![OSINT and the Hermit Kingdom](https://data.docslib.org/img/3a60ab92a6e30910dab9bd827208bcff-1.webp)
OSINT and the Hermit Kingdom
Learning More About the World's Most Secretive Nation

Introduction
• Currently between jobs this weekend
• Before that worked at Phantom/Splunk developing integrations and automation playbooks
• Based out of Boston
• @superducktoes

What is OSINT?
• Data collected from publicly available sources to be used in an intelligence context.
• In the intelligence community, the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources).
• It is not related to open-source software or collective intelligence.
• There are plenty of paid services, but today we're going to look at what's free and can be found sitting on the couch.

What is OSINT Used For?
• Red Team
  • Scanning attack surface
  • Leaked information
  • Employee profiling
• Blue Team
  • All of the above
  • Monitoring and alerting
  • Threat hunting

Benefits of OSINT
• Less risky
• Cost effective
• Easy to gather
  • Did all of this from my couch watching hockey
• Legal issues
  • Everything is already online

Challenges of OSINT
• Data volume
• Reliability
• Manual review of data

Why North Korea?
• It's fun to tell my mom
• It's the Hermit Kingdom
• VICE Guide to North Korea

Information Gathering: Asset Discovery
• Three ways of gathering information
  • Passive
  • Semi-passive
  • Active
• Looking to identify:
  • Internet-facing assets
  • Services and versions
  • Cloud or federated services
  • Operating systems

What's In Scope?

What if there's not a Wikipedia article?

How Many Servers Are Online?
• Shodan
• Censys

What's Online? Device Identification

Red Star OS
• scnprc - file scanner that cannot be disabled. Uses a file /tmp/AnGae.dat that contains strings of text in different languages that translate into "strike with fists", "punishment", and "hungry", and automatically deletes any files.
• opprc - runs in the background and watermarks any files that are modified on the system. These watermarks stack up and would provide an audit trail for tracking file distribution. Confirmed to work on .docx, .rtf, .png, and .jpg files.
• https://github.com/takeshixx/redstar-tools
• https://c3subtitles.de/talk/501/

Red Star OS versions
• Red Star OS v1
• Red Star OS v2
• Red Star OS v3
• Red Star OS v4 - found in Foreign Trade of the DPRK

Red Star OS Server
• Different from the desktop OS
  • Beam
  • Rssmon
  • Setools
  • Yum is disabled
  • Runs as root but still lacking certain privileges

Red Star OS Server - setools
• Uses the Bell-LaPadula model for enforcing access control
• Turn to the manual - found by Googling "Красная Звезда"
• Also has guides similar to CIS benchmarks for hardening Red Star servers

Red Star OS Server
• There are lots of interesting things on here
  • Aware of the difference between /dev/random and /dev/urandom
  • Wrote their own blocking mechanisms instead of using something like fail2ban

Red Star OS Server - Beam

Domain Enumeration
• How many websites are currently hosted in North Korea?
  • 32 websites
  • 34 different domains
• Goal is to find all domains that are owned by an organization
• Want to find any subdomains as well as ownership information
• Look at passive DNS to discover a list of domains
• Whois data to find registered domains
• Map domains to infrastructure

What If There Isn't a Wikipedia Article?
• Whois data and reverse DNS lookups
• Passive DNS data
• Censys

Service Enumeration
• Remember to validate findings

What's running on these hosts?
Found the following 33 devices:
• 29 Linux servers - mix of Red Hat and Red Star
• 3 Windows servers
• 1 Cisco
Services seen:
• 5 web servers - ports 80, 443, 8888
• 4 DNS servers
• 3 NTP servers
• 3 SMTP servers
• 1 VNC server
• 1 VMware server
• 1 FTP server
• 1 Telnet server
• 1 SSH server
• 20 services running on port 8080

Semi-Passive Intelligence Gathering
• SMTP tests
• Proxy checker
• SEO tools

SEO Tools
• Sometimes we need to get creative with the tools that we use
• SEO tools looked for broken links and hidden directories

North Korea Online

Internet in North Korea
• Started in 2001 with an email relay between Pyongyang and Shenyang
• 2 different networks in North Korea
  • Intranet known as Kwangmyong
• Naenara
  • Official internet browser for accessing the "intranet"
• webmail.star.net.kp - not accessible from the public internet
• portal.net.kp - used in hotels in North Korea for entering access codes that you can purchase for internet access
• sns.star.net.kp - unknown; I was told sns is a common abbreviation of "social networking service" in Korea and Japan

Steam Powered

Online Logs
• allintext:175.45.176.135 filetype:log

Public Pastes
• Looking for any kind of leaked info

Wikipedia Edits

Torrent Traffic

Web Logs

Domain Squatting?
• Typically North Korean domains are *.com.kp, *.org.kp
• What happens if we bought just the .com version?
• Two NK domains
  • One in the OS manual
  • One threat intel domain

Social Media - Employee Badges
• Employee badge, employee number #newjob
• Notice that it also has a contact name under visitor #visitorbadge
• Not a lot of information but still a good look at a #visitorbadge

Social Media
• Mini kegs are coming soon…
• Hotels are going to prepare you for anything
• Visas and long-term stay cards
• Palace of the Sun. No pictures allowed inside…
• Windows XP is still very popular
• Sometimes though we can't always trust what we find
• Strava heat map showing where people are
  • Downtown Pyongyang and where tour groups are led
  • Able to track individual buildings visited
  • Found two lines up north that looked interesting
  • Appears to be a ski resort, but it's not the one that is normally shown in official state-sponsored news

Silivaccine
• GitHub - Shadowbrokers leak
• North Korean malware?

North Korean Malware

North Korean Software

Wrapping Up
• OSINT Framework - osintframework.com
• nkinternet.wordpress.com
• Maltego
• Spiderfoot

One Last Site

THANK YOU!
Nick Roy
[email protected]
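The deck's service enumeration slides end with "Remember to validate findings": a host or service reported by one search engine is a lead, not a fact. The block below is an added example, not code from the talk, showing one way to do that validation offline: keep only (ip, port, service) findings that two independent passive sources agree on and that fall inside the agreed scope, and tally the rest for manual review. The scope prefix and all records are constructed for illustration; the prefix is an assumption chosen to cover the addresses the slides quote.

```python
# Added example: corroborate passive scan findings across two sources.
# Scope prefix and all records are constructed; nothing here is from the talk.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed scope, chosen to cover the 175.45.17x.x addresses quoted on the slides.
SCOPE = ip_network("175.45.176.0/22")

# Constructed records shaped like Shodan/Censys output: (ip, port, service label).
SOURCE_A = [
    ("175.45.176.71", 80, "http"), ("175.45.176.71", 443, "https"),
    ("175.45.176.73", 53, "dns"), ("175.45.176.73", 123, "ntp"),
    ("175.45.176.90", 8080, "http-proxy"), ("175.45.176.90", 25, "smtp"),
    ("203.0.113.5", 22, "ssh"),  # out of scope: TEST-NET-3 documentation range
]
SOURCE_B = [
    ("175.45.176.71", 80, "http"), ("175.45.176.71", 443, "https"),
    ("175.45.176.73", 53, "dns"),
    ("175.45.176.90", 8080, "http-proxy"), ("175.45.176.90", 23, "telnet"),
]


def in_scope(ip):
    """True when the address lies inside the agreed scope prefix."""
    return ip_address(ip) in SCOPE


def corroborate(*sources):
    """Return (confirmed, unconfirmed): findings inside scope that every source
    reports, and in-scope findings only some sources report (never dropped silently)."""
    seen = [{r for r in src if in_scope(r[0])} for src in sources]
    confirmed = set.intersection(*seen)
    unconfirmed = set.union(*seen) - confirmed
    return confirmed, unconfirmed


def tally(records):
    """Count services by label and group open ports per host, like the summary slide."""
    by_service = Counter(service for _, _, service in records)
    by_host = defaultdict(set)
    for ip, port, _ in records:
        by_host[ip].add(port)
    return by_service, dict(by_host)


if __name__ == "__main__":
    confirmed, unconfirmed = corroborate(SOURCE_A, SOURCE_B)
    services, hosts = tally(confirmed)
    print("confirmed services:", dict(services))
    print("hosts and ports:", hosts)
    print("needs manual validation:", sorted(unconfirmed))
```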