Sunday, 21 August 2011

Unleashing the power of metadata with FOCA Free


The terrific guys at informática64 put together the FOCA tool (for mostly automated metadata extraction in the free version) quite a while ago and they just keep improving it continously. The Pro version is just 100€ + VAT and you get a lesson from Chema Alonso along the way so worth considering too :).

I recently heard on the Spanish version of the PaulDotCom podcast that the tool name "FOCA" ("Seal" in Spanish) comes from the guy who first implemented the tool at informática64. His name is "Fernando Oca" and his username was logically "Foca". This led to a lot of healthy jokes at informática64 and the tool name was inevitable :).

The version used in this tutorial will be FOCA Free (the free version has significantly less options but it is still very useful). They are going to release version 3 soon (Spanish) so I might publish another tutorial in a few months, when the tool will be significantly improved as they say.


This is a windows tool so you just download it from here, install it (typical "next next finish" install) and run it. No secrets here :)

Basic usage

The first step when using FOCA is to choose your search type, you can choose "" or " filetype:doc", etc.

In this demonstration we will use and search for .doc documents only. Because Google is mostly a Linux/MAC shop (asfaik) this yields little results which is good for demonstration purposes:

When you have a bunch of sites as I did in a recent test I like to use: OR ..... and if they are not very big do not specify a filetype: This will return everything, including web pages, which you can analyse later for HTML comments, etc too.

The next step is to download all documents, to do that just Right click / Download All:

This will download all indexed files locally, after the download completes we can retrieve the metadata from the downloaded files (Metadata / Extract all documents metadata):

Once the metadata is extracted we can review it:

The metadata identifies 3 potential users as well as 1 software package in use and an operating system.
Apparently all 3 users are using Mac OS at Google! :)

We can now correlate the metadata to get a per user, printer, etc view. We can do this as follows:

 In the analysis we can see that all the metadata comes from the same user, who is using Mac OS and Microsoft Office 2008 for Mac OS. This information would be useful in a targetted client side attack because specific exploits could be searched for the versions in use by the client:

Now let's look at information from the field. What can you really find in a normal pen test?
A bunch of users, printers, folders, software and operating systems :)

When you look on the by user metadata analysis you can see what software version is potentially running each user and you get a nice icon to quickly identify each computer by username:

The servers and printers usually contain very interesting correlated information like for example which users had access to each printer or server.

It is a bit of a pain to extract the information out of FOCA Free (I suppose this is easier to do in the paid version :)) but you can at least browse the downloaded files and perhaps even run them through another metadata tool like the exiftool. You can extract the information of each record (one by one manually) by right clicking on it:

On a default Windows 7 Installation FOCA downloads the files on:
C:\Users\<windows 7 user>\AppData\Local\Temp

You can tell apart the FOCA files from the rest quite accurately based on the download timestamp.

A minor issue, particularly when many domains are used at once is that files like index.php will be created as "index(1).php", "index(2).php", etc. Then it takes a bit of work to figure out which index.php belongs to each domain.

Better results can be achieved with a tool like wget or Httrack for website crawling and HTML comments and JavaScript code analysis.

The true power from FOCA comes from the automated "even my grandma can do it" metadata analysis, including correlation by user, server and printer.

Monday, 8 August 2011

Red Meat Series: Installing BeEF on Windows Systems

I also posted this guide as a wiki entry on the BeEF project page here.

Installing BeEF on a Windows System might be a bit confusing for some users: There is not a typical windows installer where you click "Next Next Finish" and then everything works. You need to perform a series of manual steps to get BeEF to work and there can be some strange problems along the way.

This article tries to explain one way of doing this which worked for me.

The first step is to install ruby. You can download ruby for windows from this URL:

You can check the hashes in Windows using a tool like for example Hash Tab (which adds a tab to the file properties showing you the hashes).

In addition to verifying the hashes, before you run any executable you download from the internet it is a good approach to run it through Virus Total first. This will scan the executable with more than 40 antivirus engines. This is however not a guarantee that the program is not malicious and can in fact be bypassed (using msfencode, for example). When no antivirus engine finds a problem with the downloaded file that provides you with a higher degree of confidence that the file is hopefully safe.

Once we are happy with the file hashes and the virus analysis we can move on and install this program. These steps are skipped later on other executables for brevity. I installed Ruby ticking all the boxes:

 After installing Ruby, you need to download the SQLite dll from this URL.

Now extract the SQLite zip file on the Ruby192\bin folder:

 Unless you have it handy we will also need to download and install a good SVN client for windows like for example Tortoise SVN:

 I marked everything as "install all the features in the local drive" during setup (although this is obviously not necessary, depends on what else you plan to do with SVN):

 You will have to reboot your system after installing Tortoise SVN. Once you reboot you can get the latest BeEF version by performing an SVN export (right click on a blank space in the BeEF folder / Tortoise SVN / Export):

That will present you the following screen, where you can put in the BeEF trunk URL:

 When you click OK you should see something like this (files are copied from the SVN URL to your hard drive):

 Now, using the windows command line (I like start / run / type: cmd + Enter) you just need to do ruby install on the BeEF installation folder, in this example E:\BeEF. You can choose the option to install ruby gems automatically or manually:

 If the gems installation goes ok, you should see something like this:

But you might get a missing win32 console gem error too:
no such file to load -- Win32/Console/ANSI (LoadError)

 This error is easy to solve, just do gem install win32console:

You could also get this error (or similar "requires installed build tools" message):
The 'json' native gem requires installed build tools

In this case we need to install the Development kit. You can donwload it from this URL. There are great instructions on how to install this kit here (What comes next is the result of directly following the instructions in the development kit wiki). First we need to download it:

The file is a self-extracting compressed file so you just need to extract it in a handy place like C:\DevKit, for example:

Now we need to run "ruby dk.rb init" to generate the "config.yml" file to be used later:

We can open the file to make sure that it found where Ruby was installed:

Now a few other steps:

  1. ruby dk.rb review (checks things are ok)
  2. ruby dk.rb install (creates DevKit hooks)
  3. gem install rdiscount --platform=ruby (you should see the message "Temporarily enhancing PATH to include DevKit...")
  4. ruby -rubygems -e "require 'rdiscount'; puts'**Hello RubyInstaller**').to_html (just to check the gem was installed and works correctly)
In one picture:

 Now that DevKit is installed we should have no problem to install that missing json gem:

Now we can check the installation, just do "ruby beef" to start beef. Of course you will need your Windows Firewall to allow that application :).

 Now, do not be lame and wonder what the password is by going to the GUI here:

The password is in the configuration file at <beef folder>\extensions\admin_ui\config.yaml. You can see that the default username and password is beef / beef. That does not mean that those are the credentials you should use to login. What that really means is that everybody knows those credentials and if you don't change them your BeEF server could be compromised:

Therefore what you should do is to change those credentials and pick a different username and a very long and complex password:

After saving the file above. You will get the following error message when you try to login: "invalid username or password". This is due to the fact that when BeEF was loaded the previous configuration file was read so the old credentials are still in use:

What we need to do here is to stop the BeEF server (via Control + C) and then start it again. That will make BeEF read the new configuration file so the new credentials will now be accepted:

 The credentials work this time and we are presented with the BeEF server home page:

How do we know if BeEF is working? We need some client browser to connect. Just copy the hook URL ( will work from the same computer)

Now you need a web server: a place where you can create a web page that contains a call to the JavaScript hook. You could also exploit an XSS vulnerability on an internet server to get around this but that will be covered later in the Red Meat Series :). In this example, we will use a typical Apache installation where a simple index.html file is created:

The most important bit from the screenshot above is the script part: It is only that part of the page that contains the hook to BeEF. That is the kind of JavaScript you would like to use to exploit an XSS vulnerability with BeEF.

When a user browses to this site, they are presented with a normal web page. In the background the script connects back to the BeEF server:

The BeEF server receives the new connection and from there different client side commands and attacks are possible via the BeEF framework:

At this point the installation has been verified to be successful. Enjoy and do not be evil :).

Tuesday, 2 August 2011

Blog Spam Analysis Series: CISSP Spam surprise

Update 08/08/2011: Added link to further evidence of Shon Harris spamming via blog comments from ittraining blog at the bottom of the post.

I have maintained this blog for some time. I appreciate comments but sometimes there is spam that unfortunately gets in:

In particular, I was interested in the CISSP spam: The CISSP post is one of the most popular in this blog and perhaps that is why Spam tends to get there.

In the screenshot above you may notice that the CISSP spam so far comes from three spammers: Gowshika, Mithun and Nitheesh. Let's take a look at them:

Gowshika's information:
- Spam messages to my blog to date: 1 (100% CISSP Spam)
- No blog, only a blogger profile: Probably too busy spamming people to keep up a blog too ;)
- Profile created in May and alive until at least August 2011 when the spam arrives
- Potentially an Indian female according to minor research below if the name is really her real name.
- Spam link goes to:

Although I did not know this initially, a simple Google search reveals that Gowshika is an Indian name:

Would you put your name in your profile if you were a spammer? I suppose I would not :). That being said we have to admit that Gowshika was smart enough to avoid writing down her surname, email address and phone number :). Gowshika could also be the name of the spammer's girlfriend or whatever but this somehow points to India anyway.

I was going to go with the rough rule of "if it finishes in 'a' it is possibly a girl" but I actually double checked that Gowshika is truly a female name with a couple more Google searches like "Gowshika male" and "Gowshika female".

Next spammer:
Mithun's information:
- Spam messages to my blog to date: 2 (100% CISSP spam)
- No blog, only a blogger profile: Probably too busy spamming people to keep up a blog too ;)
- Profile created in May and alive until at least August 2011 when the spam arrives, previous spam link sent on 29/6/2011.
- Potentially an Indian male according to minor research below if the name is really his real name.
- Spam links go to:

There is a famous Indian actor as the first Google result (so possibly: Indian and male):

Next spammer:

Nitheesh's information:
- Spam messages to my blog to date: 2 (100% CISSP spam, 1 message went to this post but the spam link still pointed to a CISSP site)
- No blog, only a blogger profile: Probably too busy spamming people to keep up a blog too ;)
- Profile created in May and alive until at least August when I could still open the profile (02/08/2011). both spam links sent on 21/6/2011.
- Potentially an Indian male according to minor research below if the name is really his real name.
- Both spam links go to:

A simple Google search reveals this is an Indian male name:

At this point the state of the investigation is as follows:
- 3 spammers for all CISSP spam links to date
- Potentially 2 Indian males and 1 Indian female
- 100% of CISSP spammers were potentially Indian
- 100% of the CISSP links go to
- Spam links:

I was thinking that despite looking very similar if not identical to Shon Harris' main CISSP domain for selling CISSP materials, this site would probably be some form of malware site (seriously, that was my first reaction). However, I was wrong: appears to be a legitimate site and even Shon Harris' linkedin profile links to it!

It seems unlikely to me that Indian people would bother to post CISSP spam comments in my blog for the lulz alone. You do not need to be very smart to realise that the business model points to Shon Harris outsourcing spammers in India to increase sales of her CISSP training materials.

Further, there is evidence gathered by that was previously spamming via email too, both in 2008 and in 2010 

Not only that, but Jericho from actually confronted Shon Harris directly about it in 2010 and Shon did not mention, ever, in a single line of her emails (yes I read it all) that she was not sending spam. Ironically the conversation started because Shon had problems to unsubscribe from the mailing list :).

There are hints of this in the emails that went on between Jericho and Shon but I wondered this myself too as I was investigating the spam in my blog: What is the value of the CISSP code of ethics if the top authority in CISSP training materials and a CISSP herself, Shon Harris, violates them like this?

One of the clauses in the code of ethics is literally: "Act honorably, honestly, justly, responsibly, and legally".  A CISSP, or anybody with some basic ethics for that matter, should not be sending Spam. Matters get worse when you are not only a CISSP but also training other future CISSPs, most people would expect the trainer to lead by example.

Finally, I would like to mention that the following looks unprofessional too:

# curl -A CISSP -i|head -3
HTTP/1.1 200 OK
Date: Tue, xx Aug 2011 xx:xx:xx GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ PHP/5.2.9

Pro tip: Do not spam security folks ;)

Update 08/08/2011: Further evidence of this activity from the ittrainingblog (04/08/2010):
"FUNNY UPDATE: Check out the comment spam we got from Shon Harris' blog, I actually approved it. Im interested to know what spammy SEO company she has marketing her site, Shon has far too strong a name in the industry for that."