Solving an OSINT Challenge

During the SANs SEC487 class, Micah provided a link to an Instagram picture while demonstrating the many techniques on social media intelligence. During the talk, he challenged the class to find the location of this image. It wasn't an official challenge but i was intrigued and i want to challenge myself to see what i could find. Of course it was 2 pm and my after lunch syndrome kicked in and my eyes were tired but this surprise challenge is what prevented me from sleeping in class!

So the challenge was: Find the location of this image. An image the trainer took and posted on his Instagram.

The Flag: Find this place

First thing i did was to screenshot the image, open in paint, save in JPEG format and look at the possible clues in this image.

Extracting the Image from Instagram 

Potential clues/artifacts that could be pivoted

After looking at the clues, I did what many would probably do - use Google Image to see if similar images would provide me the answer - but as i expected... all were strikingly similar but none were the answer.

Google Image results

Next, using Google search and with the two clues 'Constitution' and '2000', i attempt to see if any results would actually makes sense to me. As the image appeared to be possibly a park, keywords 'constitution' and 'park' were used but the results were plenty. I am definitely not going to use each of these results and locate them in Google Maps.

Results when keying the term 'constitution park'

I then used the keywords '2000' and 'constitution' and I got a result that sounded American and the others just didn't make sense to me.

Results when keying in '2000 constitution'

 Using the result '2000 constitution ave' and put it on Google Maps, i found something. But it didn't look like a public park to me. So yeah, definitely not the answer.

Trying out the first 'logical' result

Similarly to using Google search engine, i tried the same keywords on Google Maps and again, plenty of results. I was sure it's one of the hundreds but I don't think i was gonna visit one by one. 

Google Map's results when keying '2000 constitution'

Google Map's results when keying '2000 constitution park'

So after wasting over 20 mins, i went on to find another way. This time I need to find information that could tell me where he was at that time. The clue was at his Instagram pic on a publicly set URL link. Date: 17 November 2017.

Date of Picture Posted

What i did then was to visit his Instagram account in the hopes of getting to see what other pics he might have posted that could provide some clues to where he was at. But unfortunately, his Instagram account was set to Private! So nothing!

Instagram Account is Private

I even went to his personal website and find posts within the date range of 10 November to 20 November but nothing! Absolutely nothing that could help me. Then i recall he has a Twitter account that was set to public! With his twitter handler and using advanced search, i was hoping to find something.

Twitter Advanced Search Option

 That's when i found a single post that could be the holy grail to find what i eventually was looking for. It was a Retweet of a post from a Twitter account tagging him - dated 14 Nov 2017!

Retweeted on 14 November. A possible clue!

 Accessing the original post, the next clue was '@hcpss_arl'. And yeah that's him for sure!

Confirmed his physical presence at this location

Visiting the Twitter account of @hcpss_arl led me to its website

Twitter Profile of HCPSS ARL

Visiting the Twitter account of @hcpss_arl led me to its website and the address! The Google Map link was definitely a bonus!

  

Address of the institution Micah was at

Now that I am here, what next??????

Location of the Institution on Google Maps

This is where my keywords search came in handy! If you have not notice it before, Google Maps provide results that are nearest to the location you are viewing at that moment. So by typing 2000 constitution it will get me all the address with 2000 constitution closest to the location of the map i am currently viewing. In this case it showed as 2000 Constitution Avenue Northwest Washington, DC. 

The first result that is closest to the institution

The distance from the institution to the 2000 Constitution Avenue

 This was the time my confidence level shot up because the location definitely looks like a park to me!

Looks like a Huge Park!!!

Now time to find where exactly the location of the image was taken. Street View to the rescue!!

Street View of the location 

 And finally!!! Found the exact location where the artifacts in that original image are present - now on the Street View itself!

Location Finally Found!

When i showed this to a classmate, he asked a very good question. The Tweet was dated 14 November and the image posted on his Instagram was dated 17 November. So in a way, although i got my answer right, I was actually drawing invisible dots to connect the timeline of events. 

This was where I need to come out with a theory myself to justify my connecting of the invisible dots... so two theories are:

1) Micah could have stayed a few days around the area of the institution before he drove down to the park on the 17th.

2) Micah could have drove down to the park after his lesson, took that pic on 14 November itself and decided to post it on the 17th instead.

Only the trainer knows the logical and true answer and unfortunately I wasn't able to get it from him. But i was pleased to see his reaction when i told him that I found the location and his response was "Oh You Did?!".  I am definitely not sure if this was how it was intended to find the location to the image and I'm sure some of the readers stumbling upon this blog would probably go... "meh.." but nonetheless I was happy to 'capture the flag'!

SANS SEC487 OSINT Training and CTF

I had a great week attending the OSINT SEC487 training conducted by SANS here in Singapore. Initially i wanted to take the SANS Cyber Threat Intelligence FOR578 training as my current field of work is exactly that however, due to schedule and commitment, i couldn't sign up for it. But as I was going through the list of available training that could benefit and enhance my daily job, i stumbled into this OSINT course and thought this could definitely help for my everyday investigation. You see, part of my job is to analyse threat actors, their IOCs, researching about their TTPs and all those CTI stuffs using open source and tools to deliver the work. So when i saw the modules of this training, I knew this would be something that would definitely benefit my current scope of work.

Micah Hoffman (@webbreacher) the OSINT trainer

The wallpaper of the VM provided for the training

I thoroughly enjoyed the training and Micah was a great trainer, well spoken and easily understood. In spite of me doing OSINT and applying it during my work and personal research since 2013, I learned a handful of new things, new techniques and new features of every day things we rely on during the course of training. I would definitely recommend anyone who wants to have an understanding of OSINT especially if you are in the field where you have to rely on open source resources, fundamentals of the deep and dark net and a feel of finding information legally without hacking. One should consider having this training. I do hope SANS would consider exploring an advance version of this expanding its 'sock puppet' technique into a full cyber HUMINT for intelligence collection, gathering, analysis and reporting as a module.

While the training is all fun and good, I was greatly looking forward for the sixth day Capture the Flag event! That's when you get to apply the techniques you learned and apply them AND if you do well, the winning team will get the rare SANS coin. 

The SANS SEC487 CTF winner coin

The CTF on the sixth day was a tough one. It wasn't straight forward. You don't know if the answer you found was the right answer and the good thing was you can use whatever technique you learned to find them. The more you think out of the box, the more ways you are able to expand your findings. To win this CTF was not just by doing well but you need to present your findings to everyone and eventually be voted by everyone. In that manner, it was indeed a tough process to win. Imagine thinking you have done well but eventually not voted as the winner. So yeah, tough one!

So after a full five hours of 'find, research, analyse, recommend and report' I was happy that our team - all very passionate in their tasks were able to be voted the winner! 

The winning team posing with the trainer

This is my third SANs training and the third time winning their sixth day CTF challenge! The last time was way back in 2013!

SANs 560 (GPEN), 542 (GWAPT) and 487 (OSINT) CTF coins.

Blogposts on past SANs CTF experiences:

http://securityg33k.blogspot.com/2013/09/sans542-gwapt-ctf-won.html

http://securityg33k.blogspot.com/2013/11/sans-560-gpen-training-and-ctf-event.html

http://securityg33k.blogspot.com/2014/01/sans-holiday-hack-challenge-2013.html

SANS Holiday Hack Challenge 2013 - Honorable Mention

So last year, i was introduced to this Holiday Hack Challenge organized by SANS and i took part in it. With a career as an Ethical Hacker and graduated from a Cyber Forensics Degree, i took this challenge to see how i can exploit my knowledge to answer this.

(Source: http://pen-testing.sans.org/holiday-challenge/2013)

Well, it wasn't easy of course. Given just a PCAP file, i need to analyze, figure out the chain of events, create hypothesis and find evidence of attacks and finally suggest solutions on how to prevent this.

I spent over 3-5 nights using various PCAP analysis tools such as Wireshark, Network Miner, Xplico and Netwitness Investigator. One of the challenges i faced was the timestamp of the PCAP file. Since this PCAP file was created from the US, i only realized it 2 nights later that my Computer clock and Timezone settings was affecting the chain of events. Once i set it to the US timezone, then the chain of events made sense.

After completing the challenge, i submitted to SANS and the next day, i got a reply from Ed Skoudis! It was a compliment about my submission and it made me very confident about being one of the 4 winners.

When the results were out, i was a little disappointed that i didn't manage to get any of the top 4 positions. I looked at the answers by the Winners and i was shocked and satisfied..they were really in detail, diving deep into the technicalities of their analysis. They even managed to find something that i overlooked! A huge KUDOS to them! Truly deserved winners! 

But not all was gloomy for me. When i scrolled down under the section 'Honorable Mentions', i was excited to see my name was among the many other honorable submissions! This was what mentioned:

"Fadli B. Sidek: Fadli's response was amazingly detailed, lavishly illustrated, and beautifully formatted. It's an awesome entry from an obviously gifted information security analyst who knows how to convey information extremely effectively. This answer also pulls in the little lulzsec cartoon character near the end, to good comedic effect."

(source: http://pen-testing.sans.org/blog/pen-testing/2014/01/20/holiday-challenge-2013-winners-and-answers)

It made my day and put me in a cloud 9 for a while! I was happy that my nights spent to do this got rewarded! Anyhoo, i would like to share the report i submitted to SANS:

Special thanks to Ed Skoudis and the whole SANS team for organizing such as great challenge for all the nerds and geeks out there! Looking forward to participate in more challenges like this!

SANS Holiday Challenge 2013

Its that time of the year again where SANS organizes a holiday challenge for those who have some free time to spare during the holidays.

This year, SANS organized a challenge that includes a PCAP file that needs to be downloaded and analyzed and provide your findings based on the questions provided.

Enough talk! If you are keen to test your analysis and investigative skills, go to this site:
http://pen-testing.sans.org/holiday-challenge/2013 and test your might!


A small tip:

For those not from the US, you might find a problem with the time stamp in the packet frames. To overcome this, you need to set your machine's timezone to UTC - 6:00 or the US/Canada timezone.

SANS 560 GPEN Training and CTF Event

Went for a GPEN course that was held in Singapore at the Grand Copthorne Waterfront Hotel last week and had a great time learning some of the network hacking stuffs that i am not aware of. Unlike the previous course i attended which was the GWAPT (Web Application Pen Test), the books for GPEN was much thicker. The trainer was an official GIAC trainer and was from Belgium and spoke good, clear and understandable English. He was fun and approachable and explain things confidently when we were unsure.

At the last day of the course, like GWAPT in Bangkok, there was a Capture the Flag event, a mini hacking competition for all the participants and whoever wins it will get a special medal. This limited edition medal can only be given to those who successfully managed to capture all the flags and present to the participants how they win it. 

The GPEN CTF was much harder than GWAPT. Only after the event was over that the trainer confessed that there were no vulnerable machines for us to exploit and we had to find another weakness in the system instead. So it was a disappointment when we found NOTHING after running tools like Nessus and NMAP vuln nse scripts. There were both Linux and Windows machines and we had to think out of the box on getting the flags! It wasn't as straight forward as i would have thought. Even the CTF organized by Symantec previously wasn't as tough as this. We needed to know how to use password cracking/guessing tools, had to know how to sniff and analyze traffic using Wireshark/TCPdump. We had to know how to crack the hashes and compile an exploit to try and exploit a Linux machine! And who would have guessed that one of the flags was stored in a VOIP traffic!!!??? It was a quite tough 3-4 hrs event.

And eventually, despite all the toughness, our team won and was the only team to capture all the flags after the hour is over. 

Here are some pictures: 

The Course

The Training Room

One of the Chapters

The Trainer

The Books

Posing beside the SANS banner

The Medals

Our team with the medals

Me with the GPEN Medal

The Medal Close Up

For more information about the GIAC GPEN course: 

http://www.giac.org/certification/penetration-tester-gpen

SANS542 GWAPT CTF - WON!!!

So after an intensive theory/practical classes, the 6th day is where the knowledge starts to apply! CTF! The reward: a limited edition SANS medal coin! The medal is only given to those who managed to win the Capture the Flag competition and yes, it is a big deal to bring back a glory for the team and company after spending so much for the training in Bangkok, Thailand.

It wasn't an easy competition. The flags were to Social Security Numbers, Addresses, Bank Accounts and its balances. We had to think outside of the box to capture a flag like for example, after using Nikto, we found ourselves staring blank at the result until one of us viewed the source code of the results and PING! we found a flag!

It wasn't easy to be honest, and while i tried to use commercial tools to cheat my way to win, eventually, it couldn't find anything. Tools that were used during the CTF were

1) NMAP
2) CEWL
3) Burpsuite (lots and lots of it)
4) Nikto
5) Your creativity

It was a great team effort and we finally pulled it off! Got all 3 flags. And well, here it is:

SANS Thailand 2013

Web App Penetration Testing and Ethical Hacking (SEC542)

August 26-31.2013

Bangkok

My team mate and my laptop...

This is my first time winning a Capture the Flag event and looking forward to more such competitions in the future.