Using XKEYSCORE to Enable TAO
Booz Allen Hamilton SIDS Analyst
16 July
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Purpose
- Show S2 how to use XKS to enable TAO operations.
- The material covers some of the more common searches in XKS, and shows you how to retrieve valuable SIGINT data that TAO finds useful to exploit a target.
- It's NOT designed to teach you about TAO (there are many other briefings for that).

Agenda
- What TAO needs from S2
- TELNET Sessions in XKS
- Identifying Browsers
- Web Forum Logins & Passwords
- Webmail Logins & Passwords

What TAO needs from S2

What does TAO need?
- Network Information
  - Logins and Passwords
  - Router configuration information
- Software Information
  - Browser
  - Version Numbers
  - Operating Systems
- NOTE: If the target device is under a satellite hop, please consult your TAO Liaison on how to proceed.

How do we get at it?
- Network Information
  - We target TELNET, FTP, etc. for logins and passwords
    - Use a LOGIN and PASSWORD QUERY; ports of interest (21, 23, 110, 69, etc.)
  - WEBMAIL logins and passwords
    - Use a LOGIN and PASSWORD QUERY; ports of interest (80, 3000, 8080)
  - DO NOT use the login/password you find to log in as your target in Airgap. Ever. Just record them and pass to TAO.
  - Router configuration information
    - Use "Full Log DNI query" FROM port 23 and "From" IP of interest
- Software Information
  - Browsers
    - Use HTTP Activity Query; results are in the "browser" field
  - Servers
    - Use HTTP Activity; HTTP "Response" traffic contains web server information
  - Operating Systems or Version Numbers
    - Using FULL LOG DNI we can do "Banner Grabbing"
on content FROM port 23 and FROM the target's IP address

TELNET Sessions in XKS

Understanding Telnet
- An administrator attempts to reach a remote host using Telnet:
  1. From Port 3434 To Port 23: "Telnet 202-"
  2. From Port 23 To Port 3434: "Welcome to router, Apache 2.0 - Please enter Login & Password"
  3. From Port 3434 To Port 23: "Username: Admin / Password: Admin"
  4. From Port 23 To Port 3434: "Here's your router configuration information"
- Let's make a query and target this traffic!

Banner Grabbing
- Search: Full Log
- Query Name: mail server
- Justification / Additional Justification / Miranda Number
- Datetime: 1 week (Start / Stop)
- IP Address: populate with the IP you're trying to gain access to (the mail server IP)
- From Port: 23
[Screenshot: Full Log result on port 23 (app_id=terminal/telnet/from_server, ASCII formatter), Saudi Arabia to Lebanon. The login banner is the Cisco SDM default-credential notice: "Cisco Router and Security Device Manager (SDM) is installed on this device. This feature requires the one-time use of the username "cisco" with the password "cisco". The default username and password have a privilege level of 15. Please change these publicly known initial credentials using SDM or the IOS CLI. Here are the Cisco IOS commands: username <myuser> privilege 15 secret <mypassword> / no username cisco. Replace <myuser> and <mypassword> with the username and password you want to use. For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm", followed by a "Username:" prompt.]

Banner Grabbing (another example)
- From Port 23 To Port 3434: "Welcome to XYZ router, Apache 2.0 - Please enter Login & Password"
[Screenshot: Full Log result on port 23 between China and Cuba (app_id=terminal/telnet/from_server, ASCII formatter). The banner reads "Integrated Device ... Copyright, Huawei Technology Co., Ltd." and ends with a "User name (2:15 chars):" prompt.]
[Screenshot: Full Log result on port 23 between China and Cuba. The banner reads "Welcome to ZTE Full Service Access Platform ... Press Return to get started ... Copyright, ZTE ... Login:".]

Banner Grabbing (another example)
[Screenshot: Full Log result on TCP port 23, Cuba to China (app_id=terminal/telnet/from_server). The banner reads "Copyright(c) Huawei Technologies Co., Ltd. All rights reserved. Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed. Login authentication ... Username:".]
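The Telnet walkthrough and the banner examples above describe exactly what a network defender wants to detect in their own captures: a device that announces its vendor (or, as with the SDM banner, its default credentials) and an administrator logging in over cleartext. The following is an added example, not part of the original briefing and not an XKEYSCORE feature. It reconstructs a port-23 session from packet tuples, pairs each server prompt with the client's reply, identifies the vendor from the banner using patterns taken from the banners shown above (Cisco, Huawei, ZTE), and flags cleartext credentials without ever storing the password value. The packet tuples, IP addresses and the `analyse_session` / `alert_reasons` names are constructed for this example.

```python
"""Defender-side analysis of a captured Telnet exchange (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Packet = Tuple[str, int, str, int, bytes]  # (src_ip, src_port, dst_ip, dst_port, payload)

# Constructed sample: an admin host (port 3434) logging into a router (port 23),
# mirroring the four-step walkthrough in the briefing.
SAMPLE_SESSION: List[Packet] = [
    ("10.0.0.5", 3434, "10.0.0.1", 23, b"\xff\xfb\x18"),  # Telnet option negotiation
    ("10.0.0.1", 23, "10.0.0.5", 3434,
     b"Welcome to router, Apache 2.0 - Please enter Login & Password\r\nUsername: "),
    ("10.0.0.5", 3434, "10.0.0.1", 23, b"Admin\r\n"),
    ("10.0.0.1", 23, "10.0.0.5", 3434, b"Password: "),
    ("10.0.0.5", 3434, "10.0.0.1", 23, b"Admin\r\n"),
    ("10.0.0.1", 23, "10.0.0.5", 3434, b"Here's your router configuration information\r\n"),
]

# Constructed sample built from the Cisco SDM banner quoted in the briefing.
SAMPLE_SDM_SESSION: List[Packet] = [
    ("10.0.0.9", 40001, "10.0.0.2", 23, b"\xff\xfd\x01"),
    ("10.0.0.2", 23, "10.0.0.9", 40001,
     b"Cisco Router and Security Device Manager (SDM) is installed on this device.\r\n"
     b"This feature requires the one-time use of the username \"cisco\" with the "
     b"password \"cisco\".\r\nUsername: "),
]

IAC_COMMAND = re.compile(rb"\xff[\xfb-\xfe].")  # IAC WILL/WONT/DO/DONT <option>
USER_PROMPT = re.compile(r"(user ?name|login)\s*:\s*$", re.I)
PASS_PROMPT = re.compile(r"password\s*:\s*$", re.I)
DEFAULT_CRED = re.compile(r'username "(\w+)" with the password "(\w+)"', re.I)
VENDOR_PATTERNS = [  # assumed patterns, derived from the banners in the slides
    ("cisco", re.compile(r"Cisco (Router|IOS)", re.I)),
    ("huawei", re.compile(r"Huawei Technolog", re.I)),
    ("zte", re.compile(r"\bZTE\b")),
]


@dataclass
class TelnetFinding:
    server_ip: Optional[str]
    vendor: Optional[str]
    username: Optional[str]
    password_seen: bool            # the password value itself is never stored
    default_creds_advertised: bool
    banner: str


def analyse_session(packets: Iterable[Packet]) -> TelnetFinding:
    """Walk the packets in order and pair each server prompt with the client's reply."""
    server_ip = None
    server_text: List[str] = []
    client_buf = ""
    pending: Optional[str] = None  # "user" or "pass", set by the last server prompt
    username: Optional[str] = None
    password_seen = False
    for src, sport, dst, dport, payload in packets:
        text = IAC_COMMAND.sub(b"", payload).decode("latin-1")
        if sport == 23:            # server -> client: banner and prompts
            server_ip = src
            server_text.append(text)
            stripped = text.rstrip()
            if USER_PROMPT.search(stripped):
                pending = "user"
            elif PASS_PROMPT.search(stripped):
                pending = "pass"
        elif dport == 23:          # client -> server: typed lines
            client_buf += text
            while "\n" in client_buf:
                line, _, client_buf = client_buf.partition("\n")
                line = line.strip()
                if pending == "user" and line:
                    username = line
                elif pending == "pass" and line:
                    password_seen = True
                pending = None
    banner = "".join(server_text)
    vendor = next((name for name, pat in VENDOR_PATTERNS if pat.search(banner)), None)
    return TelnetFinding(server_ip, vendor, username, password_seen,
                         bool(DEFAULT_CRED.search(banner)), banner)


def alert_reasons(finding: TelnetFinding) -> List[str]:
    """Why a defender should care about this session."""
    reasons = []
    if finding.username is not None:
        reasons.append("cleartext Telnet login observed (user %r)" % finding.username)
    if finding.password_seen:
        reasons.append("password transmitted in cleartext")
    if finding.default_creds_advertised:
        reasons.append("device banner advertises default credentials")
    if finding.vendor:
        reasons.append("device vendor identifiable from banner: " + finding.vendor)
    return reasons


if __name__ == "__main__":
    for session in (SAMPLE_SESSION, SAMPLE_SDM_SESSION):
        for reason in alert_reasons(analyse_session(session)):
            print("ALERT:", reason)
```

The prompt/reply pairing is deliberately stateful: a "Username:" prompt arms the next client line as the username, a "Password:" prompt arms it as a password, and the password branch records only that a password was typed. Option-negotiation bytes (IAC sequences) are stripped before matching so they cannot split a prompt.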
Help me understand Telnet
- The administrator's Telnet session again: "Telnet 202-" from port 3434 to port 23, the "Welcome to router, Apache 2.0 - Please enter Login & Password" banner back from port 23, then "Username: Admin / Password: Admin" from port 3434 to port 23, and finally "Here's your router configuration information" from port 23. Let's make a query and target the username/password traffic!

Telnet Logins and Passwords
- Search: Logins and Passwords
- Query Name: [...] telnet admin
- Justification / Additional Justification / Miranda Number
- Datetime: 1 Day (Start / Stop)
- IP Address: the router's IP address
- To Port: 23
[Screenshot: Logins and Passwords result (app_id=terminal/telnet/to_server), Yemen to China, showing the "Username: Admin / Password: Admin" exchange from port 3434 to port 23, with the Session Header, Meta and Quick Clicks panels.]

Help me understand Telnet
- Same session; this time let's make a query and target the "Here's your router configuration information" traffic from port 23 to port 3434!

Router Config
Router Config query
- Search: Full Log
- Query Name: iranian telnet traffic
- Justification / Additional Justification / Miranda Number
- Datetime: Custom (Start / Stop)
- IP Address: from your target's IP
- From Port: 23
- Data Length: Greater than 500 bytes
[Screenshot: Full Log result (app_id=terminal/telnet/from_server) containing a Cisco IOS running configuration: interface Ethernet0 / Serial0 / Serial1 ... sections with "no ip address", "shutdown", "clock rate ...", "no fair-queue", and "interface Serial1:15 / ip unnumbered FastEthernet / encapsulation ... / isdn switch-type primary-net5".]
- "Thanks for the router config" - TAO
- Many times it will contain Access Control Lists (ACLs), VERY important pieces of intel. Copy/Paste out the full config.

Identifying Browsers

Identifying Browsers: Why?
- TAO can exploit the browsers that lack strong security

Client (Browser) pull
- This query targets foreign-based targets visiting known Jihadi web forums to learn about what browsers they use.
- Search: HTTP Activity
- Query Name: web forum browsers
- Justification: targets visiting known jihadi web forums
- Additional Justification / Miranda Number
- Datetime: Custom (Start / Stop)
- HTTP Type: get
- Host: *hanein.info or *ansar1.net or *ansarnet.info (populate with the URL Field Builder)
- Country: Foreign
[Screenshot: HTTP Activity results table (columns Type, From Country, Host, Browser). Rows are GET requests to hanein.info from several countries; the Browser column holds user-agent strings, mostly Mozilla/4.0 (compatible; MSIE 6.0/7.0; Windows NT 5.1; .NET CLR ...), plus a Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_...) AppleWebKit ... Version/3.2 Safari entry.]
- This displays the From Country (where the target is located), their IP, the website they visited, AND their browser.

Using HTTP Activity to find Browsers
- Here's another example where we targeted the people visiting *.gov.ir. Which browser are we seeing?
[Screenshot: HTTP Activity results for hosts under gov.ir (e.g. mine.mim.gov.ir, women.mim.gov.ir, intl.mim.gov.ir, mpo.gov.ir). Almost every Browser value is Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727 ...).]
- The browser is Internet Explorer 6.
[Screenshot: a further HTTP Activity result set for gov.ir hosts with a wider mix of agents: Internet Explorer, Firefox/3.0 on Windows NT 5.1, Safari on Intel Mac OS X, and Google Wireless Transcoder.]
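To make the "Which browser are we seeing?" step reproducible, here is an added example (not from the briefing, and not an XKEYSCORE feature) that classifies rows shaped like the HTTP Activity results, (from country, host, browser string), into browser family, version, operating system and mobile/desktop, then groups identical results, which is the Group By dedupe the deck recommends for large result sets. It goes slightly beyond the slides by also handling the Series60/Symbian strings from the mobile-browser slide. Sample rows, hostnames, the Windows NT version table and the function names are constructed.

```python
"""Classifying browsers from HTTP User-Agent strings (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Row = Tuple[str, str, str]  # (from_country, host, user_agent)

# Constructed sample rows in the shape of the HTTP Activity results table.
SAMPLE_ROWS: List[Row] = [
    ("CU", "forum.example", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"),
    ("CU", "forum.example", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"),
    ("IR", "mail.example", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)"),
    ("IR", "mail.example", "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"),
    ("CN", "forum.example", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.2 Safari/525.22"),
    ("CN", "forum.example", "Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaN95/21.0.016; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413"),
]

# Windows NT kernel versions as they appear in user agents (assumed lookup table).
WINDOWS_NT_NAMES = {"5.0": "Windows 2000", "5.1": "Windows XP", "5.2": "Windows XP x64/Server 2003",
                    "6.0": "Windows Vista", "6.1": "Windows 7"}
MOBILE_MARKERS = re.compile(r"Symbian|Series ?60|Nokia|MIDP|CLDC|Windows CE|iPhone|Android|BlackBerry", re.I)


def classify_user_agent(ua: str) -> Dict[str, object]:
    """Pull family, version, OS, mobile flag and .NET CLR versions out of one UA string."""
    family, version = "Unknown", ""
    if (m := re.search(r"MSIE (\d+(?:\.\d+)?)", ua)):
        family, version = "Internet Explorer", m.group(1)
    elif (m := re.search(r"Firefox/(\d+(?:\.\d+)*)", ua)):
        family, version = "Firefox", m.group(1)
    elif "Safari/" in ua:
        # Desktop Safari carries Version/x.y; older mobile WebKit only has the build number.
        m = re.search(r"Version/(\d+(?:\.\d+)*)", ua) or re.search(r"Safari/(\d+(?:\.\d+)*)", ua)
        family, version = "Safari", m.group(1)
    os_name = "Unknown"
    if (m := re.search(r"Windows NT (\d\.\d)", ua)):
        os_name = WINDOWS_NT_NAMES.get(m.group(1), "Windows NT " + m.group(1))
    elif (m := re.search(r"Mac OS X ([\d_.]+)", ua)):
        os_name = "Mac OS X " + m.group(1).replace("_", ".")
    elif (m := re.search(r"SymbianOS/([\d.]+)", ua)):
        os_name = "Symbian OS " + m.group(1)
    return {
        "family": family,
        "version": version,
        "os": os_name,
        "mobile": bool(MOBILE_MARKERS.search(ua)),
        "dotnet": re.findall(r"\.NET CLR ([\d.]+)", ua),
    }


def group_by_browser(rows: Iterable[Row]) -> Counter:
    """Group By (country, host, family, version, mobile) so repeated rows collapse to a count."""
    counts: Counter = Counter()
    for country, host, ua in rows:
        info = classify_user_agent(ua)
        counts[(country, host, info["family"], info["version"], info["mobile"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in group_by_browser(SAMPLE_ROWS).most_common():
        country, host, family, version, mobile = key
        print(f"{n:3d}  {country}  {host:15s}  {family} {version}{'  [mobile]' if mobile else ''}")
```

The classifier checks the most specific markers first (MSIE before the Mozilla/4.0 prefix every IE string carries; Version/ before the bare Safari/ build), which is the same reasoning an analyst applies by eye when scanning the Browser column.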
Identifying Mobile Browsers
[Screenshot: HTTP Activity results whose Browser column shows mobile agents: Series60, SymbianOS, Nokia handsets, Profile/MIDP-2.0 Configuration/CLDC-1.1, and AppleWebKit/413 ... Safari/413.]
- If you have thousands of results, try to Group By to dedupe results.
- Use Auto-Fit Column Width.
- Watch for Mobile browsers!

Web Forum Logins & Passwords

Web Forum Logins/PWs
- Search: Logins and Passwords
- Query Name: foreign (jihadi) web forum
- Justification / Additional Justification / Miranda Number
- Datetime (Start / Stop)
- User / IP Address / To Port / From Port
[Screenshot: Logins and Passwords result (app_id=mail/webmail/vbulletin, 19 attachments), Iran to United ..., with the Web Form Display listing embedded_base64 form fields including the username, the password and a @yahoo.com address.]

Webmail Logins & Passwords

Webmail Logins & PWs: Why?
- Masquerade as the user and read mail - useful, but secondary
- Potentially use the Login/PW to get full access to the web server itself
  - Port 80 is useful
  - Port 3000 has XDaemon traffic (woo hoo! Let's take a look)

XKEYSCORE query
- Search: Logins and Passwords
- Query Name: Iranian based webmail
- Justification: Targeting foreign-based Iranian government webmail users
- Datetime: 1 Week (Start / Stop)
- Users in and out of Iran
- Webmail Ports
- User Name / Password / To Port / From Port
[Screenshot: Session viewer for a result to Iran, showing the Session Header, Meta, session search form and formatter options.]
[Screenshot continued: raw HTTP request headers (Accept, Referer, User-Agent: Mozilla/4.0 (compatible; MSIE ...; Windows NT 5.1; ...), Accept-Encoding: gzip, deflate, X-Forwarded-For) and the webmail login form fields.]

More webmail

Chinese webmail users
- Search: Logins and Passwords
- Query Name / Justification / Additional Justification / Miranda Number
- Datetime (Start / Stop)
- Domain / IP Address / To Port: 80 / From Port
- Country: CN
[Screenshot: Logins and Passwords result (China to Cuba) with attachments, Document Information and a Web Form Display listing the User and Password form fields.]
Chinese webmail logins
- Search: Logins and Passwords
- Query Name: webmail logins
- Justification / Additional Justification / Miranda Number
- Datetime: Custom (Start / Stop)
- User Name / Domain / IP Address / To Port / From Port
- Country: CN
[Screenshot: Logins and Passwords result (app_id=mail/webmail/..., private address), with the Web Form Display listing the form fields for a @126.com account.]
[Screenshot: Logins and Passwords result (app_id=mail/webmail/vbulletin), United Arab Emirates to Iran, with the Web Form Display listing form fields including the username and a password hash.]

Identifying Servers: Why?
- Web Servers run particular software - e.g. Apache, Microsoft IIS, Unix, ...
- TAO has exploits for particular ones

XKS query to find server
Server query
- This targets Jihadi web forums for their Server information
- Search: HTTP Activity
- Query Name: jihadi forums
- Justification / Additional Justification / Miranda Number
- Datetime: 3 Days (Start / Stop)
- HTTP Type: response
- Host: [populate with ...]
- Country: Foreign

Server query (another example)
- Search: HTTP Activity
- Query Name: [...] web [...]
- Justification: This is the network to which I'm trying to gain access
- Additional Justification / Miranda Number
- Datetime: Custom (Start)
- HTTP Type: response
- IP Address: ...

Server query results
- In the HTTP Activity results, you see the servers listed
[Screenshot: HTTP Activity results with a Server Type column, with values such as "... (Unix) with ...", "... (Unix)" and "... (CentOS)".]

Wrap up
- Many times when we task TAO we have back/forth conversations about how to exploit the target. These slides should help you find the things that TAO needs from S2.
- It's difficult to cover all of the examples of how XKS can help, but this is a good start.
- Good luck.
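As an added example illustrating the server-identification slides above (not part of the briefing, and not an XKEYSCORE feature), the code below parses the Server header out of HTTP response traffic into product/version/platform components and builds a per-host inventory. The same parse is what a defender runs against their own hosts to find which ones disclose exact versions in the Server or X-Powered-By headers. Hostnames, the response samples and the function names are constructed; the token grammar follows the product/version/comment form the Server header uses.

```python
"""Extracting web server software from HTTP response headers (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample responses: (host, raw response head as captured on the wire).
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("forum-a.example", "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nX-Powered-By: PHP/5.1.6\r\n"
                        "Content-Type: text/html\r\n\r\n<html>..."),
    ("forum-b.example", "HTTP/1.1 200 OK\r\nServer: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7e\r\n\r\n"),
    ("mail.example", "HTTP/1.1 302 Found\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n"
                     "Location: /login\r\n\r\n"),
    ("hardened.example", "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"),
    ("quiet.example", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]

# product[/version] [(comment)] tokens, the Server header's grammar.
PRODUCT_TOKEN = re.compile(r"([A-Za-z][\w.-]*)(?:/([\w.-]+))?(?:\s*\(([^)]*)\))?")


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw response into a lower-cased header map (status line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_server_header(value: str) -> List[Tuple[str, str, str]]:
    """Return (product, version, comment) triples; missing parts are empty strings."""
    return [(p, v, c) for p, v, c in PRODUCT_TOKEN.findall(value)]


def inventory(responses: List[Tuple[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per-host summary of what the response headers reveal about the server."""
    result: Dict[str, Dict[str, object]] = {}
    for host, raw in responses:
        headers = parse_headers(raw)
        components = parse_server_header(headers["server"]) if "server" in headers else []
        primary = components[0] if components else None
        powered_by = headers.get("x-powered-by")
        result[host] = {
            "server": primary[0] if primary else None,
            "version": primary[1] if primary else None,
            "platform": primary[2] if primary else None,
            "components": components,
            "powered_by": powered_by,
            # Any numeric version in Server or X-Powered-By counts as disclosure.
            "discloses_version": any(v for _, v, _ in components)
                                 or bool(powered_by and re.search(r"\d", powered_by)),
        }
    return result


def version_disclosure_report(inv: Dict[str, Dict[str, object]]) -> List[str]:
    """Hosts whose headers leak exact software versions, sorted by name."""
    return sorted(host for host, info in inv.items() if info["discloses_version"])


def server_counts(inv: Dict[str, Dict[str, object]]) -> Counter:
    """Group By (server, version) over the inventory, like the Server Type column."""
    return Counter((info["server"], info["version"]) for info in inv.values())


if __name__ == "__main__":
    inv = inventory(SAMPLE_RESPONSES)
    for host in version_disclosure_report(inv):
        print(host, "->", inv[host]["server"], inv[host]["version"], inv[host]["platform"])
```

The `hardened.example` row models a server that has been configured to send only the product name (on Apache, the `ServerTokens Prod` directive does this); it is inventoried but not listed as disclosing a version.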