Hunting Cyber Criminals A Hacker's Guide to Online Intelligence Gathering Tools and Techniques

The skills and tools for collecting, verifying and correlating information from different types of systems is an essential skill when tracking down hackers. This book explores Open Source Intelligence Gathering (OSINT) inside out from multiple perspectives, including those of hackers and seasoned intelligence experts. OSINT refers to the techniques and tools required to harvest publicly available data concerning a person or an organization. With several years of experience of tracking hackers with OSINT, the author whips up a classical plot-line involving a hunt for a threat actor. While taking the audience through the thrilling investigative drama, the author immerses the audience with in-depth knowledge of state-of-the-art OSINT tools and techniques. Technical users will want a basic understanding of the Linux command line in order to follow the examples. But a person with no Linux or programming experience can still gain a lot from this book through the commentaries.

This book’s unique digital investigation proposition is a combination of story-telling, tutorials, and case studies. The book explores digital investigation from multiple angles:

• Through the eyes of the author who has several years of experience in the subject.
• Through the mind of the hacker who collects massive amounts of data from multiple online sources to identify targets as well as ways to hit the targets.
• Through the eyes of industry leaders.

This book is ideal for:

Investigation professionals, forensic analysts, and CISO/CIO and other executives wanting to understand the mindset of a hacker and how seemingly harmless information can be used to target their organization.

Security analysts, forensic investigators, and SOC teams looking for new approaches on digital investigations from the perspective of collecting and parsing publicly available information.

CISOs and defense teams will find this book useful because it takes the perspective of infiltrating an organization from the mindset of a hacker. The commentary provided by outside experts will also provide them with ideas to further protect their organization’s data.

ABOUT THE AUTHOR

VINNY TROIA is a cybersecurity evangelist and hacker with Night Lion Security. He is an acknowledged expert in digital forensics investigations, security strategies, and security breach remediation. Vinny possesses deep knowledge of industry-standard security and compliance controls, is frequently seen providing security expertise on major TV and radio networks, and recently introduced Data Viper, his own threat intelligence and cyber-criminal hunting platform.

Prologue xxv

Chapter 1 Getting Started 1

Why This Book is Different 2

What You Will and Won’t Find in This Book 2

Getting to Know Your Fellow Experts 3

A Note on Cryptocurrencies 4

What You Need to Know 4

Paid Tools and Historical Data 5

What about Maltego? 5

Prerequisites 5

Know How to Use and Configure Linux 5

Get Your API Keys in Order 6

Important Resources 6

OSINT Framework 6

OSINT.link 6

IntelTechniques 7

Termbin 8

Hunchly 9

Wordlists and Generators 9

SecLists 9

Cewl 10

Crunch 10

Proxies 10

Storm Proxies (Auto-Rotating) 10

Cryptocurrencies 101 11

How Do Cryptocurrencies Work? 12

Blockchain Explorers 13

Following the Money 15

Identifying Exchanges and Traders 17

Summary 18

Chapter 2 Investigations and Threat Actors 19

The Path of an Investigator 19

Go Big or Go Home 20

The Breach That Never Happened 21

What Would You Do? 22

Moral Gray Areas 24

Different Investigative Paths 25

Investigating Cyber Criminals 26

The Beginning of the Hunt (for TDO) 27

The Dark Overlord 27

List of Victims 28

A Brief Overview 29

Communication Style 30

Group Structure and Members 30

Cyper 31

Arnie 32

Cr00k (Ping) 35

NSA (Peace of Mind) 36

The Dark Overlord 38

Summary 41

Part I Network Exploration 43

Chapter 3 Manual Network Exploration 45

Chapter Targets: Pepsi.com and Cyper.org 46

Asset Discovery 46

ARIN Search 47

Search Engine Dorks 48

DNSDumpster 49

Hacker Target 52

Shodan 53

Censys (Subdomain Finder) 56

Censys Subdomain Finder 56

Fierce 57

Sublist3r 58

Enumall 59

Results 60

Phishing Domains and Typosquatting 61

Summary 64

Chapter 4 Looking for Network Activity (Advanced NMAP Techniques) 67

Getting Started 67

Preparing a List of Active Hosts 68

Full Port Scans Using Different Scan Types 68

TCP Window Scan 70

Working against Firewalls and IDS 70

Using Reason Response 71

Identifying Live Servers 71

Firewall Evasion 73

Distributed Scanning with Proxies and TOR 73

Fragmented Packets/MTU 74

Service Detection Trick 74

Low and Slow 76

Bad Checksums, Decoy, and Random Data 76

Firewalking 79

Comparing Results 79

Styling NMAP Reports 81

Summary 82

Chapter 5 Automated Tools for Network Discovery 83

SpiderFoot 84

SpiderFoot HX (Premium) 91

Intrigue.io 95

Entities Tab 96

Analyzing uberpeople.net 99

Analyzing the Results 104

Exporting Your Results 105

Recon-NG 107

Searching for Modules 111

Using Modules 111

Looking for Ports with Shodan 115

Summary 116

Part II Web Exploration 119

Chapter 6 Website Information Gathering 121

BuiltWith 121

Finding Common Sites Using Google Analytics Tracker 123

IP History and Related Sites 124

Webapp Information Gatherer (WIG) 124

CMSMap 129

Running a Single Site Scan 130

Scanning Multiple Sites in Batch Mode 130

Detecting Vulnerabilities 131

WPScan 132

Dealing with WAFs/WordPress Not Detected 136

Summary 141

Chapter 7 Directory Hunting 143

Dirhunt 143

Wfuzz 146

Photon 149

Crawling a Website 151

Intrigue.io 152

Summary 157

Chapter 8 Search Engine Dorks 159

Essential Search Dorks 160

The Minus Sign 160

Using Quotes 160

The site: Operator 161

The intitle: Operator 161

The allintitle: Operator 162

The fi letype: Operator 162

The inurl: Operator 163

The cache: Operator 165

The allinurl: Operator 165

The fi lename: Operator 165

The intext: Operator 165

The Power of the Dork 166

Don’t Forget about Bing and Yahoo! 169

Automated Dorking Tools 169

Inurlbr 169

Using Inurlbr 171

Summary 173

Chapter 9 WHOIS 175

WHOIS 175

Uses for WHOIS Data 176

Historical WHOIS 177

Searching for Similar Domains 177

Namedroppers.com 177

Searching for Multiple Keywords 179

Advanced Searches 181

Looking for Threat Actors 182

Whoisology 183

Advanced Domain Searching 187

Worth the Money? Absolutely 188

DomainTools 188

Domain Search 188

Bulk WHOIS 189

Reverse IP Lookup 189

WHOIS Records on Steroids 190

WHOIS History 192

The Power of Screenshots 193

Digging into WHOIS History 193

Looking for Changes in Ownership 194

Reverse WHOIS 196

Cross-Checking All Information 197

Summary 199

Chapter 10 Certificate Transparency and Internet Archives 201

Certificate Transparency 201

What Does Any of This Have to Do with Digital Investigations? 202

Scouting with CTFR 202

Crt.sh 204

CT in Action: Side-stepping Cloudflare 204

Testing More Targets 208

CloudFlair (Script) and Censys 209

How Does It Work? 210

Wayback Machine and Search Engine Archives 211

Search Engine Caches 212

CachedView.com 214

Wayback Machine Scraper 214

Enum Wayback 215

Scraping Wayback with Photon 216

Archive.org Site Search URLs 217

Wayback Site Digest: A List of Every Site URL Cached by Wayback 219

Summary 220

Chapter 11 Iris by DomainTools 221

The Basics of Iris 221

Guided Pivots 223

Configuring Your Settings 223

Historical Search Setting 224

Pivootttt!!! 225

Pivoting on SSL Certificate Hashes 227

Keeping Notes 228

WHOIS History 230

Screenshot History 232

Hosting History 232

Bringing It All Together 234

A Major Find 240

Summary 241

Part III Digging for Gold 243

Chapter 12 Document Metadata 245

Exiftool 246

Metagoofil 248

Recon-NG Metadata Modules 250

Metacrawler 250

Interesting_Files Module 252

Pushpin Geolocation Modules 254

Intrigue.io 257

FOCA 261

Starting a Project 262

Extracting Metadata 263

Summary 266

Chapter 13 Interesting Places to Look 267

TheHarvester 268

Running a Scan 269

Paste Sites 273

Psbdmp.ws 273

Forums 274

Investigating Forum History (and TDO) 275

Following Breadcrumbs 276

Tracing Cyper’s Identity 278

Code Repositories 280

SearchCode.com 281

Searching for Code 282

False Negatives 283

Gitrob 284

Git Commit Logs 287

Wiki Sites 288

Wikipedia 289

Summary 292

Chapter 14 Publicly Accessible Data Storage 293

The Exactis Leak and Shodan 294

Data Attribution 295

Shodan’s Command-Line Options 296

Querying Historical Data 296

CloudStorageFinder 298

Amazon S3 299

Digital Ocean Spaces 300

NoSQL Databases 301

MongoDB 302

Robot 3T 302

Mongo Command-Line Tools 305

Elasticsearch 308

Querying Elasticsearch 308

Dumping Elasticsearch Data 311

NoScrape 311

MongoDB 313

Elasticsearch 314

Scan 314

Search 315

Dump 317

MatchDump 317

Cassandra 318

Amazon S3 320

Using Your Own S3 Credentials 320

Summary 321

Part IV People Hunting 323

Chapter 15 Researching People, Images, and Locations 325

PIPL 326

Searching for People 327

Public Records and Background Checks 330

Ancestry.com 331

Threat Actors Have Dads, Too 332

Criminal Record Searches 332

Image Searching 333

Google Images 334

Searching for Gold 335

Following the Trail 335

TinEye 336

EagleEye 340

Searching for Images 340

Cree.py and Geolocation 343

Getting Started 343

IP Address Tracking 346

Summary 347

Chapter 16 Searching Social Media 349

OSINT.rest 350

Another Test Subject 355

Twitter 357

SocialLinks: For Maltego Users 358

Skiptracer 361

Running a Search 361

Searching for an Email Address 361

Searching for a Phone Number 364

Searching Usernames 366

One More Username Search 368

Userrecon 370

Reddit Investigator 372

A Critical “Peace” of the TDO Investigation 374

Summary 375

Chapter 17 Profile Tracking and Password Reset Clues 377

Where to Start (with TDO)? 377

Building a Profile Matrix 378

Starting a Search with Forums 379

Ban Lists 381

Social Engineering 381

SE’ing Threat Actors: The “Argon” Story 383

Everyone Gets SE’d—a Lesson Learned 387

The End of TDO and the KickAss Forum 388

Using Password Reset Clues 390

Starting Your Verification Sheet 391

Gmail 391

Facebook 393

PayPal 394

Twitter 397

Microsoft 399

Instagram 400

Using jQuery Website Responses 400

ICQ 403

Summary 405

Chapter 18 Passwords, Dumps, and Data Viper 407

Using Passwords 408

Completing F3ttywap’s Profile Matrix 409

An Important Wrong Turn 412

Acquiring Your Data 413

Data Quality and Collections 1–5 413

Always Manually Verify the Data 415

Where to Find Quality Data 420

Data Viper 420

Forums: The Missing Link 421

Identifying the Real “Cr00k” 422

Tracking Cr00k’s Forum Movements 423

Timeline Analysis 423

The Eureka Moment 427

Vanity over OPSEC, Every Time 429

Why This Connection is Significant 429

Starting Small: Data Viper 1.0 430

Summary 431

Chapter 19 Interacting with Threat Actors 433

Drawing Them Out of the Shadows 433

Who is WhitePacket? 434

The Bev Robb Connection 435

Stradinatras 436

Obfuscation and TDO 437

Who is Bill? 439

So Who Exactly is Bill? 440

YoungBugsThug 440

How Did I Know It Was Chris? 441

A Connection to Mirai Botnet? 442

Why Was This Discovery So Earth-Shattering? 444

Question Everything! 445

Establishing a Flow of Information 446

Leveraging Hacker Drama 447

Was Any of That Real? 448

Looking for Other Clues 449

Bringing It Back to TDO 450

Resolving One Final Question 451

Withdrawing Bitcoin 451

Summary 452

Chapter 20 Cutting through the Disinformation of a 10-Million-Dollar Hack 453

GnosticPlayers 454

Sites Hacked by GnosticPlayers 456

Gnostic’s Hacking Techniques 457

GnosticPlayers’ Posts 459

GnosticPlayers2 Emerges 461

A Mysterious Third Member 462

NSFW/Photon 463

The Gloves Come Off 464

Making Contact 465

Gabriel/Bildstein aka Kuroi’sh 465

Contacting His Friends 467

Weeding through Disinformation 468

Verifying with Wayback 468

Bringing It All Together 469

Data Viper 469

Trust but Verify 472

Domain Tools’ Iris 474

Verifying with a Second Data Source 475

The End of the Line 476

What Really Happened? 476

Outofreach 476

Kuroi’sh Magically Appears 477

What I Learned from Watching Lost 477

Who Hacked GateHub? 478

Unraveling the Lie 479

Was Gabriel Involved? My Theory 479

Gabriel is Nclay: An Alternate Theory 479

All roads lead back to NSFW 480

Summary 481

Epilogue 483

Index 487

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.