[Here’s a fun and useful one: Monseigneur John Strand announces the release of his Pushpin tool that helps penetration testers and ethical hackers leverage geolocation information from social networking sites in their work. As a bonus, John provides some tips for how you can incorporate it into your pen test regimen as you search for info leakage from a target organization. Even outside of your pen tests, you may want to download pushpin just for a fun. It’s dead simple to use. I spent an hour with it the other day looking through public photos and videos nearby some of my favorite target organizations. It was a hoot. –Ed.]
By John Strand
One of the better aspects of penetration testing is tying together a variety of different attack vectors to make something beautiful and unique. For example, doing some research on a target and tailoring a custom spear-phish attack for them is one of our favorite testing activities.
On our recent penetration tests, we have been trying to demonstrate the risk of geolocation tied with social networking. This topic is brought up in late-night conversations and secret penetration testing cabals, but very rarely is it used in actual tests today. There has been significant work in this area by Kevin Johnson, Larry Pesce and Ben Jackson, and we wanted to extend this research.
To that end, we are releasing pushpin.py. To run pushpin, you specify a latitude and longitude and a radius in kilometers. Pushpin provides all of the tweets, YouTube videos, and Flicker pictures posted from locations within that radius.
How can this be useful in a penetration test? What you can do is first create a list of users and possible email addresses from a target organization. This can be done using tools and techniques such as Maltego, Google hacking, Jigsaw, or LinkedIn. Next, take each of the accounts and users that were discovered and see if they have accounts with Twitter, YouTube, or Flicker. You would be shocked to discover just how many people associate their work email with their social media account names. Once you have identified the accounts that are being used, you can next use pushpin to see if they have posted pictures, videos, or tweets in the area near their place of employment or any place you specify.
Odds are, they have.
Next, start harvesting in that area and searching the output for your target accounts. This gives you a very good idea of the places they visit, and in some situations you can even get a few pictures or a video of the inside of their offices. Look carefully at those photos and videos for tips and information that could really light up a report with some pretty interesting findings.
We currently are looking for some people to help extend the tool and incorporate additional sites and geolocation data. Please see the source code of the tool for more info.
Once again, you can download pushpin here.
By the way, I’ll be teaching SANS Security 504: Hacker Techniques, Exploits, and Incident Handling next month at the SANS Cyber Defense Initiative conference in Washington DC from December 9-14, 2011. If you can’t make it to DC in December, I’ll also be teaching 504 via SANS vLive across the Internet starting November 28.