Spydialer and OSINT on Danny Tanner

Ethical Creeping

Small sidebar before I get started.  The other members of the OSINT community I regularly engage with on Slack (shameless plug... Join us!  https://openosint.signup.team) have debated the best way to demo OSINT tools and techniques without doxxing (publishing private info about somebody) others.  I refer to this as ethical creeping.  We've seen bad examples of this at conference security talks and even vendor demos.  A presenter carelessly enters some random info and displays an address, phone number, IP address or other information to the audience, solely for the benefit of the demo.  Please do not do this!  If you are going to take the time to demo something that can potentially disclose the info of others, take some precautions.  For example, ask for a volunteer that doesn't care, use someone already in the public eye, or do the work to obscure the info for your presentation before your demo.  Bare minimum, use some common courtesy, please and thank you.  In the following demo I show some details, but nothing that general white page listings wouldn't show.

SpyDialer

I have used Spydialer in the past to see if a target number had a voicemail greeting that could identify an account.  It is a nifty trick and a nice way to check a number anonymously** (I'll come back to those 2 little stars) without directly dialing the target number yourself.

Last night one of the OSINT forums I frequent notified me that SpyDialer had added some functionality to the website.  I wanted to check it out and also make sure that the updates had left my previous Opt-Outs intact.

** 2 Little Stars

So back to the anonymity disclaimer.  If you go to the 'How it Works' part of the Spydialer page you see the warning that the voicemail check isn't really anonymous.

This is true: if you enter a target number, the target cell phone will either display a missed call or get a quick ring before displaying the missed call.  So if you have a jumpy target, make sure you choose another tool or you may spook your subject.

Opt-Out

The opt out link is at http://www.spydialer.com/optout.aspx

There has always been debate in the security world on whether or not to trust the opt-out process.  The main argument being that if you opt out, you are in turn validating your data and maybe the site will sell that validated data to another marketing group.  I think that debate is the equivalent of 'which came first, the chicken or the egg?'

My stance is:

1. Know what the service is capable of pulling on you (OSINT yourself!)

2. Figure out if they actually have an opt-out process and do it

3. See if they have a privacy policy listed online saying what they share with others

4. Follow the path of the others... if possible

5. Repeat steps 1 through 4... forever. (Kidding, but not really)

I can happily say that the opt outs I put in place a few months ago seemed to stay in effect even within the new features that SpyDialer launched. Kudos to SpyDialer for following a degree of honor regarding privacy.

No phone number for you!

New Features

So the 'People', 'Address' and 'Email' portions of the SpyDialer search seemed to be the new features.  Let's check them out!

New Feature... Address

With Ethical Creeping in mind, let's see what the 'Address' function can find for us.  My approach was to look up an address that people have probably Google searched many times already, and any non-standard info I will obscure.  Let's creep on fictional dad Danny Tanner from Full House.  A quick Google search for 'real address from Full House' nets the info of 1709 Broderick Street in San Francisco.  Input it into SpyDialer and we get:

If we hit the details tab for Record 1 we see:

The neighbor reporting feature could come in handy as I have previously used a tool like Melissa Data Property Viewer to see public records info of addresses and nearby neighbors.  That's a nice added feature to get a quick listing of nearby addresses.  

New Feature... People

Continuing the Full House themed OSINT, I input a search for Danny Tanner, the fictional father from the TV show.

There are no Danny Tanners in San Francisco, but SpyDialer is nice enough to tell us there are some elsewhere.

Details view of Danny Tanner Record 2 shows us that SpyDialer kindly obscures the last 4 digits of a cellular number.

Now would be a good time to point out that many sites partially obscure data due to being a 'free' website.  SpyDialer kindly advises you that BeenVerified is a paid site that discloses full addresses and phone numbers.  Fortunately for OSINT investigators, there are many open source ways to fill in the info that SpyDialer leaves incomplete.  FamilyTreeNow.com is one of those sources.  Using the name Danny Tanner from above, finding an entry with location ties to Citrus Heights, CA is easy enough.  Being an ethical creeper I won't publish the last 4 digits of a stranger's cell phone, but see if you can find them.

New Feature... Email

Let's do a search for Danny Tanner's email.  Randomly I enter DannyTanner@yahoo.com

Well there's a surprise: Dannytanner@yahoo.com belongs to somebody named Geoff.  To try the email lookup service more completely I tried a few more.

And

OK so maybe the email lookup tool isn't the best.  SpyDialer uncovered another Danny in Florida, and deduced a potential name from my 3rd search reporting the email MAY belong to somebody named Danny Tanner... brilliant!

Verdict on SpyDialer

OSINT tools constantly change, update, lose or gain functionality.  One thing stays the same in my own usage of them... I never use just one tool.  SpyDialer can be a decent starting point if you have a target phone number, but inevitably I will end up running the phone number through a PIPL.com search or see what other related addresses or phone numbers I can find listed on FamilyTreeNow.com.  My search methodologies go through a bank of OSINT resources and that bank changes depending on which data I already have and which data I am trying to find.  While the email search feature is pretty basic, I will continue to use SpyDialer if I have a starting phone number and no name.  If a site is good enough for me to want to opt out of it, the site is good enough for me to utilize it in an OSINT investigation.

Random

http://www.full-house.org/fullhouse/fullhouse_house.php

When researching the house location info for this demo I found that site and was impressed with the level of detail and research somebody put into the house from the show.  Maybe a little creepy... but impressive.

If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing

Fake Travel with Android Emulator

Twitter Teleportation

Back in November I was testing a scenario for a case I picked up and came up with this little trick. 

There are currently only 2 geo tagged tweets in my Twitter timeline:

https://twitter.com/baywolf88/status/803617220374851585

The first tweet was 10:10am on 11-29-16 in Amsterdam, The Netherlands.

The second tweet was at 10:36am on 11-29-16 in South Carolina, USA.

https://twitter.com/baywolf88/status/803623573000781829

On both tweets I intentionally posted a photo with a view outside the window.  The view shows I was physically in the same location even though the geo tags say otherwise.

Both tweets included the hashtag #metadata so I could capture them with mapd’s tweet map.

https://www.mapd.com/demos/tweetmap/

The Setup

I did this using the android emulator Blue Stacks. http://www.bluestacks.com/

Blue Stacks is free emulator software that simulates an Android device on your computer.  Once you log into a Google account you can access the Google Play store and load your ‘Android’ device with any apps you want to run on your PC.

Before I got started on Twitter I made sure to download and install another application Fake GPS Location Spoofer Free. https://play.google.com/store/apps/details?id=com.incorporateapps.fakegps.fre

(Disclaimer: I have not vetted the privacy of this app so take the proper anonymity precautions as you see fit for your use case)

Before we start using any location based apps in the emulator we set the location. Fake GPS lets us drop a pin location onto a map deciding where we want to beacon a GPS signal from.

Drop a pin, then click the play button in the bottom right hand corner of the map, and any apps you run will think you are in Columbia, SC.

Using this method is how I set my tweets to be on opposite sides of the Atlantic Ocean within the same hour. 

OSINT Framework Mobile Emulation Tools

Bluestacks is not the only emulator available. If you are interested in Android emulation head over to OsintFramework.com for an assortment of useful emulation tools.  

Pro Tip - Use Wireshark

https://www.wireshark.org/

I will leave specific ways you can use a spoofed location to your imagination at this point.  But one thing I will recommend is running Wireshark in the background while experimenting with different Android apps.  If you are skilled in using the network protocol analyzer you may be able to export and save certain artifacts that are intended to “disappear” from your Android device.

Comments or Tips to Share

If you have any emulator tips to share or comments please drop me a line on Twitter @baywolf88

Twitter OSINT Ninja

Becoming a Twitter OSINT Ninja

Twitter analytics – socialbearing.com

For basic Twitter account analysis I start here.  Social Bearing will give us several account statistics including when the account was created and which client the tweets come from (desktop, TweetDeck, iPhone, Android).  The analysis can include up to 3200 tweets and loads 200 at a time.  Recently @FBIRecordsVault became active and since it only has 131 tweets in the lifetime of its account it makes a good punching bag… I mean example:

Down the left side of the page are many useful statistics, keywords and geotags (if enabled).  The main panel, if you scroll down, shows the tweets that you have queried for the stats above.

There are times when a Twitter account may be run by multiple account “managers”.  The ‘tweets by source’ breakdown would be a good way to analyze this, as we may see several different types of devices contributing to the account.  This is an example of an account allegedly run by multiple people:

There are some API limitations (3200 tweets), so an account that’s been around for a while may have limited or partial results, but there is good data on SocialBearing.com.

URL manipulation with tinfoleak.com

Tinfoleak is another analytic site.

This example shows how you can sometimes manipulate the URL of a webpage to get past registrations or email captures.

To use Tinfoleak you are supposed to enter a Twitter username for research and an email address that a link will be sent to that allows you access to the data.  This workaround comes compliments of Mike Bazzell of IntelTechniques.  Enter this in a web browser:

www.tinfoleak.com/reports/<TwitterUserName>.html

changing out <TwitterUserName> with a target twitter account.

The results seem to vary, but when it works the readout gives you a very streamlined recap of hashtags, mentions, media posts and geotags.  Try it on a few accounts and see what works.

Protected Accounts?

With protected accounts we can’t see tweets unless we are confirmed by the account owner.  Try entering to:TwitterUserName in the search field of Twitter at the top right of your browser.

This will show you tweets to the protected account which is like seeing half of a conversation.  Not ideal, but you can glean information sometimes. 

This One Crazy Trick to Hack Protected Accounts

There is a theory online that if you create a brand new account, follow a protected account, log out, log back in and check the ‘who to follow’ section of your new account, you will see suggestions for accounts that your protected target account has associations with.

This may have been a successful tactic a few years ago but twitter has updated the secret sauce to prevent this from working today. 

So What Else Can We Do?

Analytics of a protected account just shows account creation date and what the user has in their profile.

PIPL Search

Head to Mike Bazzell’s search tools click on Twitter on the left and enter the profile name into the PIPL search:

After you hit search take a look at the URL in your browser:

https://api.pipl.com/search/v5/?username=realdonaldtrump&key=sample_key

realdonaldtrump is where the Twitter handle goes; you can just type in a new Twitter handle and try again.

sample_key shows that we are using a sample API key.  You will run into limitations on the sample key at some point if you do repeated searches.

I recommend registering on Pipl.com and they will give you free API keys to use.  If you hit the sample key limit, just copy and paste your key into the URL where it says sample_key.

The results vary just like any OSINT target will, but I have found real names, addresses, phone numbers, job history, and known associations just by searching a protected twitter account handle. 

When Does Your Target Sleep? - Sleepingtime.org

This site has a simple enough interface, but you have to sign in with Twitter to use the service.  Make a fake account if you don’t trust this.  You can also log into your Twitter account settings later and revoke access to your account here:

https://twitter.com/settings/applications

Ok, so when do I sleep?

That is fairly accurate but note some caveats.  If the user is in a different time zone or has their time zone set incorrectly you will get some variance in this report.  Protected accounts do not report on sleeping time at all. 

Let’s say our target works a 2nd or 3rd shift job; the sleeping patterns will be shifted.  If you are trying to locate somebody in real life (like say a private investigator might need to) this could be a great way to find your windows of opportunity to catch a target on the way to work.
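As an added illustration (it is not code from this post, from SocialBearing or from Sleepingtime.org), here is a small Python script that computes the two readouts described above, the 'tweets by source' breakdown and an hourly activity profile with its longest quiet window, over a constructed timeline; the utc_offset_hours parameter shows how an unknown or wrong time zone rotates the whole profile, which is the variance noted above.  Run it over an export of your own timeline to see what these tools would report on you.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample timeline as (created_at in UTC, client "source" string),
# the two fields the readouts above are built from. Not real tweets.
SAMPLE_TWEETS = [
    ("2016-11-28T13:10:00Z", "Twitter for iPhone"),
    ("2016-11-28T14:45:00Z", "TweetDeck"),
    ("2016-11-28T16:02:00Z", "TweetDeck"),
    ("2016-11-28T19:30:00Z", "Twitter for iPhone"),
    ("2016-11-28T23:15:00Z", "Twitter for Android"),
    ("2016-11-29T01:40:00Z", "Twitter for iPhone"),
    ("2016-11-29T03:55:00Z", "Twitter for iPhone"),
    ("2016-11-29T12:20:00Z", "Twitter Web Client"),
    ("2016-11-29T15:05:00Z", "TweetDeck"),
    ("2016-11-29T21:00:00Z", "Twitter for Android"),
    ("2016-11-30T04:30:00Z", "Twitter for iPhone"),
]

def parse_tweets(rows):
    """Turn (timestamp, source) strings into (aware UTC datetime, source) pairs."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return [(datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc), src)
            for ts, src in rows]

def tweets_by_source(tweets):
    """Count tweets per client, most used first. Several distinct clients on one
    account is the hint that more than one person may be posting."""
    return dict(Counter(src for _, src in tweets).most_common())

def hourly_activity(tweets, utc_offset_hours=0):
    """Tweets per local hour of day (24 buckets). The offset is the account's
    presumed time zone; a wrong offset rotates the whole profile."""
    buckets = [0] * 24
    for ts, _ in tweets:
        buckets[(ts + timedelta(hours=utc_offset_hours)).hour] += 1
    return buckets

def quiet_window(buckets):
    """Longest circular run of zero-tweet hours as (start_hour, length): the
    'sleeping time' estimate. (None, 0) when no tweets or no quiet hour."""
    n, best = len(buckets), (None, 0)
    for start in range(n):
        # Only begin counting at the first zero hour of a run.
        if buckets[start] or not buckets[(start - 1) % n]:
            continue
        length = 0
        while length < n and not buckets[(start + length) % n]:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best

if __name__ == "__main__":
    tweets = parse_tweets(SAMPLE_TWEETS)
    print("tweets by source:", tweets_by_source(tweets))
    for offset in (0, -5):  # same data viewed as UTC and as US Eastern (UTC-5)
        start, length = quiet_window(hourly_activity(tweets, offset))
        print(f"UTC{offset:+d}: quiet from {start:02d}:00 for {length} hours")
```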

The Jester’s Internet AWACS http://internetawacs.jesterscourt.cc/

The Jester’s site has a few settings with impressive readouts.  The Jester has different alert monitoring nodes that are driven from the Twitter fire hose.  Check those out for fun and then run the Deep Dive Search on your target account. 

Psyche – Activity – Geolocation are analyzed.  If you ever need somebody to test geolocation on, Steve Wozniak’s account is good for target practice @SteveWoz :

Geo maps

Ever since the free portion of Echosec became defunct, I’ve been looking for a good geo-mapping replacement for twitter.  MapD and Tweetpaths are the sites I end up on the most now. 

MapD from MIT - Mapd.csail.mit.edu/tweetmap

MIT’s MapD allows some map based research on hashtags.  If you have a target that uses geo tagging you can find tweets by hashtag within the last 30 days. 

As you might expect #grrcon, a security conference, only had about 5 geotag enabled tweets with the conference name tagged.

However a hashtag #iphone7 nets about 1400 geotag enabled tweets in the last 30 days.

Tweetpaths.com

Once you find an account with geotags enabled Tweetpaths.com is a great way to see where they’ve been.  This is another site that requires a sign-in with your twitter account so, once again, use a fake account or know how to revoke the permissions afterwards.

We will pick on Woz again: Enter his user name in the top left, click on advanced options and check the show path option:

We can see that Steve likes to tweet when travelling and at dinner time.

Further Down the Rabbit Hole – Osintframework.com

Once you’ve gathered some data with your Twitter ninja skills head over to Justin’s (@jnordine) www.osintframework.com and see what other data you can pivot your way into.  The framework has a few twitter tools up its sleeve:

I hope you enjoyed this peek into OSINT tactics on Twitter.  If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing!

Derbycon Shenanigans

That time I used twitter to orchestrate an icing of Hacking Dave...

Why is there a Tropical Fruit flavor?!?

This is a small tale of one of the many shenanigans that ensue when you get a bunch of hackers together in the same area for a few days.  One of the traditions of Derbycon is a little game called 'Icing'.  You can Ice people with Smirnoff Ice which is a questionable beverage at best.  These Derbycon Smirnoffs have usually been enhanced by being heated up as well (Yuck level +10... gross).  So you find a target and hand them a warm Smirnoff and they must chug it down.  (Side note - totally OK to decline an Icing - nobody is forced to do anything at Derbycon they don't want to)  There are defensive bracelets available for purchase, the proceeds of which support Hackers for Charity.  However if your Icer has more bracelets than you, your defense is invalidated.  Derbycon founder Hacking Dave Kennedy usually ices a speaker or two mid talk, which is totally awesome.

@HackingDave sneak attack on @JaysonStreet mid talk

So Saturday evening @Skydog was setting up his ID maker machine in the Hyatt lobby.  I missed out on an ID the previous year and decided to jump in line.  While tweeting for people to come get in line for one of Skydog's awesome badges I noticed this message from @HumanHacker Chris Hadnagy:

I'm not equipped with any Smirnoff Ice... but I know somebody that is. So I hit up @Nullspace on DM.

I don't know the specifics of where @nullspace was, how he found @HackingDave or how he made his Ice-hit go down right next to the Skydog ID badge line I was standing in.  But sometimes things just work out perfectly and this happened 4 minutes after my DM:

Tropical Icey Goodness for Hacking Dave and Nullspace getting photo proof for Human Hacker

The inevitable face you make after getting Iced

I get entertained while waiting in line, Nullspace gets a free ticket to BourbonCon, Human Hacker gets a payback on Hacking Dave, Hacking Dave gets to experience the magic of Tropical Fruit flavored Smirnoff Ice... everybody wins!  Oh and Hacking Dave, no need for revenge plotting.  I was collateral damage Iced by Nullspace about 90 seconds later.

So Gross... Thanks Nullspace

All fun and games aside, a huge thanks to Dave Kennedy and all the staff for everything that is Derbycon.  The infosec community is a better place because of this conference.  This year was my 2nd Derbycon and 1st time ever as a conference speaker.  One of the talks I saw on OSINT last year at Derbycon set me on a path that helped me find my way into my own Infosec career. See you next year Derbycon!

PS Thanks for the badge @Skydog and for making it awkward @JaysonStreet