Document Metadata, The Silent Killer - PaulDotCom

Metadata in Common Document Types 

!e silent killer 

Wednesday, March 11, 2009

Where This All Started 

(for me) 

• Inspiration: Myspace private picture leak 

• Automation grabbed 560,000 images 

marked as private from 44,000 profiles 

• That’s 17GB of pictures! 

• I figured there was a bunch I could learn 

from the metadata... (gps data on those 

sexy pics?) 


What I Learned 

• Processing 560,000 images is a nightmare 

• Those “sexy” images often weren’t so sexy 

• Myspace truly is the “Wretched hive of 

Scum and Villainy” 

• Images uploaded to Myspace are converted 

and sanitized of metadata! 


So what is this 

metadata stuff? 

• Found in all sorts of documents! 

• Additional data for searches, filing, routing 

info, and even items for file processing 

• Typically not revealed to the user 

• Can contain very interesting data! 



Wednesday, March 11, 2009 

Word!


Word!


Word!

Word! 

$ strings Test_Metadata_Document.doc 

This is a test. 

Test Metadata Document 

What shows up in word metadata? 

Larry Pesce 

medtadata pauldotcom goolag metagoofil maltego 

This return is your a test tray of the emergency metadata system! Please 

tables and seat backs to thier full and upright position. 

Larry Pesce 

Microsoft Word 12.0.1 

Potential exploit 

PaulDotCom Enterprises 

Test Metadata Document 

Title 

Telephone number 

e-mail 

800-555-1212 

larry@pauldotcom.com 

Microsoft Word 97-2004 Document 


Doublespeak? 

• Office metadata can 

also reveal revisions 

• Even Microsoft can fail 

• The Revisionist 



Acrobatics!


Acrobatics!

Acrobatics! 

$ strings Test Metadata.pdf 

Acrobat Distiller 7.0 (Windows) 

metadata goolag acrobat metagoofil maltego 

Larry Pesce 

PScript5.dll Version 5.2.2 

2008-04-18T19:35:38-04:00 

2008-04-18T19:33:01-04:00 

2008-04-18T19:35:38-04:00 

Test Metadata Document.doc 

What info shows up in PDF metadata? 

/Author(Larry)/Creator(PScript5.dll Version 5.2.2) 


A pretty picture 

• President Obama’s official 

photo 

• First taken with a digital 

camera 

• First to contain 

metadata! 

• Let’s analyze... 


• So, what can we 

learn? Strings 

doesn’t cut it! 

• What are the 

possible risks and 

potential for 

something 

interesting? 

• So, who would you 

attack? The 

BlackBerry or the 

photographer? 

exiftool -a -u -g1 -b obama-officialportrait.jpg 

---- ExifTool ---- 

ExifTool Version Number : 7.23 

---- File ---- 

File Name 

: obama-officialportrait.jpg 

Directory : . 

File Size 

: 785 kB 

File Modification Date/Time : 2009:01:15 10:12:02 

File Type 

: JPEG 

MIME Type 

: image/jpeg 

Exif Byte Order 

: Big-endian (Motorola, MM) 

---- IFD0 ---- 

Image Description 

: Official portrait of 

President-elect Barack Obama on Jan. 13, 2009...(Photo by 

Pete Souza).. 

Make 

: Canon 

Camera Model Name 

: Canon EOS 5D Mark II 

Software 

: Adobe Photoshop CS3 Macintosh 

Modify Date : 2009:01:13 19:35:18 

Artist 

: Pete Souza 

Copyright 

: ¬© 2008 Pete Souza 

---- ExifIFD ---- 

Date/Time Original : 2009:01:13 17:38:39 

Create Date : 2009:01:13 17:38:39 

---- Photoshop ---- 

Photoshop 0x0425 

: Ó\¯ıG›%œrè.ë+finº 

XML Data: (Binary data 6160 bytes, use -b option to 

extract) 

---- ICC-header ---- 

Profile CMM Type 

: ADBE 

Profile Version : 2.1.0 

Profile Class 

: Display Device Profile 

Color Space Data 

: RGB 

Profile Connection Space : XYZ 

Profile Date Time : 1999:06:03 00:00:00 

Profile File Signature : acsp 

Primary Platform 

: Apple Computer Inc. 

CMM Flags 

: Not Embedded, Independent 


Even newer... 

exiftool 

-a -u -g1 -b First_Lady_Michelle_Obama_Official_Portrait_2009-red.jpg 

---- ExifTool ---- 

ExifTool Version Number : 7.23 

---- File ---- 

File Name : 

First_Lady_Michelle_Obama_Official_Portrait_2009-red.jpg 

File Size 

: 57 kB 

File Modification Date/Time : 2009:02:28 20:02:03 

Exif Byte Order 

: Big-endian (Motorola, MM) 

---- IFD0 ---- 

Camera Model Name 

: Canon EOS-1D Mark II 

Software 

: Adobe Photoshop CS3 Windows 

Modify Date : 2009:02:27 10:39:12 

---- ExifIFD ---- 

Date/Time Original : 2009:02:18 12:08:02 

Create Date : 2009:02:18 12:08:02 

---- XMP-xmp ---- 

Metadata Date : 2009:02:27 10:39:12-05:00 

Creator Tool 

: Adobe Photoshop CS3 Windows 

---- XMP-crs ---- 

Raw File Name 

: P021809JB-0046.dng 

---- XMP-xmpMM ---- 

History When : 2009:02:24 21:22:09-05:00, 

2009:02:24 21:22:09-05:00, 2009:02:24 21:22:54-05:00, 

2009:02:24 21:32:51-05:00, 2009:02:27 09:49:50-05:00, 

2009:02:27 09:49:50-05:00, 2009:02:27 09:53:47-05:00 

History Software Agent : Adobe Photoshop CS4 

Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop 

CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe 

Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, 

Adobe Photoshop CS4 Macintosh 

---- ICC-header ---- 

Profile CMM Type 

: ADBE 

Profile Version : 2.1.0 

Profile Class 

: Display Device Profile 

Primary Platform 

: Apple Computer Inc. 


Too revealing? 

• How about the 

embedded Preview/ 

Thumbnail? 

• Cat Schwartz of Tech TV 

found this out the hard 

way... 

• These photos appeared 

on her website 

• It was noted that they 

were cropped oddly... 


Too revealing? 

• Download and dump the 

EXIF embedded Thumbnails 

exiftool -b -ThumbnailImage original.jpg > output.jpg 

• Photoshop 7.0 bug that 

didn’t update thumbnails! 

exiftool -a -u -g1 original.jpg 

---- IFD0 ---- 

Software : Adobe Photoshop 7.0 



Picture this!

Picture this! 

$ strings 0x80_cracker_with_laptop.jpg 

SLUG: mag/hacker 

DATE: 12/20/2005 

PHOTOGRAPHER: Sarah L. Voisin/ 

TWP id#: 

LOCATION: Roland, OK 

PICTURED: 

Canon EOS 20D 

Adobe Photoshop CS2 Macintosh 

2006:02:16 15:43:01 


Speaking of location 

• How about GPS info? 

• Geotagging photos anyone? 

• This is only getting easier! 

• Phones, Cameras, Software, Web 

• Maybe employee personal information, 

but... 



Adding GPS up 

• We now know: 

• Person 

• Possible platform (windows, OSX, 

laptop?) 

• Location: Home, work and coffee shop... 


Determined attacker 

• Exploit physical security 

• Know what to steal! 


A few scary examples 

• Eliot 

• Work, home, homestead 

• Tina 

• Home, .. 

• This is how we can begin to build an attack 

profile! 



Eliot, Work


Eliot, Home


Eliot, Homestead


Tina, Home


Tina...


Taking it too far

Trust? 

• We can even make some 

assumptions 

• Other collaborators 

• Co-workers 

• TRUSTED acquaintances! 


How do we know? 

• PGP Keysigning information! 

• Let’s find out who Roger Dingledine is... 


Mail headers 

• Public OOO replies 

• Mailing list submissions 

• Newsgroups 


Direct e-mail example 

Delivered-To: larry@pauldotcom.com 

Received: by 10.65.40.11 with SMTP id 

s11cs103281qbj; 

Fri, 5 Sep 2008 06:46:28 -0700 (PDT) 

Return-Path: 

Received: from johnnymo.paul.com 

([74.14.86.36]) 

by mx.google.com with ESMTPS id 

p27sm274252ele.0.2008.09.05.06.46.15 

(version=TLSv1/SSLv3 cipher=RC4-MD5); 

Fri, 05 Sep 2008 06:46:20 -0700 (PDT) 

Message-ID: 

Date: Fri, 05 Sep 2008 09:46:09 -0400 

From: Paul Asadoorian 

User-Agent: Thunderbird 2.0.0.16 (Macintosh/ 

20080707) 


Mailing list example 

Received: from lists.securityfocus.com 

(lists.securityfocus.com 

[205.206.231.19]) by outgoing3.securityfocus.com (Postfix) 

with QMQP 

id 6C53A237376; Sun, 14 Sep 2008 16:35:39 -0600 (MDT) 

Content-Type: multipart/mixed; 

boundary="----_=_NextPart_001_01C916BA.781F8E05" 

user-agent: Thunderbird 2.0.0.16 (Macintosh/20080707) 

list-post: 

list-id: 

delivered-to: moderator for pen-test@securityfocus.com 

mailing-list: contact pen-test-help@securityfocus.com; run by 

ezmlm 

Content-class: urn:content-classes:message 

Subject: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME] 

Date: Sun, 14 Sep 2008 16:19:23 -0400 

Message-ID: 

In-Reply-To: 

Thread-Topic: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME] 

Thread-Index: AckWungd3zHVyhdvRauRbYpXN6N07Q== 

From: "Tom Anderson" 

Sender: 

To: "Jack Sparrow" , 

pen-test@securityfocus.com 


OOO 

Subject: [Email Tips] The Keymaker is 

out of the office. 

Auto-Submitted: auto-generated 

From: The Keymaker 

 

To: EmailTips@bogusmailinglist.org 

Message-ID: 

Date: Tue, 14 Oct 2008 04:19:17 -0400 

X-MIMETrack: Serialize by Router on 

D01ML076/01/M/IBM(Release 8.0.1|February 

07, 2008) at 10/14/2008 04:19:18 



Newsgroups

Too cool for tool 

• Sure, there’s strings... 

• manual download 

• manual search 

• manual extract 

• Lets talk a little 

automation 


Fill ‘er up. 

• Metagoofil - Edge Security 

• Automated Google query 

• Common document types 

• 

• 

• 

• 

Automated extract and reporting 

IDs, Paths, even MAC addresses! 

Downloads direct from site 

OSX does not support office document 


Analyzing Word 

• Metagoofil 

• Exiftool 

• Larry’s Scripting for 

Custom User lists 


Use me, abuse me 

MetaGooFil 1.4a 

usage: metagoofil options 

-d: domain to search 

-f: filetype to download 

(all,pdf,doc,xls,ppt,odp,ods, etc) 

-l: limit of results to work with (default 100) 

-o: output file, html format. 

-t: target directory to download files. 

Example: metagoofil.py -d microsoft.com -l 20 - 

f all -o micro.html -t micro-files 






Metagoofil Demo

Exiftool 

• It turns out that Exiftool 

can analyze Word 

Pre-2007 

• Metadata storage based on 

FlashPix standard 

• Not compatible with 

Office 2007 

exiftool -r -h -a -u -g1 * >output.html 


Office 2007 

• Changed metadata storage format to XML 

• XML parsing with shell scripting is like herding cats 

• New document is just a ZIP archive 

• The best goodies for are typically located in 

docProps/core.xml 

• Wrote my first Perl script to extract author metadata 

http://www.pauldotcom.com/2007XMLextract.pl 

• Yes, the zip can be completed in Perl as well... 

unzip -e -j TestingMetadata2007.docx docProps/core.xml | perl ./2007XMLextract.pl core.xml | tr 

'[:space:]' '\n' | sort | uniq > 2007users.txt 


Custom user lists 

• So, lets take some word docs and pull out 

the user names and first and last names! 

• Tedious process? Script it! 

• What about Web? 

wget -r -l1 --no-parent -A.doc http://www.somewebsite.com | exiftool -r -a -u -Author - 

LastSavedBy * >users.txt |strings users.txt | cut -d":" -f2 | grep -v "\=" | grep -v "\image files read" | 

tr '[:space:]' '\n' | sort | uniq >cleanusers.txt 

• local disk? 

exiftool -r -a -u -Author -LastSavedBy * >users.txt |strings users.txt | cut -d":" -f2 | grep -v "\=" | 

grep -v "\image files read" | tr '[:space:]' '\n' | sort | uniq >cleanusers.txt 


PDFs 

• I didn’t think a good command 

line tool existed until I found pdfk 

• I haven’t had much time to play 

• Not only good for metadata, but 

good for other PDF manipulation 

too! 

• Not nearly as revealing as strings, 

but it is a start... 

pdftk metadata.pdf dump_data 


My pwn SANS Paper 

InfoKey: Creator 

InfoValue: SANS Institute InfoSec Reading Room 

InfoKey: Title 

InfoValue: Document Metadata, the Silent Killer... 

InfoKey: Producer 

InfoValue: PDFlib+PDI 7.0.2 (PHP5/Linux) 

InfoKey: CreationDate 

InfoValue: D:20090202201331Z 

PdfID0: 6e469b8e315bc7573edf7290fd45825d 

PdfID1: 6e469b8e315bc7573edf7290fd45825d 

NumberOfPages: 69 


JPEGs? 

• Wget and EXIFtool for the win! 

• A little scripting can repeat the test and e- 

mail us results in HTML 

wget -r -l1 --no-parent -A.jpg http://www.pauldotcom.com | exiftool -r -h -a -u -g1 * >output.html 


JPEG GPS Data 

• Google maps is your friend! 

• Marker placement for GPS data 

• Mind your measurements, you may need 

to convert 

http://www.cosports.com/index.php/tool/tools/latlong 

• Firefox Greasemonkey Script for Flickr, 

Flickramio 

http://userscripts.org/scripts/show/27101 


A malt beverage? 

• Maltego - Paterva 

• Information gathering made easy 

• You give it a starting point 

• Automated! 

• Document finding and (limited) 

metadata extraction 

• Great for filling in the “softer” bits 



Maltego Demo


Document Discovery


Document Discovery

What do we know? 

• Determination on an attack vector 

• Word, and even a possible version with a certain timeframe 

• Creates PDFs, timeframes and output DLL 

• Additional client applications: E-mail client, image processing, etc 

• E-mail address 

• Login IDs 

• Website 

• Some previous contacts to spoof 

• I’m sure we can find some exploits for what we know! 



This is how you get...


Also similar to...

How can this be used? 

• Determine internal architecture through Server names and 

paths 

• Find opportunities for B&E, hardware “acquisition” 

• Usernames to brute force other services 

• Internal patching practices for both OS and/or Desktop 

applications 

• Deliver a specific, targeted attack based on username and/ 

or e-mail address and utilize a recent vulnerability in 

software likely still in use on client systems with a high 

degree of confidence, leveraging trust and social engineering 



That’s called...


Clean up your act! 

• Limit your exposure! 

• If it is already on the internet, it is 

probably too late 

• At least limit everything new! 


Consider this... 

• Remember this metadata stuff is still useful! 

• 

Maintain documents in internal repository with 

Metadata intact 

• Maintain secondary repository for external 

communications 

• Slicks, marketing information, public postings 

• 

• Run removal tools across your organization 

• Yes, it is a lot of work... 

Educate and develop procedure on non-population? 


Cleanup Tool Selection 

• Tons of tools exist, some free, 

some minimal cost 

• This list is far from all inclusive 

• Use of free or existing tools 

• 

• Looking to include some 

Use of likely prior investments 

command line automation at a 

later date 


Microshafted! 

• For prior to Office 2007 Microsoft Remove 

Hidden data add-on 

• Tools | Options: 

C:\Offrhd.exe C:\documents /R 

• Office 2007 Document Inspector is better! 


Microshafted! (2) 

• Office 2007 is a 

different animal 

• Microsoft Office 

Button | Prepare | 

Inspect Document 

• Select options 

• 

Inspect | Remove All 


PDF! 

• Acrobat Standard/Pro 

• Good for new, and 

existing documents 

• File | Document 

Properties 

• Select the Description 

tag | Additional Metadata 

• PDF Properties parent 

item | Delete 


JPEG cleanup 

• Exiftool! 

• Delete all for a single file 

exiftool -All= 

• Delete for multiple files 

exiftool -All= *.jpg 


A note on cleanup... 

• Some information will still be left behind! 

• 

Information usually related to output tool and 

format 

• When opening, the client tool needs to know 

how to process 

• Version compatibility, color spaces, format... 

• This info can still reveal information useful for 

an attack 


Litany of Metadata 

I must not fear. 

Metadata is the network-killer. 

Metadata is the little-death that brings total 

obliteration. 

I will face my Metadata. 

I will not permit it to pass over networks by me. 

And before it has gone past I will turn the inner 

eye to see its server path. 

Where the Metadata has gone there will be 

nothing. 

Only emptiness will remain. 


EOF 

larry@pauldotcom.com 

http://www.pauldotcom.com 

http://twitter.com/haxorthematrix

Document Metadata, The Silent Killer - PaulDotCom

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?