The Pushpin Tool – Incorporating Geolocation Info Leakage via Social Networks in Your Pen Tests

[Here’s a fun and useful one: Monseigneur John Strand announces the release of his Pushpin tool that helps penetration testers and ethical hackers leverage geolocation information from social networking sites in their work.  As a bonus, John provides some tips for how you can incorporate it into your pen test regimen as you search for info leakage from a target organization.  Even outside of your pen tests, you may want to download pushpin just for a fun.  It’s dead simple to use.  I spent an hour with it the other day looking through public photos and videos nearby some of my favorite target organizations. It was a hoot.  –Ed.]

By John Strand

One of the better aspects of penetration testing is tying together a variety of different attack vectors to make something beautiful and unique. For example, doing some research on a target and tailoring a custom spear-phish attack for them is one of our favorite testing activities.

On our recent penetration tests, we have been trying to demonstrate the risk of geolocation tied with social networking. This topic is brought up in late-night conversations and secret penetration testing cabals, but very rarely is it used in actual tests today. There has been significant work in this area by Kevin Johnson, Larry Pesce and Ben Jackson, and we wanted to extend this research.

To that end, we are releasing To run pushpin, you specify a latitude and longitude and a radius in kilometers.  Pushpin provides all of the tweets, YouTube videos, and Flicker pictures posted from locations within that radius.

How can this be useful in a penetration test? What you can do is first create a list of users and possible email addresses from a target organization. This can be done using tools and techniques such as Maltego, Google hacking, Jigsaw, or LinkedIn. Next, take each of the accounts and users that were discovered and see if they have accounts with Twitter, YouTube, or Flicker. You would be shocked to discover just how many people associate their work email with their social media account names. Once you have identified the accounts that are being used, you can next use pushpin to see if they have posted pictures, videos, or tweets in the area near their place of employment or any place you specify.

Odds are, they have.

Next, start harvesting in that area and searching the output for your target accounts. This gives you a very good idea of the places they visit, and in some situations you can even get a few pictures or a video of the inside of their offices.  Look carefully at those photos and videos for tips and information that could really light up a report with some pretty interesting findings.

We currently are looking for some people to help extend the tool and incorporate additional sites and geolocation data. Please see the source code of the tool for more info.

Once again, you can download pushpin  here.


By the way, I’ll be teaching SANS Security 504: Hacker Techniques, Exploits, and Incident Handling next month at the SANS Cyber Defense Initiative conference in Washington DC from December 9-14, 2011.  If you can’t make it to DC in December, I’ll also be teaching 504 via SANS vLive across the Internet starting November 28.

How Attackers Exploit Modern, Secure Wireless LANs

[Editor’s note: For today’s blog installment, you’ve simply GOT to check out this fantastic webcast from Josh Wright about modern wireless attacks.  Bad guys are going beyond undermining just WEP and even WPA, and are branching out into all kinds of Wireless LAN attacks against WPA2 and more.  In this presentation, Josh covers the tools and techniques details that every penetration tester, ethical hacker, and incident handler needs to know.  Even if you don’t have time to listen to the audio at the link below (shame on you! :), at least do yourself a favor and check out the slides.  Good stuff!  –Ed.]

By Joshua Wright

Two weeks ago I had a chance to deliver a presentation via webcast to a great audience.  I spoke on the topic of modern WiFi attacks, how the industry has moved away from WEP to more secure technologies, and how attackers have similarly migrated WiFi attacks, not against infrastructure devices so much, but against wireless clients.

You can download the slides  here, or watch the recorded webcast here.

–Josh Wright

By the way, if you are interested in these kinds of attacks and their defenses, you should definitely check out my SANS 617 course on Wireless Ethical Hacking, Penetration Testing, and Defenses.  It’s offered via the SANS OnDemand system, so you can follow along at your own pace across the Internet, without travel expenses!  Sign up by November 23, 2011 for 617 OnDemand, and get a free 11″ MacBook Air!