httpIrongeekcom

Adrian Crenshaw

httpIrongeekcom

I run Irongeekcom

I have an interest in InfoSec education

I donrsquot know everything - Irsquom just a geek with time on my hands

Irsquom an (Ir)regular on the InfoSec Daily Podcast httpisdpodcastcom

Sr Information Security Engineer at a Fortune 1000

Co-Founder of Derbycon httpwwwderbyconcom

Twitter Irongeek_ADC

httpIrongeekcom

I run Irongeekcom

I have an interest in InfoSec education

I donrsquot know everything - Irsquom just a geek with time on my hands

Irsquom an (Ir)regular on the InfoSec Daily Podcast httpisdpodcastcom

Sr Information Security Engineer at a Fortune 1000

Co-Founder of Derbycon httpwwwderbyconcom

Twitter Irongeek_ADC

httpIrongeekcom

Mile wide 25 feet deep

Feel free to ask questions at any time

There will (hopefully) be many long breaks to play with the tools mentioned

Irsquoll try not to drop anyones docs but my own but volunteers for ldquovictimsrdquo will help

httpIrongeekcom

Other names and related concepts

OSInt (Open Source Intelligence)

Scoping

Footprinting

Discovery

Recon

Cyberstalking

httpIrongeekcom

DNS Whois and Domain Tools

Finding general Information about an organization via the web

Anti-social networks

Google Hacking

Metadata

Other odds and ends

httpIrongeekcom

For Pen-testers and attackers

Precursor to attack

Social Engineering

Disgruntled Employees

User names and passwords

Web vulnerabilities

Internal IT structure (software servers IP layout)

Spearphishing

For everyone else

You want to keep attackers from finding this info and using this against you

httpIrongeekcom

All these techniques are legal as far as I know but IANAL

Sorry if I ldquodrop someonersquos docsrdquo other than my own

Please donrsquot misuse this information

httpIrongeekcom

Tons of fun tools to play with httpwwwbacktrack-linuxorg

Username root Password toor

Many of the DNS tools are in pentestenumerationdns

httpIrongeekcom

Other names and related concepts

OSInt (Open Source Intelligence)

Scoping

Footprinting

Discovery

Recon

Cyberstalking

httpIrongeekcom

DNS Whois and Domain Tools

Finding general Information about an organization via the web

Anti-social networks

Google Hacking

Metadata

Other odds and ends

httpIrongeekcom

For Pen-testers and attackers

Precursor to attack

Social Engineering

Disgruntled Employees

User names and passwords

Web vulnerabilities

Internal IT structure (software servers IP layout)

Spearphishing

For everyone else

You want to keep attackers from finding this info and using this against you

httpIrongeekcom

All these techniques are legal as far as I know but IANAL

Sorry if I ldquodrop someonersquos docsrdquo other than my own

Please donrsquot misuse this information

httpIrongeekcom

Tons of fun tools to play with httpwwwbacktrack-linuxorg

Username root Password toor

Many of the DNS tools are in pentestenumerationdns

httpIrongeekcom

DNS Whois and Domain Tools

Finding general Information about an organization via the web

Anti-social networks

Google Hacking

Metadata

Other odds and ends

httpIrongeekcom

For Pen-testers and attackers

Precursor to attack

Social Engineering

Disgruntled Employees

User names and passwords

Web vulnerabilities

Internal IT structure (software servers IP layout)

Spearphishing

For everyone else

You want to keep attackers from finding this info and using this against you

httpIrongeekcom

All these techniques are legal as far as I know but IANAL

Sorry if I ldquodrop someonersquos docsrdquo other than my own

Please donrsquot misuse this information

httpIrongeekcom

Tons of fun tools to play with httpwwwbacktrack-linuxorg

Username root Password toor

Many of the DNS tools are in pentestenumerationdns

httpIrongeekcom

For Pen-testers and attackers

Precursor to attack

Social Engineering

Disgruntled Employees

User names and passwords

Web vulnerabilities

Internal IT structure (software servers IP layout)

Spearphishing

For everyone else

You want to keep attackers from finding this info and using this against you

httpIrongeekcom

All these techniques are legal as far as I know but IANAL

Sorry if I ldquodrop someonersquos docsrdquo other than my own

Please donrsquot misuse this information

httpIrongeekcom

Tons of fun tools to play with httpwwwbacktrack-linuxorg

Username root Password toor

Many of the DNS tools are in pentestenumerationdns

httpIrongeekcom

All these techniques are legal as far as I know but IANAL

Sorry if I ldquodrop someonersquos docsrdquo other than my own

Please donrsquot misuse this information

httpIrongeekcom

Tons of fun tools to play with httpwwwbacktrack-linuxorg

Username root Password toor

Many of the DNS tools are in pentestenumerationdns

httpIrongeekcom

Tons of fun tools to play with httpwwwbacktrack-linuxorg

Username root Password toor

Many of the DNS tools are in pentestenumerationdns

httpIrongeekcom

Who-do the voodoo that you do so well

httpIrongeekcom

Glue of the Internet

Think of it as a phone book of sorts

Maps names to IPs and IPs to names (and other odds and ends)

Organization information is also kept

69163177249 wwwirongeekcom

httpIrongeekcom

Host name to IP lookup nslookup wwwirongeekcom

Reverse lookup nslookup 20897169250

httpIrongeekcom

Just a few record types cribbed from httpenwikipediaorgwikiList_of_DNS_record_types

Code Number Defining RFC Description Function

A 1 RFC 1035 address record Returns a 32-bit IPv4 address most commonly used to map hostnames to an IP address of the host but also used for DNSBLs storing subnet masks in RFC 1101 etc

AAAA

28 RFC 3596 IPv6 address record

Returns a 128-bit IPv6 address most commonly used to map hostnames to an IP address of the host

MX 15 RFC 1035 mail exchange record

Maps a domain name to a list of mail exchange servers for that domain

CNAME 5 RFC 1035 Canonical name record

Alias of one name to another the DNS lookup will continue by retrying the lookup with the new name

PTR 12 RFC 1035 pointer record Pointer to a canonical name Unlike a CNAME DNS processing does NOT proceed just the name is returned The most common use is for implementing reverse DNS lookups but other uses include such things as DNS-SD

AXFR 252 RFC 1035 Full Zone Transfer

Transfer entire zone file from the master name server to secondary name servers

httpIrongeekcom

Glue of the Internet

Think of it as a phone book of sorts

Maps names to IPs and IPs to names (and other odds and ends)

Organization information is also kept

69163177249 wwwirongeekcom

httpIrongeekcom

Host name to IP lookup nslookup wwwirongeekcom

Reverse lookup nslookup 20897169250

httpIrongeekcom

Just a few record types cribbed from httpenwikipediaorgwikiList_of_DNS_record_types

Code Number Defining RFC Description Function

A 1 RFC 1035 address record Returns a 32-bit IPv4 address most commonly used to map hostnames to an IP address of the host but also used for DNSBLs storing subnet masks in RFC 1101 etc

AAAA

28 RFC 3596 IPv6 address record

Returns a 128-bit IPv6 address most commonly used to map hostnames to an IP address of the host

MX 15 RFC 1035 mail exchange record

Maps a domain name to a list of mail exchange servers for that domain

CNAME 5 RFC 1035 Canonical name record

Alias of one name to another the DNS lookup will continue by retrying the lookup with the new name

PTR 12 RFC 1035 pointer record Pointer to a canonical name Unlike a CNAME DNS processing does NOT proceed just the name is returned The most common use is for implementing reverse DNS lookups but other uses include such things as DNS-SD

AXFR 252 RFC 1035 Full Zone Transfer

Transfer entire zone file from the master name server to secondary name servers

httpIrongeekcom

Host name to IP lookup nslookup wwwirongeekcom

Reverse lookup nslookup 20897169250

httpIrongeekcom

Just a few record types cribbed from httpenwikipediaorgwikiList_of_DNS_record_types

Code Number Defining RFC Description Function

A 1 RFC 1035 address record Returns a 32-bit IPv4 address most commonly used to map hostnames to an IP address of the host but also used for DNSBLs storing subnet masks in RFC 1101 etc

AAAA

28 RFC 3596 IPv6 address record

Returns a 128-bit IPv6 address most commonly used to map hostnames to an IP address of the host

MX 15 RFC 1035 mail exchange record

Maps a domain name to a list of mail exchange servers for that domain

CNAME 5 RFC 1035 Canonical name record

Alias of one name to another the DNS lookup will continue by retrying the lookup with the new name

PTR 12 RFC 1035 pointer record Pointer to a canonical name Unlike a CNAME DNS processing does NOT proceed just the name is returned The most common use is for implementing reverse DNS lookups but other uses include such things as DNS-SD

AXFR 252 RFC 1035 Full Zone Transfer

Transfer entire zone file from the master name server to secondary name servers

httpIrongeekcom

Just a few record types cribbed from httpenwikipediaorgwikiList_of_DNS_record_types

Code Number Defining RFC Description Function

A 1 RFC 1035 address record Returns a 32-bit IPv4 address most commonly used to map hostnames to an IP address of the host but also used for DNSBLs storing subnet masks in RFC 1101 etc

AAAA

28 RFC 3596 IPv6 address record

Returns a 128-bit IPv6 address most commonly used to map hostnames to an IP address of the host

MX 15 RFC 1035 mail exchange record

Maps a domain name to a list of mail exchange servers for that domain

CNAME 5 RFC 1035 Canonical name record

Alias of one name to another the DNS lookup will continue by retrying the lookup with the new name

PTR 12 RFC 1035 pointer record Pointer to a canonical name Unlike a CNAME DNS processing does NOT proceed just the name is returned The most common use is for implementing reverse DNS lookups but other uses include such things as DNS-SD

AXFR 252 RFC 1035 Full Zone Transfer

Transfer entire zone file from the master name server to secondary name servers

httpIrongeekcom

Zonetransfers

Bruteforcing from a dictionary

Nmap ndashsL ltsome-IP-rangegt

httpIrongeekcom

dig irongeekcom any

dig ns1dreamhostcom irongeekcom any

httpIrongeekcom

httpIrongeekcom

CDocuments and SettingsAdriangtnslookup

Default Server resolver1opendnscom

Address 20867222222

gt set type=ns

gt irongeekcom

Server resolver1opendnscom

Address 20867222222

Non-authoritative answer

irongeekcom nameserver = ns1dreamhostcom

irongeekcom nameserver = ns2dreamhostcom

irongeekcom nameserver = ns3dreamhostcom

gt server ns1dreamhostcom

Default Server ns1dreamhostcom

Address 6633206206

gt ls irongeekcom

[ns1dreamhostcom]

Cant list domain irongeekcom Query refused

gt exit

httpIrongeekcom

AXFR = Asynchronous Full Transfer Zone

Domain Internet Groper dig ugentbe ns dig ugdns1ugentbe ugentbe axfr

Or maybe this form DigiNinja dig axfr ns12zoneeditcom zonetransferme

httpIrongeekcom

Other tools in BackTrack dnsreconpy -d ugentbe ndashx dnsenumpl ugentbe

ServerSniff httpserversniffnetnsreportphp httpserversniffnetcontentphpdo=subdomains

GUI Dig for Windows httpnscanorgdightml

httpIrongeekcom

dig irongeekcom any

dig ns1dreamhostcom irongeekcom any

httpIrongeekcom

httpIrongeekcom

CDocuments and SettingsAdriangtnslookup

Default Server resolver1opendnscom

Address 20867222222

gt set type=ns

gt irongeekcom

Server resolver1opendnscom

Address 20867222222

Non-authoritative answer

irongeekcom nameserver = ns1dreamhostcom

irongeekcom nameserver = ns2dreamhostcom

irongeekcom nameserver = ns3dreamhostcom

gt server ns1dreamhostcom

Default Server ns1dreamhostcom

Address 6633206206

gt ls irongeekcom

[ns1dreamhostcom]

Cant list domain irongeekcom Query refused

gt exit

httpIrongeekcom

AXFR = Asynchronous Full Transfer Zone

Domain Internet Groper dig ugentbe ns dig ugdns1ugentbe ugentbe axfr

Or maybe this form DigiNinja dig axfr ns12zoneeditcom zonetransferme

httpIrongeekcom

Other tools in BackTrack dnsreconpy -d ugentbe ndashx dnsenumpl ugentbe

ServerSniff httpserversniffnetnsreportphp httpserversniffnetcontentphpdo=subdomains

GUI Dig for Windows httpnscanorgdightml

httpIrongeekcom

httpIrongeekcom

CDocuments and SettingsAdriangtnslookup

Default Server resolver1opendnscom

Address 20867222222

gt set type=ns

gt irongeekcom

Server resolver1opendnscom

Address 20867222222

Non-authoritative answer

irongeekcom nameserver = ns1dreamhostcom

irongeekcom nameserver = ns2dreamhostcom

irongeekcom nameserver = ns3dreamhostcom

gt server ns1dreamhostcom

Default Server ns1dreamhostcom

Address 6633206206

gt ls irongeekcom

[ns1dreamhostcom]

Cant list domain irongeekcom Query refused

gt exit

httpIrongeekcom

AXFR = Asynchronous Full Transfer Zone

Domain Internet Groper dig ugentbe ns dig ugdns1ugentbe ugentbe axfr

Or maybe this form DigiNinja dig axfr ns12zoneeditcom zonetransferme

httpIrongeekcom

Other tools in BackTrack dnsreconpy -d ugentbe ndashx dnsenumpl ugentbe

ServerSniff httpserversniffnetnsreportphp httpserversniffnetcontentphpdo=subdomains

GUI Dig for Windows httpnscanorgdightml

httpIrongeekcom

CDocuments and SettingsAdriangtnslookup

Default Server resolver1opendnscom

Address 20867222222

gt set type=ns

gt irongeekcom

Server resolver1opendnscom

Address 20867222222

Non-authoritative answer

irongeekcom nameserver = ns1dreamhostcom

irongeekcom nameserver = ns2dreamhostcom

irongeekcom nameserver = ns3dreamhostcom

gt server ns1dreamhostcom

Default Server ns1dreamhostcom

Address 6633206206

gt ls irongeekcom

[ns1dreamhostcom]

Cant list domain irongeekcom Query refused

gt exit

httpIrongeekcom

AXFR = Asynchronous Full Transfer Zone

Domain Internet Groper dig ugentbe ns dig ugdns1ugentbe ugentbe axfr

Or maybe this form DigiNinja dig axfr ns12zoneeditcom zonetransferme

httpIrongeekcom

Other tools in BackTrack dnsreconpy -d ugentbe ndashx dnsenumpl ugentbe

ServerSniff httpserversniffnetnsreportphp httpserversniffnetcontentphpdo=subdomains

GUI Dig for Windows httpnscanorgdightml

httpIrongeekcom

AXFR = Asynchronous Full Transfer Zone

Domain Internet Groper dig ugentbe ns dig ugdns1ugentbe ugentbe axfr

Or maybe this form DigiNinja dig axfr ns12zoneeditcom zonetransferme

httpIrongeekcom

Other tools in BackTrack dnsreconpy -d ugentbe ndashx dnsenumpl ugentbe

ServerSniff httpserversniffnetnsreportphp httpserversniffnetcontentphpdo=subdomains

GUI Dig for Windows httpnscanorgdightml

httpIrongeekcom

Other tools in BackTrack dnsreconpy -d ugentbe ndashx dnsenumpl ugentbe

ServerSniff httpserversniffnetnsreportphp httpserversniffnetcontentphpdo=subdomains

GUI Dig for Windows httpnscanorgdightml

httpIrongeekcom

Fierce httphackersorgfierce fiercepl -threads 100 -dns irongeekcom fiercepl -dns irongeekcom -wordlist dictionarytxt

httpIrongeekcom

nmap -sL ltsome-IP-rangegt

nmap -sL 1920321-10

httpIrongeekcom

Great for troubleshooting bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Who is by proxy

httpIrongeekcom

apt-get install whois

whois examplecom

whois 20897169250

httpIrongeekcom

nix Command line

Nirsoftrsquos httpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

httpIrongeekcom

Great for troubleshooting bad for privacy

Who owns a domain name or IP

E-mail contacts

Physical addresses

Name server

IP ranges

Who is by proxy

httpIrongeekcom

apt-get install whois

whois examplecom

whois 20897169250

httpIrongeekcom

nix Command line

Nirsoftrsquos httpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

httpIrongeekcom

apt-get install whois

whois examplecom

whois 20897169250

httpIrongeekcom

nix Command line

Nirsoftrsquos httpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

httpIrongeekcom

nix Command line

Nirsoftrsquos httpwwwnirsoftnetutilswhois_this_domainhtml

httpwwwnirsoftnetutilsipnetinfohtml

Pretty much any network tools collection

httpIrongeekcom

RobTex httpwwwrobtexcom

ServerSniff httpwwwserversniffnet

httpIrongeekcom

Windows (ICMP) tracert irongeekcom

nix (UDP by default change with ndashI or -T) traceroute irongeekcom

Just for fun httpwwwnabberorgprojectsgeotrace

httpIrongeekcom

So you have a job posting for an Ethical Hacker huh

httpIrongeekcom

The organizationrsquos website (duh)

Corp Info httpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machine httpwwwarchiveorg

Monster (and other job sites) httpwwwmonstercom

Zoominfo httpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boards httpboardreadercom httpomgilicom httpgroupsgooglecom

LinkedIn httpwwwlinkedincom

httpIrongeekcom

The organizationrsquos website (duh)

Corp Info httpwwwpentest-standardorgindexphpPTES_Technical_GuidelinesCorporate

Wayback Machine httpwwwarchiveorg

Monster (and other job sites) httpwwwmonstercom

Zoominfo httpwwwzoominfocom

Google Groups (News groups Google Groups and forums)

httpgroupsgooglecom

Boards httpboardreadercom httpomgilicom httpgroupsgooglecom

LinkedIn httpwwwlinkedincom

httpIrongeekcom

Itrsquos all about how this links to that links to some other thinghellip

httpIrongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

httpIrongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

httpIrongeekcom

Fake profile I made up to use for class

Dropped some Dox at a few places

May sound creepy but you can practice with names from dating sites

Remember what you learned from 4chan

httpIrongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

httpIrongeekcom

Large list at

httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

Useful

httpcomlullarcom

httpwwwpeekyoucom

httpwwwcheckusernamescom httpknowemcom

httpwwwisearchcom

httpwwwwhitepagescom

Not quite related but cool

httptineyecom

httppipesyahoocompipes

Crap

Most of them

httpIrongeekcom

General

httpyouropenbookorg

Geolocation

httpwwwbingcommaps

httptwittermapappspotcom

httpwwwfourwherecom

httpicanstalkucom

httpip2geolocationcom

Neighbors

httpwwwwhitepagescomfind_neighbors

httpIrongeekcom

Maltego httpwwwpatervacomweb5

See differences httpwwwpatervacomweb5clientdifferencephp

NetGlub httpwwwnetgluborg

Covers a large cross section of what this class is about

httpIrongeekcom

George Bronk

Found info on womenrsquos Facebook profiles

Used information to answer security question at mail providers

Found nudes

Posted some sent them to contacts lists asked for more

httpIrongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

httpIrongeekcom

More than just turning off safe search (though thatrsquos fun too)

httpIrongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

httpIrongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

httpIrongeekcom

Should you have a profile

What if you donrsquot

Impersonators

Robin Sage (by Thomas Ryan)

Get in peoples friends list to probe their connections

httpIrongeekcom

More than just turning off safe search (though thatrsquos fun too)

httpIrongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

httpIrongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

httpIrongeekcom

More than just turning off safe search (though thatrsquos fun too)

httpIrongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

httpIrongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

httpIrongeekcom

PII (Personally identifiable information)

Email address

User names

Vulnerable web services

Web based admin interfaces for hardware

Much morehelliphellip

YOU HAVE TO USE YOUR IMAGINATION

httpIrongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

httpIrongeekcom

Operators Description

site Restrict results to only one domain or server

inurlallinurl All terms must appear in URL

intitleallintitle All terms must appear in title

cache Display Googlersquos cache of a page

extfiletype Return files with a given extensionfile type

info Convenient way to get to other information about a page

link Find pages that link to the given page

inanchor Page is linked to by someone using the term

httpwwwgoogleguidecomadvanced_operatorshtml

httpIrongeekcom

Operators Description

- Inverse search operator (hide results)

~ synonyms

[][] Number range

Wildcard to put something between something when searching with ldquoquotesrdquo

+ Used to force stop words

OR Boolean operator must be uppercase

| Same as OR

httpIrongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

httpIrongeekcom

inurlnph-proxy siteedu

intitleindexofetc

intitleindexof siteirongeekcom

filetypepptx siteirongeekcom

vnc desktop inurl5800

adrian crenshaw -siteirongeekcom

httpIrongeekcom

SSN filetypexls | filetypexlsx

dig axfrrdquo

inurladmin

inurlindexFrameshtml Axis

inurlhpdevicethisLCDispatcher

ldquo192168rdquo (but replace with your IP range)

httpIrongeekcom

195608_100002238375103_5292346_njpg

inurl100002238375103

httpIrongeekcom

inurlesterpent

inurlester1337

intitleester1337

inurluser inurlirongeek -siteirongeekcom

inurlaccount irongeekldquo

sitefacebookcom inurlgroup (ISSA | Information Systems Security Association)

sitelinkedincom inurlcompany (NSA | National Security Agency)

httpIrongeekcom

Exploit DB Google Dorks httpwwwexploit-dbcomgoogle-dorks

Old School httpwwwhackersforcharityorgghdb

httpIrongeekcom

Metagoofil httpwwwedge-securitycommetagoofilphp

The Harvester theHarvesterpy -d irongeekcom -l 100 -b google

Online Google Hacking Tool httpwwwsecappscomaghdb

Spiderfoot httpwwwbinarypoolcomspiderfoot

Goolag httpgoolagorg

httpIrongeekcom

Gooscan Should be on BackTrack CDVM

Wikto httpwwwsensepostcomresearchwikto

SiteDigger httpwwwmcafeecomusdownloadsfree-toolssitediggeraspx

BiLE httpwwwsensepostcomresearch_mischtml

MSNPawn httpwwwnet-squarecommsnpawnindexshtml

httpIrongeekcom

JSONAtom httpcodegooglecomapiscustomsearchv1overviewhtml

Old httpcodegooglecomapiswebsearch

Really Old SOAP

EvilAPI httpevilapicom (defunct)

Spud httpwwwsensepostcomlabstoolspentestspud

I can Haz API keyz httpsgithubcomsearch

httpIrongeekcom

httpIrongeekcom

Small image on a page you control

Log IPs that contact you

Find the IPs from organizations that have your resume

httpIrongeekcom

ltphp

header(Content-type imagepng)

$im = imagecreatefrompng(1by1PNG)

imagecolortransparent ( $imimagecolorallocate($im 255 255 255))

imagepng($im)

imagedestroy($im)

$hostname=gethostbyaddr($_SERVER[REMOTE_ADDR])

$QUERY_STRING = preg_replace([^a-zA-Z0-9_] $_SERVER[QUERY_STRING])

Write Log

$filename = webbugcsv

$fp = fopen($filename a)

$string =$QUERY_STRING

$_SERVER[REMOTE_ADDR]

$hostname

$_SERVER[HTTP_USER_AGENT]

$_SERVER[HTTP_REFERER]

date(D dS MY hi a)n

$write = fputs($fp $string)

fclose($fp)

end Write Log

gt

httpIrongeekcom

Data about data

httpIrongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

httpIrongeekcom

Small image on a page you control

Log IPs that contact you

Find the IPs from organizations that have your resume

httpIrongeekcom

ltphp

header(Content-type imagepng)

$im = imagecreatefrompng(1by1PNG)

imagecolortransparent ( $imimagecolorallocate($im 255 255 255))

imagepng($im)

imagedestroy($im)

$hostname=gethostbyaddr($_SERVER[REMOTE_ADDR])

$QUERY_STRING = preg_replace([^a-zA-Z0-9_] $_SERVER[QUERY_STRING])

Write Log

$filename = webbugcsv

$fp = fopen($filename a)

$string =$QUERY_STRING

$_SERVER[REMOTE_ADDR]

$hostname

$_SERVER[HTTP_USER_AGENT]

$_SERVER[HTTP_REFERER]

date(D dS MY hi a)n

$write = fputs($fp $string)

fclose($fp)

end Write Log

gt

httpIrongeekcom

Data about data

httpIrongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

httpIrongeekcom

ltphp

header(Content-type imagepng)

$im = imagecreatefrompng(1by1PNG)

imagecolortransparent ( $imimagecolorallocate($im 255 255 255))

imagepng($im)

imagedestroy($im)

$hostname=gethostbyaddr($_SERVER[REMOTE_ADDR])

$QUERY_STRING = preg_replace([^a-zA-Z0-9_] $_SERVER[QUERY_STRING])

Write Log

$filename = webbugcsv

$fp = fopen($filename a)

$string =$QUERY_STRING

$_SERVER[REMOTE_ADDR]

$hostname

$_SERVER[HTTP_USER_AGENT]

$_SERVER[HTTP_REFERER]

date(D dS MY hi a)n

$write = fputs($fp $string)

fclose($fp)

end Write Log

gt

httpIrongeekcom

Data about data

httpIrongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

httpIrongeekcom

Data about data

httpIrongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

httpIrongeekcom

Dennis Rader (BTK Killer)

Metadata in a Word DOC he sent to police had the name of

his church and last modified by ldquoDennisrdquo in it

Cat Schwartz

Is that an unintended thumbnail in your EXIF data or are

you just happy to see me

DarkanakuNephew chan

A user on 4chan posts a pic of his semi-nude aunt

taken with an iPhone Anonymous pulls the EXIF

GPS info from the file and hilarity ensues More details can be on the following VNSFW site

httpencyclopediadramaticacomUserDarkanakuNephew_chan

httpwebarchiveorgweb20090608214029httpencyclopediadramatica

comUserDarkanakuNephew_chan

httpIrongeekcom

Higinio O Ochoa of CabinCr3w should have know if you are going to post a stripped picture of your girlfriend on a defaced website strip the image of EXIFGPS data too

httpIrongeekcom

JPG EXIF (Exchangeable image file format) IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

httpIrongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofil httpwwwedge-securitycommetagoofilphp

EXIF Tool httpwwwsnophyqueensuca~philexiftool

EXIF Viewer Plugin httpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

httpIrongeekcom

JPG EXIF (Exchangeable image file format) IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all

MAC addresses user names edits GPS info It all depends on the file format

httpIrongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofil httpwwwedge-securitycommetagoofilphp

EXIF Tool httpwwwsnophyqueensuca~philexiftool

EXIF Viewer Plugin httpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

httpIrongeekcom

Strings

FOCA (use compatibility mode if needed)

httpwwwinformatica64comDownloadFOCA

Metagoofil httpwwwedge-securitycommetagoofilphp

EXIF Tool httpwwwsnophyqueensuca~philexiftool

EXIF Viewer Plugin httpsaddonsmozillaorgen-USfirefoxaddon3905

Jeffreys Exif Viewer httpregexinfoexifcgi

httpIrongeekcom

EXIF Reader httpwwwtakenetorjp~ryuujiminisoftexifreadenglish

Flickramio httpuserscriptsorgscriptsshow27101

Creepy httpilektrojohngithubcomcreepy

Pauldotcom httpwwwgooglecomsearchhl=enampq=metadata+site3ApauldotcomcomampbtnG=Search

httpIrongeekcom

Stuff that does not quite fit anywhere else

httpIrongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

httpIrongeekcom

httpwwwirongeekcomiphppage=securityhow-to-cyberstalk-potential-employers

Also let us not forget HTTP headers

HTTP11 200 OK

Content-Type textjavascript charset=UTF-8

Cache-Control no-cache no-store max-age=0 must-

revalidate

Pragma no-cache

Expires Fri 01 Jan 1990 000000 GMT

Date Wed 18 May 2011 153403 GMT

Content-Encoding gzip

X-Content-Type-Options nosniff

X-Frame-Options SAMEORIGIN

X-XSS-Protection 1 mode=block

Content-Length 1269

Server GSE

LiveHeaders Plugin

httpwwwshodanhqcom

httpspanopticlickefforg

httpIrongeekcom

User-agent

Disallow private

Disallow secret

httpwwwirongeekcomrobotstxt

httpIrongeekcom

httpwwwirongeekcomiphppage=securityigigle-wigle-wifi-to-google-earth-client-for-wardrive-mapping

httpIrongeekcom

httpsamyplandroidmap

httpIrongeekcom

OSInt Cyberstalking Footprinting and Recon Getting to know you httpwwwirongeekcomiphppage=videososint-cyberstalking-footprinting-recon

Links for Doxing Personal OSInt Profiling Footprinting Cyberstalking httpwwwirongeekcomiphppage=securitydoxing-footprinting-cyberstalking

PTES Technical Guidelines httpwwwpentest-standardorgindexphpPTES_Technical_Guidelines

VulnerabilityAssessmentcouk - An information portal for Vulnerability Analysts and Penetration Testers httpwwwvulnerabilityassessmentcoukPenetration20Testhtml

httpIrongeekcom

Social Zombies - Kevin Johnson and Tom Eston httpwwwyoutubecomwatchv=l79q2G3E8HY httpwwwyoutubecomview_play_listp=C591646E9B0CF33B httpvimeocom18827316

Satan is on my Friends List - Shawn Moyer and Nathan Hamiel httpwwwyoutubecomwatchv=asj8yzXihcc

Using Social Networks To Profile Find and 0wn Your Victims - Dave Marcus httpwwwirongeekcomiphppage=videosdojocon-2010-videosUsing20Social20Networks20To20Profile20Find20and200wn20Your20Victims

httpIrongeekcom

Derbycon Sept 27th-30th 2012

httpwwwderbyconcom

Others httpwwwlouisvilleinfoseccom

httpskydogconcom

httphack3rconorg

httpouterz0neorg

httpphreaknicinfo

httpnotaconorg

Ph

oto

Cre

dits to

KC

(d

eva

uto

) Derb

yco

n A

rt Cre

dits

to D

igiP

httpIrongeekcom

42

Twitter Irongeek_ADC