OSINT in the 6ix

DrMike
4 min read · Jul 26, 2020


In a slightly different Saturday afternoon to usual, I joined a (very well attended!) workshop run by Joe Gray of The OSINTion and organised by DEFCon Toronto and learned a huge amount about OSINT in the process.

OSINT, or Open Source Intelligence, is data collected from publicly available sources (OSINF — Open Source Information) that is useful in an intelligence context. Most recently I’ve been working on the ‘people’ side of this through TraceLabs, who use crowdsourced OSINT to help law enforcement to locate missing persons, but the ‘business’ side was very new to me — and the workshop filled in gaps in both!

There were plenty of tools introduced all the way through, and lots that I hadn’t tried before. recon-ng was the most significant new one to me (it’s built into Kali), and its modular system gives a way to bolt in a bunch of different APIs and build up target profiles quickly. These include ways to query DNS information, to collect information about usernames from multiple social networks, to query WikiLeaks for email addresses, and much more.

On the web side of things, another new tool was https://map.snapchat.com/ — which lets you view what people have been recording on Snapchat (if they opt to show it on the map). In missing persons cases it can be quite easy to get lost in the data, so being able to get some more context about the location as a community will be pretty valuable I think.

I won’t go into too much detail about everything else here, but I would definitely recommend joining one of the OSINTion courses if you’re able!

The CTF

The competition itself was a great way to practice what we had learned during the workshop. Questions ranged from the technical (‘what spam filter does this company use?’) to the personal (‘what laptop does this employee use?’) to the cultural (‘what sort of badges do new employees wear?’). Note that I won’t name any specific companies here.

I have to admit that I stuck with my well-trodden browser-based approach to most of the challenges, but watching Joe explain the solutions made me realise that I could’ve solved them far more quickly given a bit more recon-ng practice. One to brush up on for the next CTF.

Oddly, though, the main bottleneck for me at the start wasn’t tooling but just a mental block: I was looking for the JavaScript framework used by a company and started by looking at the website source. In fact, you can get far more information by just looking at job adverts — some companies even explicitly state versions of software. A gentle nudge from Joe set me on the right track, and I was able to tick off a whole bunch of challenges very quickly.

Some of the other technical questions were related to infrastructure: the email filtering software, or stakeholder engagement software. For these the DNS route was the way to go — you can get a whole lot of information out of DNS records (especially MX!). With DNS plus job adverts, you can ascertain the technology behind a target pretty quickly.
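To make the MX point concrete, here is an added example (my own code, not from the workshop or any tool it covered) that parses the answer section of a `dig MX` lookup and maps the mail exchangers to the filtering provider they reveal. The vendor hint table and the sample `dig` output are constructed for this example, and the table is deliberately small; it is the kind of check a defender can run against their own domain to see what the public record gives away.

```python
import re

# Substrings of MX hostnames that identify widely used mail filtering / hosting
# providers. Assumption: this table is hand-built for the example from publicly
# documented MX targets and is not exhaustive.
MX_VENDOR_HINTS = {
    "pphosted.com": "Proofpoint",
    "mimecast.com": "Mimecast",
    "mail.protection.outlook.com": "Microsoft 365 / Exchange Online Protection",
    "google.com": "Google Workspace",
    "barracudanetworks.com": "Barracuda",
}

# Constructed sample: what the ANSWER section of `dig MX example.com` might look
# like for a domain fronted by a third-party filter.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.\t\t3600\tIN\tMX\t10 mxa-0001.gslb.pphosted.com.
example.com.\t\t3600\tIN\tMX\t10 mxb-0001.gslb.pphosted.com.
"""

# Constructed sample: a domain that runs its own mail server.
SAMPLE_SELF_HOSTED = "example.org.\t300\tIN\tMX\t10 mail.example.org.\n"


def parse_mx_answers(dig_output: str) -> list[tuple[int, str]]:
    """Extract (preference, exchange) pairs from dig's ANSWER lines,
    sorted so the lowest preference (highest priority) comes first."""
    pattern = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)$", re.M)
    records = [(int(pref), host.rstrip(".").lower())
               for pref, host in pattern.findall(dig_output)]
    return sorted(records)


def identify_mail_filter(dig_output: str) -> dict:
    """Match each exchanger against the vendor hint table. A hostname matches a
    hint when it equals it or is a subdomain of it, so that
    'mxa-0001.gslb.pphosted.com' maps to Proofpoint."""
    mx = parse_mx_answers(dig_output)
    vendors: list[str] = []
    for _, host in mx:
        for hint, vendor in MX_VENDOR_HINTS.items():
            if (host == hint or host.endswith("." + hint)) and vendor not in vendors:
                vendors.append(vendor)
    # No recognised provider but MX records present: mail is likely self-hosted,
    # which is itself informative (no third-party filter in front of it).
    return {"mx": mx, "vendors": vendors, "self_hosted": bool(mx) and not vendors}


if __name__ == "__main__":
    print(identify_mail_filter(SAMPLE_DIG_OUTPUT))
    print(identify_mail_filter(SAMPLE_SELF_HOSTED))
```

Feed it real output by piping `dig MX yourdomain.example +noall +answer` into the parser; a missing or unrecognised exchanger is a prompt to extend the hint table rather than a sign of no filtering.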

(Interestingly one team solved one of these challenges by finding an employee’s LinkedIn profile and noticing their technology skills — a nice use of pivoting!)

Once I’d ticked off the majority of the technical challenges (some of them were still elusive at the end — and were hiding in plain sight!) I moved onto the trickier side: people and culture information. With these I gave myself a few minutes per question before moving onto another — especially companies that were more international.

One powerful trick was simply to search Instagram by a location (I say simply, but I learned a lot about Canadian addresses during the CTF). Specifically, the address of the company you’re looking into. This turns up all sorts of photographs taken by employees — and even by the companies’ marketing teams. Some of these might include photos taken in front of floor signs, of new employees posing with their security badges, or even pictures in employee offices. From there it’s often a small step to search for the name on LinkedIn or Facebook to determine their position in the company and verify who you’re looking at.

The 2 hours flew by, and I had a couple of minutes at the end to make some educated guesses for some of the challenges that I’d missed. I was pretty happy to end up in 18th place out of (I think!) around 85 teams — especially as it was a solo CTF this time around. My next challenge will be the OSINT Search Party CTF in August, and now I’ll be bringing a much better equipped toolkit!


DrMike

Dr Michael O. Jewell is a Data Engineer at senseye.io, an IoT researcher, a games writer, a part-time musician, and a tea-blending experimentalist.