your%20Victims

DerbyCon 2011, Louisville, KY, Sept 30 - Oct 2: http://derbycon.com
Louisville Infosec: http://www.louisvilleinfosec.com
Other Cons: http://www.skydogcon.com, http://www.dojocon.org, http://www.hack3rcon.org, http://phreaknic.info, http://notacon.org, http://www.outerz0ne.org

Page 23: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

*nix command line
Nirsoft's: http://www.nirsoft.net/utils/whois_this_domain.html
http://www.nirsoft.net/utils/ipnetinfo.html
Pretty much any network tools collection

RobTex: http://www.robtex.com
ServerSniff: http://www.serversniff.net

Windows (ICMP): tracert irongeek.com
*nix (UDP by default, change with -I or -T): traceroute irongeek.com
Just for fun: http://www.nabber.org/projects/geotrace/

So you have a job posting for an "Ethical Hacker", huh?

The organization's website (duh)
Corp Info: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Corporate
Wayback Machine: http://www.archive.org
Monster (and other job sites): http://www.monster.com
Zoominfo: http://www.zoominfo.com
Google Groups (newsgroups, Google Groups and forums): http://groups.google.com
Boards: http://boardreader.com, http://omgili.com, http://groups.google.com
LinkedIn: http://www.linkedin.com

It's all about how this links to that links to some other thing…

Fake profile I made up to use for class
Dropped some Dox at a few places
May sound creepy, but you can practice with names from dating sites
Remember what you learned from 4chan

Large list at
http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
Useful
http://com.lullar.com
http://www.peekyou.com
http://www.checkusernames.com http://knowem.com
http://www.isearch.com
http://www.whitepages.com
Not quite related but cool
http://tineye.com
http://pipes.yahoo.com/pipes/
Crap
Most of them

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 24: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

RobTexhttpwwwrobtexcom

ServerSniffhttpwwwserversniffnet

Irongeekcom

Windows (ICMP)tracert irongeekcom

nix (UDP by default change with ndashI or -T)traceroute irongeekcom

Just for funhttpwwwnabberorgprojectsgeotrace

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

The organizationrsquos website (duh)

Corp Infohttpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machinehttpwwwarchiveorg

Monster (and other job sites)httpwwwmonstercom

Zoominfohttpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boardshttpboardreadercomhttpomgilicomhttpgroupsgooglecom

LinkedInhttpwwwlinkedincom

Irongeekcom

Itrsquos all about how this links to that links to some other thinghellip

Irongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 25: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Windows (ICMP)tracert irongeekcom

nix (UDP by default change with ndashI or -T)traceroute irongeekcom

Just for funhttpwwwnabberorgprojectsgeotrace

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

The organizationrsquos website (duh)

Corp Infohttpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machinehttpwwwarchiveorg

Monster (and other job sites)httpwwwmonstercom

Zoominfohttpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boardshttpboardreadercomhttpomgilicomhttpgroupsgooglecom

LinkedInhttpwwwlinkedincom

Irongeekcom

Itrsquos all about how this links to that links to some other thinghellip

Irongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 26: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

So you have a job posting for anEthical Hacker huh

Irongeekcom

The organizationrsquos website (duh)

Corp Infohttpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machinehttpwwwarchiveorg

Monster (and other job sites)httpwwwmonstercom

Zoominfohttpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boardshttpboardreadercomhttpomgilicomhttpgroupsgooglecom

LinkedInhttpwwwlinkedincom

Irongeekcom

Itrsquos all about how this links to that links to some other thinghellip

Irongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurl:nph-proxy site:edu

intitle:index.of etc

intitle:index.of site:irongeek.com

filetype:pptx site:irongeek.com

vnc desktop inurl:5800

adrian crenshaw -site:irongeek.com

Irongeek.com

SSN filetype:xls | filetype:xlsx

"dig axfr"

inurl:admin

inurl:indexFrame.shtml Axis

inurl:hp/device/this.LCDispatcher

"192.168" (but replace with your IP range)

Irongeek.com

195608_100002238375103_5292346_n.jpg

inurl:100002238375103

Irongeek.com

inurl:esterpent

inurl:ester1337

intitle:ester1337

inurl:user inurl:irongeek -site:irongeek.com

inurl:account irongeek

site:facebook.com inurl:group (ISSA | Information Systems Security Association)

site:linkedin.com inurl:company (NSA | National Security Agency)

Irongeek.com

Exploit DB Google Dorks: http://www.exploit-db.com/google-dorks/

Old School: http://www.hackersforcharity.org/ghdb/

Irongeek.com

Metagoofil: http://www.edge-security.com/metagoofil.php

The Harvester: theHarvester.py -d irongeek.com -l 100 -b google

Online Google Hacking Tool: http://www.secapps.com/a/ghdb

Spiderfoot: http://www.binarypool.com/spiderfoot/

Goolag: http://goolag.org/

Irongeek.com

Gooscan: should be on the BackTrack CD/VM

Wikto: http://www.sensepost.com/research/wikto/

SiteDigger: http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

BiLE: http://www.sensepost.com/research_misc.html

MSNPawn: http://www.net-square.com/msnpawn/index.shtml

Irongeek.com

JSON/Atom: http://code.google.com/apis/customsearch/v1/overview.html

Old: http://code.google.com/apis/websearch/

Really Old: SOAP

EvilAPI: http://evilapi.com/ (defunct)

Spud: http://www.sensepost.com/labs/tools/pentest/spud

I can haz API keyz? https://github.com/search

Irongeek.com

Data about data

Irongeek.com

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of his church and "last modified by Dennis" in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are you just happy to see me?

Darkanaku/Nephew chan

A user on 4chan posts a pic of his semi-nude aunt taken with an iPhone. Anonymous pulls the EXIF GPS info from the file and hilarity ensues. More details can be found on the following VNSFW site:

http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan

http://web.archive.org/web/20090608214029/http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan

Irongeek.com

JPG: EXIF (Exchangeable image file format) / IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses, user names, edit history, GPS info. It all depends on the file format.

Irongeek.com
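As an added example (not code from the slides or from any of the tools listed below), a small Python parser that walks a JPEG's marker segments, reads the GPS tags out of the APP1 Exif block, and writes back a copy with that segment removed, which is the check a defender wants before a photo is published. The sample JPEG and its coordinates are constructed inline; it is not a decodable image, only the metadata path is real.

```python
"""Find and strip EXIF GPS data in a JPEG. Added example, not code from the slides."""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _iter_segments(data):
    """Yield (marker, start, end) for each marker segment up to SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):         # SOS or EOI: no more metadata segments
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def find_exif(data):
    """Return the TIFF block carried in the APP1 Exif segment, or None."""
    for marker, start, end in _iter_segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER:
            return data[start + 10:end]
    return None


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw 4-byte value/offset)} for one IFD."""
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        p = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[p:p + 8])
        entries[tag] = (typ, n, tiff[p + 8:p + 12])
    return entries


def _rationals(tiff, e, n, raw):
    """Read n RATIONAL values (offsets are relative to the TIFF header)."""
    off = struct.unpack(e + "I", raw)[0]
    pairs = [struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(n)]
    return [num / den for num, den in pairs]


def exif_gps(data):
    """Return (lat, lon) in decimal degrees from the GPS IFD, or None if absent."""
    tiff = find_exif(data)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"   # byte order declared by the TIFF header
    ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0], e)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    dms = lambda v: v[0] + v[1] / 60 + v[2] / 3600   # degrees, minutes, seconds
    lat = dms(_rationals(tiff, e, gps[GPS_LAT][1], gps[GPS_LAT][2]))
    lon = dms(_rationals(tiff, e, gps[GPS_LON][1], gps[GPS_LON][2]))
    lat = -lat if gps[GPS_LAT_REF][2][:1] == b"S" else lat
    lon = -lon if gps[GPS_LON_REF][2][:1] == b"W" else lon
    return lat, lon


def strip_exif(data):
    """Return a copy of the JPEG with every APP1 Exif segment removed."""
    out, pos = bytearray(data[:2]), 2
    for marker, start, end in _iter_segments(data):
        if not (marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER):
            out += data[start:end]
        pos = end
    return bytes(out + data[pos:])         # SOS, scan data and EOI pass through untouched


def build_sample_jpeg(lat_dms=(38, 15, 30), lat_ref=b"N", lon_dms=(85, 45, 0), lon_ref=b"W"):
    """Constructed input: SOI + APP1 Exif (big-endian TIFF with only a GPS IFD) + dummy SOS/EOI."""
    e = ">"

    def entry(tag, typ, n, val):
        return struct.pack(e + "HHI", tag, typ, n) + val

    gps_off = 8 + 2 + 12 + 4                 # IFD0 holds one entry
    data_off = gps_off + 2 + 4 * 12 + 4      # GPS IFD holds four entries
    ifd0 = struct.pack(e + "H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(e + "I", gps_off))
    gps = struct.pack(e + "H", 4) + entry(GPS_LAT_REF, 2, 2, lat_ref + b"\x00\x00\x00")
    gps += entry(GPS_LAT, 5, 3, struct.pack(e + "I", data_off))
    gps += entry(GPS_LON_REF, 2, 2, lon_ref + b"\x00\x00\x00")
    gps += entry(GPS_LON, 5, 3, struct.pack(e + "I", data_off + 24))
    rationals = b"".join(struct.pack(e + "II", v, 1) for v in lat_dms + lon_dms)
    tiff = (b"MM" + struct.pack(e + "HI", 42, 8) + ifd0 + struct.pack(e + "I", 0)
            + gps + struct.pack(e + "I", 0) + rationals)
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x00\xff\xd9"
```

The parser handles both "II" and "MM" byte orders, so it also reads real camera output; the writer side only needs the segment walker, which is why stripping is safe even for files whose TIFF block it cannot interpret.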

Strings

FOCA (use compatibility mode if needed)

http://www.informatica64.com/DownloadFOCA/

Metagoofil: http://www.edge-security.com/metagoofil.php

EXIF Tool: http://www.sno.phy.queensu.ca/~phil/exiftool/

EXIF Viewer Plugin: https://addons.mozilla.org/en-US/firefox/addon/3905/

Jeffrey's Exif Viewer: http://regex.info/exif.cgi

Irongeek.com

EXIF Reader: http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/

Flickramio: http://userscripts.org/scripts/show/27101

Creepy: http://ilektrojohn.github.com/creepy/

Pauldotcom: http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search

Irongeek.com

Stuff that does not quite fit anywhere else

Irongeek.com

http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers

Also, let us not forget HTTP headers:

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE

LiveHeaders Plugin

http://www.shodanhq.com/

https://panopticlick.eff.org/

Irongeek.com
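As an added example, not from the slides: a short Python review of a raw HTTP response that reports which headers disclose server software (and whether they carry a version string) and which protective headers are missing. The response shown above is re-typed here as sample input; the second, chattier response is constructed to show the difference.

```python
"""Review HTTP response headers for software disclosure and missing protections.
Added example, not from the slides; both responses below are sample input."""
import re
from typing import Dict, List

# The response from the slide above, re-typed as sample input.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/javascript; charset=UTF-8\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Fri, 01 Jan 1990 00:00:00 GMT\r\n"
    "Date: Wed, 18 May 2011 15:34:03 GMT\r\n"
    "Content-Encoding: gzip\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Length: 1269\r\n"
    "Server: GSE\r\n"
    "\r\n"
)

# Constructed response with product versions in the banner headers (made-up values).
CHATTY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "X-Powered-By: PHP/5.1.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Headers that routinely name the software behind a site.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")
# Protective headers worth checking for on every response.
EXPECTED_HEADERS = ("x-frame-options", "x-content-type-options",
                    "strict-transport-security", "content-security-policy")
VERSION_RE = re.compile(r"\d+\.\d+")     # a dotted number is a version string


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values; the status line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def review_headers(raw: str) -> dict:
    """Report disclosure headers (with/without versions) and present/missing protections."""
    h = parse_response_headers(raw)
    disclosed = {n: h[n] for n in DISCLOSURE_HEADERS if n in h}
    return {
        "disclosed": disclosed,
        "versioned": [n for n, vals in disclosed.items()
                      if any(VERSION_RE.search(v) for v in vals)],
        "present": [n for n in EXPECTED_HEADERS if n in h],
        "missing": [n for n in EXPECTED_HEADERS if n not in h],
    }


if __name__ == "__main__":
    for name, raw in (("slide", SAMPLE_RESPONSE), ("chatty", CHATTY_RESPONSE)):
        print(name, review_headers(raw))
```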

User-agent: *

Disallow: /private

Disallow: /secret

http://www.irongeek.com/robots.txt

Irongeek.com

http://www.irongeek.com/i.php?page=security/igigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeek.com

http://samy.pl/androidmap/

Irongeek.com

Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking

PTES Technical Guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers: http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Irongeek.com

Social Zombies - Kevin Johnson and Tom Eston: http://www.youtube.com/watch?v=l79q2G3E8HY http://www.youtube.com/view_play_list?p=C591646E9B0CF33B http://vimeo.com/18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamiel: http://www.youtube.com/watch?v=asj8yzXihcc

Using Social Networks To Profile, Find and 0wn Your Victims - Dave Marcus: http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos/Using%20Social%20Networks%20To%20Profile%20Find%20and%200wn%20Your%20Victims

Irongeek.com

DerbyCon 2011, Louisville KY, Sept 30 - Oct 2: http://derbycon.com/

Louisville Infosec: http://www.louisvilleinfosec.com/

Other Cons: http://www.skydogcon.com/ http://www.dojocon.org/ http://www.hack3rcon.org/ http://phreaknic.info/ http://notacon.org/ http://www.outerz0ne.org/

Irongeek.com

42

Page 27: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeek.com

The organization's website (duh)

Corp Info: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Corporate

Wayback Machine: http://www.archive.org/

Monster (and other job sites): http://www.monster.com/

Zoominfo: http://www.zoominfo.com/

Google Groups (News groups, Google Groups and forums)

http://groups.google.com/

Boards: http://boardreader.com/ http://omgili.com/ http://groups.google.com/

LinkedIn: http://www.linkedin.com/

Irongeek.com

It's all about how this links to that links to some other thing…

Irongeek.com

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy, but you can practice with names from dating sites

Remember what you learned from 4chan

Irongeek.com

Large list at

http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking

Useful

http://com.lullar.com/

http://www.peekyou.com/

http://www.checkusernames.com/ http://knowem.com/

http://www.isearch.com/

http://www.whitepages.com/

Not quite related but cool

http://tineye.com/

http://pipes.yahoo.com/pipes/

Crap

Most of them

Irongeek.com




Page 30: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

Irongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings
FOCA (use compatibility mode if needed): http://www.informatica64.com/DownloadFOCA/
Metagoofil: http://www.edge-security.com/metagoofil.php
ExifTool: http://www.sno.phy.queensu.ca/~phil/exiftool/
EXIF Viewer Plugin: https://addons.mozilla.org/en-US/firefox/addon/3905/
Jeffrey's Exif Viewer: http://regex.info/exif.cgi

EXIF Reader: http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/
Flickramio: http://userscripts.org/scripts/show/27101
Creepy: http://ilektrojohn.github.com/creepy/
Pauldotcom: http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search

Stuff that does not quite fit anywhere else

http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers

Also, let us not forget HTTP headers:

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE

LiveHeaders Plugin
http://www.shodanhq.com
https://panopticlick.eff.org

User-agent: *
Disallow: /private
Disallow: /secret
http://www.irongeek.com/robots.txt

http://www.irongeek.com/i.php?page=security/igigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

http://samy.pl/androidmap/

Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
PTES Technical Guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers: http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Social Zombies - Kevin Johnson and Tom Eston: http://www.youtube.com/watch?v=l79q2G3E8HY, http://www.youtube.com/view_play_list?p=C591646E9B0CF33B, http://vimeo.com/18827316
Satan is on my Friends List - Shawn Moyer and Nathan Hamiel: http://www.youtube.com/watch?v=asj8yzXihcc
Using Social Networks To Profile, Find and 0wn Your Victims - Dave Marcus: http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos/Using%20Social%20Networks%20To%20Profile%20Find%20and%200wn%20Your%20Victims

DerbyCon 2011, Louisville, Ky, Sept 30 - Oct 2: http://derbycon.com
Louisville Infosec: http://www.louisvilleinfosec.com
Other Cons: http://www.skydogcon.com, http://www.dojocon.org, http://www.hack3rcon.org, http://phreaknic.info, http://notacon.org, http://www.outerz0ne.org


Page 31: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

General
http://youropenbook.org

Geolocation
http://www.bing.com/maps
http://twittermap.appspot.com
http://www.fourwhere.com
http://icanstalku.com
http://ip2geolocation.com

Neighbors
http://www.whitepages.com/find_neighbors

Maltego: http://www.paterva.com/web5/
See differences: http://www.paterva.com/web5/client/difference.php
Covers a large cross section of what this class is about

George Bronk
Found info on women's Facebook profiles
Used that information to answer security questions at mail providers
Found nudes
Posted some, sent them to contact lists, asked for more

Should you have a profile?
What if you don't?
Impersonators
Robin Sage (by Thomas Ryan)
Get into people's friends lists to probe their connections

More than just turning off safe search (though that's fun too)

PII (Personally identifiable information)
Email addresses
User names
Vulnerable web services
Web based admin interfaces for hardware
Much more...
YOU HAVE TO USE YOUR IMAGINATION

Operator                 Description
site:                    Restrict results to only one domain or server
inurl: / allinurl:       All terms must appear in the URL
intitle: / allintitle:   All terms must appear in the title
cache:                   Display Google's cache of a page
ext: / filetype:         Return files with a given extension/file type
info:                    Convenient way to get to other information about a page
link:                    Find pages that link to the given page
inanchor:                Page is linked to by someone using the term
http://www.googleguide.com/advanced_operators.html

Operator                 Description
-                        Inverse search operator (hide results)
~                        Synonyms
[#]..[#]                 Number range
*                        Wildcard to put something between something when searching with "quotes"
+                        Used to force stop words
OR                       Boolean operator, must be uppercase
|                        Same as OR

inurl:nph-proxy site:edu
intitle:index.of etc
intitle:index.of site:irongeek.com
filetype:pptx site:irongeek.com
vnc desktop inurl:5800
adrian crenshaw -site:irongeek.com

SSN filetype:xls | filetype:xlsx
"dig axfr"
inurl:admin
inurl:indexFrame.shtml Axis
inurl:hp/device/this.LCDispatcher
"192.168" (but replace with your IP range)

195608_100002238375103_5292346_n.jpg
inurl:100002238375103

inurl:esterpent
inurl:ester1337
intitle:ester1337
inurl:user inurl:irongeek -site:irongeek.com
inurl:account "irongeek"
site:facebook.com inurl:group (ISSA | Information Systems Security Association)
site:linkedin.com inurl:company (NSA | National Security Agency)

Exploit DB Google Dorks: http://www.exploit-db.com/google-dorks/

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 32: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Maltegohttpwwwpatervacomweb5

See differenceshttpwwwpatervacomweb5clientdifferencephp

Covers a large cross section of what this class is about

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 33: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 34: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 35: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

More than just turning off safe search (though thatrsquos fun too)

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers

Also, let us not forget HTTP headers:

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE

LiveHeaders Plugin

http://www.shodanhq.com

https://panopticlick.eff.org

Irongeekcom
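The header dump above already shows the two sides of this: one line discloses the server software (Server: GSE) and three others are protections the site has switched on. As an added example, not from the talk, here is a small Python auditor for the same raw header block: it parses the status line and headers, lists the disclosing headers, and reports which protective headers are present with a sane value and which are missing. The first sample is the response from the slide; the second is a constructed weak response whose version strings are made up.

```python
# Sample 1: the response shown on the slide (a Google "GSE" backend).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE
"""

# Sample 2: constructed weak response; the version strings are invented.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Type: text/html
"""

# Protective headers and a loose sanity check on each value. The first three are
# the ones on the slide; HSTS and CSP are the two a modern audit would add.
PROTECTIVE = {
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
}
# Headers that mainly tell an outsider what software is behind the site.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def parse_headers(raw):
    """Split a raw response head into (status line, {lowercase name: value})."""
    lines = raw.strip().splitlines()
    status, headers = lines[0].strip(), {}
    for line in lines[1:]:
        if ":" not in line:
            continue                       # skip blank or malformed lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(raw):
    """Report what the response discloses and which protections it carries."""
    status, headers = parse_headers(raw)
    present = [h for h, ok in PROTECTIVE.items() if h in headers and ok(headers[h])]
    missing = [h for h in PROTECTIVE if h not in present]
    disclosed = {h: headers[h] for h in DISCLOSING if h in headers}
    return {
        "status": status,
        "disclosed": disclosed,
        "protective_present": present,
        "protective_missing": missing,
        # no-store matters when the body is sensitive: shared caches must not keep it
        "no_store": "no-store" in headers.get("cache-control", "").lower(),
    }


if __name__ == "__main__":
    for name, raw in (("slide", SAMPLE_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(name, audit_headers(raw))
```

Paste in the head of a response captured with the LiveHeaders plugin or curl -I and the output tells you which of your own servers hand out version strings and which protective headers are absent; the Server/X-Powered-By lines are exactly what Shodan indexes.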

User-agent: *
Disallow: /private
Disallow: /secret

http://www.irongeek.com/robots.txt

Irongeekcom

http://www.irongeek.com/i.php?page=security/igigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

http://samy.pl/androidmap/

Irongeekcom

Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking

PTES Technical Guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers: http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Irongeekcom

Social Zombies - Kevin Johnson and Tom Eston: http://www.youtube.com/watch?v=l79q2G3E8HY, http://www.youtube.com/view_play_list?p=C591646E9B0CF33B, http://vimeo.com/18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamiel: http://www.youtube.com/watch?v=asj8yzXihcc

Using Social Networks To Profile, Find and 0wn Your Victims - Dave Marcus: http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos/Using%20Social%20Networks%20To%20Profile%20Find%20and%200wn%20Your%20Victims

Irongeekcom

DerbyCon 2011, Louisville, KY, Sept 30 - Oct 2: http://derbycon.com

Louisville Infosec: http://www.louisvilleinfosec.com

Other Cons: http://www.skydogcon.com, http://www.dojocon.org, http://www.hack3rcon.org, http://phreaknic.info, http://notacon.org, http://www.outerz0ne.org

Irongeekcom

42

Page 36: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much more...

YOU HAVE TO USE YOUR IMAGINATION

Irongeekcom

Operators / Description

site:  Restrict results to only one domain or server

inurl: / allinurl:  All terms must appear in the URL

intitle: / allintitle:  All terms must appear in the title

cache:  Display Google's cache of a page

ext: / filetype:  Return files with a given extension/file type

info:  Convenient way to get to other information about a page

link:  Find pages that link to the given page

inanchor:  Page is linked to by someone using the term

http://www.googleguide.com/advanced_operators.html

Irongeekcom

Operators / Description

-  Inverse search operator (hide results)

~  Synonyms

[]..[]  Number range

*  Wildcard to put something between something when searching with "quotes"

+  Used to force stop words

OR  Boolean operator, must be uppercase

|  Same as OR

Irongeekcom

inurl:nph-proxy site:edu

intitle:index.of.etc

intitle:index.of site:irongeek.com

filetype:pptx site:irongeek.com

vnc desktop inurl:5800

adrian crenshaw -site:irongeek.com

Irongeekcom

SSN filetype:xls | filetype:xlsx

"dig axfr"

inurl:admin

inurl:indexFrame.shtml Axis

inurl:hp/device/this.LCDispatcher

"192.168" (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_n.jpg

inurl:100002238375103

Irongeekcom

inurl:esterpent

inurl:ester1337

intitle:ester1337

inurl:user inurl:irongeek -site:irongeek.com

inurl:account irongeek

site:facebook.com inurl:group (ISSA | Information Systems Security Association)

site:linkedin.com inurl:company (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorks: http://www.exploit-db.com/google-dorks/

Old School: http://www.hackersforcharity.org/ghdb/

Irongeekcom

Metagoofil: http://www.edge-security.com/metagoofil.php

The Harvester: theHarvester.py -d irongeek.com -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 37: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 38: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 39: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 40: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 41: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

Irongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz


Page 42: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeek.com

inurl:esterpent
inurl:ester1337
intitle:ester1337
inurl:user inurl:irongeek -site:irongeek.com
inurl:account "irongeek"
site:facebook.com inurl:group (ISSA | Information Systems Security Association)
site:linkedin.com inurl:company (NSA | National Security Agency)


Exploit DB Google Dorks: http://www.exploit-db.com/google-dorks
Old School: http://www.hackersforcharity.org/ghdb


Metagoofil: http://www.edge-security.com/metagoofil.php
The Harvester: theHarvester.py -d irongeek.com -l 100 -b google
Online Google Hacking Tool: http://www.secapps.com/a/ghdb
Spiderfoot: http://www.binarypool.com/spiderfoot
Goolag: http://goolag.org


Gooscan: should be on the BackTrack CD/VM
Wikto: http://www.sensepost.com/research/wikto
SiteDigger: http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
BiLE: http://www.sensepost.com/research_misc.html
MSNPawn: http://www.net-square.com/msnpawn/index.shtml


JSON/Atom: http://code.google.com/apis/customsearch/v1/overview.html
Old: http://code.google.com/apis/websearch
Really old: SOAP
EvilAPI: http://evilapi.com (defunct)
Spud: http://www.sensepost.com/labs/tools/pentest/spud
I can haz API keyz: https://github.com/search


Data about data


Dennis Rader (BTK Killer)
Metadata in a Word DOC he sent to police had the name of his church and "last modified by Dennis" in it.

Cat Schwartz
Is that an unintended thumbnail in your EXIF data, or are you just happy to see me?

Darkanaku/Nephew chan
A user on 4chan posts a pic of his semi-nude aunt taken with an iPhone. Anonymous pulls the EXIF GPS info from the file and hilarity ensues. More details can be found on the following (very NSFW) site:
http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan
http://web.archive.org/web/20090608214029/http://encyclopediadramatica.com/User:Darkanaku/Nephew_chan
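The Dennis Rader case above is a core-properties leak. As an added example (written for this page, not code from the presentation), the script below builds a constructed .docx in memory, reads the identifying fields from docProps/core.xml, and scrubs them before the file is sent out. The church name and "Dennis" are placeholder values modelled on the case, not the real document.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in every OOXML package (.docx, .xlsx, .pptx)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)   # keep the original prefixes when re-serialising

# Fields that name people or organisations. The timestamps are reported but left alone
# by the scrubber, because Word expects a valid W3CDTF value in them.
IDENTIFYING = ("dc:creator", "cp:lastModifiedBy", "dc:title", "dc:subject", "dc:description")
TIMESTAMPS = ("dcterms:created", "dcterms:modified")

# Constructed core.xml modelled on the BTK case: placeholder church as creator,
# "Dennis" as last editor. Not the real document.
SAMPLE_CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dc:title>Letter</dc:title>'
    '<dc:creator>Example Lutheran Church</dc:creator>'
    '<cp:lastModifiedBy>Dennis</cp:lastModifiedBy>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">2004-12-01T10:15:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2005-01-10T18:42:00Z</dcterms:modified>'
    '</cp:coreProperties>'
) % (NS["cp"], NS["dc"], NS["dcterms"])

def build_sample_docx(core_xml=SAMPLE_CORE_XML) -> bytes:
    """Constructed input: the smallest zip that carries a core.xml and a body part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                   'wordprocessingml/2006/main"><w:body/></w:document>')
    return buf.getvalue()

def part_names(docx: bytes):
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return sorted(z.namelist())

def core_properties(docx: bytes) -> dict:
    """Return {field: text} for every identifying or timestamp field present in core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    found = {}
    for name in IDENTIFYING + TIMESTAMPS:
        el = root.find(name, NS)
        if el is not None and el.text:
            found[name] = el.text
    return found

def scrub_core_properties(docx: bytes) -> bytes:
    """Mitigation: rewrite the package with the identifying fields removed.

    Every other part is copied byte for byte, so the document body is unchanged."""
    src = zipfile.ZipFile(io.BytesIO(docx))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for name in IDENTIFYING:
                    for el in root.findall(name, NS):
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            z.writestr(info.filename, data)
    src.close()
    return out.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", core_properties(sample))
    print("after: ", core_properties(scrub_core_properties(sample)))
```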


JPG: EXIF (Exchangeable image file format) / IPTC (International Press Telecommunications Council)
PDF
DOC
DOCX
EXE
XLS
XLSX
PNG
Too many to name them all

MAC addresses, user names, edits, GPS info. It all depends on the file format.
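As an added example (written for this page, not code from the presentation), the script below shows what the Darkanaku case turns on: it walks a JPEG's APP1 segment, follows the TIFF IFD0 pointer to the GPS IFD, and converts the degree/minute/second rationals to decimal coordinates; strip_app1 is the publish-side fix. The JPEG is constructed in memory with placeholder coordinates and a stub scan segment, so no real pixels or locations are involved.

```python
import struct

# Tag numbers and TIFF value types from the Exif 2.x specification
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL

def _ifd_entries(tiff, ifd_off, bo):
    """Yield (tag, type, count, offset of the 4-byte value field) for one IFD."""
    n = struct.unpack_from(bo + "H", tiff, ifd_off)[0]
    for i in range(n):
        e = ifd_off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(bo + "HHI", tiff, e)
        yield tag, typ, count, e + 8

def _read_value(tiff, typ, count, field_off, bo):
    """Decode an entry: values of 4 bytes or less sit inline, larger ones behind an offset."""
    size = TYPE_SIZES[typ] * count
    off = field_off if size <= 4 else struct.unpack_from(bo + "I", tiff, field_off)[0]
    if typ == 2:                                     # ASCII, NUL terminated
        return tiff[off:off + count].split(b"\0", 1)[0].decode("ascii", "replace")
    if typ == 5:                                     # RATIONAL: uint32 numerator / denominator
        v = struct.unpack_from(bo + "II" * count, tiff, off)
        return [v[i] / v[i + 1] if v[i + 1] else 0.0 for i in range(0, 2 * count, 2)]
    return list(struct.unpack_from(bo + {1: "B", 3: "H", 4: "I"}[typ] * count, tiff, off))

def _gps_from_tiff(tiff):
    bo = ">" if tiff[:2] == b"MM" else "<"           # byte order mark: MM big-endian, II little
    ifd0 = struct.unpack_from(bo + "I", tiff, 4)[0]
    gps_ifd = next((_read_value(tiff, t, c, o, bo)[0]
                    for tag, t, c, o in _ifd_entries(tiff, ifd0, bo) if tag == TAG_GPS_IFD), None)
    if gps_ifd is None:
        return None
    g = {tag: _read_value(tiff, t, c, o, bo) for tag, t, c, o in _ifd_entries(tiff, gps_ifd, bo)}
    if not all(k in g for k in (GPS_LAT, GPS_LAT_REF, GPS_LON, GPS_LON_REF)):
        return None
    def to_degrees(dms, ref, negative_ref):          # degrees, minutes, seconds -> signed decimal
        d = dms[0] + dms[1] / 60 + dms[2] / 3600
        return -d if ref == negative_ref else d
    return to_degrees(g[GPS_LAT], g[GPS_LAT_REF], "S"), to_degrees(g[GPS_LON], g[GPS_LON_REF], "W")

def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif APP1 segment, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]   # length includes its own 2 bytes
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _gps_from_tiff(jpeg[pos + 10:pos + 2 + seglen])
        pos += 2 + seglen
    return None

def strip_app1(jpeg):
    """Mitigation: drop every APP1 (Exif/XMP) segment; everything from SOS on is copied unchanged."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if jpeg[pos + 1] != 0xE1:
            out += jpeg[pos:pos + 2 + seglen]
        pos += 2 + seglen
    return bytes(out + jpeg[pos:])

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: SOI, one Exif APP1 with a GPS IFD, a stub SOS and EOI (no real pixels).

    lat_dms/lon_dms are three (numerator, denominator) pairs: degrees, minutes, seconds."""
    gps_off = 8 + 2 + 12 + 4                         # IFD0 holds a single entry, the GPS pointer
    data_off = gps_off + 2 + 4 * 12 + 4              # RATIONAL arrays follow the 4-entry GPS IFD
    ifd0 = struct.pack(">HHHII", 1, TAG_GPS_IFD, 4, 1, gps_off) + struct.pack(">I", 0)
    def ascii_entry(tag, s):                         # 2-char ASCII value fits inline, NUL padded
        return struct.pack(">HHI", tag, 2, 2) + (s.encode() + b"\0").ljust(4, b"\0")
    gps = (struct.pack(">H", 4)
           + ascii_entry(GPS_LAT_REF, lat_ref) + struct.pack(">HHII", GPS_LAT, 5, 3, data_off)
           + ascii_entry(GPS_LON_REF, lon_ref) + struct.pack(">HHII", GPS_LON, 5, 3, data_off + 24)
           + struct.pack(">I", 0))
    rationals = b"".join(struct.pack(">II", n, d) for n, d in lat_dms + lon_dms)
    app1 = b"Exif\0\0" + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + rationals
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x00\x00\xff\xd9"
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + sos

# Constructed coordinates: 38 deg 15' 23.4" N, 85 deg 45' 12" W (placeholder, not a real photo)
SAMPLE_JPEG = build_sample_jpeg([(38, 1), (15, 1), (234, 10)], "N", [(85, 1), (45, 1), (12, 1)], "W")

if __name__ == "__main__":
    print("GPS in sample:", exif_gps(SAMPLE_JPEG))
    print("GPS after strip:", exif_gps(strip_app1(SAMPLE_JPEG)))
```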


Strings
FOCA (use compatibility mode if needed): http://www.informatica64.com/DownloadFOCA
Metagoofil: http://www.edge-security.com/metagoofil.php
EXIF Tool: http://www.sno.phy.queensu.ca/~phil/exiftool/
EXIF Viewer Plugin: https://addons.mozilla.org/en-US/firefox/addon/3905/
Jeffrey's Exif Viewer: http://regex.info/exif.cgi


EXIF Reader: http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/
Flickramio: http://userscripts.org/scripts/show/27101
Creepy: http://ilektrojohn.github.com/creepy/
Pauldotcom: http://www.google.com/search?hl=en&q=metadata+site%3Apauldotcom.com&btnG=Search


Stuff that does not quite fit anywhere else


http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers

Also, let us not forget HTTP headers:

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE

LiveHeaders Plugin
http://www.shodanhq.com
https://panopticlick.eff.org


User-agent: *
Disallow: /private
Disallow: /secret

http://www.irongeek.com/robots.txt
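Both the response head above (Server: GSE) and the robots.txt Disallow lines are things a site hands to any visitor. The script below is an added example, not code from the presentation: it reviews a response head for software disclosure and missing hardening headers, and parses robots.txt records to list the paths the owner has flagged as sensitive, each of which needs real access control because robots.txt is advisory only. The samples are typed in from the slides, not fetched.

```python
# Constructed samples, typed in from the slides rather than fetched
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE
"""

SAMPLE_ROBOTS = """User-agent: *
Disallow: /private
Disallow: /secret
"""

# Headers whose value identifies the software behind the site (Server: GSE above is one)
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "via")
# Hardening headers a reviewer looks for on an HTML or script response. HSTS only applies
# to HTTPS responses; X-XSS-Protection is deprecated in current browsers, CSP replaces it.
EXPECTED_HEADERS = ("x-frame-options", "x-content-type-options", "x-xss-protection",
                    "strict-transport-security", "content-security-policy")

def parse_response_headers(raw):
    """Split a raw response head into (status line, {lower-cased name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                                  # skip anything that is not "Name: value"
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def review_headers(raw):
    """Report what the head discloses about the server and which hardening headers are missing."""
    status, h = parse_response_headers(raw)
    return {
        "status": status,
        "disclosed": {k: h[k] for k in FINGERPRINT_HEADERS if k in h},
        "present": [k for k in EXPECTED_HEADERS if k in h],
        "missing": [k for k in EXPECTED_HEADERS if k not in h],
    }

def parse_robots(raw):
    """Return {user-agent: [disallowed paths]}, honouring robots.txt record grouping.

    Consecutive User-agent lines share the Disallow lines that follow them; a User-agent
    line after a Disallow line starts a new record."""
    rules, agents, in_rules = {}, [], False
    for line in raw.splitlines():
        line = line.split("#", 1)[0].strip()     # comments run to end of line
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:
                agents, in_rules = [], False
            agents.append(value)
            rules.setdefault(value, [])
        elif field == "disallow" and value:      # an empty Disallow allows everything
            in_rules = True
            for agent in agents:
                rules[agent].append(value)
    return rules

def robots_exposure(raw):
    """The Disallow paths are the site owner's own list of what should not be public."""
    return sorted({path for paths in parse_robots(raw).values() for path in paths})

if __name__ == "__main__":
    print(review_headers(SAMPLE_RESPONSE))
    print(robots_exposure(SAMPLE_ROBOTS))
```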


http://www.irongeek.com/i.php?page=security/igigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping


http://samy.pl/androidmap/


Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
PTES Technical Guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers: http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html


Social Zombies - Kevin Johnson and Tom Eston: http://www.youtube.com/watch?v=l79q2G3E8HY, http://www.youtube.com/view_play_list?p=C591646E9B0CF33B, http://vimeo.com/18827316
Satan is on my Friends List - Shawn Moyer and Nathan Hamiel: http://www.youtube.com/watch?v=asj8yzXihcc
Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcus: http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos/Using%20Social%20Networks%20To%20Profile%20Find%20and%200wn%20Your%20Victims


DerbyCon 2011, Louisville, Ky, Sept 30 - Oct 2: http://derbycon.com
Louisville Infosec: http://www.louisvilleinfosec.com
Other Cons: http://www.skydogcon.com, http://www.dojocon.org, http://www.hack3rcon.org, http://phreaknic.info, http://notacon.org, http://www.outerz0ne.org


Page 43: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Exploit DB Google Dorkshttpwwwexploit-dbcomgoogle-dorks

Old Schoolhttpwwwhackersforcharityorgghdb

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 44: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Metagoofilhttpwwwedge-securitycommetagoofilphp

The HarvestertheHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Toolhttpwwwsecappscomaghdb

Spiderfoothttpwwwbinarypoolcomspiderfoot

Goolaghttpgoolagorg

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 45: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

GooscanShould be on BackTrack CDVM

Wiktohttpwwwsensepostcomresearchwikto

SiteDiggerhttpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLEhttpwwwsensepostcomresearch_mischtml

MSNPawnhttpwwwnet-squarecommsnpawnindexshtml

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 46: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

JSONAtomhttpcodegooglecomapiscustomsearchv1overviewhtml

Oldhttpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPIhttpevilapicom (defunct)

Spudhttpwwwsensepostcomlabstoolspentestspud

I can Haz API keyzhttpsgithubcomsearch

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 47: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Data about data

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 48: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 49: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

Irongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

Irongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

Irongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

Irongeekcom

httpsamyplandroidmap

Irongeekcom

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalkinghttpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelineshttpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration TestershttpwwwvulnerabilityassessmentcoukPenetration20Testhtml

Irongeekcom

Social Zombies - Kevin Johnson and Tom Estonhttpwwwyoutubecomwatchv=l79q2G3E8HYhttpwwwyoutubecomview_play_listp=C591646E9B0CF33Bhttpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamielhttpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcushttpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

Irongeekcom

DerbyCon 2011 Louisville KySept 30 - Oct 2httpderbyconcom

Louisville Infosechttpwwwlouisvilleinfoseccom

Other Conshttpwwwskydogconcomhttpwwwdojoconorghttpwwwhack3rconorghttpphreaknicinfohttpnotaconorghttpwwwouterz0neorg

Irongeekcom

42

Page 50: OSInt, Cyberstalking, Footprinting and Recon: Getting to know you

Irongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofilhttpwwwedge-securitycommetagoofilphp

EXIF Toolhttpwwwsnophyqueensuca~philexiftool

EXIF Viewer Pluginhttpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

Irongeekcom

EXIF Readerhttpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramiohttpuserscriptsorgscriptsshow27101

Creepyhttpilektrojohngithubcomcreepy

Pauldotcomhttpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

Irongeekcom

Stuff that does not quite fit anywhere else

http://www.irongeek.com/i.php?page=security/how-to-cyberstalk-potential-employers

Also, let us not forget HTTP headers:

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 18 May 2011 15:34:03 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 1269
Server: GSE

LiveHeaders Plugin
http://www.shodanhq.com
https://panopticlick.eff.org

http://www.irongeek.com/robots.txt

User-agent: *
Disallow: /private
Disallow: /secret

http://www.irongeek.com/i.php?page=security/igigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

http://samy.pl/androidmap/

Links for Doxing, Personal OSInt, Profiling, Footprinting, Cyberstalking
http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking

PTES Technical Guidelines
http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

VulnerabilityAssessment.co.uk - An information portal for Vulnerability Analysts and Penetration Testers
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Social Zombies - Kevin Johnson and Tom Eston
http://www.youtube.com/watch?v=l79q2G3E8HY
http://www.youtube.com/view_play_list?p=C591646E9B0CF33B
http://vimeo.com/18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamiel
http://www.youtube.com/watch?v=asj8yzXihcc

Using Social Networks To Profile, Find and 0wn Your Victims - Dave Marcus
http://www.irongeek.com/i.php?page=videos/dojocon-2010-videos/Using%20Social%20Networks%20To%20Profile%20Find%20and%200wn%20Your%20Victims

DerbyCon 2011, Louisville, KY, Sept 30 - Oct 2
http://derbycon.com

Louisville Infosec
http://www.louisvilleinfosec.com

Other Cons
http://www.skydogcon.com
http://www.dojocon.org
http://www.hack3rcon.org
http://phreaknic.info
http://notacon.org
http://www.outerz0ne.org
