Poortego: An OS-INT correlation tool for the 99%

Expo Theatre (Hall G) October 23, 2012 - Feedback     

Bookmark and Share

Mike Geide

Aggregating and correlating open-source intelligence (OS-INT) is an important aspect of both attack and defense. When on the offensive, OS-INT provides critical reconnaissance information. Whether sucking down data from corporate directories, gathering information from social networking sites, or combing Pastebin for stolen credentials, the relationships among associated data sets paint a critical picture highlighting potential weaknesses in a target’s security posture. On defense, leveraging OS-INT to uncover the information that your organization and personnel are inadvertently exposing online can ensure that vulnerabilities are identified and mitigated before they can be leveraged by attackers. “Knowing your enemy” – such as tracking attackers, botnet/malware infrastructure, IRC/forum messages, and indicators of compromise also ensures that an organization is able to properly prioritize appropriate defenses.

Maltego and Casefile are popular applications that are quickly becoming an industry standard for tracking OS-INT. However, they are neither open-source, nor free for commercial use. Metasploit provides a great open-source and free framework for penetration testing, however, it is missing tools for automating the aggregation and correlation of OS-INT. In this talk, I will release a Metasploit extension known as Poortego (a poor man’s Maltego), that addresses the need for a free and open-source OS-INT capability. I will also provide various use-case scenarios to benefit your attack and defense, as well as walk through a real-world investigation where Poortego was leveraged to correlate large and disparate data sets to detect and understand a targeted threat.