Web Forum Exploitation
using XKEYSCRE

5217
July 2009

What forum data do we

_ _have in 

I FISA full takei< for U.S. web forum
servers under FISA coverage

I Passive collection for OCONUS web
forum server traffic

I Passive collection for individual forum
users located OCONUS

Content



- Posts and private messages

When FISA is available PINWALE is best
for content (large amount of 
traffic)

Time sensitive threats XKEYSCORE may
be faster

All posts/ threads on one
forum

I HTTP Activity query form
- Fingerprints:
maiI/WebmaiI/vbulletin/post*

- IP address (either): web forum server
IP

All Private Messages for a
Forum

I HTTP Activity query form
- Fingerprints:


- IP address (either): web forum server
IP

SysAdmin Activity


I CPanek

All web forum IP addresses
AND
Ports for CPaneI (2082 or 2083 or 2086 or 2087)

- AdminCP:

All web forum IP addresses
AND
- Application Info - *adminCp*

Applications Used on
Forums



I Example: all forum users with MS V2.0
private messages:




And