Attacks against privacy and OSINT - plan for the lab
We will try out some of the methods and tools described in the lecture, but the main focus of the lab is OSINT. The lecturer will demo the tools and give students enough time to install them as well, so that they can participate actively.
We list here some of the tools that we might use in the lab; the final selection will be made in the lab depending on the available time. Because of time constraints we will probably not get through all of the tasks listed below. However, there will be a homework task in which you can apply some of the tools or methods we try out in the lab.
Useful links about OSINT:
- What is OSINT?
- Guide To Using Reverse Image Search For Investigations
- Can AI Chatbots Be Used for Geolocation?
- Bellingcat investigations
Tools/demos that we might consider:
- Browser extensions that block tracking
- Copying of session cookies
- Viewing and removing metadata from photos with exiftool. Validating the GPS coordinates with Google Street View.
- Using OSINT tools to find information.
- Search engines
- Wayback Machine
- OSINT framework
- Maltego
- Censys
- TinEye
- Map Switcher - a Google Chrome extension
- Shodan
- hunter.io
- These are the Tools Open Source Researchers Say They Need
- Bellingcat's scripts/tools
- Trying to get answers from LLMs (e.g. for geolocating a photo).
- robots.txt
- Maybe, if there is time: illustration of a man-in-the-middle attack with Burp Suite.
- Maybe, if there is time: capturing network traffic with Wireshark.
1. Task - block CNAME based tracking
Experiment with browser extensions and try to block CNAME-based tracking, i.e. a tracker hidden behind a first-party-looking subdomain whose DNS CNAME record points to the tracker's own domain, so that it bypasses filters that only look at the hostname in the URL. Brave is supposed to block such tracking out of the box and is in general configured to protect users' privacy: Brave deemed most private browser in terms of 'phoning home' (2020). Coming back to CNAME blocking, uBlock Origin on Firefox also has this feature: it resolves the CNAME of each request and applies its filters to the real destination. On Google Chrome, uBlock Origin cannot resolve CNAMEs itself, because the browser gives extensions no DNS API, so there it only catches disguised trackers that are already listed in its filter lists, which is less effective than on Firefox.
Some examples to try out: 16ao.mathon.fr, elr.sfr.fr, or pick one from https://raw.githubusercontent.com/AdguardTeam/cname-trackers/master/data/combined_disguised_trackers.txt and test it. You can inspect the CNAME chain of a hostname yourself with dig +noall +answer hostname (or nslookup) and compare it with what your blocker's request log shows with and without CNAME uncloaking.
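The following script is an added example for Task 1; it is not code from the course page, Brave or uBlock Origin. It does the check a CNAME-uncloaking blocker performs: it follows the CNAME chain of a hostname and reports whether the final target lives in a different registrable domain than the hostname the browser sees. The dig answers embedded in it are constructed samples in the format dig +noall +answer prints, and the tracker domain example-tracker.net is made up; the resolve_with_dig helper is the only part that needs network access.

```python
# Added example for Task 1; not code from the course page, Brave or uBlock Origin.
# It classifies a hostname's CNAME chain as first-party or as a disguised
# (cloaked) third-party tracker. The dig answers below are constructed samples
# in the format `dig +noall +answer <hostname>` prints; the tracker domain
# example-tracker.net is made up.
import subprocess

SAMPLE_CLOAKED = """\
16ao.mathon.fr.                         600  IN  CNAME  mathon.collector.example-tracker.net.
mathon.collector.example-tracker.net.    60  IN  A      192.0.2.10
"""
SAMPLE_FIRST_PARTY = """\
www.example.com.   300  IN  CNAME  cdn.example.com.
cdn.example.com.   300  IN  A      192.0.2.20
"""
SAMPLE_NO_CNAME = "example.com.   300  IN  A  192.0.2.30\n"


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'a.b.example.com.' -> 'example.com'.

    Simplification for the lab: two-label public suffixes such as 'co.uk'
    are not handled; use the Public Suffix List for anything serious.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def cname_chain(dig_answer: str) -> list[str]:
    """CNAME targets, in order, from `dig +noall +answer` output."""
    targets = []
    for line in dig_answer.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3] == "CNAME":
            targets.append(fields[4].rstrip("."))
    return targets


def classify(host: str, dig_answer: str) -> str:
    """Return 'no-cname', 'first-party' or 'cloaked:<final target>'.

    A request to `host` looks first-party to the browser, but when the chain
    ends in a different registrable domain the traffic really goes to that
    domain. This is the cloaking that Brave and uBlock Origin on Firefox
    detect by resolving the CNAME before applying their filters.
    """
    chain = cname_chain(dig_answer)
    if not chain:
        return "no-cname"
    final = chain[-1]
    if registrable_domain(final) == registrable_domain(host):
        return "first-party"
    return f"cloaked:{final}"


def resolve_with_dig(host: str) -> str:
    """Live lookup for the lab machine (needs network access and dig)."""
    return subprocess.run(["dig", "+noall", "+answer", host],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for host, answer in [("16ao.mathon.fr", SAMPLE_CLOAKED),
                         ("www.example.com", SAMPLE_FIRST_PARTY),
                         ("example.com", SAMPLE_NO_CNAME)]:
        print(f"{host}: {classify(host, answer)}")
```

To test a real hostname from the AdGuard list, replace the sample with classify(h, resolve_with_dig(h)). A "cloaked" result is exactly what a hostname-only filter misses and a CNAME-uncloaking blocker catches.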
2. Task - session hijacking
Test for yourself how easy it is to copy a session cookie from one browser to another. This makes it possible to hijack even sessions in which the user was authenticated with two-factor authentication: after login the server only checks the cookie, not how it was obtained. That is why it is important to prevent cookies from leaking (for example by marking them HttpOnly and Secure and by never pasting them anywhere). You can test this approach with your courses.cs.ut.ee account after you have logged in from the top right corner of this page. You can view the cookies by pressing F12 in Google Chrome / Firefox and navigating to Storage -> Cookies in Firefox or Application -> Storage -> Cookies in Google Chrome.
Next, in the other browser delete the old session cookie and create a new one with the copied name and value. One way to create a cookie is from the browser's console by entering the command: document.cookie="cookiename=cookievalue"; (append the Path and Domain the site uses if they are not the defaults). Note that document.cookie can neither read nor overwrite a cookie that carries the HttpOnly attribute, which is why the old cookie has to be deleted first; the cookie you create lacks HttpOnly, but the server cannot tell the difference. Alternatively, edit the cookie value directly in the developer tools' cookie view.
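As an added example for Task 2 (not code from the course page or from courses.cs.ut.ee), the script below audits a Set-Cookie header for the attributes that make a session cookie harder to steal or replay, and builds the document.cookie line from the task for recreating a copied cookie in another browser's console. The two headers in it are constructed: a typical weak session cookie and a hardened one; in the lab, take the real Set-Cookie line from the Network tab (or from Burp) after logging in.

```python
# Added example for Task 2; not code from the course page or from courses.cs.ut.ee.
# It audits Set-Cookie headers for the attributes that make the session cookie
# harder to steal or replay, and builds the document.cookie line used in the
# lab to recreate a copied cookie in another browser. The headers below are
# constructed; in the lab, take the Set-Cookie line from the Network tab (or
# Burp) after logging in.

SAMPLE_HEADERS = {
    "weak": "PHPSESSID=s3cr3tvalue; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "hardened": "__Host-session=s3cr3tvalue; Path=/; Secure; HttpOnly; SameSite=Lax",
}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str) -> list[str]:
    """Ways this cookie can leak or be replayed, as human-readable findings."""
    cookie = parse_set_cookie(header)
    a = cookie["attrs"]
    findings = []
    if "httponly" not in a:
        findings.append("no HttpOnly: readable through document.cookie, e.g. by XSS")
    if "secure" not in a:
        findings.append("no Secure: also sent over plain HTTP, visible on the network")
    if str(a.get("samesite", "")).lower() in ("", "none"):
        findings.append("SameSite missing or None: attached to cross-site requests")
    if "expires" in a or "max-age" in a:
        findings.append("persistent: stored on disk and survives closing the browser")
    if not cookie["name"].startswith("__Host-"):
        findings.append("no __Host- prefix: can be set from subdomains or other paths")
    return findings


def console_snippet(header: str) -> str:
    """The document.cookie assignment that recreates this cookie in another
    browser's console (the step in Task 2). HttpOnly cannot be set from
    JavaScript and is dropped; the server cannot tell the difference."""
    c = parse_set_cookie(header)
    parts = [f'{c["name"]}={c["value"]}']
    for key in ("path", "domain"):
        if key in c["attrs"]:
            parts.append(f'{key}={c["attrs"][key]}')
    if "secure" in c["attrs"]:
        parts.append("secure")
    return 'document.cookie="' + "; ".join(parts) + '";'


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label}: {header}")
        for finding in audit_session_cookie(header) or ["no findings"]:
            print("  -", finding)
        print("  console:", console_snippet(header))
```

Note that none of the findings stop the hijack once the cookie value is in the attacker's hands; they only make it harder to obtain (HttpOnly, Secure) or to replay from a different site (SameSite). The same replay works outside a browser, e.g. curl -b "cookiename=cookievalue" against the logged-in page.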
3. Task - viewing and removing EXIF data with exiftool
Download exiftool and see how it works. You can get sample data from https://github.com/ianare/exif-samples. Download some photos and look at what kind of interesting information is available (camera make and model, capture time, editing software, GPS position). Keep in mind that metadata can be modified, so use Google Street View to validate whether the GPS coordinates from the metadata match the location shown in the photo. If you need to convert the GPS coordinates from the degrees/minutes/seconds form to the decimal form that can be pasted into Google Maps, use the flag -c "%.6f", e.g. exiftool.exe -c "%.6f" name_of_photo.jpg
Finally, use exiftool to remove all metadata that is not directly tied to the image itself. This can be done with the following command: exiftool.exe -all= name_of_photo.jpg
exiftool keeps the untouched file as name_of_photo.jpg_original unless you add -overwrite_original; run exiftool on the cleaned file again to verify that the tags are really gone.
Use exiftool also to check the metadata of PDF files. Note that exiftool writes its changes to a PDF as an incremental update appended to the file, so metadata "removed" with -all= is still present in the file and can be recovered until the PDF is rewritten by another tool. Useful tip for scrubbed PDF files: https://twitter.com/flakpaket/status/1654617325520433152.
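The script below is an added example for Task 3; it is not code from the course page or from exiftool. It does by hand what the -c "%.6f" flag does, converting exiftool's default degrees/minutes/seconds GPS strings into decimal degrees, builds the Google Maps link for the Street View comparison, and flags a simple sign of editing (a ModifyDate later than DateTimeOriginal). The metadata it contains is a constructed sample shaped like the JSON that exiftool -j prints; the camera, timestamps and coordinates are made up.

```python
# Added example for Task 3; not code from the course page or from exiftool.
# It converts the degrees/minutes/seconds GPS strings that exiftool prints by
# default into the decimal form Google Maps accepts (what -c "%.6f" does), builds
# the Maps link for the Street View comparison, and flags signs of editing. The
# metadata below is a constructed sample shaped like `exiftool -j photo.jpg`
# output; the camera, timestamps and coordinates are made up.
import json
import re
import sys

SAMPLE_EXIFTOOL_JSON = json.dumps([{
    "SourceFile": "photo.jpg",
    "Make": "Canon",
    "Model": "Canon EOS 5D Mark II",
    "DateTimeOriginal": "2023:06:12 14:03:27",
    "ModifyDate": "2023:07:01 09:15:00",
    "Software": "Adobe Photoshop 24.0",
    "GPSLatitude": "58 deg 22' 40.80\" N",
    "GPSLongitude": "26 deg 43' 44.40\" E",
}])

# exiftool's default GPS format: 58 deg 22' 40.80" N
_DMS = re.compile(r"^\s*(\d+)\s*deg\s*(\d+)'\s*([\d.]+)\"\s*([NSEW])\s*$")

INTERESTING_TAGS = ("Make", "Model", "DateTimeOriginal", "ModifyDate", "Software")


def dms_to_decimal(value: str) -> float:
    """'58 deg 22\' 40.80" N' -> 58.378; southern/western refs become negative."""
    m = _DMS.match(value)
    if not m:
        raise ValueError(f"not an exiftool DMS string: {value!r}")
    deg, minutes, seconds, ref = m.groups()
    decimal = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -decimal if ref in "SW" else decimal


def summarize(json_text: str) -> list[dict]:
    """One record per file: decimal position, Maps link and editing indicators."""
    records = []
    for entry in json.loads(json_text):
        record = {
            "file": entry.get("SourceFile"),
            "tags": {k: entry[k] for k in INTERESTING_TAGS if k in entry},
            "position": None,
            "maps_url": None,
            # A ModifyDate later than DateTimeOriginal means the file was
            # re-saved after capture, so GPS and other tags may have been edited.
            "modified_after_capture": None,
        }
        if "DateTimeOriginal" in entry and "ModifyDate" in entry:
            # exiftool's fixed 'YYYY:MM:DD HH:MM:SS' format sorts correctly as a string
            record["modified_after_capture"] = entry["ModifyDate"] > entry["DateTimeOriginal"]
        if "GPSLatitude" in entry and "GPSLongitude" in entry:
            lat = dms_to_decimal(entry["GPSLatitude"])
            lon = dms_to_decimal(entry["GPSLongitude"])
            record["position"] = (round(lat, 6), round(lon, 6))
            record["maps_url"] = f"https://www.google.com/maps?q={lat:.6f},{lon:.6f}"
        records.append(record)
    return records


if __name__ == "__main__":
    # Pipe real output in: exiftool -j name_of_photo.jpg | python3 exif_gps.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EXIFTOOL_JSON
    print(json.dumps(summarize(text), indent=2))
```

Open the printed maps_url, switch to Street View at that point and compare the surroundings with the photo; a "modified_after_capture" of true or an editing application in Software is a reason to trust the coordinates less, not a proof that they are wrong.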
4. OSINT task - find information about the given image
Warm-up task: use reverse image search to identify what is shown in the pictures.
Then use different OSINT tools to find out the following about the two photos:
- When was the image taken?
- Where was the image taken?
- Which camera was used to capture this photo?
- Does the historic weather data match what is seen in the image?
- What is the name of the boat?
- From which website does this image originate?
- Anything else that is relevant?
5. Task - Maltego
Maybe we will have time to briefly look at the functionality offered by Maltego. Note that registration is required to use the tool. If you are interested, you can watch the video tutorials on YouTube: https://www.youtube.com/c/MaltegoOfficial/videos.
The task is to learn the basics of the free version of Maltego: how to create graphs, install transforms and run them. Once you understand the basics, try to build a simple graph on a topic of your own choosing.
6. Voluntary task - try to use Burp Suite to intercept network traffic
First download and install Burp Suite. Next, either use its built-in browser or configure your own browser to send its traffic through Burp's proxy. If you configure your own browser, we recommend Firefox, because it allows a proxy setting that affects only Firefox and not the whole operating system. You will also need to import Burp's CA certificate into the browser so that HTTPS sites can be intercepted without certificate warnings (the built-in browser already trusts it). Once this is done, browse the web and intercept the requests, e.g. log in to courses.cs.ut.ee and look for your password and session cookie in the intercepted request. This illustrates what a corporate proxy can see if the company you work for inspects the TLS traffic of its employees: because the proxy's CA is trusted by your browser, it terminates the TLS connection and sees the plaintext. Once you have understood the basics you can solve some of the tasks from the Burp Suite Academy (requires registration).