OSINT: Do I have to Capture The Flag? Pt2.

Steve Pye
9 min read · May 16, 2022


Making a persona that’s even faker than your social media identity.

This is a continuation of OSINT: Do I have to Capture The Flag? Pt1, if you hadn’t guessed from the title.

You don’t have to read it; it’s just background info and considerations on how and why you’d set up a simple OSINT CTF.

If you didn’t read it, feel free to follow that link. If you don’t want to, or already have, then you’ll need a mobile number you don’t care about (cheap pre-paid SIMs are useful here) and a fake persona with a unique name, profile picture and some basic data like a fake address.

Time to build our first OSINT\SE CTF.

A building leaning out over a precipice. Someone built something that just about does the job but probably won’t stand up. Much like the simple OSINT CTF we’ll be building. Just a bit of fun really.
Photo by Cindy Tang on Unsplash

First up let’s create a fake email account.

Head over to Gmail and set up an account using your details from the fake persona we created.

Make sure you note down the password you use.

Filling in the fake account details in Google mail
Create our fake account

At this stage we want to use the phone number we stood up so we can ‘verify’ our fake account.

Verify your number with the fake gmail account
Use a number you don’t care for

We’ll use this account when we sign up for everything else so we are going to be in and out of it.

Make note of your chosen email address and password as these can become good flags or things to identify for your CTF users.

Unusual job

Why not add a bit of flavour to your mimic? In this instance we are going to give our mimic two jobs. Job number one will be owner of a small business and job number two will be purveyor of illicit substances.

Consider creating a weighted scoring system for things found during the CTF.

If it’s a point system maybe score 1 point for finding out their legitimate job and 5 points for discovering the illicit job.

There are two simple ways we can flesh this out as part of the persona.

First up, use your fake account to sign up to a service like Wix.com.

You can stand up a fake site in minutes

Remember for this we are going with good enough for the exercise. It does not have to be all singing all dancing. If you want you can buy a domain but I find that the free ones are more than fit for purpose.

Populate the page to make it seem legit, but maybe add one or two little errors in as well. On your contact page you could add a different email address, maybe the one from the fake persona we created in Part 1. In your persona for the mimic this can be used to reflect them making a mistake and using their real personal address by default.

We’ll make use of the website to deal with part two of our persona as well.

Let’s put something obscure on the site that gives us enough of a hint towards their second job.

Create a Word doc called HowToOrder and leave it empty.

Now right-click on the doc, wherever you saved it, open Properties and go to the Details tab.

Add a subject along the lines of “Send me a text on <Fake#> for order details”

Adding metadata to our blank file
Add the metadata

Click apply then add this to a Google Drive, make it public and put the link somewhere on your fake website.

Anyone doing the challenge and finding this link can download the document. Hopefully when they find it blank it’ll seem unusual enough that they may look at the metadata and follow the instructions.

If you receive a text on your fake phone then reply with something generic like a list of illegal substances. Obviously here you can use any second job you like and if you don’t want to text people then use another fake email address and set an auto-reply to automate your CTF :)

Okay — so we’ve got a fake person, fake jobs, fake website, fake email account and we’ve started to share our information out there on the contact page and in metadata.

Flesh it out a bit

Let’s stand up a few more fake accounts and use whatever username we chose when creating our fake persona.

I’d suggest that Twitter is a good candidate.

Create an account, follow a few generic accounts about flowers then maybe one or two dodgier ones in line with your chosen second job.

Once you have an account add your fake profile picture to it so your CTF users know they’ve found the correct account when they discover it.

Send out a few generic tweets.

At this stage you should start to link your accounts — maybe add your fake website to your Twitter profile or post a link to it in a tweet.

Tweeting a password
Tweet your password

Tweet your password out for your fake accounts and make sure you use the same one everywhere. If you can turn off 2FA on an account then do it.

This might seem counterintuitive but it serves a useful purpose.

1 — If someone sees an unusual string such as the one in the photo they should be able to connect the dots and work out that it’s likely a password errantly tweeted. (People do this stuff all the time)

2 — If the CTF user uses the password and logs into one of the fake accounts, we need to be able to catch them.

Note: On the second point, we are teaching people how to find useful information, not how to break the law. If someone finds and uses a password they are breaking the Computer Misuse Act.

Put information in any account that can be accessed that would only be discoverable if the participants have broken the law. This should count as an automatic loss in the CTF or at least a heavy points deduction.

One cool way to catch out people who might log into, say, your fake Gmail account is to set up a canary token document and then email it to yourself.

Create a canary doc

Go to Canarytokens and choose a word doc.

Fill in the details requested at https://canarytokens.org/generate#
Create your canary token

Use your real email address and add a message so you remember it’s fired from your CTF.

Rename the doc you receive to something interesting and then email it to yourself from your fake account to your fake account. Anyone breaking into the account should be able to find it.

Now anytime someone opens the document you will receive an email notifying you of their naughty behaviour.

You can use these for all sorts of things but I think this is a pretty cool way to get introduced to canary tokens if you’ve never used one before.

One interesting way is to send an email to someone with one in (let them know first) and then look at all the different notifications you get from various security tools opening the attachment on the way to the recipient — this was pretty eye opening when I first saw it. This is also very important to note if you are running internal phishing exercises, as you often get false positives from links that are visited in email by well meaning security technologies.

Token firing example

You can use this on any documents to keep track of people finding them as part of the CTF if you like. They are a really useful tool in general so be sure to check them out.

More accounts

Over to you.

Create accounts anywhere you want to flesh out your user.

Make sure you use the unusual name so it becomes easier to find and reuse email addresses and usernames.

You can make your mimic as detailed as you like at this stage but I’d recommend using popular sites even if you don’t use them yourself — LinkedIn\Twitter, Instagram, Facebook etc.

Why and what?

  • Spread information such as contact details
  • Link accounts to each other so users have a thread to pull
  • Make the account easier to find
  • Add individual bits of info on each site so people can build up a profile but have to work for it

Remember to take notes on what you create — have an idea where all the information you create and spread resides but also what you want them to find. You can use this list for creating your scoring system later (easy to find scores low — difficult to find scores high).

Make sure you create a simple narrative for your users. You’ll provide this to them at the start of your session.

Identify what you want them to find, what the point in the exercise is and give them a starter for 10 … maybe that unusual name we created :)

Oh no my account was hacked…

Go to Pastebin (or similar sites) and search for passwords.

Credentials of stolen data
“Hacked” info

Either search it or use a Google dork like “site:pastebin.com intext:password”.

We are looking to emulate this but for our own fake content.

Start by making a paste and include your own information that you want sharing — I’d suggest dumping out your profile we created in part 1 and usernames etc.

If you want you could copy one of these dumps and seed your own data into it. This is a bit dodgy though, as you’d be sharing stolen content, so it’s up to your own moral compass\legal jurisdiction on this one.

Is that it?

What do we have?

  • Fake persona — fake profile and details
  • Fake email account — with canary metadata
  • Fake mobile phone — used for signing up and adding CTF flavour
  • Several fake social media accounts — seeding our data
  • “Stolen credentials” leaked on to paste sites
  • Fake website for our job and threads to tie it to our second job
  • At least one canary token
  • A document covering all the stuff we created and how and where to find things
  • A narrative to point people in the right direction

It’s up to you to add more flavour and more threads. If people struggle to find the “stolen” data on your chosen paste site, maybe tweet out something like “Can’t believe my data was stolen and put on Pastebin” and then include the unique 8-character part of the URL to help point people towards it.

The more you create and link the more likely people are to find what is needed.

Make sure you do a test run of your CTF. As discussed in Part 1 we are doing this to achieve something, essentially training people to use skills or demonstrate the threats of data sharing etc.

Do a dry run and make sure you can use the tools you’ve taught to actually find your user. Make sure the data you say can be found can be found. And listen to feedback and adapt the mimic to help. I’d recommend running the first few in person and being there to drop hints and give support. Once you’ve run it a few times you should have a good idea of where you need to add content etc.

Give it a go, this isn’t a be all and end all CTF for OSINT but it’s a nice start and adds a fun\challenge element to any training you are running.


Steve Pye

Interested in OSINT, Social Engineering, Security automation and currently working in the Cyber Security industry.