Document Metadata, The Silent Killer - PaulDotCom
Metadata in Common Document Types
The silent killer
Wednesday, March 11, 2009
Where This All Started (for me)
• Inspiration: Myspace private picture leak
• Automation grabbed 560,000 images marked as private from 44,000 profiles
• That’s 17GB of pictures!
• I figured there was a bunch I could learn from the metadata... (GPS data on those sexy pics?)
What I Learned
• Processing 560,000 images is a nightmare
• Those “sexy” images often weren’t so sexy
• Myspace truly is the “Wretched hive of Scum and Villainy”
• Images uploaded to Myspace are converted and sanitized of metadata!
So what is this metadata stuff?
• Found in all sorts of documents!
• Additional data for searches, filing, routing info, and even items for file processing
• Typically not revealed to the user
• Can contain very interesting data!
Word!
What shows up in Word metadata?
$ strings Test_Metadata_Document.doc
This is a test.
Test Metadata Document
Larry Pesce
medtadata pauldotcom goolag metagoofil maltego
This return is your a test tray of the emergency metadata system! Please
tables and seat backs to thier full and upright position.
Larry Pesce
Microsoft Word 12.0.1
Potential exploit
PaulDotCom Enterprises
Test Metadata Document
Title
Telephone number
e-mail
800-555-1212
larry@pauldotcom.com
Microsoft Word 97-2004 Document
Doublespeak?
• Office metadata can also reveal revisions
• Even Microsoft can fail
• The Revisionist
Acrobatics!
What info shows up in PDF metadata?
$ strings "Test Metadata.pdf"
Acrobat Distiller 7.0 (Windows)
metadata goolag acrobat metagoofil maltego
Larry Pesce
PScript5.dll Version 5.2.2
2008-04-18T19:35:38-04:00
2008-04-18T19:33:01-04:00
2008-04-18T19:35:38-04:00
Test Metadata Document.doc
/Author(Larry)/Creator(PScript5.dll Version 5.2.2)
A pretty picture
• President Obama’s official photo
• First taken with a digital camera
• First to contain metadata!
• Let’s analyze...
• So, what can we learn? Strings doesn’t cut it!
• What are the possible risks and potential for something interesting?
• So, who would you attack? The BlackBerry or the photographer?
exiftool -a -u -g1 -b obama-officialportrait.jpg
---- ExifTool ----
ExifTool Version Number : 7.23
---- File ----
File Name : obama-officialportrait.jpg
Directory : .
File Size : 785 kB
File Modification Date/Time : 2009:01:15 10:12:02
File Type : JPEG
MIME Type : image/jpeg
Exif Byte Order : Big-endian (Motorola, MM)
---- IFD0 ----
Image Description : Official portrait of President-elect Barack Obama on Jan. 13, 2009...(Photo by Pete Souza)..
Make : Canon
Camera Model Name : Canon EOS 5D Mark II
Software : Adobe Photoshop CS3 Macintosh
Modify Date : 2009:01:13 19:35:18
Artist : Pete Souza
Copyright : © 2008 Pete Souza
---- ExifIFD ----
Date/Time Original : 2009:01:13 17:38:39
Create Date : 2009:01:13 17:38:39
---- Photoshop ----
Photoshop 0x0425 : Ó\¯ıG›%œrè.ë+finº
XML Data : (Binary data 6160 bytes, use -b option to extract)
---- ICC-header ----
Profile CMM Type : ADBE
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 1999:06:03 00:00:00
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Even newer...
exiftool -a -u -g1 -b First_Lady_Michelle_Obama_Official_Portrait_2009-red.jpg
---- ExifTool ----
ExifTool Version Number : 7.23
---- File ----
File Name : First_Lady_Michelle_Obama_Official_Portrait_2009-red.jpg
File Size : 57 kB
File Modification Date/Time : 2009:02:28 20:02:03
Exif Byte Order : Big-endian (Motorola, MM)
---- IFD0 ----
Camera Model Name : Canon EOS-1D Mark II
Software : Adobe Photoshop CS3 Windows
Modify Date : 2009:02:27 10:39:12
---- ExifIFD ----
Date/Time Original : 2009:02:18 12:08:02
Create Date : 2009:02:18 12:08:02
---- XMP-xmp ----
Metadata Date : 2009:02:27 10:39:12-05:00
Creator Tool : Adobe Photoshop CS3 Windows
---- XMP-crs ----
Raw File Name : P021809JB-0046.dng
---- XMP-xmpMM ----
History When : 2009:02:24 21:22:09-05:00, 2009:02:24 21:22:09-05:00, 2009:02:24 21:22:54-05:00, 2009:02:24 21:32:51-05:00, 2009:02:27 09:49:50-05:00, 2009:02:27 09:49:50-05:00, 2009:02:27 09:53:47-05:00
History Software Agent : Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh, Adobe Photoshop CS4 Macintosh
---- ICC-header ----
Profile CMM Type : ADBE
Profile Version : 2.1.0
Profile Class : Display Device Profile
Primary Platform : Apple Computer Inc.
Too revealing?
• How about the embedded Preview/Thumbnail?
• Cat Schwartz of Tech TV found this out the hard way...
• These photos appeared on her website
• It was noted that they were cropped oddly...
Too revealing?
• Download and dump the EXIF embedded thumbnails
exiftool -b -ThumbnailImage original.jpg > output.jpg
• Photoshop 7.0 bug that didn’t update thumbnails!
exiftool -a -u -g1 original.jpg
---- IFD0 ----
Software : Adobe Photoshop 7.0
Picture this!
$ strings 0x80_cracker_with_laptop.jpg
SLUG: mag/hacker
DATE: 12/20/2005
PHOTOGRAPHER: Sarah L. Voisin/
TWP id#:
LOCATION: Roland, OK
PICTURED:
Canon EOS 20D
Adobe Photoshop CS2 Macintosh
2006:02:16 15:43:01
Speaking of location
• How about GPS info?
• Geotagging photos anyone?
• This is only getting easier!
• Phones, cameras, software, web
• Maybe employee personal information, but...
Adding GPS up
• We now know:
  • Person
  • Possible platform (Windows, OSX, laptop?)
  • Location: home, work and coffee shop...
Determined attacker
• Exploit physical security
• Know what to steal!
A few scary examples
• Eliot
  • Work, home, homestead
• Tina
  • Home, ..
• This is how we can begin to build an attack profile!
Eliot, Work
Eliot, Home
Eliot, Homestead
Tina, Home
Tina...
Taking it too far
Trust?
• We can even make some assumptions
  • Other collaborators
  • Co-workers
  • TRUSTED acquaintances!
How do we know?
• PGP keysigning information!
• Let’s find out who Roger Dingledine is...
Mail headers
• Public OOO replies
• Mailing list submissions
• Newsgroups
Direct e-mail example
Delivered-To: larry@pauldotcom.com
Received: by 10.65.40.11 with SMTP id s11cs103281qbj; Fri, 5 Sep 2008 06:46:28 -0700 (PDT)
Return-Path:
Received: from johnnymo.paul.com ([74.14.86.36]) by mx.google.com with ESMTPS id p27sm274252ele.0.2008.09.05.06.46.15 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 05 Sep 2008 06:46:20 -0700 (PDT)
Message-ID:
Date: Fri, 05 Sep 2008 09:46:09 -0400
From: Paul Asadoorian
User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707)
Mailing list example
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing3.securityfocus.com (Postfix) with QMQP id 6C53A237376; Sun, 14 Sep 2008 16:35:39 -0600 (MDT)
Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C916BA.781F8E05"
user-agent: Thunderbird 2.0.0.16 (Macintosh/20080707)
list-post:
list-id:
delivered-to: moderator for pen-test@securityfocus.com
mailing-list: contact pen-test-help@securityfocus.com; run by ezmlm
Content-class: urn:content-classes:message
Subject: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]
Date: Sun, 14 Sep 2008 16:19:23 -0400
Message-ID:
In-Reply-To:
Thread-Topic: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]
Thread-Index: AckWungd3zHVyhdvRauRbYpXN6N07Q==
From: "Tom Anderson"
Sender:
To: "Jack Sparrow", pen-test@securityfocus.com
OOO
Subject: [Email Tips] The Keymaker is out of the office.
Auto-Submitted: auto-generated
From: The Keymaker
To: EmailTips@bogusmailinglist.org
Message-ID:
Date: Tue, 14 Oct 2008 04:19:17 -0400
X-MIMETrack: Serialize by Router on D01ML076/01/M/IBM(Release 8.0.1|February 07, 2008) at 10/14/2008 04:19:18
Newsgroups
Too cool for tool
• Sure, there’s strings...
  • Manual download
  • Manual search
  • Manual extract
• Let’s talk a little automation
Fill ‘er up.
• Metagoofil - Edge Security
• Automated Google query
• Common document types
• Automated extract and reporting
• IDs, paths, even MAC addresses!
• Downloads direct from site
• OSX does not support Office documents
Analyzing Word
• Metagoofil
• Exiftool
• Larry’s scripting for custom user lists
Use me, abuse me
MetaGooFil 1.4a
usage: metagoofil options
-d: domain to search
-f: filetype to download (all,pdf,doc,xls,ppt,odp,ods, etc)
-l: limit of results to work with (default 100)
-o: output file, html format.
-t: target directory to download files.
Example: metagoofil.py -d microsoft.com -l 20 -f all -o micro.html -t micro-files
Metagoofil Demo
Exiftool
• It turns out that Exiftool can analyze Word pre-2007
  • Metadata storage based on the FlashPix standard
  • Not compatible with Office 2007
exiftool -r -h -a -u -g1 * >output.html
Office 2007
• Changed metadata storage format to XML
• XML parsing with shell scripting is like herding cats
• New document is just a ZIP archive
• The best goodies are typically located in docProps/core.xml
• Wrote my first Perl script to extract author metadata
http://www.pauldotcom.com/2007XMLextract.pl
• Yes, the zip can be completed in Perl as well...
unzip -o -j TestingMetadata2007.docx docProps/core.xml && perl ./2007XMLextract.pl core.xml | tr '[:space:]' '\n' | sort | uniq > 2007users.txt
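As an added example (not the Perl script from the slides, nor Microsoft's Document Inspector), the following Python does in one place what the unzip/Perl pipeline above does plus the removal step the cleanup slides later call for: it reads the identifying fields out of docProps/core.xml and writes a copy of the package with them removed. The .docx, its field values, and the function names are constructed for the demonstration; only the docProps/core.xml part is carried, since that is the part under discussion.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside docProps/core.xml (OPC core properties plus Dublin Core).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep the original prefixes when re-serialising

# Fields that name people or expose editing history; these are what an audit should flag.
IDENTIFYING = ["dc:creator", "cp:lastModifiedBy", "cp:revision", "dcterms:created", "dcterms:modified"]

# Constructed sample core.xml; every value below is made up for the demonstration.
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Quarterly report</dc:title>
 <dc:creator>jdoe</dc:creator>
 <cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>
 <cp:revision>17</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">2009-02-01T09:12:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2009-03-10T16:40:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)


def build_docx(core_xml):
    """Build a minimal ZIP shaped like a .docx; only the part under discussion is included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stand-in for the real part
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def core_properties(docx_bytes, fields=IDENTIFYING):
    """Return {field: text} for the requested core properties present in docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {f: root.find(f, NS).text for f in fields if root.find(f, NS) is not None}


def scrub_docx(docx_bytes):
    """Return a copy of the package with the identifying core properties removed.
    Other parts are copied unchanged; entries are re-created, so ZIP entry timestamps are reset too."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                root = ET.fromstring(data)
                for f in IDENTIFYING:
                    for el in root.findall(f, NS):
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, data)
    return out.getvalue()
```

Re-running core_properties on the scrubbed output is the check worth keeping: an empty result for the identifying fields, and the title still present, confirms the removal did not touch anything else.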
Custom user lists
• So, let’s take some Word docs and pull out the user names and first and last names!
• Tedious process? Script it!
• What about Web?
wget -r -l1 --no-parent -A.doc http://www.somewebsite.com && exiftool -r -a -u -Author -LastSavedBy * >users.txt && strings users.txt | cut -d":" -f2 | grep -v "=" | grep -v "image files read" | tr '[:space:]' '\n' | sort | uniq >cleanusers.txt
• Local disk?
exiftool -r -a -u -Author -LastSavedBy * >users.txt && strings users.txt | cut -d":" -f2 | grep -v "=" | grep -v "image files read" | tr '[:space:]' '\n' | sort | uniq >cleanusers.txt
PDFs
• I didn’t think a good command line tool existed until I found pdftk
• I haven’t had much time to play
• Not only good for metadata, but good for other PDF manipulation too!
• Not nearly as revealing as strings, but it is a start...
pdftk metadata.pdf dump_data
My pwn SANS Paper
InfoKey: Creator
InfoValue: SANS Institute InfoSec Reading Room
InfoKey: Title
InfoValue: Document Metadata, the Silent Killer...
InfoKey: Producer
InfoValue: PDFlib+PDI 7.0.2 (PHP5/Linux)
InfoKey: CreationDate
InfoValue: D:20090202201331Z
PdfID0: 6e469b8e315bc7573edf7290fd45825d
PdfID1: 6e469b8e315bc7573edf7290fd45825d
NumberOfPages: 69
JPEGs?
• Wget and EXIFtool for the win!
• A little scripting can repeat the test and e-mail us results in HTML
wget -r -l1 --no-parent -A.jpg http://www.pauldotcom.com && exiftool -r -h -a -u -g1 * >output.html
JPEG GPS Data
• Google maps is your friend!
• Marker placement for GPS data
• Mind your measurements, you may need to convert
http://www.cosports.com/index.php/tool/tools/latlong
• Firefox Greasemonkey script for Flickr, Flickramio
http://userscripts.org/scripts/show/27101
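To show what "mind your measurements" means in practice, here is an added Python example (not a tool from the slides) that walks an Exif GPS IFD the way exiftool does: it reads the degree/minute/second rationals and the N/S and E/W ref tags, converts them to signed decimal degrees, and builds the Google Maps marker URL for the slide's next step. The Exif blob, the coordinates, and the function names are constructed for the demonstration and come from no real photo.

```python
import struct

# Tag numbers (TIFF 6.0 / Exif 2.2) and the TIFF field types used below.
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5

def build_gps_tiff(lat_dms, lat_ref, lon_dms, lon_ref):
    """Minimal big-endian TIFF (the payload of a JPEG APP1 'Exif' segment) with a GPS IFD. Sample data only."""
    def rationals(dms):  # degrees, minutes, seconds: three unsigned numerator/denominator pairs
        return b"".join(struct.pack(">II", n, d) for n, d in dms)
    # Layout: 8-byte header | IFD0 (2 + 1*12 + 4 = 18 bytes) | GPS IFD (2 + 4*12 + 4 = 54 bytes) | rational data
    gps_off = 8 + 18
    data_off = gps_off + 54
    lat_bytes, lon_bytes = rationals(lat_dms), rationals(lon_dms)
    out = b"MM\x00\x2a" + struct.pack(">I", 8)  # "MM" = Motorola byte order, as in the exiftool dumps above
    out += struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, LONG, 1, gps_off) + struct.pack(">I", 0)
    out += struct.pack(">H", 4)
    out += struct.pack(">HHI", GPS_LAT_REF, ASCII, 2) + lat_ref.encode() + b"\x00" * 3  # 2-byte value fits inline
    out += struct.pack(">HHII", GPS_LAT, RATIONAL, 3, data_off)
    out += struct.pack(">HHI", GPS_LON_REF, ASCII, 2) + lon_ref.encode() + b"\x00" * 3
    out += struct.pack(">HHII", GPS_LON, RATIONAL, 3, data_off + len(lat_bytes))
    return out + struct.pack(">I", 0) + lat_bytes + lon_bytes

def read_ifd(buf, off, endian):
    """Return {tag: (type, count, raw 4 value/offset bytes)} for the IFD starting at off."""
    (n,) = struct.unpack_from(endian + "H", buf, off)
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", buf, e)
        entries[tag] = (typ, count, buf[e + 8:e + 12])
    return entries

def dms_to_decimal(dms, ref):
    """Exif keeps unsigned degrees/minutes/seconds; the sign comes from the N/S or E/W ref tag."""
    deg, mins, secs = (n / d for n, d in dms)
    value = deg + mins / 60 + secs / 3600
    return -value if ref in ("S", "W") else value

def gps_from_tiff(buf):
    """Return (lat, lon) in signed decimal degrees, or None when the image has no GPS IFD."""
    endian = ">" if buf[:2] == b"MM" else "<"
    (ifd0_off,) = struct.unpack_from(endian + "I", buf, 4)
    ifd0 = read_ifd(buf, ifd0_off, endian)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])
    gps = read_ifd(buf, gps_off, endian)
    def ref(tag):
        return gps[tag][2][:1].decode()
    def dms(tag):  # three RATIONALs never fit in 4 bytes, so the entry holds an offset
        (off,) = struct.unpack(endian + "I", gps[tag][2])
        return [struct.unpack_from(endian + "II", buf, off + 8 * k) for k in range(3)]
    return dms_to_decimal(dms(GPS_LAT), ref(GPS_LAT_REF)), dms_to_decimal(dms(GPS_LON), ref(GPS_LON_REF))

def maps_link(lat, lon):  # marker URL for the "Google maps is your friend" step
    return f"https://maps.google.com/?q={lat:.6f},{lon:.6f}"
```

On a real JPEG the buffer to hand to gps_from_tiff is the APP1 segment body after its 6-byte "Exif\0\0" prefix; a None result is the outcome you want from anything about to be published.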
A malt beverage?
• Maltego - Paterva
• Information gathering made easy
• You give it a starting point
• Automated!
• Document finding and (limited) metadata extraction
• Great for filling in the “softer” bits
Maltego Demo
Document Discovery
What do we know?
• Determination on an attack vector
• Word, and even a possible version with a certain timeframe
• Creates PDFs, timeframes and output DLL
• Additional client applications: e-mail client, image processing, etc
• E-mail address
• Login IDs
• Website
• Some previous contacts to spoof
• I’m sure we can find some exploits for what we know!
This is how you get...
Also similar to...
How can this be used?
• Determine internal architecture through server names and paths
• Find opportunities for B&E, hardware “acquisition”
• Usernames to brute force other services
• Internal patching practices for both OS and/or desktop applications
• Deliver a specific, targeted attack based on username and/or e-mail address and utilize a recent vulnerability in software likely still in use on client systems with a high degree of confidence, leveraging trust and social engineering
That’s called...
Clean up your act!
• Limit your exposure!
• If it is already on the internet, it is probably too late
• At least limit everything new!
Consider this...
• Remember this metadata stuff is still useful!
• Maintain documents in internal repository with metadata intact
• Maintain secondary repository for external communications
  • Slicks, marketing information, public postings
• Educate and develop procedure on non-population?
• Run removal tools across your organization
• Yes, it is a lot of work...
Cleanup Tool Selection
• Tons of tools exist, some free, some minimal cost
• This list is far from all inclusive
• Use of free or existing tools
• Use of likely prior investments
• Looking to include some command line automation at a later date
Microshafted!
• For Office versions prior to 2007: the Microsoft Remove Hidden Data add-on
• Tools | Options:
C:\Offrhd.exe C:\documents /R
• Office 2007 Document Inspector is better!
Microshafted! (2)
• Office 2007 is a different animal
• Microsoft Office Button | Prepare | Inspect Document
• Select options
• Inspect | Remove All
PDF!
• Acrobat Standard/Pro
• Good for new, and existing documents
• File | Document Properties
• Select the Description tab | Additional Metadata
• PDF Properties parent item | Delete
JPEG cleanup
• Exiftool!
• Delete all for a single file
exiftool -All=
• Delete for multiple files
exiftool -All= *.jpg
A note on cleanup...
• Some information will still be left behind!
• Information usually related to output tool and format
  • When opening, the client tool needs to know how to process
  • Version compatibility, color spaces, format...
• This info can still reveal information useful for an attack
Litany of Metadata
I must not fear.
Metadata is the network-killer.
Metadata is the little-death that brings total obliteration.
I will face my Metadata.
I will not permit it to pass over networks by me.
And before it has gone past I will turn the inner eye to see its server path.
Where the Metadata has gone there will be nothing.
Only emptiness will remain.
EOF
larry@pauldotcom.com
http://www.pauldotcom.com
http://twitter.com/haxorthematrix