THM - Advent of Cyber [Day 15 & 16]
Day 15
Today’s task is a break that covers what kinds of security roles are available, which actually works out perfectly for me, considering that last night I ended up working late and couldn’t get to posting a write-up anyway. Unfortunately I also lost my streak, so that sucks.
Looking at all the roles, the ones I was most interested in are the Penetration Tester and Red Teamer, but Incident Responder also looked interesting. I think, though, that there might be more pressure on an Incident Responder.
Day 16
This task deals with OSINT, or Open Source Intelligence: publicly available information that we can leverage against the Grinch in our Advent of Cyber story. We actually did some of this a while back in one of the tasks built by John Hammond, where we looked at PowerShell logs. The task goes on to tell us that there are two broad sources of information in OSINT, the clear web and the dark web. The clear web is the set of well-known, openly indexed sites such as Facebook, Twitter, and GitHub. The dark web is reached through overlay networks rather than a normal browser: Tor (usually via the Tor Browser), Freenet (peer-to-peer, censorship-resistant publishing), I2P (an anonymous networking layer), IPFS (the InterPlanetary File System, a peer-to-peer file system), and ZeroNet (peer-to-peer web hosting). Note that these are separate networks; the Tor Browser reaches Tor onion services, not the others. This room, and I’d argue most OSINT, is done through the clear web, simply because far more people, and therefore far more data, are on it.
Two OSINT Models
The task shows two OSINT methodologies. The first is the RIS-OSINT data-information model: raw data is gathered and refined into information, information is analysed into intelligence, and intelligence supports a decision that produces a change.
The other model, the RIS-OSINT Roller Coaster, revolves around answering the client’s question and is quite fluid. The table below lists its phases, what each one asks, and an example of what that phase might produce.
RIS Phase | Definition | Example |
---|---|---|
Client | What is the question/objective? | |
Source | What is available on the objective? | Email servers |
Monitoring | What is happening with the objective? | Email has been inactive |
Selecting/Finding | Where is the objective? How can we find the objective? | Leaked database |
Indexing | How is the objective retrievable? | ID information from email |
Synthesis | How can we combine this with other findings? | ID information from email |
Dissemination | How can you action/qualify this objective? | Report/Plan |
Account Discovery & Analysis
This is the process of looking at public accounts to find a target, on sites like Reddit, Twitter, Instagram, etc.
Objective | Purpose |
---|---|
ID real names or personas | Sometimes people make anonymous personas to hide behind. Depending on the initial information, we could be looking for multiple accounts. The end objective is to ID further information and accounts that our target owns. |
ID email | Less common to find openly, but still possible, and it can lead to a real name or link to a persona. |
Locate linked accounts | Targets will often link other public accounts, leading to further information or their real name/persona. |
History | Importance varies depending on the end goal. |
Information from posts | Continuing from the history of posts, you can obtain various information from posts: location, other accounts, real names, interests, etc. |
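The first objective in that table, checking whether a username exists across several platforms, is easy to get wrong: some sites answer a missing profile with a 404, but others return 200 with a “not found” page, so a status-code-only check produces false positives. The example below is added here and is not code from the TryHackMe room; the site list, the “not found” markers and the canned responses are constructed assumptions for an offline demonstration, and a real engagement would re-validate each rule against a known-existing and a known-missing username first. The fetcher is injected so the same logic runs against live HTTP or the fake responses.

```python
"""Account discovery across platforms with per-site "not found" rules.

Added example, not code from the room. Rules and responses are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SiteRule:
    name: str
    url_template: str          # "{u}" is replaced with the username
    missing_status: int = 404  # status that means "no such user"
    missing_marker: str = ""   # body text that means "no such user" even on 200


# Assumed rules: the markers are illustrative, not verified strings.
SITES: List[SiteRule] = [
    SiteRule("github", "https://github.com/{u}"),
    SiteRule("reddit", "https://www.reddit.com/user/{u}", missing_marker="page not found"),
    SiteRule("twitter", "https://twitter.com/{u}", missing_marker="doesn't exist"),
]

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body)


def profile_exists(rule: SiteRule, username: str, fetch: Fetcher) -> bool:
    """True only if the status is 200 AND the body lacks the site's 'missing' marker."""
    status, body = fetch(rule.url_template.format(u=username))
    if status == rule.missing_status:
        return False
    if rule.missing_marker and rule.missing_marker.lower() in body.lower():
        return False  # soft 404: page rendered, but it says the user is not there
    return status == 200


def discover(username: str, fetch: Fetcher, sites: List[SiteRule] = SITES) -> Dict[str, str]:
    """Return {site name: profile URL} for every site where the username exists."""
    return {
        rule.name: rule.url_template.format(u=username)
        for rule in sites
        if profile_exists(rule, username, fetch)
    }


def live_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real HTTP fetcher for use on an engagement (not used in the offline demo)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 404 etc. still carry a useful body
        return err.code, err.read().decode("utf-8", "replace")


# Constructed offline responses standing in for live HTTP.
FAKE_RESPONSES = {
    "https://github.com/grinch": (200, "<html>grinch - Overview</html>"),
    "https://github.com/nobody-here": (404, "Not Found"),
    "https://www.reddit.com/user/grinch": (200, "<html>u/grinch</html>"),
    "https://www.reddit.com/user/nobody-here": (200, "<html>Sorry, page not found</html>"),
    "https://twitter.com/grinch": (200, "<html>grinch (@grinch)</html>"),
    "https://twitter.com/nobody-here": (200, "<html>This account doesn't exist</html>"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for name in ("grinch", "nobody-here"):
        print(name, discover(name, fake_fetch))
```

Swap `fake_fetch` for `live_fetch` to run it for real; the point of the design is that the detection rules, not the transport, are what need maintaining, and that a soft 404 (Reddit and Twitter in the constructed data) is treated as “not found” rather than as a hit.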
Google Dorking
Google can be an invaluable tool when gathering OSINT. We can perform targeted searches by using specific operator syntax in the query; this is known as Google Dorking.
Term | Purpose | Example |
---|---|---|
site | Restricts results to the named domain (subdomains included). | site:www.google.com |
filetype | Restricts results to documents of the given type. | filetype:pdf |
link | Was meant to list pages that link to the given URL; Google retired this operator, so it no longer returns reliable results. | link:keyword |
inurl | Returns pages whose URL contains the keyword. | inurl:keyword |
before/after | Restricts results to a date range; the after: date must be the earlier one. | after:2001-01-01 before:2001-12-31 |
OSINT & The Blockchain
The advent of blockchain technology brought complete transparency of transactions coupled with pseudonymity: we can see what addresses are doing without knowing who controls them. The methodology can stay the same, because the goal is still to link activity back to a traditional persona. This will ultimately change over time as blockchain technology and decentralisation evolve.
Unique Software Features
It should be noted that each social media site, software product, and platform has its own quirks and features that can be more or less useful when doing OSINT. For instance, GitHub exposes the full commit history of a branch, and every commit carries the author’s name and email address.
The Task
The task is pretty straightforward. It involves translating the initial text that we have and going from there. HINT: it’s the language of a country that has a lot of ransomware actors. Then we can do some Google searches, along with looking at certain sites’ special features, to get the last couple of questions.