Hunting Cyber Criminals: A Hacker's Guide to Online Intelligence Gathering Tools and Techniques
The skills and tools for collecting, verifying and correlating information from different types of systems are essential when tracking down hackers. This book explores Open Source Intelligence Gathering (OSINT) inside out from multiple perspectives, including those of hackers and seasoned in...
Field | Value |
---|---|
Main Author | |
Format | eBook |
Language | English |
Published | Newark: John Wiley & Sons, Incorporated, 2020 (Wiley-Blackwell) |
Edition | 1 |
Subjects | |
ISBN | 9781119540922 1119540925 |
Table of Contents:
- Cover -- Title Page -- Copyright -- About the Author -- About the Technical Editor -- Acknowledgments -- Contents at a Glance -- Contents -- Prologue
- Chapter 1 Getting Started -- Why This Book Is Different -- What You Will and Won't Find in This Book -- Getting to Know Your Fellow Experts -- A Note on Cryptocurrencies -- What You Need to Know -- Paid Tools and Historical Data -- What about Maltego? -- Prerequisites -- Know How to Use and Configure Linux -- Get Your API Keys in Order -- Important Resources -- OSINT Framework -- OSINT.link -- IntelTechniques -- Termbin -- Hunchly -- Wordlists and Generators -- SecLists -- Cewl -- Crunch -- Proxies -- Storm Proxies (Auto-Rotating) -- Cryptocurrencies 101 -- How Do Cryptocurrencies Work? -- Blockchain Explorers -- Following the Money -- Identifying Exchanges and Traders -- Summary
- Chapter 2 Investigations and Threat Actors -- The Path of an Investigator -- Go Big or Go Home -- The Breach That Never Happened -- What Would You Do? -- Moral Gray Areas -- Different Investigative Paths -- Investigating Cyber Criminals -- The Beginning of the Hunt (for TDO) -- The Dark Overlord -- List of Victims -- A Brief Overview -- Communication Style -- Group Structure and Members -- Cyper -- Arnie -- Cr00k (Ping) -- NSA (Peace of Mind) -- The Dark Overlord -- Summary
- Part I Network Exploration
- Chapter 3 Manual Network Exploration -- Chapter Targets: Pepsi.com and Cyper.org -- Asset Discovery -- ARIN Search -- Search Engine Dorks -- DNSDumpster -- Hacker Target -- Shodan -- Censys (Subdomain Finder) -- Censys Subdomain Finder -- Fierce -- Sublist3r -- Enumall -- Results -- Phishing Domains and Typosquatting -- Summary
- Chapter 4 Looking for Network Activity (Advanced NMAP Techniques) -- Getting Started -- Preparing a List of Active Hosts -- Full Port Scans using Different Scan Types -- TCP Window Scan -- Working against Firewalls and IDS -- Using Reason Response -- Identifying Live Servers -- Firewall Evasion -- Distributed Scanning with Proxies and TOR -- Fragmented Packets/MTU -- Service Detection Trick -- Low and Slow -- Bad Checksums, Decoy, and Random Data -- Firewalking -- Comparing Results -- Styling NMAP Reports -- Summary
- Chapter 5 Automated Tools for Network Discovery -- SpiderFoot -- SpiderFoot HX (Premium) -- Intrigue.io -- Entities Tab -- Analyzing uberpeople.net -- Analyzing the Results -- Exporting Your Results -- Recon-NG -- Searching for Modules -- Using Modules -- Looking for Ports with Shodan -- Summary
- Part II Web Exploration
- Chapter 6 Website Information Gathering -- BuiltWith -- Finding Common Sites Using Google Analytics Tracker -- IP History and Related Sites -- Webapp Information Gatherer (WIG) -- CMSMap -- Running a Single Site Scan -- Scanning Multiple Sites in Batch Mode -- Detecting Vulnerabilities -- WPScan -- Dealing with WAFs/WordPress Not Detected -- Summary
- Chapter 7 Directory Hunting -- Dirhunt -- Wfuzz -- Photon -- Crawling a Website -- Intrigue.io -- Summary
- Chapter 8 Search Engine Dorks -- Essential Search Dorks -- The Minus Sign -- Using Quotes -- The site: Operator -- The intitle: Operator -- The allintitle: Operator -- The filetype: Operator -- The inurl: Operator -- The cache: Operator -- The allinurl: Operator -- The filename: Operator -- The intext: Operator -- The Power of the Dork -- Don't Forget about Bing and Yahoo! -- Automated Dorking Tools -- Inurlbr -- Using Inurlbr -- Summary
- Chapter 9 WHOIS -- WHOIS -- Uses for WHOIS Data -- Historical WHOIS -- Searching for Similar Domains -- Namedroppers.com -- Searching for Multiple Keywords -- Advanced Searches -- Looking for Threat Actors -- Whoisology -- Advanced Domain Searching -- Worth the Money? Absolutely -- DomainTools -- Domain Search -- Bulk WHOIS -- Reverse IP Lookup -- WHOIS Records on Steroids -- WHOIS History -- The Power of Screenshots -- Digging into WHOIS History -- Looking for Changes in Ownership -- Reverse WHOIS -- Cross-Checking All Information -- Summary
- Chapter 10 Certificate Transparency and Internet Archives -- Certificate Transparency -- What Does Any of This Have to Do with Digital Investigations? -- Scouting with CTFR -- Crt.sh -- CT in Action: Side-stepping Cloudflare -- Testing More Targets -- CloudFlair (Script) and Censys -- How Does It Work? -- Wayback Machine and Search Engine Archives -- Search Engine Caches -- CachedView.com -- Wayback Machine Scraper -- Enum Wayback -- Scraping Wayback with Photon -- Archive.org Site Search URLs -- Wayback Site Digest: A List of Every Site URL Cached by Wayback -- Summary
- Chapter 11 Iris by DomainTools -- The Basics of Iris -- Guided Pivots -- Configuring Your Settings -- Historical Search Setting -- Pivootttt!!! -- Pivoting on SSL Certificate Hashes -- Keeping Notes -- WHOIS History -- Screenshot History -- Hosting History -- Bringing It All Together -- A Major Find -- Summary
- Part III Digging for Gold
- Chapter 12 Document Metadata -- Exiftool -- Metagoofil -- Recon-NG Metadata Modules -- Metacrawler -- Interesting_Files Module -- Pushpin Geolocation Modules -- Intrigue.io -- FOCA -- Starting a Project -- Extracting Metadata -- Summary
- Chapter 13 Interesting Places to Look -- TheHarvester -- Running a Scan -- Paste Sites -- Psbdmp.ws -- Forums -- Investigating Forum History (and TDO) -- Following Breadcrumbs -- Tracing Cyper's Identity -- Code Repositories -- SearchCode.com -- Searching for Code -- False Negatives -- Gitrob -- Git Commit Logs -- Wiki Sites -- Wikipedia -- Summary
- Chapter 14 Publicly Accessible Data Storage -- The Exactis Leak and Shodan -- Data Attribution -- Shodan's Command-Line Options -- Querying Historical Data -- CloudStorageFinder -- Amazon S3 -- Digital Ocean Spaces -- NoSQL Databases -- MongoDB -- Robot 3T -- Mongo Command-Line Tools -- Elasticsearch -- Querying Elasticsearch -- Dumping Elasticsearch Data -- NoScrape -- MongoDB -- Elasticsearch -- Scan -- Search -- Dump -- MatchDump -- Cassandra -- Amazon S3 -- Using Your Own S3 Credentials -- Summary
- Part IV People Hunting
- Chapter 15 Researching People, Images, and Locations -- PIPL -- Searching for People -- Public Records and Background Checks -- Ancestry.com -- Threat Actors Have Dads, Too -- Criminal Record Searches -- Image Searching -- Google Images -- Searching for Gold -- Following the Trail -- TinEye -- EagleEye -- Searching for Images -- Cree.py and Geolocation -- Getting Started -- IP Address Tracking -- Summary
- Chapter 16 Searching Social Media -- OSINT.rest -- Another Test Subject -- Twitter -- SocialLinks: For Maltego Users -- Skiptracer -- Running a Search -- Searching for an Email Address -- Searching for a Phone Number -- Searching Usernames -- One More Username Search -- Userrecon -- Reddit Investigator -- A Critical "Peace" of the TDO Investigation -- Summary
- Chapter 17 Profile Tracking and Password Reset Clues -- Where to Start (with TDO)? -- Building a Profile Matrix -- Starting a Search with Forums -- Ban Lists -- Social Engineering -- SE'ing Threat Actors: The "Argon" Story -- Everyone Gets SE'd: A Lesson Learned -- The End of TDO and the KickAss Forum -- Using Password Reset Clues -- Starting Your Verification Sheet -- Gmail -- Facebook -- PayPal -- Twitter -- Microsoft -- Instagram -- Using jQuery Website Responses -- ICQ -- Summary
- Chapter 18 Passwords, Dumps, and Data Viper -- Using Passwords -- Completing F3ttywap's Profile Matrix -- An Important Wrong Turn -- Acquiring Your Data -- Data Quality and Collections 1-5 -- Where to Find Quality Data -- Data Viper -- Forums: The Missing Link -- Identifying the Real "Cr00k" -- Tracking Cr00k's Forum Movements -- Timeline Analysis -- The Eureka Moment -- Vanity over OPSEC, Every Time -- Why This Connection Is Significant -- Starting Small: Data Viper 1.0 -- Summary
- Chapter 19 Interacting with Threat Actors -- Drawing Them Out of the Shadows -- Who Is WhitePacket? -- The Bev Robb Connection -- Stradinatras -- Obfuscation and TDO -- Who Is Bill? -- So Who Exactly Is Bill? -- YoungBugsThug -- How Did I Know It Was Chris? -- A Connection to Mirai Botnet? -- Why Was This Discovery So Earth-Shattering? -- Question Everything! -- Establishing a Flow of Information -- Leveraging Hacker Drama -- Was Any of That Real? -- Looking for Other Clues -- Bringing It Back to TDO -- Resolving One Final Question -- Withdrawing Bitcoin -- Summary
- Chapter 20 Cutting through the Disinformation of a 10-Million-Dollar Hack -- GnosticPlayers -- Sites Hacked by GnosticPlayers -- Gnostic's Hacking Techniques -- GnosticPlayers' Posts -- GnosticPlayers2 Emerges -- A Mysterious Third Member -- NSFW/Photon -- The Gloves Come Off -- Making Contact -- Gabriel/Bildstein aka Kuroi'sh -- Contacting His Friends -- Weeding through Disinformation -- Verifying with Wayback -- Bringing It All Together -- Data Viper -- Trust but Verify -- Domain Tools' Iris -- Verifying with a Second Data Source -- The End of the Line -- What Really Happened? -- Outofreach -- Kuroi'sh Magically Appears -- What I Learned from Watching Lost -- Who Hacked GateHub? -- Unraveling the Lie -- Was Gabriel Involved? My Theory -- Gabriel is Nclay: An Alternate Theory -- All Roads Lead Back to NSFW -- Summary
- Epilogue -- Index -- EULA